A significant number of security control weaknesses jeopardize the confidentiality, integrity and availability of the Food and Drug Administration’s (FDA) information and systems, according to a new 59-page Government Accountability Office (GAO) audit report.
GAO said although FDA has taken steps to safeguard the seven systems GAO reviewed, it “did not fully or consistently implement access controls, which are intended to prevent, limit and detect unauthorized access to computing resources.”
Specifically, GAO pointed out, “FDA did not always adequately protect the boundaries of its network; consistently identify and authenticate system users; limit users’ access to only what was required to perform their duties; encrypt sensitive data; consistently audit and monitor system activity; and conduct physical security reviews of its facilities.”
“FDA conducted background investigations for personnel in sensitive positions, but weaknesses existed in other controls, such as those intended to manage the configurations of security features on and control changes to hardware and software; plan for contingencies, including systems disruptions and their recovery; and protect media such as tapes, disks and hard drives to ensure information on them was ‘sanitized’ and could not be retrieved after they are disposed of,” GAO reported.
GAO said, “These control weaknesses existed, in part, because FDA had not fully implemented an agency-wide information security program, as required under the Federal Information Security Modernization Act of 2014 and the Federal Information Security Management Act of 2002.”
GAO found FDA did not:
- Ensure risk assessments for reviewed systems were comprehensive and addressed system threats;
- Review or update security policies and procedures in a timely manner;
- Complete system security plans for all reviewed systems or review them to ensure that the appropriate controls were selected;
- Ensure that personnel with significant security responsibilities received training or that such training was effectively tracked;
- Always test security controls effectively and at least annually; and
- Always ensure that identified security weaknesses were addressed in a timely manner, and fully implement procedures for responding to security incidents.
“Until FDA rectifies these weaknesses,” GAO stated, “the public health and proprietary business information it maintains in these seven systems will remain at an elevated and unnecessary risk of unauthorized access, use, disclosure, alteration and loss.”
GAO made 15 recommendations to FDA to fully implement its agency-wide information security program. “In a separate report with limited distribution,” GAO further recommended FDA take 166 specific actions to resolve weaknesses in information security controls.
As GAO pointed out, the “FDA has a demanding responsibility of ensuring the safety, effectiveness and quality of food, drugs and other consumer products. In carrying out its mission, FDA relies extensively on information technology systems to receive, process and maintain sensitive industry and public health data, including proprietary business information such as industry drug submissions and reports of adverse reactions. Accordingly, effective information security controls are essential to ensure that the agency’s systems and information are adequately protected from inadvertent or deliberate misuse, improper modification, unauthorized disclosure or destruction.”
The Department of Health and Human Services stated in comments on a draft of GAO’s report that FDA concurred with GAO’s recommendations and has begun implementing several of them.
In response to GAO’s findings, Todd Simpson, FDA Chief Information Officer, said, “The FDA has worked quickly to address the concerns outlined by the GAO – already fully implementing 80 percent (12 of 15) of GAO’s program recommendations, and 61 percent (102 of 166) of GAO’s technical recommendations. We anticipate completing the remaining three program recommendations in the next few months, and the remaining technical recommendations in the next year.”
Simpson said, “The agency continues to enhance its cybersecurity strategies and procedures to ensure FDA information security systems provide adequate protection of industry data and public health information on a continual, long-term basis. In support of these efforts, we acquired industry-leading expertise to assist in the development and execution of timely action plans, as well as program/project management activities to immediately address the recommendations outlined in the GAO report.”
“The FDA appreciates and takes very seriously the GAO report’s recommendations, but the report’s limited findings should not be broadly applied to the FDA’s entire IT enterprise,” Simpson added, noting, “It is also important to note that the FDA has not experienced any major cybersecurity related breaches that exposed industry or public health information. We recognize the risks associated with operating our large global IT enterprise and have implemented processes, procedures and tools to ensure the deterrence, prevention, detection and correction of incidents. In addition to addressing the majority of the recommendations identified in the GAO report, we have also undertaken several other key activities and initiatives to ensure our IT systems and sensitive information are appropriately protected by safeguarding against unauthorized disclosure, access or misuse.”
“We are committed to working … to ensure the timely closure of their findings,” Simpson concluded.