FDA's Information Security Fixes Expected To Be Completed Within A Year
Executive Summary
GAO report prompts vigorous action – and some defensiveness – by the agency.
FDA expects to complete upgrades to its information security systems within a year, the agency said following recommendations from the Government Accountability Office that it "needs to rectify … weaknesses that place industry and public health data at risk."
GAO's report was requested by the leadership of the House Energy and Commerce Committee, who put out a relatively upbeat statement about the findings. "The security of information held and managed by FDA is far better today because of collaboration with the committee and independent auditors, and can serve as a model for future Congress-agency interaction across the government in fortifying cybersecurity."
FDA's reaction to the report seems more defensive in tone. A statement by FDA Chief Information Officer Todd Simpson notes that the agency is "already fully implementing 80 percent (12 of 15) of GAO’s program recommendations, and 61 percent (102 of 166) of GAO’s technical recommendations. We anticipate completing the remaining three program recommendations in the next few months, and the remaining technical recommendations in the next year."
Left unsaid by FDA is that the work is already well underway because GAO and the Commerce Committee were so alarmed by the findings that they started sharing the results with FDA at the beginning of the year, even before the audit was completed.
Simpson's statement was accompanied by a graph and table showing the agency's progress on the program recommendations (see below), and the FDA release also includes what could probably be best described as talking points:
"The FDA appreciates and takes very seriously the GAO report’s recommendations, but the report’s limited findings should not be broadly applied to the FDA’s entire IT enterprise," Simpson said. "It is also important to note that the FDA has not experienced any major cybersecurity related breaches that exposed industry or public health information."
That's perfectly true, and well worth understanding, but the agency's statements leave an incomplete impression. GAO's audit was indeed "limited" – it only included seven of FDA's more than 80 systems – but that doesn't mean the agency's other systems are completely fine; they simply haven't been assessed. And FDA may not see the breaches it has suffered as "major," but sponsors who had to reset their passwords after the agency's registration databases were hacked in 2013 might indeed choose that term to categorize the incident. (Also see "FDA Cybersecurity Again In Spotlight As Hackers Breach CBER’s Database" - Pink Sheet, 11 Nov, 2013.)
If FDA seems loath to acknowledge information security shortcomings, the reaction is understandable given how the agency has felt treated by GAO reports in the past. The agency and watchdog have a long-running dispute over the assessment of drug shortages, and recently a relatively banal GAO report concluding that FDA needs to do a better job with its long-term planning was seized on by some Senators to basically declare that the agency shouldn't get funding increases. (Also see "FDA Funding Debate Reframed By GAO Reports On Strategic Planning" - Pink Sheet, 16 Jun, 2016.)
Problems And Solutions
GAO's report concluded that the agency's information security "weaknesses existed, in part, because FDA had not fully implemented an agency-wide information security program, as required under the Federal Information Security Modernization Act of 2014 and the Federal Information Security Management Act of 2002. For example, FDA did not:
- Ensure risk assessments for reviewed systems were comprehensive and addressed system threats,
- Review or update security policies and procedures in a timely manner,
- Complete system security plans for all reviewed systems or review them to ensure that the appropriate controls were selected,
- Ensure that personnel with significant security responsibilities received training or that such training was effectively tracked,
- Always test security controls effectively and at least annually,
- Always ensure that identified security weaknesses were addressed in a timely manner, and
- Fully implement procedures for responding to security incidents."
FDA's statement in response to the report notes that it is most of the way through fixing the problems, although it only details progress on the program recommendations, not the technical ones, which are not as far along.
| In Progress FDA Information Security Programs | Percentage Complete | Recommendation Number In GAO Report |
|---|---|---|
| Complete a risk assessment and authorization to operate for one FDA system. | 25% | 1 |
| Review and update as needed per FDA’s frequency, the policies for the 11 security control families. | 20% | 6 |
| Test controls for two systems at least annually. | 50% | 12 |

| Completed FDA Information Security Programs | Percentage Complete | Recommendation Number In GAO Report |
|---|---|---|
| Ensure that completed risk assessments for six systems reviewed address the likelihood and impact of threats to FDA. | 100% | 2 |
| Develop a policy for system maintenance. | 100% | 3 |
| Develop procedures for the following eight security control families. | 100% | 4 |
| Enhance procedures for the following seven security control families. | 100% | 5 |
| Develop a security plan for one system. | 100% | 7 |
| Update security plans to ensure the plans fully and accurately document the controls selected and intended for protecting each of the six (reviewed) systems. | 100% | 8 |
| Review and approve security plans for the six systems reviewed at least annually. | 100% | 9 |
| Implement a process to effectively monitor and track training for personnel with significant security roles and responsibilities. | 100% | 10 |
| Ensure that personnel with significant security responsibilities receive role-based training. | 100% | 11 |
| Implement remedial actions in accordance with FDA’s prescribed time frames or update milestones if actions are delayed. | 100% | 13 |
| Update FDA’s incident response policy in accordance with agency requirements. | 100% | 14 |
| Update incident response procedures to include (1) instructions for coordinating incident response with contingency planning and (2) lessons learned from incident response tests. | 100% | 15 |

Source: FDA