
The FDA Falls Short in Information Security


The FDA and information security

Much like other businesses these days, the Food and Drug Administration (FDA) relies heavily upon IT systems to fulfill its mission. IT plays a part in conducting operations, processing transactions, delivering services to constituents, and communicating with individuals and organizations.

The FDA collects, processes, and maintains highly sensitive information, including personally identifiable information, trade secrets, and confidential commercial information, which makes a secure network a high priority.

According to a recent Government Accountability Office (GAO) report, the FDA spent $585 million on IT during fiscal year 2015, with nearly $12 million of that spend going directly to information security.

Despite what seems to be a healthy budget for combating cyber attacks and threats, the report details how the FDA failed to fully implement an agency-wide information security program.

GAO takes a hard look

The GAO further outlined within its report six areas in which the FDA failed: (1) adequately protecting the boundaries of its network, (2) consistently identifying and authenticating system users, (3) limiting users' access to only what was required to perform their duties, (4) encrypting sensitive data, (5) consistently auditing and monitoring system activity, and (6) conducting physical security reviews of its facilities.

Where the FDA is falling short

Many of these shortcomings are a direct result of not implementing guidelines required under the Federal Information Security Modernization Act of 2014 and the Federal Information Security Management Act of 2002.

These acts provide a structure that all federal government operations were to implement in order to strengthen overall information security. According to the report, the FDA neglected to apply many of the mandatory directives outlined; specifically, it did not:

  • Ensure risk assessments for reviewed systems were comprehensive and addressed system threats.
  • Review or update security policies and procedures in a timely manner.
  • Complete system security plans for all reviewed systems or review them to ensure that the appropriate controls were selected.
  • Ensure that personnel with significant security responsibilities received training or that such training was effectively tracked.
  • Always test security controls effectively and at least annually.
  • Always ensure that identified security weaknesses were addressed in a timely manner.
  • Fully implement procedures for responding to security incidents.

Placing systems at risk

This lack of execution placed no fewer than seven of the FDA's systems at risk, according to the GAO report. The report identifies weaknesses in access controls, change controls, and patch management that jeopardize the confidentiality, integrity, and availability of these systems.

Adam served ten years in the United States Army primarily in the Operations and Physical Security realm. His tour allowed him to serve in the DC Metro area as the Operations for a Military Police Company and a Sniper/Observer team member for the Military District of Washington's Special Reaction Team, Hawaii as Operations for a Brigade Combat Team, and Fort Leavenworth as the Operations for the Department of Emergency Services as well as a Physical Security Specialist. Adam now works for the University of Foreign Military and Cultural Studies, where Critical Thinking and Group Think Mitigation are taught in hopes of bettering the decision making process and the development of better plans and ideas.
