The Food and Drug Administration (FDA) lacks sufficient security controls, jeopardizing the confidentiality and availability of its data and systems, according to a recent Government Accountability Office (GAO) report.
The GAO report, publicly released on Sept. 29, identified 87 weaknesses across four major control areas, including access controls, configuration management, contingency planning, and media protection. FDA inconsistently protects the boundaries of its network, identifies system users, limits users’ access to only areas required for their specific duties, encrypts sensitive data, monitors system activity, and conducts physical security checks, according to the report.
“The agency did not fully or consistently implement access controls, which are intended to prevent, limit, and detect unauthorized access to computing resources,” the GAO report stated.
The report attributed FDA’s weaknesses to the agency’s failure to implement an agencywide information security program, as required by the Federal Information Security Modernization Act of 2014 and the Federal Information Security Management Act of 2002. FDA does not observe certain mandates of these acts, which include conducting risk assessments, training personnel with significant security responsibilities, and testing security controls.
GAO recommends 15 steps for FDA to implement its agencywide information security program and is releasing another report with 166 recommendations to redress weaknesses in information security controls.
“Until FDA rectifies these weaknesses, the public health and proprietary business information it maintains in these systems will remain at an elevated and unnecessary risk of unauthorized access, use, disclosure, alteration, and loss,” the report said.