The Government Accountability Office says the Food and Drug Administration should do more to strengthen the security of its information systems that track industry and public health data.
The report, released Thursday, says that while the agency has taken some steps to strengthen the seven systems reviewed by the nonpartisan watchdog organization, the FDA did not “fully or consistently implement access controls, which are intended to prevent, limit, and detect unauthorized access to computing resources.”
The FDA did not adequately protect its network boundaries, consistently identify and authenticate system users, limit users' access to only what was necessary for their jobs, encrypt sensitive data, review system activity or conduct physical security reviews of its facilities, the report says.
“FDA conducted background investigations for personnel in sensitive positions, but weaknesses existed in other controls, such as those intended to manage the configurations of security features on and control changes to hardware and software; plan for contingencies, including systems disruptions and their recovery; and protect media such as tapes, disks, and hard drives to ensure information on them was ‘sanitized’ and could not be retrieved after they are disposed of,” it reads.
The report finds that the weaknesses in system security exist because the FDA did not fully implement an agency-wide security program under the Federal Information Security Modernization Act of 2014 and the Federal Information Security Management Act of 2002.
The partnership between the committee, the GAO and the FDA could serve as a model for oversight of the security systems for other federal agencies that work with sensitive information, a release from the committee says.
“While the committee continues to monitor FDA’s progress, the fact remains that FDA’s cybersecurity posture today as compared to when GAO first informed the committee about the vulnerabilities is much improved,” it reads. “The collaborative effort undertaken by all parties involved helped resolve the problem faster, more efficiently, and more effectively than more traditional means.”