Information Security:

FDA Needs to Rectify Control Weaknesses That Place Industry and Public Health Data at Risk

GAO-16-513: Published: Aug 30, 2016. Publicly Released: Sep 29, 2016.

Multimedia:

  • PODCAST: FDA Information Security
    Since the issuance of our limited distribution report, FDA told us that it has taken actions to correct the weaknesses we identified. Further, FDA provided us with information on its corrective actions; we are in the process of determining whether these actions sufficiently address implementation of our recommendations.

    Audio interview by GAO staff with Greg Wilshusen, Director, Information Technology.

Contact:

Gregory C. Wilshusen
(202) 512-6244
wilshuseng@gao.gov

Nabajyoti Barkakati, Ph.D.
(202) 512-4499
barkakatin@gao.gov

Office of Public Affairs
(202) 512-4800
youngc1@gao.gov

What GAO Found

Although the Food and Drug Administration (FDA), an agency of the Department of Health and Human Services (HHS), has taken steps to safeguard the seven systems GAO reviewed, a significant number of security control weaknesses jeopardize the confidentiality, integrity, and availability of its information and systems. The agency did not fully or consistently implement access controls, which are intended to prevent, limit, and detect unauthorized access to computing resources. Specifically, FDA did not always (1) adequately protect the boundaries of its network, (2) consistently identify and authenticate system users, (3) limit users' access to only what was required to perform their duties, (4) encrypt sensitive data, (5) consistently audit and monitor system activity, and (6) conduct physical security reviews of its facilities. FDA conducted background investigations for personnel in sensitive positions, but weaknesses existed in other controls, such as those intended to manage the configuration of security features on hardware and software and to control changes to them; plan for contingencies, including system disruptions and their recovery; and protect media such as tapes, disks, and hard drives to ensure that information on them was "sanitized" and could not be retrieved after the media were disposed of. The table below shows the number of GAO-identified weaknesses and associated recommendations, by control area.

Number of GAO-Identified Information Security Weaknesses at the Food and Drug Administration and Associated Recommendations, by Control Area

Control area               Number of weaknesses identified   Number of recommendations
Access controls            58                                122
Configuration management   23                                37
Contingency planning       5                                 6
Media protection           1                                 1
Total                      87                                166

Source: GAO. | GAO-16-513

These control weaknesses existed, in part, because FDA had not fully implemented an agency-wide information security program, as required under the Federal Information Security Modernization Act of 2014 and the Federal Information Security Management Act of 2002. For example, FDA did not

  • ensure risk assessments for reviewed systems were comprehensive and addressed system threats,
  • review or update security policies and procedures in a timely manner,
  • complete system security plans for all reviewed systems or review them to ensure that the appropriate controls were selected,
  • ensure that personnel with significant security responsibilities received training or that such training was effectively tracked,
  • always test security controls effectively and at least annually,
  • always ensure that identified security weaknesses were addressed in a timely manner, and
  • fully implement procedures for responding to security incidents.

Until FDA rectifies these weaknesses, the public health and proprietary business information it maintains in these seven systems will remain at an elevated and unnecessary risk of unauthorized access, use, disclosure, alteration, and loss.

Why GAO Did This Study

FDA has a demanding responsibility of ensuring the safety, effectiveness, and quality of food, drugs, and other consumer products. In carrying out its mission, FDA relies extensively on information technology systems to receive, process, and maintain sensitive industry and public health data, including proprietary business information such as industry drug submissions and reports of adverse reactions. Accordingly, effective information security controls are essential to ensure that the agency's systems and information are adequately protected from inadvertent or deliberate misuse, improper modification, unauthorized disclosure, or destruction.

GAO was asked to examine security controls over key FDA information systems. GAO assessed the extent to which FDA had effectively implemented information security controls to protect the confidentiality, integrity, and availability of its information on seven information systems selected for review. To do this, GAO reviewed security policies, procedures, reports, and other documents; examined the agency's network infrastructure; tested controls for the seven systems; and interviewed FDA personnel.

What GAO Recommends

GAO is making 15 recommendations to FDA to fully implement its agency-wide information security program. In a separate report with limited distribution, GAO is recommending that FDA take 166 specific actions to resolve weaknesses in information security controls. HHS stated in comments on a draft of this report that FDA concurred with GAO's recommendations and has begun implementing several of them.

For more information, contact Gregory C. Wilshusen at (202) 512-6244 or wilshuseng@gao.gov or Dr. Nabajyoti Barkakati at (202) 512-4499 or barkakatin@gao.gov.

Recommendations for Executive Action

  1. Status: Closed - Implemented

    Comments: We verified that FDA completed a risk assessment and an authorization to operate for the FDA system that GAO identified during the audit that was operating without them.

    Recommendation: To effectively implement key elements of the FDA's information security program, the Secretary of Health and Human Services should direct the Commissioner of FDA to complete a risk assessment and authorization to operate for one FDA system.

    Agency Affected: Department of Health and Human Services

  2. Status: Closed - Implemented

    Comments: We verified that risk assessments for six systems reviewed addressed the likelihood and impact of threats to FDA.

    Recommendation: To effectively implement key elements of the FDA's information security program, the Secretary of Health and Human Services should direct the Commissioner of FDA to ensure that completed risk assessments for six systems reviewed address the likelihood and impact of threats to FDA.

    Agency Affected: Department of Health and Human Services

  3. Status: Closed - Implemented

    Comments: We verified that FDA developed a policy for system maintenance.

    Recommendation: To effectively implement key elements of the FDA's information security program, the Secretary of Health and Human Services should direct the Commissioner of FDA to develop a policy for system maintenance.

    Agency Affected: Department of Health and Human Services

  4. Status: Closed - Implemented

    Comments: We verified that FDA developed and documented procedures for the following eight security control families: Audit and Accountability, Identification and Authentication, Maintenance, Media Protection, Physical and Environmental Protection, Security Planning, Systems Communication and Protection, and System Information and Integrity.

    Recommendation: To effectively implement key elements of the FDA's information security program, the Secretary of Health and Human Services should direct the Commissioner of FDA to develop procedures for the following 8 security control families: Audit and Accountability, Identification and Authentication, Maintenance, Media Protection, Physical and Environmental Protection, Security Planning, Systems Communication and Protection, and System Information and Integrity.

    Agency Affected: Department of Health and Human Services

  5. Status: Closed - Implemented

    Comments: We verified that FDA enhanced procedures for implementing controls in the following seven security control families: Access Control, Awareness and Training, Security Assessment and Authorization, Configuration Management, Program Management, Personnel Security, and System and Services Acquisition.

    Recommendation: To effectively implement key elements of the FDA's information security program, the Secretary of Health and Human Services should direct the Commissioner of FDA to enhance procedures for the following 7 security control families: Access Control, Awareness and Training, Security Assessment and Authorization, Configuration Management, Program Management, Personnel Security, and System and Services Acquisition.

    Agency Affected: Department of Health and Human Services

  6. Status: Closed - Implemented

    Comments: We verified that FDA documented and implemented a new entity-wide policy in March 2017 that addressed each of the 18 National Institute of Standards and Technology security control families, including the 11 security control families in our recommendation.

    Recommendation: To effectively implement key elements of the FDA's information security program, the Secretary of Health and Human Services should direct the Commissioner of FDA to review and update as needed per FDA's frequency, the policies for the following 11 security control families: Access Control, Audit and Accountability, Contingency Planning, Identification and Authentication, Incident Response, Media Protection, Physical and Environmental Protection, Security Planning, Personnel Security, System and Services Acquisition, and System and Information Integrity.

    Agency Affected: Department of Health and Human Services

  7. Status: Closed - Implemented

    Comments: We verified that FDA developed and documented a security plan for one system supporting FDA's scientific research.

    Recommendation: To effectively implement key elements of the FDA's information security program, the Secretary of Health and Human Services should direct the Commissioner of FDA to develop and document a security plan for one system supporting FDA's scientific research.

    Agency Affected: Department of Health and Human Services

  8. Status: Open

    Comments: FDA concurred with the recommendation but has not yet provided sufficient evidence that it has implemented the recommendation.

    Recommendation: To effectively implement key elements of the FDA's information security program, the Secretary of Health and Human Services should direct the Commissioner of FDA to update security plans to ensure the plans fully and accurately document the controls selected and intended for protecting each of the six systems.

    Agency Affected: Department of Health and Human Services

  9. Status: Closed - Implemented

    Comments: We verified that FDA reviewed and approved security plans for the six systems reviewed and documented procedures to review them at least annually.

    Recommendation: To effectively implement key elements of the FDA's information security program, the Secretary of Health and Human Services should direct the Commissioner of FDA to review and approve security plans for the six systems reviewed at least annually.

    Agency Affected: Department of Health and Human Services

  10. Status: Open

    Comments: FDA concurred with the recommendation but has not yet provided sufficient evidence that it has implemented the recommendation.

    Recommendation: To effectively implement key elements of the FDA's information security program, the Secretary of Health and Human Services should direct the Commissioner of FDA to implement a process to effectively monitor and track training for personnel with significant security roles and responsibilities.

    Agency Affected: Department of Health and Human Services

  11. Status: Open

    Comments: FDA concurred with the recommendation but has not yet provided sufficient evidence that it has implemented the recommendation.

    Recommendation: To effectively implement key elements of the FDA's information security program, the Secretary of Health and Human Services should direct the Commissioner of FDA to ensure that personnel with significant security responsibilities receive role-based training.

    Agency Affected: Department of Health and Human Services

  12. Status: Closed - Implemented

    Comments: We verified that FDA tested controls for the two systems that support FDA's scientific research and IT infrastructure and documented procedures to test them at least annually.

    Recommendation: To effectively implement key elements of the FDA's information security program, the Secretary of Health and Human Services should direct the Commissioner of FDA to test controls at least annually for the two systems that support FDA's scientific research and IT infrastructure.

    Agency Affected: Department of Health and Human Services

  13. Status: Closed - Implemented

    Comments: We verified that FDA implemented remedial actions in accordance with its prescribed timeframes. Additionally, the statuses of open and overdue remedial actions are included in monthly program reports for management review and attention.

    Recommendation: To effectively implement key elements of the FDA's information security program, the Secretary of Health and Human Services should direct the Commissioner of FDA to implement remedial actions in accordance with FDA's prescribed time frames or update milestones if actions are delayed.

    Agency Affected: Department of Health and Human Services

  14. Status: Closed - Implemented

    Comments: We verified that FDA updated its incident response policy in accordance with agency requirements.

    Recommendation: To effectively implement key elements of the FDA's information security program, the Secretary of Health and Human Services should direct the Commissioner of FDA to update FDA's incident response policy in accordance with agency requirements.

    Agency Affected: Department of Health and Human Services

  15. Status: Closed - Implemented

    Comments: We verified that FDA updated its incident response procedures to include (1) instructions for coordinating incident response with contingency planning and (2) lessons learned from its incident response tests.

    Recommendation: To effectively implement key elements of the FDA's information security program, the Secretary of Health and Human Services should direct the Commissioner of FDA to update incident response procedures to include (1) instructions for coordinating incident response with contingency planning and (2) lessons learned from incident response tests.

    Agency Affected: Department of Health and Human Services
