The Food and Drug Administration needs to take 166 specific actions to resolve 87 identified information security weaknesses, a recent study by the Government Accountability Office determined. 

Asked to examine security policies, procedures, reports and controls of key FDA network infrastructure, the GAO found significant access control and configuration management issues that jeopardize the confidentiality, integrity and availability of information in the seven systems assessed. 

FDA computing resource safeguards did not adequately or consistently protect network boundaries; identify, authenticate and limit users' access; properly encrypt data; audit and monitor system activity and manage security feature configurations; plan for system disruption/recovery contingencies; and review facility and physical media security.

The Aug. 30 report, publicly released Sept. 29, notes that the risk of unauthorized data access, use, disclosure, alteration and loss partially stems from the FDA not fully implementing an agencywide information security program, as required under the Federal Information Security Modernization Act of 2014 and the Federal Information Security Management Act of 2002.

The Department of Health and Human Services, FDA's parent agency, agreed with GAO's draft recommendations that timely risk assessments, security plan reviews and updates, controls tests, security incident response procedures, and personnel training should be implemented.

The report can be viewed in its entirety on GAO's website.
