FDA Statement from Todd Simpson, FDA Chief Information Officer (CIO) on GAO Report Regarding FDA’s IT Security Program

For Immediate Release

September 29, 2016


Information security and the protection of industry and public health information are among the FDA’s highest priorities and we do not take lightly the recommendations provided by the Government Accountability Office (GAO) in its August 2016 report. The FDA has worked quickly to address the concerns outlined by the GAO - already fully implementing 80 percent (12 of 15) of GAO’s program recommendations, and 61 percent (102 of 166) of GAO’s technical recommendations. We anticipate completing the remaining three program recommendations in the next few months, and the remaining technical recommendations in the next year.

The agency continues to enhance its cybersecurity strategies and procedures to ensure FDA information security systems provide adequate protection of industry data and public health information on a continual, long-term basis. In support of these efforts, we acquired industry-leading expertise to assist in the development and execution of timely action plans, as well as program/project management activities to immediately address the recommendations outlined in the GAO report.

The FDA appreciates and takes very seriously the GAO report’s recommendations, but the report’s limited findings should not be broadly applied to the FDA’s entire IT enterprise. It is also important to note that the FDA has not experienced any major cybersecurity related breaches that exposed industry or public health information. We recognize the risks associated with operating our large global IT enterprise and have implemented processes, procedures and tools to ensure the deterrence, prevention, detection and correction of incidents. In addition to addressing the majority of the recommendations identified in the GAO report, we have also undertaken several other key activities and initiatives to ensure our IT systems and sensitive information are appropriately protected by safeguarding against unauthorized disclosure, access or misuse.

We are committed to working with the Energy and Commerce Committee and the GAO to ensure the timely closure of their findings. Find the GAO report with FDA’s response from June 2016 here:

This chart shows 12 (80%) of the 15 Program Recommendations have been remediated. 3 of the Program Recommendations are in progress.

| Rec# | Security Program Recommendations - Completed | % Complete |
|---|---|---|
| 2 | Ensure that completed risk assessments for six systems reviewed address the likelihood and impact of threats to FDA. | 100% |
| 3 | Develop a policy for system maintenance. | 100% |
| 4 | Develop procedures for the following eight security control families. | 100% |
| 5 | Enhance procedures for the following seven security control families. | 100% |
| 7 | Develop a security plan for one system. | 100% |
| 8 | Update security plans to ensure the plans fully and accurately document the controls selected and intended for protecting each of the six (reviewed) systems. | 100% |
| 9 | Review and approve security plans for the six systems reviewed at least annually. | 100% |
| 10 | Implement a process to effectively monitor and track training for personnel with significant security roles and responsibilities. | 100% |
| 11 | Ensure that personnel with significant security responsibilities receive role-based training. | 100% |
| 13 | Implement remedial actions in accordance with FDA’s prescribed time frames or update milestones if actions are delayed. | 100% |
| 14 | Update FDA’s incident response policy in accordance with agency requirements. | 100% |
| 15 | Update incident response procedures to include (1) instructions for coordinating incident response with contingency planning and (2) lessons learned from incident response tests. | 100% |

| Rec# | Security Program Recommendations - Open | % In Progress |
|---|---|---|
| 12 | Test controls for two systems at least annually. | 50% |
| 1 | Complete a risk assessment and authorization to operate for one FDA system. | 25% |
| 6 | Review and update as needed per FDA’s frequency, the policies for the 11 security control families. | 20% |





 Stephanie Caccomo



Page Last Updated: 09/29/2016