
FDA Statement

FDA Statement from Todd Simpson, FDA Chief Information Officer (CIO) on GAO Report Regarding FDA’s IT Security Program


Information security and the protection of industry and public health information are among the FDA’s highest priorities, and we do not take lightly the recommendations provided by the Government Accountability Office (GAO) in its August 2016 report. The FDA has worked quickly to address the concerns outlined by the GAO: it has already fully implemented 80 percent (12 of 15) of GAO’s program recommendations and 61 percent (102 of 166) of GAO’s technical recommendations. We anticipate completing the remaining three program recommendations in the next few months, and the remaining technical recommendations in the next year.

The agency continues to enhance its cybersecurity strategies and procedures to ensure FDA information security systems provide adequate protection of industry data and public health information on a continual, long-term basis. In support of these efforts, we acquired industry-leading expertise to assist in the development and execution of timely action plans, as well as program/project management activities to immediately address the recommendations outlined in the GAO report.

The FDA appreciates and takes very seriously the GAO report’s recommendations, but the report’s limited findings should not be broadly applied to the FDA’s entire IT enterprise. It is also important to note that the FDA has not experienced any major cybersecurity related breaches that exposed industry or public health information. We recognize the risks associated with operating our large global IT enterprise and have implemented processes, procedures and tools to ensure the deterrence, prevention, detection and correction of incidents. In addition to addressing the majority of the recommendations identified in the GAO report, we have also undertaken several other key activities and initiatives to ensure our IT systems and sensitive information are appropriately protected by safeguarding against unauthorized disclosure, access or misuse.

We are committed to working with the Energy and Commerce Committee and the GAO to ensure the timely closure of their findings. Find the GAO report with FDA’s response from June 2016 here: http://www.gao.gov/assets/680/679359.pdf

This chart shows that 12 (80%) of the 15 Program Recommendations have been remediated. The remaining 3 Program Recommendations are in progress.

| Rec# | Security Program Recommendations (Completed) | % Complete |
|------|----------------------------------------------|------------|
| 2 | Ensure that completed risk assessments for six systems reviewed address the likelihood and impact of threats to FDA. | 100% |
| 3 | Develop a policy for system maintenance. | 100% |
| 4 | Develop procedures for the following eight security control families. | 100% |
| 5 | Enhance procedures for the following seven security control families. | 100% |
| 7 | Develop a security plan for one system. | 100% |
| 8 | Update security plans to ensure the plans fully and accurately document the controls selected and intended for protecting each of the six (reviewed) systems. | 100% |
| 9 | Review and approve security plans for the six systems reviewed at least annually. | 100% |
| 10 | Implement a process to effectively monitor and track training for personnel with significant security roles and responsibilities. | 100% |
| 11 | Ensure that personnel with significant security responsibilities receive role-based training. | 100% |
| 13 | Implement remedial actions in accordance with FDA’s prescribed time frames or update milestones if actions are delayed. | 100% |
| 14 | Update FDA’s incident response policy in accordance with agency requirements. | 100% |
| 15 | Update incident response procedures to include (1) instructions for coordinating incident response with contingency planning and (2) lessons learned from incident response tests. | 100% |

| Rec# | Security Program Recommendations (Open) | % In Progress |
|------|------------------------------------------|---------------|
| 12 | Test controls for two systems at least annually. | 50% |
| 1 | Complete a risk assessment and authorization to operate for one FDA system. | 25% |
| 6 | Review and update as needed, per FDA’s frequency, the policies for the 11 security control families. | 20% |
FDA Office of Media Affairs
