The Government Accountability Office has recommended the Food and Drug Administration fully implement an agency-wide information security program and take 166 specific actions to address gaps in information security controls.
GAO said in a report published Thursday the FDA has taken steps to protect seven GAO-reviewed systems that might jeopardize the confidentiality, integrity and availability of information and systems.
Auditors noted the FDA did not fully or consistently implement access controls designed to prevent, limit and detect unauthorized access to computing resources, and that 87 information security weaknesses were identified in access controls, configuration management, contingency planning and media protection.
GAO added the FDA did not protect the boundaries of its network, identify and authenticate system users, limit user access, encrypt sensitive data, audit and monitor system activity or conduct physical security reviews of its facilities.
The watchdog attributed the control weaknesses to a failure to implement an FDA-wide information security program required under the Federal Information Security Modernization Act of 2014 and the Federal Information Security Management Act of 2002.