FDA Cybersecurity Defenses and Enhancements within the Threat Landscape
By Todd Simpson, CIO, FDA
The U.S. Food and Drug Administration (FDA) relies on a strong enterprise security system to help the agency fulfill its global public health mission. In September 2016, the Government Accountability Office (GAO) issued a report, “FDA Needs to Rectify Control Weaknesses that Place Industry and Public Health Data at Risk.” This extensive GAO Federal Information Systems Controls Audit Manual (FISCAM) review identified a number of administrative and technical control weaknesses, and associated recommendations, regarding six systems and the Scientific Network within the FDA IT Enterprise. While the FDA has not experienced any major cybersecurity breaches that exposed industry or public health information, the agency took the findings in the report very seriously.
The FDA coordinated with HHS in developing and aligning its Cybersecurity Strategic Plan. The plan strengthens the agency’s ability to conduct highly effective incident response, insider threat detection, and operational situational awareness; decreases overall security risk; and supports the delivery of secure services to our customers. The agency then positioned both the financial and operational resources needed to enhance our cyber defenses and the operational awareness required to address these evolving challenges effectively.
The findings from the GAO report were further integrated into the FDA’s Cybersecurity Strategic Plan. Our five-year needs include a budgetary increase in FY 2018 to address the cybersecurity vulnerabilities and associated recommendations identified by the Government Accountability Office audit. Specifically, while the FDA’s Cybersecurity Program budget was less than 2 percent of the total IT budget in 2015, in 2016 spending increased to 5 percent. This increase will go a long way toward ensuring that the FDA’s Cybersecurity program fully implements its agency-wide information security program. These needs include implementing true Disaster Recovery (DR) in place of the traditional high availability model previously employed at FDA. They also include critical infrastructure improvements and refreshing our Intrusion Detection System (IDS) technology. All of these investments will address the GAO recommendations and strengthen our ability to conduct highly effective operations within our cybersecurity program.
The FDA’s Cybersecurity Strategic Plan has a broad focus on information protection that outlines safeguards against unauthorized disclosure, access, or misuse as first line defenses. Also, the plan highlights cyber, threat, and vulnerability management with an emphasis on strengthening our detection and response capabilities. Finally, FDA focuses on IT and cybersecurity compliance intended to improve its existing information security compliance policies, procedures, and practices.
The additional funding will improve FDA’s ability to detect cybersecurity threats, better protect information by leveraging Data Loss Prevention (DLP) technologies, improve authorized access to FDA information, strengthen cybersecurity skills through training, and ensure availability of FDA business applications. Beyond DLP, we focus on implementing encryption at rest, security incident response event management, upgrading our perimeter firewalls, rolling out multi-factor authentication to overcome HSPD-12 technology gaps, and upgrading our end-of-life hardware and software.
Recent actions we have taken to strengthen our cybersecurity program include the realignment of the Cybersecurity Program leadership and shifting the direction of the Information Security Services Staff to ensure the confidentiality, integrity, and availability of over 300 systems and applications across the FDA Enterprise. We stood up a Scientific Computing Cybersecurity Task Force in order to build a secure, compliant, and manageable scientific research environment, and we enhanced information sharing to support computer incident response operations, counterintelligence, cybersecurity, and insider threat detection.
Among the most significant enhancements of the FDA cybersecurity posture was the alignment of the Systems Management Center (SMC) under the FDA Chief Information Security Officer (CISO), which has significantly improved our security and operational postures. The SMC supports the integration and unification of the Network Operations Center (NOC), Security Operations Center (SOC), systems/application monitoring, and other related cybersecurity threat management activities and operations. It is the central command and control center for the monitoring, triaging, troubleshooting, and escalation of all detected, reported, or potential security incidents, performance issues, enterprise services, and infrastructure operations.
Operationalizing the SMC required dedicated people and a shared understanding of procedures in order to succeed. Under the SMC construct, three teams were developed:
► Tools and Alerts: This team conducts incident/event management oversight and notification activities. Its scope includes network, system, and application monitoring tools, incident tickets, events, and email and/or telephone notifications.
► Network and Infrastructure: This team coordinates, triages, and responds to incidents/events. Responses may escalate to specialist teams within the SMC or to an appropriate service team, based on the type of incident, the technology involved, and the severity of the threat.
► Cybersecurity Operations: This team monitors and conducts incident response and cybersecurity analysis. It proactively addresses imminent threats to prevent risk exposure and disruption.
The SMC provides near real-time cybersecurity capabilities and risk management methods to protect sensitive data and information systems in support of the FDA’s public health mission. The SMC is a hub for collaboration and transparency, and represents a culture of cooperation, collaboration, transparency, and openness across the entire FDA Enterprise.
Efficiencies and response times for incident and event management have substantially improved. Quarterly Balanced Scorecard Reporting indicates positive results in key performance measures and metrics, highlighting an overall decrease in network outages and application downtime. Despite considerable increases in external cyber threats, the SMC monitoring tools and capabilities have successfully prevented and detected potential cyber incidents and have improved enforcement of cybersecurity standards, controls, and overall operational policies.
Effective coordination and collaboration with the Department of Homeland Security’s U.S. Computer Emergency Readiness Team (CERT) and the Department of Health and Human Services’ Computer Security Incident Response (CSIRC), to rapidly detect, identify, and respond to cybersecurity attacks and enterprise incidents, has reduced overall threat exposure. Consistent with our IT and Cybersecurity Strategic Plans, the operationalization of the SMC has been critical in meeting the following objectives:
► Reduction of the overall number of identified vulnerabilities
► Enhancement of network monitoring and alerting capabilities to detect suspicious patterns that may indicate network or system attacks, breaches, and outages
► Adoption of cyber and intelligence principles that afford dissemination of cyber threat information to senior management, center leadership, and other relevant security partners
► Expansion of information sharing, coordination, and collaboration among FDA Centers, Offices, and external agencies
The protection of FDA information and information systems remains our top priority. The SMC is a unique capability and an essential component of the cybersecurity program, leading its work to reduce the threats, vulnerabilities, and risks to our public health mission.