FDA outlines plan for ‘agency-wide approach’ to cybersecurity

The US Food and Drug Administration (FDA) has released a new action plan for approaching cybersecurity, outlining its mission to upgrade, enhance and modernize its defenses to assets and data at the agency.

“Cybersecurity touches every facet of the FDA’s broad, complex responsibility. It’s one of our agency’s top priorities, and we take it seriously, particularly given today’s increased cybersecurity risks,” Vid Desai, chief information officer and Craig Taylor, chief information security officer at FDA, wrote in a companion FDA Voices statement.

Desai and Taylor noted that there was a 457% increase in cybersecurity threats to FDA during the COVID-19 pandemic, which included “reconnaissance activities, denial of service, attempted exploitation, and other cyber incidents against IT infrastructure.” They said FDA is taking an “agency-wide approach” to combating digital threats.

“The FDA must enhance current cybersecurity defenses to address the ever-evolving threat landscape and protect the vital data supporting our regulatory decision-making,” they wrote.

FDA’s Cybersecurity Modernization Action Plan (CMAP) is the latest in the agency’s digital transformation plans, which followed the Technology Modernization Action Plan in 2019, Data Modernization Action Plan in 2021 and Enterprise Modernization Action Plan in 2022. The overall goal of CMAP is to “protect sensitive information, modernize cybersecurity capabilities, and improve situational awareness to decrease overall security risks” to FDA.

One CMAP objective include implementing a Zero Trust approach, which consists of pillars of identity, device, network environment, application workload and data. The Zero Trust framework also contains support pillars for visibility and analytics, automation and orchestration and governance. Other objectives are to use best practices in software assurance and create security measures at each lifestyle stage of development, improve collaboration and secure data exchange between FDA and its partners as well as within the agency, implement artificial intelligence and machine learning to help identify digital threats and potential responses, use an “intelligence-driven approach” enabled by counterintelligence and insider risk principles in the Zero Trust framework and investing in FDA’s dedicated cybersecurity workforce.

“This transformation builds on the fundamental cybersecurity concepts and technologies with the goal to attain an optimal maturity level by upgrading, modernizing, and enhancing our security and cyber defenses to address evolving cyber threats, vulnerabilities, and risks to the FDA’s IT infrastructure and sensitive data in direct support of FDA’s mission to protect and promote U.S. public health,” Desai and Taylor said in their FDA Voices statement.

The agency anticipates this cybersecurity plan will create opportunities for better customer experience, improved performance, enhanced visibility and situational awareness, increased threat protections and lower latency and faster speed to the cloud through modernized connections. To aid the agency in these goals, FDA envisions a “highly skilled cyber workforce that leverages state-of-the-art technologies and advanced processes” to combat modern digital threats.

“Strengthening FDA’s network environment, identity capabilities, and data protections are critical as the Agency continues to modernize and deploy new digital services and facilitate more seamless data sharing across its global regulatory environment,” FDA wrote in the plan. “Our CMAP will support the Agency in building a modern security architecture that will expedite digital transformation and directly support FDA’s mission to protect and promote U.S. public health.”

Cybersecurity Modernization Action Plan

FDA outlines plan for ‘agency-wide approach’ to cybersecurity

Related topics

Recommended content

Welcome to the new RAPS Digital Experience