FDA’s Cybersecurity Modernization Action Plan

By Vid Desai, Chief Information Officer and Craig Taylor, Chief Information Security Officer, FDA
Twitter: @US_FDA

The U.S. Food and Drug Administration is critical to protecting and promoting public health. The products the FDA regulates are in every supermarket, pharmacy, and home across the U.S. Cybersecurity touches every facet of the FDA’s broad, complex responsibility. It’s one of our agency’s top priorities, and we take it seriously, particularly given today’s increased cybersecurity risks. During the pandemic, the FDA experienced a 457% increase in reconnaissance activities, denial of service, attempted exploitation, and other cyber incidents against IT infrastructure, which includes nearly 9.5 billion firewall and intrusion detection blocks on a monthly basis.

The FDA must enhance current cybersecurity defenses to address the ever-evolving threat landscape and protect the vital data supporting our regulatory decision-making. To achieve these new capabilities, the FDA is advancing an agency-wide approach to cybersecurity modernization under the direction of the Office of Digital Transformation, Office of Information Security (OIS). OIS provides near real-time cybersecurity capabilities and risk management methodologies to protect sensitive data and information systems, with a vision to provide a best-in-class, intelligence-driven cybersecurity program to enable the FDA’s public health mission.

Today we are introducing the Cybersecurity Modernization Action Plan (CMAP), the next phase of the FDA’s enterprise digital approach. Our digital transformation journey began in 2019 with the Technology Modernization Action Plan (TMAP), followed by the Data Modernization Action Plan (DMAP) in 2021 and the Enterprise Modernization Action Plan (EMAP) this year.

To achieve our goals, the FDA is coupling advances at the IT, data, and business process levels with improved cybersecurity capabilities. The CMAP outlines the measures we will take to modernize our security and cyber defenses and implement “Zero Trust.” Zero Trust is a strategy or an approach that ensures that the right people have the right access to the right resources at the right time.

OIS will work across the agency, and in alignment with the TMAP, DMAP, and EMAP, in implementing the FDA’s Cybersecurity Strategic Plan 2022-2025. The CMAP also aligns with the recent Presidential Executive Order 14028, Improving the Nation’s Cybersecurity, and the Office of Management and Budget (OMB) M-22-09, Moving the U.S. Government Toward Zero Trust Cybersecurity Principles.

The key CMAP objectives are to:

  • Establish a comprehensive Zero Trust approach to facilitate new digital services and modernization efforts.
  • Promote software assurance best practices to include security measures at every development lifecycle stage.
  • Enhance interoperable and secure data exchange and collaboration across the FDA and its public health partners.
  • Leverage Artificial Intelligence and Machine Learning technologies to enhance cyber detection and response capabilities.
  • Integrate counterintelligence and insider risk principles with the Zero Trust model to enable an intelligence-driven approach.
  • Prioritize and invest in the FDA’s cybersecurity workforce.

As the cyber threat landscape evolves globally, threat actors present ever-changing challenges. The FDA will modernize our cyber defenses and will continue to develop our workforce to meet current and future cybersecurity needs. Our workforce activities will focus on adopting new processes and technologies to create a skilled workforce that leverages state-of-the-art technologies and advanced processes to address the challenges of a rapidly changing threat environment.

As a “mission first, people always” organization, the FDA actively invests in cybersecurity talent acquisition and development as outlined in Presidential Executive Order 13870, America’s Cybersecurity Workforce. These efforts prioritize the skillsets needed to meet our next-generation cyber needs and modernization objectives.

This cybersecurity modernization plan will serve as our roadmap to effectively transition to a Zero Trust model that will enhance and underpin the security and success of our ongoing IT, data, and business process modernization. This transformation builds on fundamental cybersecurity concepts and technologies, with the goal of attaining an optimal maturity level by upgrading, modernizing, and enhancing our security and cyber defenses. Doing so addresses evolving cyber threats, vulnerabilities, and risks to the FDA’s IT infrastructure and sensitive data, in direct support of the FDA’s mission to protect and promote U.S. public health.

This article was originally published on FDA Voices and is reprinted here with permission.