Jan 31 2023

Federal Agencies Can Learn from the FDA’s Cybersecurity Modernization Action Plan

The FDA looks to establish a zero-trust model, leverage AI and machine learning, and promote software assurance best practices.

The U.S. Food and Drug Administration recently released a cybersecurity modernization action plan, expressing an urgency to enhance defenses to mitigate growing threats that agencies have faced in the past few years. The FDA alone has reported a 457 percent increase in reconnaissance activities, denial of service, attempted exploitation and other cyber incidents against IT infrastructure during the pandemic.

The FDA said it needs to evolve to address these changing threats, and it will advance an agencywide approach to cybersecurity modernization. The new action plan will build on the FDA’s 2019 Technology Modernization Action Plan, its 2021 Data Modernization Action Plan and its 2022 Enterprise Modernization Action Plan.

“The FDA’s cybersecurity and technology modernization efforts are key to faster, more accurate, data-driven decisions to support our public health and regulatory mission,” says FDA CISO Craig Taylor. “By protecting and securing our information systems, we are better protecting and securing public health.”

Of course, the FDA isn’t the only federal agency under fire from bad actors. How can other agencies follow in the FDA’s footsteps? The organization's modernization plan outlines key actions, such as establishing a zero-trust approach to security, leveraging artificial intelligence (AI) and machine learning (ML), and promoting software assurance best practices, as well as steps other agencies can take to modernize their IT systems.

Prioritizing Data Protection with Zero Trust

In its modernization plan, the FDA identified data and information protection as priority No. 1. It’s enhancing its cybersecurity protections by implementing a zero-trust security framework, along with secure cloud computing, multifactor authentication, encryption, threat detection and vulnerability management.

To ensure smooth adoption, the FDA’s Office of Digital Transformation developed a zero-trust implementation strategy. To make sure it stays on the right track, the FDA will measure its progress using a scorecard based on criteria defined in the Cybersecurity and Infrastructure Security Agency’s Zero Trust Maturity Model. That model identifies criteria for three levels of maturity: traditional, advanced and optimal.

At the final, optimal stage of the model, zero-trust maturity means:

  • Fully automated assigning of attributes to assets and resources
  • Dynamic policies based on automated/observed triggers
  • Alignment with open standards for cross-pillar interoperability
  • Centralized visibility with historian functionality for point-in-time recollection of state
  • Assets have self-enumerating dependencies for dynamic least privilege access (within thresholds)

How the FDA Is Committing to Cybersecurity Innovation

The FDA also prioritized cybersecurity innovation and set up frameworks to identify and support the adoption of emerging technologies. The agency named ML, AI, data sharing, collaboration platforms and high-performance computing as the innovative tools and technologies it is looking to migrate toward in the near future.

“Our future vision is a highly skilled cyber workforce that leverages state-of-the-art technologies,” the FDA noted in a release on the new modernization plan.

A Comprehensive Security Adoption and Modernization Strategy

In addition to zero-trust adoption, the FDA’s main cybersecurity modernization initiatives include promoting software assurance best practices to include security at every stage of development.

“From the planning, development, testing, production and through retirement of our software solutions, the FDA utilizes advanced code analysis technology during development and continuous monitoring in production to assure our software solutions are secure,” Taylor says.

The FDA is poised to leverage AI/ML technologies to enhance cyber detection and response capabilities. Additionally, the agency looks to integrate counterintelligence and insider risk principles and prioritize and invest in the FDA’s cybersecurity workforce.

“The FDA identified cybersecurity workforce needs; expanded cyber mentorship, education and training for the workforce; recruited and hired cyber talent; and retained and developed highly skilled personnel,” Taylor says. “Partnering with the FDA Office of Talent Solutions, the Office of Digital Transformation established a category of retention incentive pay of 5 percent at one year, 7.5 percent at two years and 10 percent at three years for cybersecurity positions.”
