Mapping the Road Ahead: FDA Targets Cybersecurity

FDA published its Cybersecurity Modernization Plan, the fifth "MAP" in a years-long effort that began in 2019.

The Food and Drug Administration (FDA) released its Cybersecurity Modernization Action Plan (CMAP) earlier this month, the latest addition to the agency’s collection of digital transformation strategies helping FDA allocate technology, talent and resources for optimized modernization efforts.

The CMAP comes as federal agencies continue to experience record numbers of ransomware and cyberattacks since the beginning of the COVID-19 pandemic.

FDA developed its first targeted digital transformation strategy in 2019 with the release of the Technology Modernization Action Plan (TMAP). Since then, the agency developed four additional modernization action plans, or "MAPs," to strategically drive the modernization of data, business processes, workforce, cybersecurity and more.

These include:

  • Technology Modernization Action Plan (TMAP), 2019
  • Data Modernization Action Plan (DMAP), 2021
  • Enterprise Modernization Action Plan (EMAP), 2022
  • Cybersecurity Modernization Action Plan (CMAP), 2022
  • Leadership Modernization Action Plan (LMAP), coming 2023

“Over the years – because of our past siloed and fragmented culture – we've built up a lot of technical debt,” FDA’s CIO Vid Desai told GovCIO Media & Research in a June HealthCast. “In 2019, we did a study and over 73% of our IT environment was end-of-life. Many of our existing systems were built in the siloed, fragmented manner that makes it really hard for us to do many simple things. Over 95% of our budget is basically going into keeping our legacy systems running.”

Technology Modernization Action Plan  

The FDA published its first “MAP” in September 2019, the TMAP, which focused on near-term modernization in computer hardware and software technologies.

FDA outlined three major elements in its TMAP: 1) modernizing FDA’s technical infrastructure; 2) enhancing FDA's capability to develop technology products to support its regulatory mission; and 3) fostering communication and collaboration between FDA and stakeholders to drive technological progress that is interoperable across the system.

The TMAP was intended to provide a sturdy technological foundation for the development of FDA’s ongoing strategy around data itself, in order to better leverage data and accelerate the path to improved therapeutic and diagnostic options.

Ultimately, the goal of the TMAP is to enable the FDA to “make sense of all of their data in efficient ways so they can aggregate critical and sensitive information across different drug applications and medical device applications,” said Amy Abernethy, former FDA Principal Deputy Director and Acting CIO. 

This year's TMAP annual report outlined how the FDA drove infrastructure and operations modernization in response to the pandemic, built an agile culture for adopting best practices and fostered partnerships across the federal technology sector.

 

Data Modernization Action Plan 

The March 2021 Data Modernization Action Plan (DMAP) expanded on the progress FDA made with TMAP. DMAP takes a three-pronged actionable approach, focusing on data use cases, practices and talent. 

“Our initial focus was towards stabilization, and I'm so glad we took the time to focus on that, because when the pandemic hit us, the work that we had done to stabilize our environment is what allowed us to shift to telework with little to no disruption to the agency,” Desai said in the June HealthCast. “It was a huge win for us. Since then, we've started shifting away from just stabilization now towards more of a modernization and transformation.” 

During an interview following DMAP’s release, FDA’s Chief Data Officer Ram Iyer said the TMAP provided a technological foundation for the development of FDA’s Data Strategy, and the DMAP will realize the strategy with immediate and longer-term actions. 

“I think of the TMAP as the lowest level of foundation,” Iyer said. “On top of that, we are building the DMAP, so there is a high level of interconnectivity between the TMAP and DMAP, and then we expect to build additional layers on top so that we get the value out of it.” 

Earlier this year, FDA published an annual report on the progress made with TMAP and DMAP, which outlined where the agency optimized shared business processes, enhanced operational efficiency and data use, and strengthened cross-agency alignment with strategic objectives and investments. 

The report outlined how FDA’s DMAP and TMAP enabled the agency to meet new pandemic demands and accelerated FDA’s modernization of IT infrastructure, analytic services, talent and tools, supporting the agency’s work at national and international levels. The modernization plans also helped FDA tackle enterprise modernization, break down barriers and eliminate silos, ensuring the agency gets the best return on investment from its talent, technology and budget.

“When I first started talking about modernization – and we published the DMAP and TMAP – there was a lot of skepticism... Now what we're seeing is that skepticism has shifted to enthusiasm,” Desai said. “We can make the change; people are starting to believe that, and there's almost a pep in our step. We're really pleased to see that cultural change that's occurred, which is powering much of our progress on the DMAP and TMAP.”

Enterprise Modernization Action Plan  

In May 2022, FDA published its Enterprise Modernization Action Plan (EMAP), which serves as the “next installment” of the stronger data and technology foundational approach that began with TMAP and DMAP.

The action plan has three primary components: to create the infrastructure to support change, develop a common operational approach, and strategically align activities.   

“[EMAP] sets the stage for us to align and agree on business process transformation before we apply technology. It's wasteful for us to put technology ahead of the process transformation that needs to occur,” Desai explained during a HealthCast. “If we just modernize technology without modernizing the business processes, all we're doing is replacing old boxes with shiny new boxes, but the business experience doesn't change much.” 

EMAP outlines FDA’s plans to shape the agency’s future by delivering successful cross-agency efforts that optimize common and essential business processes. These efforts will improve operational efficiency and data use, while strengthening the alignment between agency-wide strategic objectives and investments.   

The plan advances modernization by supporting people at the forefront of FDA’s public health mission, focusing on the business of the organization such as financial resources, operational efficiency and data. EMAP’s end goal is to enhance decision-making by improving availability of information and knowledge across FDA by investing in the agency’s staff.

“The EMAP basically shows the work that we've done and we're doing in establishing this transformation office, which will basically look at our enterprise processes, establish where we need to optimize and then apply technology to that,” Desai added.

Cybersecurity Modernization Action Plan 

FDA released its latest map, the Cybersecurity Modernization Action Plan, earlier this month. The CMAP outlines the measures that FDA will take to modernize its security and cyber defenses.  

During the pandemic, the FDA reported a 457% increase in reconnaissance activities, denial of service, attempted exploitation, and other cyber incidents against IT infrastructure. To combat the rising threat levels, the FDA will advance an agency-wide approach to cybersecurity modernization built on zero trust principles.  

The new action plan is designed to build off the progress made on the TMAP, DMAP and EMAP. 

“The CMAP is the next phase in our modernization journey and the FDA’s evolution to having a best-in-class, intelligence-driven and fully integrated cybersecurity program, as we advance towards a mature Zero Trust model,” FDA’s Chief Information Security Officer Craig Taylor told GovCIO Media & Research. 

Strengthening cybersecurity will also facilitate more seamless data sharing across the global regulatory environment, the CMAP report says, and is fundamental to protecting public health. 

 

Leadership Modernization Action Plan 

The Leadership Modernization Action Plan (LMAP) is still in the works, but FDA leaders teased this map will help shape the “CIO of the future.” 

FDA’s Office of Digital Transformation (ODT) is developing the map, which will complement FDA’s Diversity, Equity, Inclusion, and Accessibility (DEIA) Strategy. The LMAP will articulate a strategic framework for new ways of leading, including fundamental leadership competencies and values.  

“We're really interested in creating that diverse, highly talented leadership pipeline within our organization, but also helping to cultivate leaders who are diverse, inclusive and changemakers,” Jess Berrellez, ODT executive officer, told GovCIO Media & Research in a September interview. “[We’re] really focusing on building a deep leadership bench and ‘smart skills,’ not just technical skills.”

The action plan also aligns with Executive Order No. 14035, which called upon the federal government to “be a model for diversity, equity, inclusion and accessibility.” 

Berrellez aims to release the LMAP in 2023.

“The next year is going to be about articulating our strategic vision and helping to formalize and scale a lot of these early ideas that we've prototyped internally,” Berrellez said.