The Government Accounting Office (GAO) was asked to examine and assess seven key Food and Drug Administration (FDA) information systems.  The assessment was based on the effectiveness to which the FDA may have implemented information security controls intended to protect the confidentiality, integrity, and availability of information.  In the assessment, security policies, procedures, reports, and other documents were reviewed along with an examination of the FDA network infrastructure and interviews of FDA personnel.

The findings by GAO specifically state that the FDA did not always 

1. adequately protect the boundaries of its network
2. consistently identify and authenticate system users
3. limit users’ access to only what was required to perform their duties
4. encrypt sensitive data
5. consistently audit and monitor system activity
6. conduct physical security reviews of its facilities