(b) The security plan must be designed according to a site-specific risk assessment and must provide graded protection in accordance with the risk of the select agent or toxin, given its intended use. A current security plan must be submitted for initial registration, renewal of registration, or when requested.
(c) * * *
(2) Contain provisions for the control of access to select agents and toxins, including the safeguarding of animals (including arthropods) or plants intentionally or accidentally exposed to or infected with a select agent, against unauthorized access, theft, loss or release.
(8) Describe procedures for how the Responsible Official will be informed of suspicious activity that may be criminal in nature and related to the entity, its personnel, or its select agents or toxins; and describe procedures for how the entity will notify the appropriate Federal, State, or local law enforcement agencies of such activity.
(9) Contain provisions for information security that:
(i) Ensure that all external connections to systems which manage security for the registered space are isolated or have controls that permit only authorized and authenticated users;
(ii) Ensure that authorized and authenticated users are only granted access to select agent and toxin related information, files, equipment (e.g., servers or mass storage devices), and applications as necessary to fulfill their roles and responsibilities, and that access is modified when the user's roles and responsibilities change or when their access to select agents and toxins is suspended or revoked;
(iii) Ensure that controls are in place that are designed to prevent malicious code (such as, but not limited to, computer viruses, worms, spyware) from compromising the confidentiality, integrity, or availability of information systems which manage access to spaces registered under this part or records as specified in § 331.17;
(iv) Establish a robust configuration management practice for information systems to include regular patching and updates made to operating systems and individual applications; and
(v) Establish procedures that provide backup security measures in the event that access control systems, surveillance devices, and/or systems that manage the requirements of § 331.17 are rendered inoperable.
(10) Contain provisions and policies for shipping, receiving, and storage of select agents and toxins, including documented procedures for receiving, monitoring, and shipping of all select agents and toxins. These provisions must provide that an entity will properly secure containers on site and have a written contingency plan for unexpected shipments.
(e) Entities must conduct complete inventory audits of all affected select agents and toxins in long-term storage when any of the following occur:
(1) Upon the physical relocation of a collection or inventory of select agents or toxins for those select agents or toxins in the collection or inventory;
(2) Upon the departure or arrival of a principal investigator for those select agents and toxins under the control of that principal investigator; or
(3) In the event of a theft or loss of a select agent or toxin, all select agents and toxins under the control of that principal investigator.
(g) In developing a security plan, an individual or entity should consider the documents entitled, “Security Guidance for Select Agent or Toxin Facilities.” This document is available on the National Select Agent Registry at