(b) The security plan must be designed according to a site-specific risk assessment and must provide graded protection in accordance with the risk of the select agent or toxin, given its intended use. A current security plan must be submitted for initial registration, renewal of registration, or when requested.
(c) * * *
(2) Contain provisions for the control of access to select agents and toxins, including the safeguarding of animals or plants intentionally or accidentally exposed to or infected with a select agent, against unauthorized access, theft, loss or release.
(8) Describe procedures for how the responsible official will be informed of suspicious activity that may be criminal in nature and related to the entity, its personnel, or its select agents or toxins; and describe procedures for how the entity will notify the appropriate Federal, State, or local law enforcement agencies of such activity.
(9) Contain provisions for information security that:
(i) Ensure that all external connections to systems which manage security for the registered space are isolated or have controls that permit only authorized and authenticated users;
(ii) Ensure that authorized and authenticated users are only granted access to select agent and toxin related information, files, equipment (e.g., servers or mass storage devices), and applications as necessary to fulfill their roles and responsibilities, and that access is modified when the user's roles and responsibilities change or when their access to select agents and toxins is suspended or revoked;
(iii) Ensure that controls are in place that are designed to prevent malicious code (such as, but not limited to, computer viruses, worms, spyware) from compromising the confidentiality, integrity, or availability of information systems which manage access to spaces registered under this part or records as specified in § 121.17;
(iv) Establish a robust configuration management practice for information systems to include regular patching and updates made to operating systems and individual applications; and
(v) Establish procedures that provide backup security measures in the event that access control systems, surveillance devices, and/or systems that manage the requirements of § 121.17 are rendered inoperable.
(10) Contain provisions and policies for shipping, receiving, and storage of select agents and toxins, including documented procedures for receiving, monitoring, and shipping of all select agents and toxins. These provisions must provide that an entity will properly secure containers on site and have a written contingency plan for unexpected shipments.
(e) Entities must conduct complete inventory audits of all affected select agents and toxins in long-term storage when any of the following occur:
(1) Upon the physical relocation of a collection or inventory of select agents or toxins for those select agents or toxins in the collection or inventory;
(2) Upon the departure or arrival of a principal investigator for those select agents and toxins under the control of that principal investigator; or
(3) In the event of a theft or loss of a select agent or toxin, all select agents and toxins under the control of that principal investigator.
(f) In addition to the requirements contained in paragraphs (c) and (d) of this section, the security plan for an individual or entity possessing a Tier 1 select agent or toxin must also:
(1) Describe procedures for conducting a pre-access suitability assessment of persons who will have access to a Tier 1 select agent or toxin;
(2) Describe procedures for how an entity's responsible official will coordinate their efforts with the entity's safety and security professionals to ensure security of Tier 1 select agents and toxins and share, as appropriate, relevant information; and
(3) Describe procedures for the ongoing assessment of the suitability of personnel with access to a Tier 1 select agent or toxin. The procedures must include:
(i) Self- and peer-reporting of incidents or conditions that could affect an individual's ability to safely have access to or work with select agents and toxins, or to safeguard select agents and toxins from theft, loss, or release;
(ii) The training of employees with access to Tier 1 select agents and toxins on entity policies and procedures for reporting, evaluation, and corrective actions concerning the assessment of personnel suitability; and
(iii) The ongoing suitability monitoring of individuals with access to Tier 1 select agents and toxins.
(4) Entities with Tier 1 select agents and toxins must prescribe the following security enhancements:
(i) Procedures that will limit access to a Tier 1 select agent or toxin to only those individuals who are approved by the HHS Secretary or Administrator following a security risk assessment by the Attorney General, have had an entity-conducted pre-access suitability assessment, and are subject to the entity's procedures for ongoing suitability assessment;
(ii) Procedures that limit access to laboratory and storage facilities outside of normal business hours to only those specifically approved by the responsible official or designee;
(iii) Procedures for allowing visitors, their property, and vehicles at the entry and exit points to the registered space, or at other designated points of entry to the building, facility, or compound that are based on the entity's site-specific risk assessment;
(iv) A minimum of three security barriers where each security barrier adds to the delay in reaching secured areas where select agents and toxins are used or stored. One of the security barriers must be monitored in such a way as to detect intentional and unintentional circumventing of established access control measures under all conditions (day/night, severe weather, etc.). The final barrier must limit access to the select agent or toxin to personnel approved by the HHS Secretary or Administrator, following a security risk assessment by the Attorney General.
(v) All registered space or areas that reasonably afford access to the registered space must be protected by an intrusion detection system (IDS) unless physically occupied;
(vi) Personnel monitoring the IDS must be capable of evaluating and interpreting the alarm and alerting the designated security response force or law enforcement;
(vii) For powered access control systems, describe procedures to ensure that security is maintained in the event of the failure of access control systems due to power disruption affecting registered space;
(viii) The entity must:
(A) Determine that the response time for security forces or local police will not exceed 15 minutes where the response time is measured from the time of an intrusion alarm, or report of a security incident, to the arrival of the responders at the first security barrier; or
(B) Provide security barriers that are sufficient to delay unauthorized access until the response force arrives in order to safeguard the select agents and toxins from theft, intentional release, or unauthorized access. The response time is measured from the time of an intrusion alarm, or report of a security incident, to the arrival of the responders at the first security barrier.
(5) Entities that possess foot-and-mouth disease virus and rinderpest virus must have the following additional security requirements:
(i) A minimum of four barriers, one of which must be a perimeter security fence or equivalent which is monitored 24 hours a day, 7 days a week (24/7) to detect the presence of unauthorized persons, vehicles, materials, or unauthorized activities;
(ii) Onsite 24/7 armed security response force with roving patrol. Response time must not exceed 5 minutes from the time of an intrusion alarm or report of a security incident;
(iii) CCTV surveillance with 24/7 monitoring and recording; and
(iv) Transport vehicle with GPS tracking designed to serve as a containment vehicle.
(g) In developing a security plan, an individual or entity should consider the document entitled, “Security Guidance for Select Agent or Toxin Facilities.” This document is available on the Internet at