42 CFR 73.11 - Security.
(a) An individual or entity required to register under this part must develop and implement a written security plan. The security plan must be sufficient to safeguard the select agent or toxin against unauthorized access, theft, loss, or release.
(b) The security plan must be designed according to a site-specific risk assessment and must provide graded protection in accordance with the risk of the select agent or toxin, given its intended use. A current security plan must be submitted for initial registration, renewal of registration, or when requested.
(c) The security plan must:
(1) Describe procedures for physical security, inventory control, and information systems control,
(2) Contain provisions for the control of access to select agents and toxins including the safeguarding of animals (including arthropods) or plants intentionally or accidentally exposed to or infected with a select agent, against unauthorized access, theft, loss or release.
(3) Contain provisions for routine cleaning, maintenance, and repairs,
(4) Establish procedures for removing unauthorized or suspicious persons,
(5) Describe procedures for addressing loss or compromise of keys, keycards, passwords, combinations, etc. and protocols for changing access permissions or locks following staff changes,
(6) Contain procedures for reporting unauthorized or suspicious persons or activities, loss or theft of select agents or toxins, release of select agents or toxins, or alteration of inventory records, and
(8) Describe procedures for how the Responsible Official will be informed of suspicious activity that may be criminal in nature and related to the entity, its personnel, or its select agents or toxins; and describe procedures for how the entity will notify the appropriate Federal, State, or local law enforcement agencies of such activity.
(9) Contain provisions for information security that:
(i) Ensure that all external connections to systems which manage security for the registered space are isolated or have controls that permit only authorized and authenticated users;
(ii) Ensure that authorized and authenticated users are only granted access to select agent and toxin related information, files, equipment (e.g., servers or mass storage devices) and applications as necessary to fulfill their roles and responsibilities, and that access is modified when the user's roles and responsibilities change or when their access to select agents and toxins is suspended or revoked;
(iii) Ensure that controls are in place that are designed to prevent malicious code (such as, but not limited to, computer virus, worms, spyware) from compromising the confidentiality, integrity, or availability of information systems which manage access to spaces registered under this part or records in § 73.17;
(iv) Establish a robust configuration management practice for information systems to include regular patching and updates made to operating systems and individual applications; and
(v) Establish procedures that provide backup security measures in the event that access control systems, surveillance devices, and/or systems that manage the requirements of section 17 of this part are rendered inoperable.
(10) Contain provisions and policies for shipping, receiving, and storage of select agents and toxins, including documented procedures for receiving, monitoring, and shipping of all select agents and toxins. These provisions must provide that an entity will properly secure containers on site and have a written contingency plan for unexpected shipments.
(d) An individual or entity must adhere to the following security requirements or implement measures to achieve an equivalent or greater level of security:
(2) Allow individuals not approved for access from the HHS Secretary or Administrator to conduct routine cleaning, maintenance, repairs, or other activities not related to select agents or toxins only when continuously escorted by an approved individual if the potential for access to select agents or toxins exists,
(3) Provide for the control of select agents and toxins by requiring freezers, refrigerators, cabinets, and other containers where select agents or toxins are stored to be secured against unauthorized access (e.g., card access system, lock boxes),
(4) Inspect all suspicious packages before they are brought into or removed from the area where select agents or toxins are used or stored,
(5) Establish a protocol for intra-entity transfers under the supervision of an individual with access approval from the HHS Secretary or Administrator, including chain-of-custody documents and provisions for safeguarding against theft, loss, or release,
(6) Require that individuals with access approval from the HHS Secretary or Administrator refrain from sharing with any other person their unique means of accessing a select agent or toxin (e.g., keycards or passwords),
(i) Any loss or compromise of keys, passwords, combination, etc.,
(ii) Any suspicious persons or activities,
(iii) Any loss or theft of select agents or toxins,
(iv) Any release of a select agent or toxin, and
(v) Any sign that inventory or use records for select agents or toxins have been altered or otherwise compromised, and
(vi) Any loss of computer, hard drive or other data storage device containing information that could be used to gain access to select agents or toxins.
(8) Separate areas where select agents and toxins are stored or used from the public areas of the building.
(e) Entities must conduct complete inventory audits of all affected select agents and toxins in long-term storage when any of the following occur:
(1) Describe procedures for conducting a pre-access suitability assessment of persons who will have access to a Tier 1 select agent or toxin;
(2) Describe procedures for how an entity's Responsible Official will coordinate their efforts with the entity's safety and security professionals to ensure security of Tier 1 select agents and toxins and share, as appropriate, relevant information; and
(3) Describe procedures for the ongoing assessment of the suitability of personnel with access to a Tier 1 select agent or toxin. The procedures must include:
(i) Self- and peer-reporting of incidents or conditions that could affect an individual's ability to safely have access to or work with select agents and toxins, or to safeguard select agents and toxins from theft, loss, or release;
(ii) The training of employees with access to Tier 1 select agents and toxins on entity policies and procedures for reporting, evaluation, and corrective actions concerning the assessment of personnel suitability; and
(iii) The ongoing suitability monitoring of individuals with access to Tier 1 select agents and toxins.
(4) Entities with Tier 1 select agents and toxins must prescribe the following security enhancements:
(i) Procedures that will limit access to a Tier 1 select agent or toxin to only those individuals who are approved by the HHS Secretary or Administrator, following a security risk assessment by the Attorney General, have had an entity-conducted pre-access suitability assessment, and are subject to the entity's procedures for ongoing suitability assessment;
(ii) Procedures that limit access to laboratory and storage facilities outside of normal business hours to only those specifically approved by the Responsible Official or designee;
(iii) Procedures for allowing visitors, their property, and vehicles at the entry and exit points to the registered space, or at other designated points of entry to the building, facility, or compound that are based on the entity's site-specific risk assessment;
(iv) A minimum of three security barriers where each security barrier adds to the delay in reaching secured areas where select agents and toxins are used or stored. One of the security barriers must be monitored in such a way as to detect intentional and unintentional circumventing of established access control measures under all conditions (day/night, severe weather, etc.) The final barrier must limit access to the select agent or toxin to personnel approved by the HHS Secretary or Administrator, following a security risk assessment by the Attorney General.
(v) All registered space or areas that reasonably afford access to the registered space must be protected by an intrusion detection system (IDS) unless physically occupied;
(vi) Personnel monitoring the IDS must be capable of evaluating and interpreting the alarm and alerting the designated security response force or law enforcement;
(vii) For powered access control systems, describe procedures to ensure that security is maintained in the event of the failure of access control systems due to power disruption affecting registered space;
(viii) The entity must:
(A) Determine that the response time for security forces or local police will not exceed 15 minutes where the response time is measured from the time of an intrusion alarm, or report of a security incident, to the arrival of the responders at the first security barrier or;
(B) Provide security barriers that are sufficient to delay unauthorized access until the response force arrives in order to safeguard the select agents and toxins from theft, intentional release, or unauthorized access. The response time is measured from the time of an intrusion alarm, or report of a security incident, to the arrival of the responders at the first security barrier.
(5) Entities that possess Variola major virus and Variola minor virus must have the following additional security requirements:
(i) Require personnel with independent unescorted access to Variola major or Variola minor virus to have a Top Secret security clearance;
(ii) Require Variola major or Variola minor virus storage locations to be under the surveillance of closed circuit television that is monitored;
(iii) After hours access procedures for Variola major or Variola minor virus must require notification of the entity's security staff prior to entry into the Variola laboratory and upon exit;
(iv) Require that observation zones be maintained in outdoor areas adjacent to the physical barrier at the perimeter of the entity and be large enough to permit observation of the activities of people at that barrier in the event of its penetration;
(v) Provide for a minimum of four barriers for the protection of the Variola major or Variola minor virus, one of which must be a perimeter fence;
(vi) Require a numbered picture badge identification subsystem to be used for all individuals who are authorized to access Variola major or Variola minor without escort;
(vii) Require the use, at all times, of properly trained and equipped security force personnel able to interdict threats identified in the site specific risk assessment;
(viii) Identify security force personnel designated to strengthen onsite response capabilities, and that will be onsite and available at all times to carry out their assigned response duties;
(ix) Provide for security patrols to periodically check external areas of the registered areas to include physical barriers and building entrances;
(x) Require that all on-duty security force personnel shall be capable of maintaining continuous communication with support and response assets by way of security operations center;
(xi) Require that Variola major and Variola minor material in long term storage be stored in tamper-evident systems;
(xii) Require that all spaces containing working or permanent Variola major or Variola minor stocks be locked and protected by an intrusion alarm system that will alarm upon the unauthorized entry of a person anywhere into the area;
(xiii) Require that alarms required pursuant to this section annunciate in a continuously manned security operations center located within the facility; and
(xiv) Require that the security operations center shall be located within a building so that the interior is not visible from the perimeter of the protected area.
(g) In developing a security plan, an individual or entity should consider the document entitled, “Security Guidance for Select Agent or Toxin Facilities.” This document is available on the National Select Agent Registry at http://www.selectagents.gov/.
(h) The plan must be reviewed annually and revised as necessary. Drills or exercises must be conducted at least annually to test and evaluate the effectiveness of the plan. The plan must be reviewed and revised, as necessary, after any drill or exercise and after any incident. Drills or exercises must be documented to include how the drill or exercise tested and evaluated the plan, any problems that were identified and corrective action(s) taken, and the names of registered entity personnel participants.