7 CFR 331.11 - Security.
(a) An individual or entity required to register under this part must develop and implement a written security plan. The security plan must be sufficient to safeguard the select agent or toxin against unauthorized access, theft, loss, or release.
(b) The security plan must be designed according to a site-specific risk assessment and must provide graded protection in accordance with the risk of the select agent or toxin, given its intended use. A current security plan must be submitted for initial registration, renewal of registration, or when requested.
(c) The security plan must:
(1) Describe procedures for physical security, inventory control, and information systems control;
(2) Contain provisions for the control of access to select agents and toxins, including the safeguarding of animals (including arthropods) or plants intentionally or accidentally exposed to or infected with a select agent, against unauthorized access, theft, loss or release.
(3) Contain provisions for routine cleaning, maintenance, and repairs;
(4) Establish procedures for removing unauthorized or suspicious persons;
(5) Describe procedures for addressing loss or compromise of keys, keycards, passwords, combinations, etc. and protocols for changing access permissions or locks following staff changes;
(6) Contain procedures for reporting unauthorized or suspicious persons or activities, loss or theft of select agents or toxins, release of select agents or toxins, or alteration of inventory records;
(8) Describe procedures for how the Responsible Official will be informed of suspicious activity that may be criminal in nature and related to the entity, its personnel, or its select agents or toxins; and describe procedures for how the entity will notify the appropriate Federal, State, or local law enforcement agencies of such activity.
(9) Contain provisions for information security that:
(i) Ensure that all external connections to systems which manage security for the registered space are isolated or have controls that permit only authorized and authenticated users;
(ii) Ensure that authorized and authenticated users are only granted access to select agent and toxin related information, files, equipment (e.g., servers or mass storage devices), and applications as necessary to fulfill their roles and responsibilities, and that access is modified when the user's roles and responsibilities change or when their access to select agents and toxins is suspended or revoked;
(iii) Ensure that controls are in place that are designed to prevent malicious code (such as, but not limited to, computer viruses, worms, spyware) from compromising the confidentiality, integrity, or availability of information systems which manage access to spaces registered under this part or records as specified in § 331.17;
(iv) Establish a robust configuration management practice for information systems to include regular patching and updates made to operating systems and individual applications; and
(v) Establish procedures that provide backup security measures in the event that access control systems, surveillance devices, and/or systems that manage the requirements of § 331.17 are rendered inoperable.
(10) Contain provisions and policies for shipping, receiving, and storage of select agents and toxins, including documented procedures for receiving, monitoring, and shipping of all select agents and toxins. These provisions must provide that an entity will properly secure containers on site and have a written contingency plan for unexpected shipments.
(d) An individual or entity must adhere to the following security requirements or implement measures to achieve an equivalent or greater level of security:
(2) Allow individuals not approved for access by the Administrator or the HHS Secretary to conduct routine cleaning, maintenance, repairs, and other activities not related to select agents or toxins only when continuously escorted by an approved individual if the potential to access to select agents or toxins exists;
(3) Provide for the control of select agents and toxins by requiring freezers, refrigerators, cabinets, and other containers where select agents or toxins are stored to be secured against unauthorized access (e.g., card access system, lock boxes);
(4) Inspect all suspicious packages before they are brought into or removed from an area where select agents or toxins are used or stored;
(5) Establish a protocol for intra-entity transfers under the supervision of an individual with access approval from the Administrator or the HHS Secretary, including chain-of-custody documents and provisions for safeguarding against theft, loss, or release; and
(6) Require that individuals with access approval from the Administrator or the HHS Secretary refrain from sharing with any other person their unique means of accessing a select agent or toxin (e.g., keycards or passwords);
(i) Any loss or compromise of keys, passwords, combinations, etc.;
(ii) Any suspicious persons or activities;
(iii) Any loss or theft of select agents or toxins;
(iv) Any release of a select agent or toxin;
(v) Any sign that inventory or use records for select agents or toxins have been altered or otherwise compromised; and
(vi) Any loss of computer, hard drive or other data storage device containing information that can be used to gain access to select agents or toxins; and
(8) Separate areas where select agents and toxins are stored or used from the public areas of the building.
(e) Entities must conduct complete inventory audits of all affected select agents and toxins in long-term storage when any of the following occur:
(g) In developing a security plan, an individual or entity should consider the document entitled, “Security Guidance for Select Agent or Toxin Facilities.” This document is available on the National Select Agent Registry at http://www.selectagents.gov/.
(h) The plan must be reviewed annually and revised as necessary. Drills or exercises must be conducted at least annually to test and evaluate the effectiveness of the plan. The plan must be reviewed and revised, as necessary, after any drill or exercise and after any incident. Drills or exercises must be documented to include how the drill or exercise tested and evaluated the plan, any problems that were identified and corrective action(s) taken, and the names of registered entity personnel participants.