(a) An individual or entity required to register under this part must develop and implement a written security plan. The security plan must be sufficient to safeguard the select agent or toxin against unauthorized access, theft, loss, or release.
(b) The security plan must be designed according to a site-specific risk assessment and must provide graded protection in accordance with the risk of the select agent or toxin, given its intended use. A current security plan must be submitted for initial registration, renewal of registration, or when requested.
(c) The security plan must:
(1) Describe procedures for physical security, inventory control, and information systems control;
(2) Contain provisions for the control of access to select agents and toxins, including the safeguarding of animals or plants intentionally or accidentally exposed to or infected with a select agent, against unauthorized access, theft, loss or release.
(3) Contain provisions for routine cleaning, maintenance, and repairs;
(4) Establish procedures for removing unauthorized or suspicious persons;
(5) Describe procedures for addressing loss or compromise of keys, passwords, combinations, etc. and protocols for changing access numbers or locks following staff changes;
(6) Contain procedures for reporting unauthorized or suspicious persons or activities, loss or theft of select agents or toxins, release of select agents or toxins, or alteration of inventory records;
(7) Contain provisions for ensuring that all individuals with access approval from the Administrator or the HHS Secretary understand and comply with the security procedures.
(8) Describe procedures for how the responsible official will be informed of suspicious activity that may be criminal in nature and related to the entity, its personnel, or its select agents or toxins; and describe procedures for how the entity will notify the appropriate Federal, State, or local law enforcement agencies of such activity.
(i) Ensure that all external connections to systems which manage security for the registered space are isolated or have controls that permit only authorized and authenticated users;
(ii) Ensure that authorized and authenticated users are only granted access to select agent and toxin related information, files, equipment (e.g., servers or mass storage devices), and applications as necessary to fulfill their roles and responsibilities, and that access is modified when the user's roles and responsibilities change or when their access to select agents and toxins is suspended or revoked;
(iii) Ensure that controls are in place that are designed to prevent malicious code (such as, but not limited to, computer viruses, worms, spyware) from compromising the confidentiality, integrity, or availability of information systems which manage access to spaces registered under this part or records as specified in § 121.17;
(iv) Establish a robust configuration management practice for information systems to include regular patching and updates made to operating systems and individual applications; and
(v) Establish procedures that provide backup security measures in the event that access control systems, surveillance devices, and/or systems that manage the requirements of § 121.17 are rendered inoperable.
(10) Contain provisions and policies for shipping, receiving, and storage of select agents and toxins, including documented procedures for receiving, monitoring, and shipping of all select agents and toxins. These provisions must provide that an entity will properly secure containers on site and have a written contingency plan for unexpected shipments.
(d) An individual or entity must adhere to the following security requirements or implement measures to achieve an equivalent or greater level of security:
(2) Allow individuals not approved for access by the Administrator or the HHS Secretary to conduct routine cleaning, maintenance, repairs, and other activities not related to select agents or toxins only when continuously escorted by an approved individual;
(3) Provide for the control of select agents and toxins by requiring freezers, refrigerators, cabinets, and other containers where select agents or toxins are stored to be secured against unauthorized access (e.g., card access system, lock boxes);
(4) Inspect all suspicious packages before they are brought into or removed from an area where select agents or toxins are used or stored;
(5) Establish a protocol for intra-entity transfers under the supervision of an individual with access approval from the Administrator or the HHS Secretary, including chain-of-custody documents and provisions for safeguarding against theft, loss, or release; and
(6) Require that individuals with access approval from the Administrator or the HHS Secretary refrain from sharing with any other person their unique means of accessing a select agent or toxin (e.g., keycards or passwords);
(7) Require that individuals with access approval from the Administrator or the HHS Secretary immediately report any of the following to the responsible official:
(i) Any loss or compromise of keys, passwords, combinations, etc.;
(ii) Any suspicious persons or activities;
(iii) Any loss or theft of select agents or toxins;
(v) Any sign that inventory or use records for select agents or toxins have been altered or otherwise compromised; and
(8) Separate areas where select agents and toxins are stored or used from the public areas of the building.
(e) Entities must conduct complete inventory audits of all affected select agents and toxins in long-term storage when any of the following occur:
(1) Upon the physical relocation of a collection or inventory of select agents or toxins for those select agents or toxins in the collection or inventory;
(2) Upon the departure or arrival of a principal investigator for those select agents and toxins under the control of that principal investigator; or
(3) In the event of a theft or loss of a select agent or toxin, all select agents and toxins under the control of that principal investigator.
(f) In addition to the requirements contained in paragraphs (c) and (d) of this section, the security plan for an individual or entity possessing a Tier 1 select agent or toxin must also:
(1) Describe procedures for conducting a pre-access suitability assessment of persons who will have access to a Tier 1 select agent or toxin;
(2) Describe procedures for how an entity's responsible official will coordinate their efforts with the entity's safety and security professionals to ensure security of Tier 1 select agents and toxins and share, as appropriate, relevant information; and
(3) Describe procedures for the ongoing assessment of the suitability of personnel with access to a Tier 1 select agent or toxin. The procedures must include:
(i) Self- and peer-reporting of incidents or conditions that could affect an individual's ability to safely have access to or work with select agents and toxins, or to safeguard select agents and toxins from theft, loss, or release;
(ii) The training of employees with access to Tier 1 select agents and toxins on entity policies and procedures for reporting, evaluation, and corrective actions concerning the assessment of personnel suitability; and
(iii) The ongoing suitability monitoring of individuals with access to Tier 1 select agents and toxins.
(4) Entities with Tier 1 select agents and toxins must prescribe the following security enhancements:
(i) Procedures that will limit access to a Tier 1 select agent or toxin to only those individuals who are approved by the HHS Secretary or Administrator following a security risk assessment by the Attorney General, have had an entity-conducted pre-access suitability assessment, and are subject to the entity's procedures for ongoing suitability assessment;
(ii) Procedures that limit access to laboratory and storage facilities outside of normal business hours to only those specifically approved by the responsible official or designee;
(iii) Procedures for allowing visitors, their property, and vehicles at the entry and exit points to the registered space, or at other designated points of entry to the building, facility, or compound that are based on the entity's site-specific risk assessment;
(iv) A minimum of three security barriers where each security barrier adds to the delay in reaching secured areas where select agents and toxins are used or stored. One of the security barriers must be monitored in such a way as to detect intentional and unintentional circumventing of established access control measures under all conditions (day/night, severe weather, etc.) The final barrier must limit access to the select agent or toxin to personnel approved by the HHS Secretary or Administrator, following a security risk assessment by the Attorney General.
(v) All registered space or areas that reasonably afford access to the registered space must be protected by an intrusion detection system (IDS) unless physically occupied;
(vi) Personnel monitoring the IDS must be capable of evaluating and interpreting the alarm and alerting the designated security response force or law enforcement;
(vii) For powered access control systems, describe procedures to ensure that security is maintained in the event of the failure of access control systems due to power disruption affecting registered space;
(A) Determine that the response time for security forces or local police will not exceed 15 minutes where the response time is measured from the time of an intrusion alarm, or report of a security incident, to the arrival of the responders at the first security barrier or;
(B) Provide security barriers that are sufficient to delay unauthorized access until the response force arrives in order to safeguard the select agents and toxins from theft, intentional release, or unauthorized access. The response time is measured from the time of an intrusion alarm, or report of a security incident, to the arrival of the responders at the first security barrier.
(5) Entities that possess foot-and-mouth disease virus and rinderpest virus must have the following additional security requirements:
(i) A minimum of four barriers, one of which must be a perimeter security fence or equivalent which is monitored 24 hours a day, 7 days a week (24/7) to detect the presence of unauthorized persons, vehicles, materials, or unauthorized activities;
(ii) Onsite 24/7 armed security response force with roving patrol. Response time must not exceed 5 minutes from the time of an intrusion alarm or report of a security incident;
(iii) CCTV surveillance with 24/7 monitoring and recording; and
(iv) Transport vehicle with GPS tracking designed to serve as a containment vehicle.
(g) In developing a security plan, an individual or entity should consider the document entitled, “Security Guidance for Select Agent or Toxin Facilities.” This document is available on the Internet at http://www.selectagents.gov/.
(h) The plan must be reviewed annually and revised as necessary. Drills or exercises must be conducted at least annually to test and evaluate the effectiveness of the plan. The plan must be reviewed and revised, as necessary, after any drill or exercise and after any incident.