FAQ: Security

General

Surveillance cameras are only required for entities that are registered to possess Variola major virus, Variola minor virus, Foot-and-mouth disease virus or Rinderpest virus (see Section 11 of 42 CFR part 73 or 9 CFR part 121).

Cameras are not a security barrier and are not an acceptable substitute for the escort required by Section 11 (Security). A surveillance camera can serve as an enhancement to the entity’s security program (e.g., security monitoring device). The use of surveillance cameras as part of the entity security program should be documented in the security plan. The plan should address how cameras are used, how they are monitored, who monitors the cameras, and how information obtained through camera surveillance supports the security program.

If the entity determines that cameras are appropriate for their particular security needs, the entity should evaluate the systems available that meet their need. The Select Agent regulations do not contain recommendation for specific makes or models of cameras.

It would depend on the individual’s duties. If the individual monitoring the surveillance camera is able to access the select agent or toxin, the individual would need to undergo a security risk assessment. A registered entity may not provide an individual access to a select agent or toxin, and an individual may not access a select agent or toxin, unless the individual is approved by the HHS Secretary or APHIS Administrator, following a security risk assessment by the Attorney General. An individual will be deemed to have access at any point in time if the individual has possession of a select agent or toxin (e.g., ability to carry, use, or manipulate) or the ability to gain possession of a select agent or toxin. However, if the individual’s duties are limited to only observing the camera feed and they will never be able to access the select agent or toxin, then the individual would not need to undergo a security risk assessment.

Each entity must develop and implement a written security plan (9 CFR § 121.11, 7 CFR § 331.11, and 42 CFR § 73.11). The security plan must be sufficient to safeguard the select agent or toxin against unauthorized access, theft, loss, or release. The security plan must be designed according to a site-specific risk assessment and must provide graded protection in accordance with the risk of the select agent or toxin, given its intended use. A current security plan must be submitted for initial registration, renewal of registration, or when requested. The entity must review the plan annually and revise it as necessary. The entity must conduct drills and exercises annually to test and evaluate the effectiveness of the plan.

An IDS is a system that consists of a sensor device which triggers an alarm when a security breach occurs and the alarm notifies a response force (e.g., police, guards, etc.) that will react to the alarm.

As identified in the regulations, entities that possess Tier 1 biological select agents and toxins must determine that the response time for entity security forces or local police will not exceed 15 minutes or provide security barriers that are sufficient to delay unauthorized access until the response force arrives in order to safeguard these materials from theft, intentional release, or unauthorized access. The response time is measured from the time of an intrusion alarm, or report of a security incident, to the arrival of the responders at the first security barrier. An IDS system will help ensure a registered entity meets this demand. In addition to the latter, IDS’s can be an inexpensive, flexible and effective means to enhance a security plan. Instead of investing in additional security barriers and locks which can only further delay a threat, an entity may have a greater effect by investing in an IDS which ensures a threat is detected and a response to this threat occurs.

“Reasonably afford access” applies to an entry way that will allow access into and out of a registered space with or without minimal force. This primarily applies to emergency exits (with handles), or unused doors. Generally, if a person can get through a barrier without breaking anything (i.e., windows), it is deemed to “reasonably afford access.”

No, because it does not reasonably afford access into registered space (i.e., designed to allow exit only).

No, since that entry point is “physically occupied” there’s no requirement for IDS. For additional guidance see Appendix V in the Security Guidance for Select Agent or Toxin Facilities document.

Security requirements for shared areas depend on the access to the select agents and toxins. All personnel who have access to the Tier 1 BSAT must have gone through the entity’s pre-access suitability and be enrolled in the ongoing assessment program. Beyond that, it depends on the security parameters in place for the work or actions in progress at any given time. Below are six common scenarios and the corresponding personnel and physical security requirements.

1. Actively working with Tier 1 BSAT and select agents and toxins simultaneously in the same contiguous registered area. An entity is conducting research using Tier 1 BSAT along with other work in a single registered suite.
  - Personnel Requirements:
    All people with access to the agent within the suite/shared area have gone through the entity’s pre-access suitability and are subject to on-going assessment.
  - Physical Security Requirements:
    The suite/shared area meet all the physical security requirements for Tier 1. Final barrier usually the door to the suite.
2. Storage only within a registered space. A Tier 1 storage location or freezer location inside a registered laboratory or a shared freezer inside a registered laboratory.
  - Personnel Requirements:
    All people with access to the locking storage device (i.e., freezer) have gone through the entity’s pre-access suitability and on-going assessment. All people with access to the room but not to the Tier 1 BSAT do not need to be in the entity’s pre-access suitability and on-going assessment program.
  - Physical Security Requirements:
    Storage location must meet the security requirement for Tier 1. In this case the final barrier usually is the locking mechanism of the storage device.
3. Working with Tier 1 BSAT and select agents and toxins inside the same contiguous registered space separated by time. This entails only working with Tier 1 during well-defined times and conditions. The entity restricts access during times when Tier 1 BSAT is outside of locked storage units such as a locked freezer or a locked incubator.
  - Personnel Requirements:
    All people with access to the suite/shared area when Tier 1 BSAT is present have gone through the entity’s pre-access suitability and on-going assessment.
  - Physical Security Requirements:
    The suite/shared area meet all the physical security requirements for Tier 1 BSAT. Depending on how the work is organized, the final barrier may be the door to the suite or to any freezers /devices containing Tier 1 BSAT during work with select agents and toxins.

Shared Autoclave. Using an autoclave for both Tier1 BSAT and select agents and toxins.
- Personnel Requirements:
  For select agents and toxins, individuals operating the autoclave must be SRA approved.For Tier 1 BSAT, individuals operating the autoclave must be SRA approved and have gone through the entity’s pre-access suitability and subject to on-going assessment.
- Physical Security Requirements:
  For all select agents and toxins, the agent or toxin must be secured by SRA approved persons until the autoclave reaches effective operational parameters.For Tier 1 BSAT, the agent or toxin secured by individuals who is SRA approved and has gone through the entity’s pre-access suitability and subject to on-going assessment. That person must remain until the autoclave reaches desired operational parameters.It is recommended that autoclave cycles be scheduled so that select agent materials can be autoclaved without delay.
Animals experimentally infected with a Tier 1 Select Agent (see Scenario 6 below for animals containing a Tier 1 Select Toxin)
- Personnel Requirements:
  Individuals who expose the animal must be SRA approved and have gone through the entity’s pre-access suitability and subject to on-going assessment.Personnel who handle or care for the animal must be SRA approved and have gone through the entity’s pre-access suitability and subject to on-going assessment.
- Physical Security Requirements:
  The area where the animal is handled and housed meets all the physical security requirements for Tier 1 agents. Final barrier usually the door to the suite.
Animals inoculated with a Select Toxin
- Personnel Requirements:
  For Tier 1 select toxin, individuals who inoculate animals must be SRA approved and have gone through the entity’s pre-access suitability and subject to on-going assessment.
- Physical Security Requirements:
  For all select toxins, room used for inoculation must be registered. Animals inoculated with select toxins are not subject to additional security requirements.For Tier 1 select toxin, registered room must meet Tier 1 security requirements (e.g., 3 barriers, IDS).Once inoculated with a select toxin (including Tier 1 select toxins) an animal is no longer considered to fall under the Select Agent regulations.

If an individual or entity detects a known or suspected violation of Federal law or is aware of suspicious activity related to a listed toxin, it must be reported to CDC/DRSC at 404-718-2000 or LRSAT@CDC.gov.

However, first entities should report the incident to the Federal Bureau of Investigation (FBI) Weapons of Mass Destruction Coordinator. To locate the nearest Federal Bureau of Investigation Weapons of Mass Destruction Coordinator, refer to the list of FBI Field Offices.

Then, the report sent to CDC/DRSC should include the following information: 1) Name of facility where the concern was identified, 2) Name of individual reporting the concern, 3) Brief summary of situation, and 4) Evidence and confirmation that this was reported to law enforcement.

Physical Security

If the package containing select agents and toxins is labeled generically as hazardous material and does not identify the package as “select agent or toxin,” the package can be placed with other hazardous materials for shipment.

If the package is labeled to identify the package as a select agent or toxin, the entity can use any number of methods to secure the shipment (e.g., cages, safes, individuals approved to access select agents and toxins). The methods must be described in the security plan. If the area temporarily stores identified select agents and toxins, the area must be listed on the entity’s certificate of registration and meet all provisions outlined in the select agent regulations. If the area will house Tier 1 select agents and toxins, the area must meet all provisions associated with Tier 1 requirements.

No, card readers and biometric scanners are examples of access control measures (see page 29 of the Security Guidance for Select Agent or Toxin Facilities document). The locked door is the barrier; the method of unlocking the door is an access control measure.

A barrier is a physical structure that is designed to prevent access by unauthorized persons. Cameras, security lighting and intrusion detection system are not considered security barriers because while they may monitor access, they cannot, by themselves, prevent access. Examples of a third, final barrier can be a key locked container with strong key control measures, a biometric lock system on the freezer, laboratory card-key pin access, PIN access to the freezer or storage unit, restricted card key access to the registered space. You may refer to the Federal Select Agent Program Security Guidance for Select Agent or Toxin Facilities document for more information.

The intention of this provision is to specify that entities must maintain security and control of animals, plants, or arthropods which are intentionally infected or inoculated with select agents. This includes an accurate and current accounting of such animals, plants or arthropods. In addition, any animals, plants, or arthropods which are accidentally exposed in a research facility to a select agent must also be maintained under appropriate security and control in compliance with select agent regulations. An entity’s security plan must contain a provision for maintaining a current accounting of any animals or plants intentionally or accidentally exposed to or infected with a select agent.

Select agents which occur in their natural environment are exempted from the select agent regulations provided that the select agent has not been intentionally introduced, cultivated, collected, or otherwise extracted from its natural source. Natural exposure created in a laboratory setting between animals, plants or arthropods would not qualify for this exemption as select agents are being introduced intentionally via natural exposure.

For powered access control systems, the entity must describe procedures to ensure that security is maintained in the event of the failure of the access control system due to power disruption. This may include locks “failing secure” (locked), personnel/guard forces, backup generators or other similar features. For example, if power is lost and the door locks (even if it can be opened only from the inside), then it meets this requirement. If power is lost and door unlocks (it can be open from the outside), then it does not “fail secure.” You may refer to the Federal Select Agent Program Security Guidance for Select Agent or Toxin Facilities document for more information.

Information Security

The entity needs to determine if the individual’s function will provide them with access to a select agent or toxin. An individual will be deemed as having access at any point in time the individual has possession of (e.g., ability to carry, use, or manipulate) or the ability to gain possession of a select agent or toxin. Anyone, including IT personnel, who will have access to a select agent or toxin, direct or otherwise, will need to have a security risk assessment and be listed on the entity’s APHIS/CDC Form 1.

If the individual has access to the entity’s database that contains information about select agents and toxins which will allow them to have access to select agents or toxins, then the individual will need to undergo a security risk assessment and receive access approval from the Federal Select Agent Program. However, if the individual’s duties are limited to only retrieving information from the database and they will not be able to access the selects agents or toxins, then the individual would not need to undergo a security risk assessment.

Yes. The key would be controlling and managing both devices to ensure that the information is safeguarded from unauthorized access by a proper firewall and encryption. The methodology for maintaining this type of information system would need to be clearly articulated in the entity’s security plan.

The Federal Select Agent Program has prepared the “Information Systems Security Control Guidance Document” to assist entities in complying with the select agent regulations to develop and implement a written security plan that describes procedures for information system control and information security.

The guidance document is available here.

The “authenticated user” is an individual who has the appropriate approval or has permission rights to information on a trusted domain (sensitive information) based on the individuals’ specific job duties and appropriate background checks for that position. The entity should maintain system passwords and login identification to allow access to sensitive databases to only those individuals (“authenticated users”) that have been identified as having a legitimate need/requirement to access those data bases.

If the information will allow an individual access to a Tier 1 select agent or toxin, the entity must develop security enhancements that provide a response time for security forces including entity guards or other trained responders or local police to not exceed 15 minutes or provide security barriers that are sufficient to delay unauthorized access until the response force arrives in order to safeguard the select agents and toxins from theft, intentional release, or unauthorized access. The response time is measured from the time of an intrusion alarm, or report of a security incident, to the arrival of the responders at the first security barrier.

The guidance document did not address the FISMA standards as these standards are only limited to Federal agencies and departments. The guidance document is provided to assist entities in complying with the select agent regulations by developing and implementing a written security plan that describes procedures for information system control and information security. However, the entity may use to FISMA standards to assist in building the entity’s security program since the standards contain helpful information.

The select agent regulations place no restrictions on releasing information related to select agents or toxins as long as any records or information systems would not allow an unauthorized individual to gain access to the select agents or toxins as outlined under Section 10(a). The Federal Select Agent Program strongly encourages entities to refrain from providing detailed information about location of select agents and toxins, quantities on site, or personal information on researchers.

No. The select agent regulations do not require that select agent information sent to the Federal Select Agent Program be encrypted. If there is any doubt that information is sent over an unsecured network, encryption should be considered.

For network security software (network firewalls, intrusion detection and prevention systems (IDPS)), which functionality is required as a minimum?
The Federal Select Agent Program is aware of the variety of applications that an entity chooses for IT systems. The guidance document is provided to assist entities in complying with the select agent regulations to develop and implement a written security plan that describes procedures for information system control and information security.
Often antivirus and firewall applications offer a considerable overlap in terms of functionality with IDS solutions-especially if seen as a watchdog for unauthorized operation. Is AV software, such as Sophos, with an active agent monitoring memory usage and runtime behavior of programs sufficient as IDS as well?
Federal Select Agent Program does not make recommendations on particular applications. Entities should work with the IT professionals to ensure integrity of all applications associated with their select agent program.
On the market there are either endpoint or network based solutions. Are they equally acceptable?
Federal Select Agent Program does not make recommendations on particular applications.

What are the minimum requirements in terms of key length and algorithm?
The entity should follow its organization policy.
Is it possible to define what sets of information have to be safeguarded in what way and what operations are permissible on the data (e.g., a lab notebook describing an experiment with select agent without naming the location of the select agent is obviously less sensitive information than a list of the amounts and exact locations and access ways to actual select agent in storage)?
The Information Systems Security Control Guidance offers examples of what is considered security information related to select agents and toxins.
When using encryption, either full drive or file based, in order to have a backup mode of access, is the use of a recovery agent permissible, who in addition to the system/file owner can decrypt the information?
The decision remains with the entity on who should have access rights to your select agent program information.

What is the primary aim: limiting access to Select Agent (SA) data or even IT infrastructure involved in working with SA data?
The primary aim is to not allow unauthorized individuals to gain access to the select agents or toxins as outlined under Section 10(a).
Can IT systems be used by those individuals who do not have access approval from the Federal Select Agent Program if access to select agent data is properly restricted (encryption and access control lists)?
Yes, the select agent regulations place no restrictions on individuals who should have access to the IT systems. The primary goal is to not allow an unauthorized individual to gain access to the select agents or toxins as outlined under Section 10(a).