Security Plan Guidance: Section 11(c)(2)
Section 11(c)(2) – Access Control
Section 11(c)(2) of the select agent regulations requires the security plan to describe how the select agent or toxin is physically secured against unauthorized access. The security plan is performance based and should complement the Incident Response Plan and Biosafety Plan. An effective physical security plan deters, detects, delays, and responds to threats identified by the site-specific risk assessment. A successful security plan creates sufficient time between detection and the completion of an attack for the response force to arrive. The physical security plan should include:
- Security barriers which both deter intrusion and deny access (except by access approved personnel) to the areas containing select agents and toxins:
  - Perimeter fences
  - Walls
  - Locked doors
  - Security windows
  - Trained person (e.g., security guard, trained laboratorians, or escorts)
- Biosafety measures and other environmental factors which increase security such as:
- Access or locking system which denies access to BSAT (e.g., mechanical locks, card key access systems, or biometrics)
- Tamper-evident devices for select agents and toxins held in long-term storage
- A balanced approach so that all access points, including windows and emergency exits, are secured at the same level
- A procedure or process to keep the number of alarms to a minimum
Create a system which limits access to select agents and toxins to those approved by the HHS Secretary or APHIS Administrator for access to select agents and toxins. The access control system should:
- Include provisions to limit unescorted/unrestricted access to the registered areas to those who have been approved by the HHS Secretary or APHIS Administrator to have access to select agents and toxins.
- Include provisions for the safeguarding of animals and plants exposed to or infected with select agents.
- Regularly review and update access logs.
- Be modified when access requirements change, and be responsive to changes in individuals' access requirements during personnel changes.
- Remain flexible enough so non-approved personnel can be escorted if needed.

See Non-Tier 1 Barrier Scenarios for a visual representation of adequate physical security barriers. See Intrusion Detection Systems for a chart that defines and explains the use of various IDS options.
Section 11(c)(3) – Control Access of Support Personnel for Maintenance, Cleaning, and Repair
The security plan must state how cleaning, maintenance, and repairs will be accomplished in areas where BSAT are stored or used. When allowing maintenance, cleaning, or repair personnel (whether in-house or contract services) into a registered area, an entity should practice one or more of the following:
- Use only access approved individuals.
- Provide an access approved individual as an escort to the non-approved individual.
- If the non-approved individual will not be escorted, install additional security measures (e.g., additional lock and key, cipher lock, or tamper alarms interfaced with the facility intrusion detection system) to prohibit access to select agents and toxins by the non-approved individual; or
- Remove the select agent or toxin to a different area that is appropriately registered.
Section 17 (Records) of the select agent regulations requires that access logs be in place to record the name and date/time of entry into the registered area, including the name of an escort.
Section 11(d)(2) – Escort Provisions
The security plan must contain provisions which allow non-approved persons access to registered spaces that store BSAT only when escorted by an access approved person. The escort must be dedicated to observing the escorted person. No other duties may be performed during the time that the individual is serving as an escort. The escort must understand what to observe for (e.g., accessing select agents and toxins). Non-approved persons are not allowed to have access to an agent, even if escorted by an access approved person. The escort’s responsibilities include:
- Serving as a physical barrier between the non-SRA approved person and select agents and toxins.
- Being knowledgeable about the entity’s security policies.
- Training non-SRA approved persons on emergency protocols and risks related to the BSAT before they enter the registered space.
- Executing safety protocols as necessary.
- Receiving approval for escorted access and notifying the RO when escorted entry has concluded.
See the Security Risk Assessment FAQs for more information about escort provisions.
Section 11(d)(6) – Prevent Sharing Access Credentials
The security plan must state that any person accessing select agents and toxins will not share their unique means of access (such as key cards and passwords) with any other person. This should include how the entity prevents:
- “Piggybacking” or “tailgating” on another access approved person’s access card.
- Key card, password or badge sharing.
Challenge all individuals who tailgate or piggyback a secured access entry point.
Section 11(c)(5) – Address Procedures for Access Control Changes
The security plan must describe the procedures for changing access after personnel changes in order to prevent access by personnel who previously had approved access to select agents and toxins. This can include:
- Deactivating card key access.
- Deactivating email, network, and local machine computer accounts which provide access to information.
- Surrendering key cards and badges.
- Surrendering keys and key cards when people leave or change duties.
The security plan must indicate that the following incidents must be reported to the RO:
- Any loss or compromise of keys, passwords, and combinations.
- Any suspicious persons or activities.
- Any loss or theft of a select agent or toxin.
- Any release of a select agent or toxin.
- Any sign that inventory or use records for select agents and toxins have been altered or otherwise compromised.