DOC

Generic Biosecurity Plan Outline

By Paul Baker,2014-06-17 17:47
9 views 0
Generic Biosecurity Plan Outline ...

    Generic Select Agent Biosecurity Plan Template

Generic text that may be appropriate to include in a facility’s biosecurity plan is included below.

    Guidance on facility-specific information that should be included is provided in italicized text.

    1 Introduction

    What is the goal of this plan? To whom does it apply? Indicate that it demonstrates compliance

    with specific federal regulations, such as 42 CFR 73, 9 CFR 121, or 7 CFR 331, and that it

    describes the full spectrum of measures taken to achieve graded protection of Select Agents

    (which should be defined in this introduction as a term used in this plan to refer to all CFR-

    regulated pathogens and toxins) against theft and sabotage. Indicate whether a single approach

    is being taken to secure all Select Agents at the facility or whether Moderate Risk and High Risk

    agents are being addressed separately (while still complying with all Federal regulations).

    2 Roles and Responsibilities

    The roles and responsibilities included in this section are not all-inclusive but are intended to

    represent those functions related to implementation of the CFR requirements.

    2.1 Responsible Official

    The Responsible Official is an official authorized to ensure that the requirements of the CFRs

    are met. These requirements include developing and implementing this Biosecurity Plan.

    The Responsible Official (RO) will review this Plan annually and after any incident.

    2.2 Alternate Responsible Official

    The Alternate Responsible Official is an official authorized to act for the Responsible Official

    when the RO is unavailable.

    2.3 Select Agent Supervisor

    Select Agent Supervisors are individuals who are responsible for directing a project or

    program. Each Select Agent project or program is overseen by a Select Agent Supervisor,

    who is responsible for the scientific and technical direction of that project or program, and

    who has task authority over individuals who have permission to use Select Agents. Select

    Agent Supervisors are responsible for:

    ? Adopting the Biosecurity Plan procedures and ensuring that all personnel within their

    charge who have access to Select Agents familiarize themselves with the contents of

    the Plan and obtain biosecurity training annually

    ? Reporting Select Agent transfers, destruction, and inventory anomalies to the RO

    ? Requesting the RO to make Select Agent access authorization changes (See also

    Section 4.6.5)

    ? Providing the RO with any non-electronic visitor logs upon request

    ? Requesting changes to personnel access authorization

    ? Providing the RO with an up-to-date Select Agent registration packet.

    2.4 Accountable Scientist

    The accountable scientist, who may be a Select Agent Supervisor and/or a Principal

    Investigator, is responsible for Select Agent material control and accountability and Select

    Agent material transfers, as described in Sections 6 and 7.

     1

2.5 Security Force

    If a security force is employed, what is the nature of its responsibilities?

    2.6 Local Police

    If applicable, what is the nature of the local police force responsibilities under a Memorandum

    of Understanding (MOU)?

    2.7 Specialty Personnel

    Specialty personnel may be employed by larger facilities. These may include Security

    Specialists who work in a Security Operations Center where an intrusion detection system is

    monitored, Physical Security Department Personnel, and Counterintelligence Personnel.

    Roles and responsibilities for these personnel should be spelled out in this portion of the

    security plan.

    2.8 Personnel Security

    The Personnel Security Division is responsible for initiating and monitoring necessary

    background screening and often, for evaluating the results.

    2.9 Badge Office

    Badge Office Personnel are responsible for issuing and managing badges for regular and

    visiting personnel.

    2.10 Information and Network Security

    Information and network security personnel include:

    ? The Chief Information Security Officer is responsible for network and information

    security policy for the facility; and

    ? The Center and Division Information Technology Officers are responsible for

    ensuring their respective network segments and information protection systems are

    implemented according to policy and that personnel are adequately trained on

    information and network security.

    ? System/Network Administrators are responsible for maintaining the system security,

    updating hardware and software, and responding to network intrusions. 2.11 Individuals with Select Agent Access Authorization

    In addition to other duties individuals have, individuals with Select Agent access authorization

    are responsible for:

    ? Protecting Select Agents while in their physical possession

    ? Protecting information related to Select Agents, while in their physical possession, in

    the context of verbal or electronic communication, and when storing it.

    ? Following all security-related procedures related to Select Agents, including those

    that apply to hosting and escorting procedures for visitors (See Sections 5.8 and 5.9)

    ? Reporting incidents and/or breaches in security to the appropriate Select Agent

    Supervisor and RO.

     2

    3 Basis for Biosecurity Program

    3.1 Risk Assessment

    This security plan reflects a risk management process in which assets and possible

    adversary actions (threats) are defined, and the resulting undesired events are evaluated

    based on their security risk. The risk assessment is an evaluation of the potential an

    adversary possesses to successfully execute an undesired event and the subsequent

    consequences. It establishes the set of risks a facility faces and presents them in ranked

    order so that the facility management may decide which risks will be protected against or

    mitigated and which risks will not. The security plan is based on this defined security risk

    posture, and demonstrates how the facility achieves protection and mitigation through a

    combination of security system design and incident response planning.

    3.2 Graded Protection

    Different assets require different levels of protection, accountability, and controls. The

    highest level of protection is given to the primary assets whose loss, theft, compromise,

    and/or unauthorized use will most seriously affect the national security, and/or the health and

    safety of employees, the public, the environment, or mission; e.g. High Risk pathogens.

    Slightly less protection is given to those secondary assets that may represent a Moderate

    Risk or that may assist an adversary in gaining access to, or diverting, a primary asset.

    Tertiary assets include operational assets and require somewhat less protection then the

    secondary assets. In this manner, the security system is designed to have graded levels,

    with the highest risk assets receiving the highest level of protection, and security increasing

    gradually as one moves physically closer to the asset.

    What types of assets would be considered Primary, Secondary and Tertiary at this facility?

    3.3 Assets

    3.3.1 Select Agents

    Select Agents are those agents and toxins that have the potential to pose a severe threat

    to human, animal, or plant health, or to plant and animal products as defined by the CFRs.

    Which Select Agents does the facility possess?

    3.3.2 Sensitive Information

    Sensitive information is information that is too sensitive to be released to the public or to

    anyone who does not have an official purpose that requires him/her to hear, view, or

    have possession of the information (i.e., a need to know). Sensitive information is

    protected from unauthorized access and from disclosure under the Freedom of

    Information Act. See Section 8 for details on protecting sensitive information.

    Sensitive information includes information related to the Select Agents, security-related

    information, and human resources information specific to those individuals who work with

    Select Agents.

    3.3.2.1 Select Agent Information

    The following examples of sensitive information include, but are not limited to, the

    Select Agent records the Responsible Official is required to maintain:

    ? Select Agent information related to records described in the CFRs as:

    o A current list of all individuals with access to Select Agents;

    o Training records for individuals with access to Select Agents;

    o Select Agent inventory records (including source and characterization

    data as well as any anomalies);

     3

    o Permits and transfer documents (CDC Form EA 101 and/or APHIS Form

    2041);

    o Visitor logs for laboratories containing Select Agents;

    ? Databases containing security and Select Agent information

    ? Documentation associated with experimental data or other data that has

    been restricted by the facility’s review and approval process

    3.3.2.2 Security Related Information

    The following examples of sensitive information include, but are not limited to, the

    security related records the Responsible Official is required to maintain:

    ? Security information related to the records described in the CFRs:

    o Security records (e.g., transactions from automated access control

    systems, testing and maintenance of security systems, visitor logs);

    o Containment and security incident reports;

    o Biosecurity Plan

    ? Details of facility description and blueprints especially as related to Limited

    and Exclusion Area designations and protection measures

    ? Details of vulnerabilities of those facilities that handle Select Agents and/or

    sensitive information

    ? Details of physical security (e.g., drawings and descriptions of security

    hardware and software systems)

    ? Details of computer systems and procedures

    ? Security procedures

    ? Badge design information

    ? Security system performance test results and audit results

    ? Incident reports and disciplinary actions

    ? Response force contracts and results of response force exercises

    3.3.2.3 Human Resource Information

    Human resource information includes all information about personnel who work with

    or have access to Select Agents. This information includes:

    ? Home contact information

    ? Listings of family members

    ? Financial information

    ? Background investigation results

    3.3.3 Critical Operational Assets

    Critical operational assets are those that may cause significant work delays or financial

    impact if destroyed or are directly involved in the security associated with High Risk

    Agents.

    Provide a list of the critical operational assets with a brief description of each.

    3.4 Threat Definition

    3.4.1 Insider

    The insider threat category includes a single, non-violent person with authorized access

    inside the facility. The insider is considered to be any person granted unescorted access

    to any portion of an Exclusion or Limited Area (see Sections 4.2 and 4.3 for further details

    on these areas). The intent of a malevolent insider is to steal, destroy, or release a

    Moderate or High Risk agent, or to steal or destroy other high consequence assets at

    [facility name] without detection. The insider would be expected to abort any theft

     4

    attempt to avoid identification. Authorized access affords this person extensive knowledge of the facility and operating systems. The insider has the opportunity to choose the best time to commit a malevolent act.

    3.4.2 Outsider

    Outside adversaries can employ force, stealth, and deceit tactics to achieve their goals. Using force, the adversary makes no attempt to conceal acts or intention; the adversary simply overwhelms the system and personnel. Using stealth, the adversary attempts to enter the facility undetected to accomplish his goal. An adversary using deceit will attempt to accomplish his goal under the guise of authorized access through the use of forged credentials or other methods. Obviously, a sophisticated and well-trained adversary could employ a combination of all three tactics in order to steal, destroy, or release a defined asset. The outsider has access to only publicly available information and may be equipped with hand tools, may be armed, and may resort to violence (but is not suicidal).

    3.5 Protection Strategy

    3.5.1 Insider Protection

    Traditional physical protection measures, personnel security programs, strict escorting rules, and material control and accountability procedures are the basic elements of the security strategy for protection against a malevolent insider. Of increased importance, given the difficulty with pathogen accountability, is the reliance that must be placed on employees and others with access to the pathogens. Stand-off detection technologies do not exist for biological agents, and inventory control systems will not necessarily reveal when material has been stolen or diverted. Thus, the insider threat is a daunting problem for biological research laboratories.

    It is very difficult for a physical security system to prevent the theft or diversion of microorganisms by insiders. Therefore, it is paramount that biological research facilities do everything possible to ensure that those who have access to dangerous pathogens and toxins are reliable and trustworthy.

    It should be noted that foreign nationals cannot be investigated as thoroughly as US citizens until the foreign national has resided in the US for the number of years that the investigation will cover. Until this point in time is reached, foreign nationals holding positions requiring a background investigation will represent a relatively greater risk than US citizens. Collusion is protected against in the same manner as any other insider threat.

    3.5.2 Outsider Protection

    The strategy to protect against an outsider is to detect unauthorized access, through likely avenues of approach, to the biosafety containment labs or other areas where critical assets are located. Detection must be done in a timely manner and response forces summoned. These response forces may be private security forces or local law enforcement. When local law enforcement is employed, it is important to have a Memorandum of Understanding in place that outlines the conditions under which local law enforcement will respond, the response time that may be expected, and the protocol to follow once law enforcement arrives on site (due to possible biological containment issues).

    The approach often used to achieve timely detection is to concentrate security upgrades at the physical locations where the pathogens or other critical assets are kept, and to control access to these locations.

     5

    4 Physical Security

    The physical security system limits access into defined security areas to authorized individuals

    with a valid need for access.

    4.1 Property Protection Areas

    A Property Protection Area is defined by the outer-most perimeter of the facility. This security area is established to protect against damage, destruction, and theft of facility-owned property.

    What establishes the Property Protection Area (e.g. a perimeter fence)? What, if any, credentials are required to access the Property Protection Area?

    What areas of the facility are Property Protection Areas? What assets are within this area? 4.2 Limited Areas

    A Limited Area is a secured area, residing within the Property Protection Area, with barriers that identify its boundaries and encompass the designated space. The perimeter of a building often defines the boundaries of a Limited Area.

    What physical security measures are in place? What credentials are required to access the Limited Area?

    What areas of the facility are Limited Areas? What assets are within this area? 4.3 Exclusion Areas

    An Exclusion Area, like a Limited Area, is a security area with barriers that identify its boundaries and encompass the designated space, further restricting access beyond the Limited Area. Laboratories or storage areas that contain Select Agents are often designated as Exclusion Areas.

    What physical security measures are in place? What credentials are required to access the Exclusion Area?

    What areas of the facility are Exclusion Areas? What assets are within this area? 4.4 Long-Term Select Agent Storage

    Are there differences in which area select agents can be stored if they are in locked storage containers (e.g. freezers, refrigerators)? If so, include the locations here.

    4.5 Security Operations

    4.5.1 Access Hours

    Does everyone have 24 hour access or do certain types of workers have access in

    different “time zones?” e.g. Mon-Fri, 6 a.m 6 p.m; Mon-Sun. 6 a.m. 6 p.m.; or 24 by 7.

    4.5.2 Visitor Logs

    In what rooms/areas are visitors required to sign log books? What information must be

    included? Does the escort also need to sign?

    4.5.3 Vehicles

    Who is authorized to park on site? Are there other parking restrictions, e.g. are private

    vehicles restricted from loading dock areas? Do personal cars require a parking sticker

    or placard? How is visitor parking handles?

     6

4.5.4 Tailgating

    “Tailgating” is the practice of one individual following another into an area that has been restricted with an electronic security device (e.g. a proximity card) without utilizing his or her own means for unlocking the door. Tailgating is prohibited into any Limited or

    Exclusion Area. The term “tailgating” it is not used to describe the authorized entrance of individuals under escort, who follow additional escort/host procedures to insure

    accountability.

    4.5.5 Access Changes

    When an individual is re-assigned to an activity that does not require access to Select

    Agents, requires access to different Select Agents, or is initiating access to Select Agents, his/her access control authorizations must be updated. The Responsible Official reports

    any changes in Select Agent access to the CDC SAP/APHIS. The Responsible Official

    will immediately notify CDC SAP/APHIS when an individual’s access to Select Agents is

    terminated; the Responsible Official must explain to CDC SAP/APHIS the reasons for

    terminating access. When an individual no longer needs access to a particular restricted

    area, these changes are also documented and electronic access devices are updated.

    4.5.6 Package Inspections

    The CFRs require that all suspicious packages are inspected before they are brought into

    or removed from the area where select agents or toxins are used or stored.

    Include under this section details regarding the specifics of suspicious package

    inspections: Is the inspection conducted in Shipping & Receiving? At the entrance of the

    laboratory? What are they inspected for? leaks, damage, etc? Who conducts package

    inspections? Employees should be suspicious of any mail that:

    1. Is unexpected or from someone unfamiliar to you.

    2. Is addressed to someone no longer with your organization or is otherwise

    outdated.

    3. Has no return address, or has one that can't be verified as legitimate.

    4. Is of unusual weight, given its size, or is lopsided or oddly shaped.

    5. Is marked with restrictive endorsements, such as "Personal" or "Confidential."

    6. Has protruding wires, strange odors, or stains.

    7. Shows a city or state in the postmark that doesn't match the return address. If you come in contact with any mail you consider suspicious, whenever you see an

    unattended or suspicious item on [the site name] properties, or if you receive a

    suspicious package, do handle the item. Call one of the numbers below.

    [emergency hot line phone number] if the situation appears to be an emergency, or [non-

    emergency hot line phone number] if the situation appears to be a non-emergency.

    Please be prepared to provide the location and description of the suspicious package.

    While waiting for emergency response personnel to arrive, please follow the guidance

    below:

    1. Do not handle the parcel or contents further.

    2. Isolate the parcel or contents and move personnel from the immediate area.

    3. Ensure that everyone who has come into contact with the parcel or contents

    washes their hands thoroughly with soap and cold water.

     7

    5 Personnel Security

    5.1 Position Risk Categories

    5.1.1 Low Risk

    Low risk positions are positions that involve duties with the potential for limited impact on

    the agency or program mission or on the integrity and efficiency of the services provided.

    5.1.1.1 Background Investigation

    What types of personnel screening does the facility use for people in this category?

    5.1.1.2 Job Categories

    All [facility name] employees, contractors, and working visitors who do not fall into the

    Moderate or High Risk categories are considered to hold Low Risk positions.

    Personal and Casual Visitors are not given a risk designation.

    What types of job categories at the facility are considered low risk? 5.1.2 Moderate Risk

    Moderate risk positions are those positions with duties that are of considerable importance to the agency mission, with significant program or delivery of service responsibilities. Moderate risk is the position risk level for the majority of positions associated with Select Agents.

    5.1.2.1 Background Investigations

    Moderate risk positions typically receive a more comprehensive background

    investigation than those in low risk positions. Sometimes, this is limited to the

    additional requirement of the DOJ Risk Assessment, if this category is limited to

    those who require access to Select Agents. These positions may also be subjected

    to a periodic reinvestigation.

    What types of personnel screening does the facility use for people in this category?

    5.1.2.2 Job Categories

    What types of job categories at the facility are considered low risk? 5.1.3 High Risk

    High risk positions are those positions with duties that have a broad scope of

    responsibility and authority, which are especially critical to the agency or program mission.

    5.1.3.1 Background Investigations

    High risk positions typically receive a more comprehensive background investigation,

    and/or have a more restrictive authorization process. These positions may also be

    subjected to a periodic reinvestigation.

    What types of personnel screening does the facility use for people in this category?

    5.1.3.2 Job Categories

    What types of job categories at the facility are considered low risk?

    If an employee has access to classified information, they are considered to hold a

    high risk positions. Generally, those positions at the top of the executive ladder and

    those in high level positions of the security staff or IT staff who have access to the

     8

    types of information that if released would make the facility vulnerable, are

    considered high risk.

    5.2 Reinvestigations

    The Responsible Official must request renewal of the CDC SAP/APHIS access approval

    every 5 years for as long as an individual needs access to Select Agents.

    What position risk categories, if any, have background investigations that will be routinely

    repeated on a periodic basis? What is the period between investigations?

    5.3 Access Limitations

    5.3.1 Employees

    Those individuals who require access to Select Agents must have CDC SAP/APHIS

    access authorization.

    Are there any other access limitations in place for limited or exclusion areas? E.g. must

    the background investigation be complete before an individual is allowed into an area

    without an escort? Must an individual meet any other requirements before being granted

    authorized access, e.g. yearly training? Immunizations?

    5.3.2 Visitors

    Visitors include personnel from universities, contractors, students, research fellows,

    visiting scientists, laboratory visitors, trades professionals, delivery personnel, etc. who,

    due to the duration of stay or nature of the work performed on site, are not provided with

    regular access to the facility. Visitors are escorted at all times in restricted (non-public)

    areas by an individual who has a complete and approved background investigation,

    access authorization, and a need-to-know. Visitors are expected to wear a visitor badge,

    sign all visitor logs, remain with their escort, and follow all facility policies and procedures,

    including the surrender of prohibited articles while on site.

    Note: Facility/security managers may permit visitors to have unescorted access to restricted areas if the visitor is able to provide proof of an equivalent background

    investigation as that required of regular staff, including CDC SAP/APHIS authorization

    that has been processed by the facility’s RO for access at the facility, if appropriate, and

    has legitimate business in these areas.

    5.3.2.1 Host Responsibilities

    Each visitor or group of visitors must have a host at the facility. The host must have

    a standard badge. The host is responsible for informing the visitor of the relevant

    policies and procedures, including access restrictions, prohibited articles, etc. The

    host may escort the visitor, or arrange for a separate escort who also has a standard

    badge and authorized escort into the areas to be visited.

    Include any department or individual that requires advance notice of expected visitor

    arrivals (e.g. Physical Security, receptionist, parking attendant, etc.), and what

    information is required (e.g. visitor name, arrival date and duration of stay).

    5.3.2.2 Escorting

    An individual who has a standard badge and authorization to enter the areas to be

    visited must escort visitors.

    Are there different ratios of visitor to escort that apply in different areas, e.g.

    administrative offices vs. laboratories? Are visitors allowed on site only during certain

    hours? Are there certain areas where an escort is unnecessary?

     9

5.4 Foreign Nationals

    Foreign nationals from countries the US Secretary of State has determined to be supporters of international terrorism will not be approved for escorted or unescorted access into Select Agent areas.

    5.5 Badging

     “Standard” badges will be issued to all employees and contractors. Visitors will be issued a distinct visitor badge. The name of the individual, name of facility, picture of the individual (for standard badges), and expiration date will be included on the badge.

    This section should accurately describe what features are included in the both the standard badge and the visitor badge, e.g. types of information, electronic access control (usually on standard badges), etc. This section should describe how long the badges are valid, e.g. 5 years for employees and contractors, or limited to the duration of stay for the visitor. It should describe any exceptions to wearing a badge (e.g. in laboratories, or under other conditions, where safety might be compromised). It should also describe the procedure an employee with a standard badge follows if his/her badge is forgotten, lost or stolen.

    6 Material Control and Accountability

    For the purposes of this section, “material” refers to repository stocks of Select Agents. Clinical

    samples and working stocks are not included.

    6.1 Material Control

    All Select Agent materials are associated with specific laboratories, which are identified by campus (if there are multiple campuses of the facility), building number, floor, and room

    number. When materials are stored, the container (such as a freezer, refrigerator, or vault) is locked to restrict access.

    Laboratory inventory is checked on an as-needed basis to confirm that records correspond to actual materials. Any discrepancies are reported to the RO. The inventory review may be initiated by the laboratory staff, or by request from the RO.

    Any change to the association of a material with a laboratory is considered a material “transfer,” and is subject to the provisions of the Material Transfer Security section. Inventory

    records must be consistent with transfer operations.

    Testing, diagnostic, and clinical samples are not controlled as part of the material inventory. Nevertheless, when isolates have been identified in clinical or diagnostic material as Select Agents, and those isolates are kept for future use, the isolates are added to material inventory as soon as they are stored.

    Non-inventory samples that may contain Select Agent material must be destroyed as soon as they are no longer needed. When inventoried material is destroyed, however, the inventory record is updated accordinglythe record is not deleted.

    6.2 Accountability

    Within each laboratory that uses or stores Select Agents, an accountable scientist maintains material inventory records, monitors the usage of materials, and oversees access to the materials. That accountable scientist is the contact person for the RO for any matters concerning the associated materials. The accountable scientist is usually a principal investigator or senior research scientist who normally works with the materials, and may be the Select Agent Supervisor, or someone designated by the Select Agent Supervisor. If a laboratory works with more than one Select Agent, that laboratory may have separate accountable scientists for each agent. An accountable scientist may have a backup person, but otherwise the accountability is restricted to one individual. The accountable scientist

     10

Report this document

For any questions or suggestions please email
cust-service@docsford.com