Generic Select Agent Biosecurity Plan Template
Generic text that may be appropriate to include in a facility’s biosecurity plan is included below.
Guidance on facility-specific information that should be included is provided in italicized text.
What is the goal of this plan? To whom does it apply? Indicate that it demonstrates compliance
with specific federal regulations, such as 42 CFR 73, 9 CFR 121, or 7 CFR 331, and that it
describes the full spectrum of measures taken to achieve graded protection of Select Agents
(which should be defined in this introduction as a term used in this plan to refer to all CFR-
regulated pathogens and toxins) against theft and sabotage. Indicate whether a single approach
is being taken to secure all Select Agents at the facility or whether Moderate Risk and High Risk
agents are being addressed separately (while still complying with all Federal regulations).
2 Roles and Responsibilities
The roles and responsibilities included in this section are not all-inclusive but are intended to
represent those functions related to implementation of the CFR requirements.
2.1 Responsible Official
The Responsible Official is an official authorized to ensure that the requirements of the CFRs
are met. These requirements include developing and implementing this Biosecurity Plan.
The Responsible Official (RO) will review this Plan annually and after any incident.
2.2 Alternate Responsible Official
The Alternate Responsible Official is an official authorized to act for the Responsible Official
when the RO is unavailable.
2.3 Select Agent Supervisor
Select Agent Supervisors are individuals who are responsible for directing a project or
program. Each Select Agent project or program is overseen by a Select Agent Supervisor,
who is responsible for the scientific and technical direction of that project or program, and
who has task authority over individuals who have permission to use Select Agents. Select
Agent Supervisors are responsible for:
• Adopting the Biosecurity Plan procedures and ensuring that all personnel within their
charge who have access to Select Agents familiarize themselves with the contents of
the Plan and obtain biosecurity training annually
• Reporting Select Agent transfers, destruction, and inventory anomalies to the RO
• Requesting the RO to make Select Agent access authorization changes (See also
• Providing the RO with any non-electronic visitor logs upon request
• Requesting changes to personnel access authorization
• Providing the RO with an up-to-date Select Agent registration packet.
2.4 Accountable Scientist
The accountable scientist, who may be a Select Agent Supervisor and/or a Principal
Investigator, is responsible for Select Agent material control and accountability and Select
Agent material transfers, as described in Sections 6 and 7.
2.5 Security Force
If a security force is employed, what is the nature of its responsibilities?
2.6 Local Police
If applicable, what is the nature of the local police force responsibilities under a Memorandum
of Understanding (MOU)?
2.7 Specialty Personnel
Specialty personnel may be employed by larger facilities. These may include Security
Specialists who work in a Security Operations Center where an intrusion detection system is
monitored, Physical Security Department Personnel, and Counterintelligence Personnel.
Roles and responsibilities for these personnel should be spelled out in this portion of the
2.8 Personnel Security
The Personnel Security Division is responsible for initiating and monitoring necessary
background screening and, often, for evaluating the results.
2.9 Badge Office
Badge Office Personnel are responsible for issuing and managing badges for regular and
2.10 Information and Network Security
Information and network security personnel include:
• The Chief Information Security Officer is responsible for network and information
security policy for the facility;
• The Center and Division Information Technology Officers are responsible for
ensuring their respective network segments and information protection systems are
implemented according to policy and that personnel are adequately trained on
information and network security; and
• System/Network Administrators are responsible for maintaining the system security,
updating hardware and software, and responding to network intrusions.
2.11 Individuals with Select Agent Access Authorization
In addition to their other duties, individuals with Select Agent access authorization
are responsible for:
• Protecting Select Agents while in their physical possession
• Protecting information related to Select Agents, while in their physical possession, in
the context of verbal or electronic communication, and when storing it.
• Following all security-related procedures related to Select Agents, including those
that apply to hosting and escorting procedures for visitors (See Sections 5.8 and 5.9)
• Reporting incidents and/or breaches in security to the appropriate Select Agent
Supervisor and RO.
3 Basis for Biosecurity Program
3.1 Risk Assessment
This security plan reflects a risk management process in which assets and possible
adversary actions (threats) are defined, and the resulting undesired events are evaluated
based on their security risk. The risk assessment is an evaluation of the potential an
adversary possesses to successfully execute an undesired event and the subsequent
consequences. It establishes the set of risks a facility faces and presents them in ranked
order so that the facility management may decide which risks will be protected against or
mitigated and which risks will not. The security plan is based on this defined security risk
posture, and demonstrates how the facility achieves protection and mitigation through a
combination of security system design and incident response planning.
3.2 Graded Protection
Different assets require different levels of protection, accountability, and controls. The
highest level of protection is given to the primary assets whose loss, theft, compromise,
and/or unauthorized use will most seriously affect the national security, and/or the health and
safety of employees, the public, the environment, or mission; e.g., High Risk pathogens.
Slightly less protection is given to those secondary assets that may represent a Moderate
Risk or that may assist an adversary in gaining access to, or diverting, a primary asset.
Tertiary assets include operational assets and require somewhat less protection than the
secondary assets. In this manner, the security system is designed to have graded levels,
with the highest risk assets receiving the highest level of protection, and security increasing
gradually as one moves physically closer to the asset.
What types of assets would be considered Primary, Secondary and Tertiary at this facility?
3.3.1 Select Agents
Select Agents are those agents and toxins that have the potential to pose a severe threat
to human, animal, or plant health, or to plant and animal products as defined by the CFRs.
Which Select Agents does the facility possess?
3.3.2 Sensitive Information
Sensitive information is information that is too sensitive to be released to the public or to
anyone who does not have an official purpose that requires him/her to hear, view, or
have possession of the information (i.e., a need to know). Sensitive information is
protected from unauthorized access and from disclosure under the Freedom of
Information Act. See Section 8 for details on protecting sensitive information.
Sensitive information includes information related to the Select Agents, security-related
information, and human resources information specific to those individuals who work with
3.3.2.1 Select Agent Information
The following examples of sensitive information include, but are not limited to, the
Select Agent records the Responsible Official is required to maintain:
• Select Agent information related to records described in the CFRs as:
   o A current list of all individuals with access to Select Agents;
   o Training records for individuals with access to Select Agents;
   o Select Agent inventory records (including source and characterization
   data as well as any anomalies);
   o Permits and transfer documents (CDC Form EA 101 and/or APHIS Form
   o Visitor logs for laboratories containing Select Agents;
• Databases containing security and Select Agent information
• Documentation associated with experimental data or other data that has
been restricted by the facility’s review and approval process
3.3.2.2 Security Related Information
The following examples of sensitive information include, but are not limited to, the
security related records the Responsible Official is required to maintain:
• Security information related to the records described in the CFRs:
   o Security records (e.g., transactions from automated access control
   systems, testing and maintenance of security systems, visitor logs);
   o Containment and security incident reports;
   o Biosecurity Plan
• Details of facility description and blueprints especially as related to Limited
and Exclusion Area designations and protection measures
• Details of vulnerabilities of those facilities that handle Select Agents and/or
• Details of physical security (e.g., drawings and descriptions of security
hardware and software systems)
• Details of computer systems and procedures
• Security procedures
• Badge design information
• Security system performance test results and audit results
• Incident reports and disciplinary actions
• Response force contracts and results of response force exercises
3.3.2.3 Human Resource Information
Human resource information includes all information about personnel who work with
or have access to Select Agents. This information includes:
• Home contact information
• Listings of family members
• Financial information
• Background investigation results
3.3.3 Critical Operational Assets
Critical operational assets are those that may cause significant work delays or financial
impact if destroyed or are directly involved in the security associated with High Risk
Provide a list of the critical operational assets with a brief description of each.
3.4 Threat Definition
The insider threat category includes a single, non-violent person with authorized access
inside the facility. The insider is considered to be any person granted unescorted access
to any portion of an Exclusion or Limited Area (see Sections 4.2 and 4.3 for further details
on these areas). The intent of a malevolent insider is to steal, destroy, or release a
Moderate or High Risk agent, or to steal or destroy other high consequence assets at
[facility name] without detection. The insider would be expected to abort any theft
attempt to avoid identification. Authorized access affords this person extensive knowledge of the facility and operating systems. The insider has the opportunity to choose the best time to commit a malevolent act.
Outside adversaries can employ force, stealth, and deceit tactics to achieve their goals. Using force, the adversary makes no attempt to conceal acts or intention; the adversary simply overwhelms the system and personnel. Using stealth, the adversary attempts to enter the facility undetected to accomplish his goal. An adversary using deceit will attempt to accomplish his goal under the guise of authorized access through the use of forged credentials or other methods. Obviously, a sophisticated and well-trained adversary could employ a combination of all three tactics in order to steal, destroy, or release a defined asset. The outsider has access to only publicly available information and may be equipped with hand tools, may be armed, and may resort to violence (but is not suicidal).
3.5 Protection Strategy
3.5.1 Insider Protection
Traditional physical protection measures, personnel security programs, strict escorting rules, and material control and accountability procedures are the basic elements of the security strategy for protection against a malevolent insider. Of increased importance, given the difficulty with pathogen accountability, is the reliance that must be placed on employees and others with access to the pathogens. Stand-off detection technologies do not exist for biological agents, and inventory control systems will not necessarily reveal when material has been stolen or diverted. Thus, the insider threat is a daunting problem for biological research laboratories.
It is very difficult for a physical security system to prevent the theft or diversion of microorganisms by insiders. Therefore, it is paramount that biological research facilities do everything possible to ensure that those who have access to dangerous pathogens and toxins are reliable and trustworthy.
It should be noted that foreign nationals cannot be investigated as thoroughly as US citizens until the foreign national has resided in the US for the number of years that the investigation will cover. Until this point in time is reached, foreign nationals holding positions requiring a background investigation will represent a relatively greater risk than US citizens. Collusion is protected against in the same manner as any other insider threat.
3.5.2 Outsider Protection
The strategy to protect against an outsider is to detect unauthorized access, through likely avenues of approach, to the biosafety containment labs or other areas where critical assets are located. Detection must be done in a timely manner and response forces summoned. These response forces may be private security forces or local law enforcement. When local law enforcement is employed, it is important to have a Memorandum of Understanding in place that outlines the conditions under which local law enforcement will respond, the response time that may be expected, and the protocol to follow once law enforcement arrives on site (due to possible biological containment issues).
The approach often used to achieve timely detection is to concentrate security upgrades at the physical locations where the pathogens or other critical assets are kept, and to control access to these locations.
4 Physical Security
The physical security system limits access into defined security areas to authorized individuals
with a valid need for access.
4.1 Property Protection Areas
A Property Protection Area is