Generic Biosecurity Plan Outline

By Paul Baker, 2014-06-17 17:47

Generic Select Agent Biosecurity Plan Template

Generic text that may be appropriate to include in a facility's biosecurity plan is included below.

Guidance on facility-specific information that should be included is provided in italicized text.

1 Introduction

What is the goal of this plan? To whom does it apply? Indicate that it demonstrates compliance with specific federal regulations, such as 42 CFR 73, 9 CFR 121, or 7 CFR 331, and that it describes the full spectrum of measures taken to achieve graded protection of Select Agents (which should be defined in this introduction as a term used in this plan to refer to all CFR-regulated pathogens and toxins) against theft and sabotage. Indicate whether a single approach is being taken to secure all Select Agents at the facility or whether Moderate Risk and High Risk agents are being addressed separately (while still complying with all Federal regulations).

2 Roles and Responsibilities

The roles and responsibilities included in this section are not all-inclusive but are intended to represent those functions related to implementation of the CFR requirements.

2.1 Responsible Official

The Responsible Official is an official authorized to ensure that the requirements of the CFRs are met. These requirements include developing and implementing this Biosecurity Plan. The Responsible Official (RO) will review this Plan annually and after any incident.

2.2 Alternate Responsible Official

The Alternate Responsible Official is an official authorized to act for the Responsible Official when the RO is unavailable.

2.3 Select Agent Supervisor

Select Agent Supervisors are individuals who are responsible for directing a project or program. Each Select Agent project or program is overseen by a Select Agent Supervisor, who is responsible for the scientific and technical direction of that project or program, and who has task authority over individuals who have permission to use Select Agents. Select Agent Supervisors are responsible for:

- Adopting the Biosecurity Plan procedures and ensuring that all personnel within their charge who have access to Select Agents familiarize themselves with the contents of the Plan and obtain biosecurity training annually
- Reporting Select Agent transfers, destruction, and inventory anomalies to the RO
- Requesting the RO to make Select Agent access authorization changes (see also Section 4.6.5)
- Providing the RO with any non-electronic visitor logs upon request
- Requesting changes to personnel access authorization
- Providing the RO with an up-to-date Select Agent registration packet.

2.4 Accountable Scientist

The accountable scientist, who may be a Select Agent Supervisor and/or a Principal Investigator, is responsible for Select Agent material control and accountability and Select Agent material transfers, as described in Sections 6 and 7.

2.5 Security Force

If a security force is employed, what is the nature of its responsibilities?

2.6 Local Police

If applicable, what is the nature of the local police force responsibilities under a Memorandum of Understanding (MOU)?

2.7 Specialty Personnel

Specialty personnel may be employed by larger facilities. These may include Security Specialists who work in a Security Operations Center where an intrusion detection system is monitored, Physical Security Department Personnel, and Counterintelligence Personnel. Roles and responsibilities for these personnel should be spelled out in this portion of the security plan.

2.8 Personnel Security

The Personnel Security Division is responsible for initiating and monitoring necessary background screening and often, for evaluating the results.

2.9 Badge Office

Badge Office Personnel are responsible for issuing and managing badges for regular and visiting personnel.

2.10 Information and Network Security

Information and network security personnel include:

- The Chief Information Security Officer is responsible for network and information security policy for the facility;
- The Center and Division Information Technology Officers are responsible for ensuring their respective network segments and information protection systems are implemented according to policy and that personnel are adequately trained on information and network security; and
- System/Network Administrators are responsible for maintaining the system security, updating hardware and software, and responding to network intrusions.

2.11 Individuals with Select Agent Access Authorization

In addition to other duties individuals have, individuals with Select Agent access authorization are responsible for:

- Protecting Select Agents while in their physical possession
- Protecting information related to Select Agents, while in their physical possession, in the context of verbal or electronic communication, and when storing it
- Following all security-related procedures related to Select Agents, including those that apply to hosting and escorting procedures for visitors (see Sections 5.8 and 5.9)
- Reporting incidents and/or breaches in security to the appropriate Select Agent Supervisor and RO.

3 Basis for Biosecurity Program

3.1 Risk Assessment

This security plan reflects a risk management process in which assets and possible adversary actions (threats) are defined, and the resulting undesired events are evaluated based on their security risk. The risk assessment is an evaluation of the potential an adversary possesses to successfully execute an undesired event and the subsequent consequences. It establishes the set of risks a facility faces and presents them in ranked order so that the facility management may decide which risks will be protected against or mitigated and which risks will not. The security plan is based on this defined security risk posture, and demonstrates how the facility achieves protection and mitigation through a combination of security system design and incident response planning.

3.2 Graded Protection

Different assets require different levels of protection, accountability, and controls. The highest level of protection is given to the primary assets whose loss, theft, compromise, and/or unauthorized use will most seriously affect the national security, and/or the health and safety of employees, the public, the environment, or mission; e.g., High Risk pathogens. Slightly less protection is given to those secondary assets that may represent a Moderate Risk or that may assist an adversary in gaining access to, or diverting, a primary asset. Tertiary assets include operational assets and require somewhat less protection than the secondary assets. In this manner, the security system is designed to have graded levels, with the highest risk assets receiving the highest level of protection, and security increasing gradually as one moves physically closer to the asset.

What types of assets would be considered Primary, Secondary and Tertiary at this facility?

3.3 Assets

3.3.1 Select Agents

Select Agents are those agents and toxins that have the potential to pose a severe threat to human, animal, or plant health, or to plant and animal products as defined by the CFRs.

Which Select Agents does the facility possess?

3.3.2 Sensitive Information

Sensitive information is information that is too sensitive to be released to the public or to anyone who does not have an official purpose that requires him/her to hear, view, or have possession of the information (i.e., a need to know). Sensitive information is protected from unauthorized access and from disclosure under the Freedom of Information Act. See Section 8 for details on protecting sensitive information.

Sensitive information includes information related to the Select Agents, security-related information, and human resources information specific to those individuals who work with Select Agents.

3.3.2.1 Select Agent Information

The following examples of sensitive information include, but are not limited to, the Select Agent records the Responsible Official is required to maintain:

- Select Agent information related to records described in the CFRs as:
  - A current list of all individuals with access to Select Agents;
  - Training records for individuals with access to Select Agents;
  - Select Agent inventory records (including source and characterization data as well as any anomalies);
  - Permits and transfer documents (CDC Form EA 101 and/or APHIS Form 2041);
  - Visitor logs for laboratories containing Select Agents;
- Databases containing security and Select Agent information
- Documentation associated with experimental data or other data that has been restricted by the facility's review and approval process

3.3.2.2 Security Related Information

The following examples of sensitive information include, but are not limited to, the security related records the Responsible Official is required to maintain:

- Security information related to the records described in the CFRs:
  - Security records (e.g., transactions from automated access control systems, testing and maintenance of security systems, visitor logs);
  - Containment and security incident reports;
  - Biosecurity Plan
- Details of facility description and blueprints, especially as related to Limited and Exclusion Area designations and protection measures
- Details of vulnerabilities of those facilities that handle Select Agents and/or sensitive information
- Details of physical security (e.g., drawings and descriptions of security hardware and software systems)
- Details of computer systems and procedures
- Security procedures
- Badge design information
- Security system performance test results and audit results
- Incident reports and disciplinary actions
- Response force contracts and results of response force exercises

3.3.2.3 Human Resource Information

Human resource information includes all information about personnel who work with or have access to Select Agents. This information includes:

- Home contact information
- Listings of family members
- Financial information
- Background investigation results

3.3.3 Critical Operational Assets

Critical operational assets are those that may cause significant work delays or financial impact if destroyed or are directly involved in the security associated with High Risk Agents.

Provide a list of the critical operational assets with a brief description of each.

3.4 Threat Definition

3.4.1 Insider

The insider threat category includes a single, non-violent person with authorized access inside the facility. The insider is considered to be any person granted unescorted access to any portion of an Exclusion or Limited Area (see Sections 4.2 and 4.3 for further details on these areas). The intent of a malevolent insider is to steal, destroy, or release a Moderate or High Risk agent, or to steal or destroy other high consequence assets at [facility name] without detection. The insider would be expected to abort any theft attempt to avoid identification. Authorized access affords this person extensive knowledge of the facility and operating systems. The insider has the opportunity to choose the best time to commit a malevolent act.

3.4.2 Outsider

Outside adversaries can employ force, stealth, and deceit tactics to achieve their goals. Using force, the adversary makes no attempt to conceal acts or intention; the adversary simply overwhelms the system and personnel. Using stealth, the adversary attempts to enter the facility undetected to accomplish his goal. An adversary using deceit will attempt to accomplish his goal under the guise of authorized access through the use of forged credentials or other methods. Obviously, a sophisticated and well-trained adversary could employ a combination of all three tactics in order to steal, destroy, or release a defined asset. The outsider has access to only publicly available information and may be equipped with hand tools, may be armed, and may resort to violence (but is not suicidal).

3.5 Protection Strategy

3.5.1 Insider Protection

Traditional physical protection measures, personnel security programs, strict escorting rules, and material control and accountability procedures are the basic elements of the security strategy for protection against a malevolent insider. Of increased importance, given the difficulty with pathogen accountability, is the reliance that must be placed on employees and others with access to the pathogens. Stand-off detection technologies do not exist for biological agents, and inventory control systems will not necessarily reveal when material has been stolen or diverted. Thus, the insider threat is a daunting problem for biological research laboratories.

It is very difficult for a physical security system to prevent the theft or diversion of microorganisms by insiders. Therefore, it is paramount that biological research facilities do everything possible to ensure that those who have access to dangerous pathogens and toxins are reliable and trustworthy.

It should be noted that foreign nationals cannot be investigated as thoroughly as US citizens until the foreign national has resided in the US for the number of years that the investigation will cover. Until this point in time is reached, foreign nationals holding positions requiring a background investigation will represent a relatively greater risk than US citizens. Collusion is protected against in the same manner as any other insider threat.

3.5.2 Outsider Protection

The strategy to protect against an outsider is to detect unauthorized access, through likely avenues of approach, to the biosafety containment labs or other areas where critical assets are located. Detection must be done in a timely manner and response forces summoned. These response forces may be private security forces or local law enforcement. When local law enforcement is employed, it is important to have a Memorandum of Understanding in place that outlines the conditions under which local law enforcement will respond, the response time that may be expected, and the protocol to follow once law enforcement arrives on site (due to possible biological containment issues).

The approach often used to achieve timely detection is to concentrate security upgrades at the physical locations where the pathogens or other critical assets are kept, and to control access to these locations.

4 Physical Security

The physical security system limits access into defined security areas to authorized individuals with a valid need for access.

4.1 Property Protection Areas

A Property Protection Area is