Generic Select Agent Biosecurity Plan Template
Generic text that may be appropriate to include in a facility’s biosecurity plan is included below.
Guidance on facility-specific information that should be included is provided in italicized text.
What is the goal of this plan? To whom does it apply? Indicate that it demonstrates compliance
with specific federal regulations, such as 42 CFR 73, 9 CFR 121, or 7 CFR 331, and that it
describes the full spectrum of measures taken to achieve graded protection of Select Agents
(which should be defined in this introduction as a term used in this plan to refer to all CFR-
regulated pathogens and toxins) against theft and sabotage. Indicate whether a single approach
is being taken to secure all Select Agents at the facility or whether Moderate Risk and High Risk
agents are being addressed separately (while still complying with all Federal regulations).
2 Roles and Responsibilities
The roles and responsibilities included in this section are not all-inclusive but are intended to
represent those functions related to implementation of the CFR requirements.
2.1 Responsible Official
The Responsible Official is an official authorized to ensure that the requirements of the CFRs
are met. These requirements include developing and implementing this Biosecurity Plan.
The Responsible Official (RO) will review this Plan annually and after any incident.
2.2 Alternate Responsible Official
The Alternate Responsible Official is an official authorized to act for the Responsible Official
when the RO is unavailable.
2.3 Select Agent Supervisor
Select Agent Supervisors are individuals who are responsible for directing a project or
program. Each Select Agent project or program is overseen by a Select Agent Supervisor,
who is responsible for the scientific and technical direction of that project or program, and
who has task authority over individuals who have permission to use Select Agents. Select
Agent Supervisors are responsible for:
? Adopting the Biosecurity Plan procedures and ensuring that all personnel within their
charge who have access to Select Agents familiarize themselves with the contents of
the Plan and obtain biosecurity training annually
? Reporting Select Agent transfers, destruction, and inventory anomalies to the RO
? Requesting the RO to make Select Agent access authorization changes (See also
? Providing the RO with any non-electronic visitor logs upon request
? Requesting changes to personnel access authorization
? Providing the RO with an up-to-date Select Agent registration packet.
2.4 Accountable Scientist
The accountable scientist, who may be a Select Agent Supervisor and/or a Principal
Investigator, is responsible for Select Agent material control and accountability and Select
Agent material transfers, as described in Sections 6 and 7.
2.5 Security Force
If a security force is employed, what is the nature of its responsibilities?
2.6 Local Police
If applicable, what is the nature of the local police force responsibilities under a Memorandum
of Understanding (MOU)?
2.7 Specialty Personnel
Specialty personnel may be employed by larger facilities. These may include Security
Specialists who work in a Security Operations Center where an intrusion detection system is
monitored, Physical Security Department Personnel, and Counterintelligence Personnel.
Roles and responsibilities for these personnel should be spelled out in this portion of the
2.8 Personnel Security
The Personnel Security Division is responsible for initiating and monitoring necessary
background screening and often, for evaluating the results.
2.9 Badge Office
Badge Office Personnel are responsible for issuing and managing badges for regular and
2.10 Information and Network Security
Information and network security personnel include:
? The Chief Information Security Officer is responsible for network and information
security policy for the facility; and
? The Center and Division Information Technology Officers are responsible for
ensuring their respective network segments and information protection systems are
implemented according to policy and that personnel are adequately trained on
information and network security.
? System/Network Administrators are responsible for maintaining the system security,
updating hardware and software, and responding to network intrusions. 2.11 Individuals with Select Agent Access Authorization
In addition to other duties individuals have, individuals with Select Agent access authorization
are responsible for:
? Protecting Select Agents while in their physical possession
? Protecting information related to Select Agents, while in their physical possession, in
the context of verbal or electronic communication, and when storing it.
? Following all security-related procedures related to Select Agents, including those
that apply to hosting and escorting procedures for visitors (See Sections 5.8 and 5.9)
? Reporting incidents and/or breaches in security to the appropriate Select Agent
Supervisor and RO.
3 Basis for Biosecurity Program
3.1 Risk Assessment
This security plan reflects a risk management process in which assets and possible
adversary actions (threats) are defined, and the resulting undesired events are evaluated
based on their security risk. The risk assessment is an evaluation of the potential an
adversary possesses to successfully execute an undesired event and the subsequent
consequences. It establishes the set of risks a facility faces and presents them in ranked
order so that the facility management may decide which risks will be protected against or
mitigated and which risks will not. The security plan is based on this defined security risk
posture, and demonstrates how the facility achieves protection and mitigation through a
combination of security system design and incident response planning.
3.2 Graded Protection
Different assets require different levels of protection, accountability, and controls. The
highest level of protection is given to the primary assets whose loss, theft, compromise,
and/or unauthorized use will most seriously affect the national security, and/or the health and
safety of employees, the public, the environment, or mission; e.g. High Risk pathogens.
Slightly less protection is given to those secondary assets that may represent a Moderate
Risk or that may assist an adversary in gaining access to, or diverting, a primary asset.
Tertiary assets include operational assets and require somewhat less protection then the
secondary assets. In this manner, the security system is designed to have graded levels,
with the highest risk assets receiving the highest level of protection, and security increasing
gradually as one moves physically closer to the asset.
What types of assets would be considered Primary, Secondary and Tertiary at this facility?
3.3.1 Select Agents
Select Agents are those agents and toxins that have the potential to pose a severe threat
to human, animal, or plant health, or to plant and animal products as defined by the CFRs.
Which Select Agents does the facility possess?
3.3.2 Sensitive Information
Sensitive information is information that is too sensitive to be released to the public or to
anyone who does not have an official purpose that requires him/her to hear, view, or
have possession of the information (i.e., a need to know). Sensitive information is
protected from unauthorized access and from disclosure under the Freedom of
Information Act. See Section 8 for details on protecting sensitive information.
Sensitive information includes information related to the Select Agents, security-related
information, and human resources information specific to those individuals who work with
18.104.22.168 Select Agent Information
The following examples of sensitive information include, but are not limited to, the
Select Agent records the Responsible Official is required to maintain:
? Select Agent information related to records described in the CFRs as:
o A current list of all individuals with access to Select Agents;
o Training records for individuals with access to Select Agents;
o Select Agent inventory records (including source and characterization
data as well as any anomalies);
o Permits and transfer documents (CDC Form EA 101 and/or APHIS Form
o Visitor logs for laboratories containing Select Agents;
? Databases containing security and Select Agent information
? Documentation associated with experimental data or other data that has
been restricted by the facility’s review and approval process
22.214.171.124 Security Related Information
The following examples of sensitive information include, but are not limited to, the
security related records the Responsible Official is required to maintain:
? Security information related to the records described in the CFRs:
o Security records (e.g., transactions from automated access control
systems, testing and maintenance of security systems, visitor logs);
o Containment and security incident reports;
o Biosecurity Plan
? Details of facility description and blueprints especially as related to Limited
and Exclusion Area designations and protection measures
? Details of vulnerabilities of those facilities that handle Select Agents and/or
? Details of physical security (e.g., drawings and descriptions of security
hardware and software systems)
? Details of computer systems and procedures
? Security procedures
? Badge design information
? Security system performance test results and audit results
? Incident reports and disciplinary actions
? Response force contracts and results of response force exercises
126.96.36.199 Human Resource Information
Human resource information includes all information about personnel who work with
or have access to Select Agents. This information includes:
? Home contact information
? Listings of family members
? Financial information
? Background investigation results
3.3.3 Critical Operational Assets
Critical operational assets are those that may cause significant work delays or financial
impact if destroyed or are directly involved in the security associated with High Risk
Provide a list of the critical operational assets with a brief description of each.
3.4 Threat Definition
The insider threat category includes a single, non-violent person with authorized access
inside the facility. The insider is considered to be any person granted unescorted access
to any portion of an Exclusion or Limited Area (see Sections 4.2 and 4.3 for further details
on these areas). The intent of a malevolent insider is to steal, destroy, or release a
Moderate or High Risk agent, or to steal or destroy other high consequence assets at
[facility name] without detection. The insider would be expected to abort any theft
attempt to avoid identification. Authorized access affords this person extensive knowledge of the facility and operating systems. The insider has the opportunity to choose the best time to commit a malevolent act.
Outside adversaries can employ force, stealth, and deceit tactics to achieve their goals. Using force, the adversary makes no attempt to conceal acts or intention; the adversary simply overwhelms the system and personnel. Using stealth, the adversary attempts to enter the facility undetected to accomplish his goal. An adversary using deceit will attempt to accomplish his goal under the guise of authorized access through the use of forged credentials or other methods. Obviously, a sophisticated and well-trained adversary could employ a combination of all three tactics in order to steal, destroy, or release a defined asset. The outsider has access to only publicly available information and may be equipped with hand tools, may be armed, and may resort to violence (but is not suicidal).
3.5 Protection Strategy
3.5.1 Insider Protection
Traditional physical protection measures, personnel security programs, strict escorting rules, and material control and accountability procedures are the basic elements of the security strategy for protection against a malevolent insider. Of increased importance, given the difficulty with pathogen accountability, is the reliance that must be placed on employees and others with access to the pathogens. Stand-off detection technologies do not exist for biological agents, and inventory control systems will not necessarily reveal when material has been stolen or diverted. Thus, the insider threat is a daunting problem for biological research laboratories.
It is very difficult for a physical security system to prevent the theft or diversion of microorganisms by insiders. Therefore, it is paramount that biological research facilities do everything possible to ensure that those who have access to dangerous pathogens and toxins are reliable and trustworthy.
It should be noted that foreign nationals cannot be investigated as thoroughly as US citizens until the foreign national has resided in the US for the number of years that the investigation will cover. Until this point in time is reached, foreign nationals holding positions requiring a background investigation will represent a relatively greater risk than US citizens. Collusion is protected against in the same manner as any other insider threat.
3.5.2 Outsider Protection
The strategy to protect against an outsider is to detect unauthorized access, through likely avenues of approach, to the biosafety containment labs or other areas where critical assets are located. Detection must be done in a timely manner and response forces summoned. These response forces may be private security forces or local law enforcement. When local law enforcement is employed, it is important to have a Memorandum of Understanding in place that outlines the conditions under which local law enforcement will respond, the response time that may be expected, and the protocol to follow once law enforcement arrives on site (due to possible biological containment issues).
The approach often used to achieve timely detection is to concentrate security upgrades at the physical locations where the pathogens or other critical assets are kept, and to control access to these locations.
4 Physical Security
The physical security system limits access into defined security areas to authorized individuals
with a valid need for access.
4.1 Property Protection Areas
A Property Protection Area is defined by the outer-most perimeter of the facility. This security area is established to protect against damage, destruction, and theft of facility-owned property.
What establishes the Property Protection Area (e.g. a perimeter fence)? What, if any, credentials are required to access the Property Protection Area?
What areas of the facility are Property Protection Areas? What assets are within this area? 4.2 Limited Areas
A Limited Area is a secured area, residing within the Property Protection Area, with barriers that identify its boundaries and encompass the designated space. The perimeter of a building often defines the boundaries of a Limited Area.
What physical security measures are in place? What credentials are required to access the Limited Area?
What areas of the facility are Limited Areas? What assets are within this area? 4.3 Exclusion Areas
An Exclusion Area, like a Limited Area, is a security area with barriers that identify its boundaries and encompass the designated space, further restricting access beyond the Limited Area. Laboratories or storage areas that contain Select Agents are often designated as Exclusion Areas.
What physical security measures are in place? What credentials are required to access the Exclusion Area?
What areas of the facility are Exclusion Areas? What assets are within this area? 4.4 Long-Term Select Agent Storage
Are there differences in which area select agents can be stored if they are in locked storage containers (e.g. freezers, refrigerators)? If so, include the locations here.
4.5 Security Operations
4.5.1 Access Hours
Does everyone have 24 hour access or do certain types of workers have access in
different “time zones?” e.g. Mon-Fri, 6 a.m – 6 p.m; Mon-Sun. 6 a.m. – 6 p.m.; or 24 by 7.
4.5.2 Visitor Logs
In what rooms/areas are visitors required to sign log books? What information must be
included? Does the escort also need to sign?
Who is authorized to park on site? Are there other parking restrictions, e.g. are private
vehicles restricted from loading dock areas? Do personal cars require a parking sticker
or placard? How is visitor parking handles?
“Tailgating” is the practice of one individual following another into an area that has been restricted with an electronic security device (e.g. a proximity card) without utilizing his or her own means for unlocking the door. Tailgating is prohibited into any Limited or
Exclusion Area. The term “tailgating” it is not used to describe the authorized entrance of individuals under escort, who follow additional escort/host procedures to insure
4.5.5 Access Changes
When an individual is re-assigned to an activity that does not require access to Select
Agents, requires access to different Select Agents, or is initiating access to Select Agents, his/her access control authorizations must be updated. The Responsible Official reports
any changes in Select Agent access to the CDC SAP/APHIS. The Responsible Official
will immediately notify CDC SAP/APHIS when an individual’s access to Select Agents is
terminated; the Responsible Official must explain to CDC SAP/APHIS the reasons for
terminating access. When an individual no longer needs access to a particular restricted
area, these changes are also documented and electronic access devices are updated.
4.5.6 Package Inspections
The CFRs require that all suspicious packages are inspected before they are brought into
or removed from the area where select agents or toxins are used or stored.
Include under this section details regarding the specifics of suspicious package
inspections: Is the inspection conducted in Shipping & Receiving? At the entrance of the
laboratory? What are they inspected for? leaks, damage, etc? Who conducts package
inspections? Employees should be suspicious of any mail that:
1. Is unexpected or from someone unfamiliar to you.
2. Is addressed to someone no longer with your organization or is otherwise
3. Has no return address, or has one that can't be verified as legitimate.
4. Is of unusual weight, given its size, or is lopsided or oddly shaped.
5. Is marked with restrictive endorsements, such as "Personal" or "Confidential."
6. Has protruding wires, strange odors, or stains.
7. Shows a city or state in the postmark that doesn't match the return address. If you come in contact with any mail you consider suspicious, whenever you see an
unattended or suspicious item on [the site name] properties, or if you receive a
suspicious package, do handle the item. Call one of the numbers below.
[emergency hot line phone number] if the situation appears to be an emergency, or [non-
emergency hot line phone number] if the situation appears to be a non-emergency.
Please be prepared to provide the location and description of the suspicious package.
While waiting for emergency response personnel to arrive, please follow the guidance
1. Do not handle the parcel or contents further.
2. Isolate the parcel or contents and move personnel from the immediate area.
3. Ensure that everyone who has come into contact with the parcel or contents
washes their hands thoroughly with soap and cold water.
5 Personnel Security
5.1 Position Risk Categories
5.1.1 Low Risk
Low risk positions are positions that involve duties with the potential for limited impact on
the agency or program mission or on the integrity and efficiency of the services provided.
188.8.131.52 Background Investigation
What types of personnel screening does the facility use for people in this category?
184.108.40.206 Job Categories
All [facility name] employees, contractors, and working visitors who do not fall into the
Moderate or High Risk categories are considered to hold Low Risk positions.
Personal and Casual Visitors are not given a risk designation.
What types of job categories at the facility are considered low risk? 5.1.2 Moderate Risk
Moderate risk positions are those positions with duties that are of considerable importance to the agency mission, with significant program or delivery of service responsibilities. Moderate risk is the position risk level for the majority of positions associated with Select Agents.
220.127.116.11 Background Investigations
Moderate risk positions typically receive a more comprehensive background
investigation than those in low risk positions. Sometimes, this is limited to the
additional requirement of the DOJ Risk Assessment, if this category is limited to
those who require access to Select Agents. These positions may also be subjected
to a periodic reinvestigation.
What types of personnel screening does the facility use for people in this category?
18.104.22.168 Job Categories
What types of job categories at the facility are considered low risk? 5.1.3 High Risk
High risk positions are those positions with duties that have a broad scope of
responsibility and authority, which are especially critical to the agency or program mission.
22.214.171.124 Background Investigations
High risk positions typically receive a more comprehensive background investigation,
and/or have a more restrictive authorization process. These positions may also be
subjected to a periodic reinvestigation.
What types of personnel screening does the facility use for people in this category?
126.96.36.199 Job Categories
What types of job categories at the facility are considered low risk?
If an employee has access to classified information, they are considered to hold a
high risk positions. Generally, those positions at the top of the executive ladder and
those in high level positions of the security staff or IT staff who have access to the
types of information that if released would make the facility vulnerable, are
considered high risk.
The Responsible Official must request renewal of the CDC SAP/APHIS access approval
every 5 years for as long as an individual needs access to Select Agents.
What position risk categories, if any, have background investigations that will be routinely
repeated on a periodic basis? What is the period between investigations?
5.3 Access Limitations
Those individuals who require access to Select Agents must have CDC SAP/APHIS
Are there any other access limitations in place for limited or exclusion areas? E.g. must
the background investigation be complete before an individual is allowed into an area
without an escort? Must an individual meet any other requirements before being granted
authorized access, e.g. yearly training? Immunizations?
Visitors include personnel from universities, contractors, students, research fellows,
visiting scientists, laboratory visitors, trades professionals, delivery personnel, etc. who,
due to the duration of stay or nature of the work performed on site, are not provided with
regular access to the facility. Visitors are escorted at all times in restricted (non-public)
areas by an individual who has a complete and approved background investigation,
access authorization, and a need-to-know. Visitors are expected to wear a visitor badge,
sign all visitor logs, remain with their escort, and follow all facility policies and procedures,
including the surrender of prohibited articles while on site.
Note: Facility/security managers may permit visitors to have unescorted access to restricted areas if the visitor is able to provide proof of an equivalent background
investigation as that required of regular staff, including CDC SAP/APHIS authorization
that has been processed by the facility’s RO for access at the facility, if appropriate, and
has legitimate business in these areas.
188.8.131.52 Host Responsibilities
Each visitor or group of visitors must have a host at the facility. The host must have
a standard badge. The host is responsible for informing the visitor of the relevant
policies and procedures, including access restrictions, prohibited articles, etc. The
host may escort the visitor, or arrange for a separate escort who also has a standard
badge and authorized escort into the areas to be visited.
Include any department or individual that requires advance notice of expected visitor
arrivals (e.g. Physical Security, receptionist, parking attendant, etc.), and what
information is required (e.g. visitor name, arrival date and duration of stay).
An individual who has a standard badge and authorization to enter the areas to be
visited must escort visitors.
Are there different ratios of visitor to escort that apply in different areas, e.g.
administrative offices vs. laboratories? Are visitors allowed on site only during certain
hours? Are there certain areas where an escort is unnecessary?
5.4 Foreign Nationals
Foreign nationals from countries the US Secretary of State has determined to be supporters of international terrorism will not be approved for escorted or unescorted access into Select Agent areas.
“Standard” badges will be issued to all employees and contractors. Visitors will be issued a distinct visitor badge. The name of the individual, name of facility, picture of the individual (for standard badges), and expiration date will be included on the badge.
This section should accurately describe what features are included in the both the standard badge and the visitor badge, e.g. types of information, electronic access control (usually on standard badges), etc. This section should describe how long the badges are valid, e.g. 5 years for employees and contractors, or limited to the duration of stay for the visitor. It should describe any exceptions to wearing a badge (e.g. in laboratories, or under other conditions, where safety might be compromised). It should also describe the procedure an employee with a standard badge follows if his/her badge is forgotten, lost or stolen.
6 Material Control and Accountability
For the purposes of this section, “material” refers to repository stocks of Select Agents. Clinical
samples and working stocks are not included.
6.1 Material Control
All Select Agent materials are associated with specific laboratories, which are identified by campus (if there are multiple campuses of the facility), building number, floor, and room
number. When materials are stored, the container (such as a freezer, refrigerator, or vault) is locked to restrict access.
Laboratory inventory is checked on an as-needed basis to confirm that records correspond to actual materials. Any discrepancies are reported to the RO. The inventory review may be initiated by the laboratory staff, or by request from the RO.
Any change to the association of a material with a laboratory is considered a material “transfer,” and is subject to the provisions of the Material Transfer Security section. Inventory
records must be consistent with transfer operations.
Testing, diagnostic, and clinical samples are not controlled as part of the material inventory. Nevertheless, when isolates have been identified in clinical or diagnostic material as Select Agents, and those isolates are kept for future use, the isolates are added to material inventory as soon as they are stored.
Non-inventory samples that may contain Select Agent material must be destroyed as soon as they are no longer needed. When inventoried material is destroyed, however, the inventory record is updated accordingly—the record is not deleted.
Within each laboratory that uses or stores Select Agents, an accountable scientist maintains material inventory records, monitors the usage of materials, and oversees access to the materials. That accountable scientist is the contact person for the RO for any matters concerning the associated materials. The accountable scientist is usually a principal investigator or senior research scientist who normally works with the materials, and may be the Select Agent Supervisor, or someone designated by the Select Agent Supervisor. If a laboratory works with more than one Select Agent, that laboratory may have separate accountable scientists for each agent. An accountable scientist may have a backup person, but otherwise the accountability is restricted to one individual. The accountable scientist