Download: docx | pdf

_{Security Plan Template}

_{(42 CFR § 73.11, 7 CFR § 331.11, and 9 CFR § 121.11)}

_{(March 2017)}

Centers for Disease Control and Prevention (CDC)

Division of Select Agents and Toxins (DSAT)

Animal and Plant Health Inspection Service (APHIS)

Agriculture Select Agent Services (AgSAS)

Instructions for Using the Security Plan Template

Please note that the Security Plan Template is not required by FSAP to be used by the entity. The purpose of this document is to facilitate creating a Security Plan that meets section 11 of Select Agent Regulations 7 CFR Part 331, 9 CFR Part 121, and 42 CFR Part 73. This document template is made purposely customizable to fit the specific needs of the entity.

Public reporting burden: Public reporting burden of this collection of information is estimated to average 30 minutes per response, including the time for reviewing instructions, searching existing data sources, gathering and maintaining the data needed, and completing and reviewing the collection of information. An agency may not conduct or sponsor, and a person is not required to respond to a collection of information unless it displays a currently valid OMB control number. Send comments regarding this burden estimate or any other aspect of this collection of information, including suggestions for reducing this burden to CDC/ATSDR Reports Clearance Officer; 1600 Clifton Road NE, MS D-74, Atlanta, Georgia 30329; ATTN: PRA (0920-0576).

Review and Approval

The Security Plan for this facility has been prepared with the intent of establishing and maintaining compliance with the Public Health Security and Bioterrorism Preparedness and Response Act of 2002 and 7 C.F.R. Part 331, 9 C.F.R. Part 121, and 42 C.F.R. Part 73. As required by the select agent regulations, this plan must be reviewed annually and updated, as needed. Lastly, the efficacy of this plan must be tested and evaluated with drills or exercises on an annual basis.

___________________________________________ __________________

Signature of Responsible Official Review Date

___________________________________________

Print Name

Annual Review Verification
VERIFICATION DATE	SIGNATURE
2017
2018
2019
2020
2021

Security Plan Leadership

Section 11(a): List the individuals who are responsible for developing and managing a security plan which is sufficient to safeguard select agents and toxins against unauthorized access, theft, loss, or release. This team will include the Responsible Official (RO) and may also include the Owner/Controller, CEO, Ranking Official, Department Chair and other senior leadership personnel, in addition to other individuals involved. Edit this table as necessary to suit the conditions of your entity’s organization.

Title	Name	Contact Information
Principal Investigator (PI)
Responsible Official (RO)
Alternate Responsible Official (ARO)
Security staff
Institutional Biosafety Committee
Laboratory Management

Security Plan Responsibilities

Describe the responsibilities of each individual involved in managing or supporting the security plan.

Title	Name	Contact Information
Principal Investigator (PI)
Responsible Official (RO)
Alternate Responsible Official (ARO)
Security staff
Institutional Biosafety Committee
Laboratory Management

Inventory Control

Section 11(c)(1): Describe how the entity accounts for any animals or plant intentionally or accidentally exposed to a select agent.

Section 11(c)(1): Describe how the entity keeps an accurate and current inventory for each select agent and toxin. Note that this includes both material in storage and working stock.

Section 11(c)(1): Describe how the entity labels and identifies select agents and toxins to ensure that the entity’s inventory is accurately reflected in inventory records.

Section 17(a): Describe how the entity accounts for and maintains inventory and inventory records. See the Inventory Audits section of the Security Guidance for more details.

Inventory Accountability Procedures
Select Agent Inventory
Select Toxin Inventory
Accountability of animals, including arthropods, accidentally exposed to a select agent (including final disposition)
Accountability of plants accidentally exposed to a select agent (including final disposition)

HHS Approval

Section 11(c)(7)Describe how you will allow access only to individuals with approval from the HHS Secretary or Administrator.

Section 11(c)(3): Describe how individuals not approved for access from the HHS Secretary or Administrator conducts routine cleaning, maintenance, repairs and other activities unrelated to select agents or toxins in a registered space without having access to select agents or toxins (e.g., escorted access to registered spaces).

Storage

Section 11(d)(3): Describe how freezers, refrigerators, cabinets, and other storage containers containing select agents and toxins are stored to secure them against unauthorized access.

Access Control

Describe how the entity limits access to personnel approved by the HHS Secretary of Administrator. Describe the control of access to select agents and toxins, including the safeguarding of animals, including arthropods, or plants intentionally or accidentally exposed to or infected with a select agent, against unauthorized access, theft, loss or release. If all registered areas within an entity have the same security features, then indicate so. If not, identify the features by each unique registered area.

Section 11(d)(1): Describe how you will allow access only to individuals with approval from the HHS Secretary or Administrator.

Section 11(c)(5): For entities with electronic access (card keys, biometrics), describe who manages access control and how they are notified when an individual has been granted access approval. Also, if there are electronic master keys, describe how they are controlled.

Section 11(c)(5): For entities with mechanical locks (even if dual locks with electronic readers), describe key control procedures. If the lock has a master key or facility master key, describe how that key is controlled as well.

Section 11(d)(6): Describe the policy ensuring that individuals with access refrain from sharing their unique means of accessing select agents and toxins (e.g. credentials, passwords, keycards).

Section 11(c)(5): For entities with key locks to freezers housing select agents or toxins, describe key control procedures.

Section 17(a)(x)(5): Describe how access is recorded.

Section 11(f)(4): If a person is employed as a barrier, describe procedures.

Equipment and Shared Space

Sections 10(a), 10(b), 11(c)(2)

Shared Equipment: If the registered space has equipment (e.g. incubators, centrifuges) that is shared between individuals doing non-select agent work, describe procedures which control access to the equipment when select agent work is being done. If they are locked, discuss key control procedures.

Autoclaves: If the autoclave is outside registered space, include procedures for autoclaving material.

Shared Space: If the space is shared, describe procedures which control access when used for select agents and toxins.

Swing Space: If the access to space is separated by time (swung) between select agent or toxin work and other work, describe procedures which control access when used for select agents and toxins. Also describe method of inactivating the space.

Unauthorized or Suspicious Persons

Section 11(c)(2): Describe how the entity addresses the removal of unauthorized or suspicious persons.

Section 11(c)(6): Describe how the entity addresses suspicious activity of a criminal nature.

RO Reporting

Sections 11(c)(6), (c)(8) and 11(d)(7): Describe the policy for reporting any of the following circumstances to the RO.

Circumstance	Reporting Policy
Any loss or compromise of keys, passwords, credentials, etc.
Any suspicious persons or activities
Any loss or theft of select agents or toxins
Any release of a select agent or toxin
Any sign that inventory or use records for select agents or toxins have been altered or otherwise compromised

Information Systems Security Control

Describe the policies for managing the entity’s information systems security control. Please see the Information Systems Security guidance for more information.

Describe in your plan how your laboratory addresses the security of electronic and hard copy data. If the entity has SOPs or policies which cover the requirements, they must be attached to this plan.

Section 11(c)(9)(i): Describe how all external connections to systems which manage security for the registered space are isolated or have controls that permit and monitor only authorized and authenticated users (e.g., external logins, “VPNs,” physically separate media, etc.)

Section 11(c)(9)(ii): Describe the controls which allow only authorized and authenticated users access to select agent and toxin related information, files, equipment (e.g., servers or mass storage devices) and applications as necessary to fulfill their roles and responsibilities.

Section 11(c)(9)(ii): Describe how access is modified when the user’s roles and responsibilities change or when their access to select agents and toxins is suspended or revoked.

Section 11(c)(9)(iii): Describe controls that are in place that are designed to prevent malicious code (such as, but not limited to, computer virus, worms, spyware) from compromising the confidentiality, integrity, or availability of information systems which manage access to registered spaces. This description should include any anti-virus software or security suite running on the systems. The security plan should also include if the network is isolated physically or virtually.

Section 11(c)(9)(iv): Describe configuration management practices for information systems to include regular patching and updates made to operating systems and individual applications. Describe how new software is approved and how patches are applied.

Section 11(c)(9)(v): Describe procedures that provide backup security measures in the event that access control systems, surveillance devices, and/or systems that manage the requirements of section 17 of the select agent regulations are rendered inoperable.

Shipping and Transfers

Section 11(c)(10): Describe the protocol for intra-entity transfers under the supervision of someone with access approval to select agents and toxins.

Section 11(d)(4): Describe the entity policy for inspecting suspicious packages before they are brought into or removed from areas containing select agents or toxins.

File Type	application/vnd.openxmlformats-officedocument.wordprocessingml.document
Author	Robinson-Holland, Danielle (CDC/OPHPR/DSAT) (CTR)
File Modified	0000-00-00
File Created	2021-01-20