Security Training For Select Agent Laboratories Applicable Regulations 42 CFR Part 73 (DHHS) 9 CFR 121 (APHIS) 7 CFR 331 (APHIS)
73.11 Security Plan n Written Plan: Individual clearance Training Inventory control & Record Keeping Physical Security Visitor Access Policies Cyber Security Notification and Reporting –suspicious events –compromised security –exposures, releases
Authorized individuals n DOJ registered “entity” personnel n Background check (FBI clearance) –restricted person criteria n Have direct access to Select Agents (SA’s) n Biohazard (BSL3) clearance from IBC BL3/Biosafety/BBP/Chemical Safety Security/Shipping/Observation (work practices)
Authorized individuals n Notify EHS of: –updates in lab staff (new, exiting staff) –disgruntled employees in lab (those authorized or with access to SA areas) –Suspicious behaviour –restrict access/change locks
Visitor Access Policy to SA areas n Notify the EHS before bringing in guests n Training prior to entry n Escorted at all times in SA areas n Service work cleared before escorted entry n Record of entry/exit and escort name
SA Inventories (Log/checkbook) n For each SA: –Agent name, characteristics, source data –qty held on date of 1st inventory –qty acquired, source, date of acquisition –qty, volume or mass destroyed, and date of each action –qty used, date of use (toxins only) –qty transferred, transfer date, individuals involved –current qty held –Any SA lost, stolen, or unaccounted for Written explanation of any discrepancies –Records maintained by PI and EHS
Physical Security n Lock boxes n Locked freezers, incubators, animal cages, etc. n Locked Door –keycard access –each entry/exit recorded
Physical Security n Intrusion alarms –glass break –motion sensors –alarm activated camera –dead latch –hinged pins n High priority response areas –Security & Police
Cyber Security n Cyber Security Office n Firewalls n Passwords n Locked computer stations n Anti-virus programs n Prudent exchange of information
Notification & Reporting n Suspicious –people –activity –packages (in or out) n Immediately report to: –Local Police –Institutional Security –EHS Office
Notification & Reporting n Spills/releases n Loss of keys/ID’s n Theft or missing SA’s n Alteration of record n Immediately report to: –Local Police –Institutional Security –EHS Office
Notification of theft, loss, release n Theft/loss of SA –immediate notification to: HHS Secretary (APHIS) by phone, fax, or State law enforcement authorities Local law enforcement authorities –reported whether recovered or not, or responsible parties identified –Follow-up written report to HHS/APHIS w/in 7 days
Notification & Reporting n All Transfers –intra-facility –inter-facility –EHS, CDC, USDA approval –SA Form 2 n Final Destruction of SA’s –Provide notification to lead agency –May need to await federal approval
Records (maintained for 3 years) n For access to areas where SA’s used/stored name of each person who has accessed area date/time of entry - date/time individual left area Records of all entries to space of non approved persons and the authorized users who accompanied them –RO’s inspection records of SA locations (at least annually), list of authorized workers –Safety, security, emergency response plans –Training, transfer records –Safety, security incident reports
Penalties and Fines n Civil money penalites –$250,00 - $500,000 n Criminal Penalties – years in Prison