National Select Agent Registry phone numbers for APHIS (301-851-3300) and CDC (404-718-2000).
Last Updated: Monday, April 28, 2014

Security FAQ's

General

  1. Are security cameras required for compliance with the Select Agent Regulations?
  2. Can surveillance cameras be considered a security barrier or used in lieu of an escort to prevent access to a select agent or toxin?
  3. I am installing cameras, what's the best kind to get?
  4. Are personnel monitoring the surveillance cameras required to undergo a security risk assessment?
  5. What information will be required to address security provisions of the select agent regulations?
  6. What is an "Intrusion Detection System" (IDS)?
  7. Why would I want an IDS for my entity?
  8. What is meant by "reasonably afford access" in the provisions which states "All registered space or areas that reasonably afford access to the registered space must be protected by an intrusion detection system (IDS) unless physically occupied"?
  9. Is an IDS required for an emergency exit (break-out) door that has no external hardware (i.e., door handle) for entry?
  10. I have guards at the entrance 24/7. Do I need an 'intrusion detection system' at that entry point?
  11. What are the security requirements for shared space where Tier 1 BSAT are used or stored?

Physical Security

  1. Do the select agent regulations require any physical measures (i.e., cages, safes) to secure shipments containing select agents or toxins prior to being picked up by a commercial carrier to deliver to the intended recipients?
  2. Do a card reader and biometric scanner on the same door count as two different security barriers?
  3. What would be considered an acceptable third security barrier to separate individuals approved for work with Tier 1 agents from people who are not approved?
  4. Could you clarify the provision in Section 11(2) requiring the safeguarding of animals including arthropods, or plants intentionally or accidentally exposed to or infected with a select agent? And does "accidentally" include "naturally"?
  5. Is it sufficient to ensure the security system and cameras remain operative during a power outage by providing enough uninterruptable power source (UPS) resources?

Information Security

  1. Do IT personnel (e.g., network engineers/administrators that may have remote access to an inventory system, but no knowledge of inventory storage or database vs. application managers with direct access to inventory database/system, etc.) need to be listed on the APHIS/CDC Form 1?
  2. Should access to the entity's database that contains information about select agents and toxins be limited to only those individuals who have access approval from the Federal Select Agent Program?
  3. Regarding Section 11(c)(9)(i) of the select agent regulations, which states "ensure that all external connections to systems which manage security for registered space are isolated or have controls that permit only authorized and authenticated users"; does disconnection from the LAN during access control program changes meet the intent of this provision?
  4. What security measures should I have in place for our select agent database?
  5. For the provisions related to information security, which states "(i) Ensure that all external connections to systems which manage security for the registered space are isolated or have controls that permit only authorized and authenticated users; (ii) Ensure that authorized and authenticated users are only granted access to select agent and toxin related information, files, equipment (e.g., servers or mass storage devices) and applications as necessary to fulfill their roles and responsibilities, and that access is modified when the user's roles and responsibilities change or when their access to select agents and toxins is suspended or revoked," what constitutes "authenticated users?"
  6. Is the entity required by the select agent regulations to have a 15 minute response time for security forces or local police to protect information related to Tier 1 select agents and toxins?
  7. Why did the "Information Systems Security Control Guidance Document" not address Federal Information Security Management Act (FISMA) standards?
  8. Is my entity allowed to provide information required as part of grant application (i.e., National Institutes of Health or Department of Homeland Security funding) or will providing this information violate the select agent regulations?
  9. Should files containing select agent information sent by an entity to Federal Select Agent Program be encrypted?
  10. Review of the documentation provided on the select agent website suggests that the IT infrastructure used to work with select agent related data be limited to a single or few workstations. Our high throughput environment naturally focuses on a highly integrated approach using the internal network to communicate between the instruments with a centrally located Laboratory Information Management System (LIMS) as data hub. In regards to intrusion detection system software:
    1. For network security software (network firewalls, intrusion detection and prevention systems (IDPS)), which functionality is required as a minimum?
    2. Often antivirus and firewall applications offer a considerable overlap in terms of functionality with IDS solutions-especially if seen as a watchdog for unauthorized operation. Is AV software, such as Sophos, with an active agent monitoring memory usage and runtime behavior of programs sufficient as IDS as well?
    3. On the market there are either endpoint or network based solutions. Are they equally acceptable?
  11. Encryption – with our network communication we naturally use Transport Layer Security encryption for both device communication (web services) and user access (HTTPS) to protect the information exchanged over the network. With regard to local encryption we are in the process of determining a solution. If there is any doubt that information is sent over an unsecured network, encryption should be considered.
    1. What are the minimum requirements in terms of key length and algorithm?
    2. Is it possible to define what sets of information have to be safeguarded in what way and what operations are permissible on the data (e.g., a lab notebook describing an experiment with select agent without naming the location of the select agent is obviously less sensitive information than a list of the amounts and exact locations and access ways to actual select agent in storage)?
    3. When using encryption, either full drive or file based, in order to have a backup mode of access, is the use of a recovery agent permissible, who in addition to the system/file owner can decrypt the information?
  12. Authentication and authorized access
    1. What is the primary aim: limiting access to Select Agent (SA) data or even IT infrastructure involved in working with SA data?
    2. Can IT systems be used by those individuals who do not have access approval from the Federal Select Agent Program if access to select agent data is properly restricted (encryption and access control lists)?

General

  1. Are security cameras required for compliance with the Select Agent Regulations?

    Surveillance cameras are not required by the Select Agent regulations (42 CFR part 73, 9 CFR part 121 or 7 CFR part 331).

  2. Can surveillance cameras be considered a security barrier or used in lieu of an escort to prevent access to a select agent or toxin?

    Cameras are not a security barrier and are not an acceptable substitute for the escort required by Section 11 (Security). A surveillance camera can serve as an enhancement to the entity's security program (e.g., security monitoring device). The use of surveillance cameras as part of the entity security program should be documented in the security plan. The plan should address how cameras are used, how they are monitored, who monitors the cameras, and how information obtained through camera surveillance supports the security program.

  3. I am installing cameras, what's the best kind to get?

    If the entity determines that cameras are appropriate for its particular security needs, the entity should evaluate the available systems that meet that need. The Select Agent regulations do not contain recommendations for specific makes or models of cameras.

  4. Are personnel monitoring the surveillance cameras required to undergo a security risk assessment?

    It would depend on the individual's duties. If the individual monitoring the surveillance camera is able to access the select agent or toxin, the individual would need to undergo a security risk assessment. A registered entity may not provide an individual access to a select agent or toxin, and an individual may not access a select agent or toxin, unless the individual is approved by the HHS Secretary or APHIS Administrator, following a security risk assessment by the Attorney General. An individual will be deemed to have access at any point in time if the individual has possession of a select agent or toxin (e.g., ability to carry, use, or manipulate) or the ability to gain possession of a select agent or toxin. However, if the individual's duties are limited to only observing the camera feed and they will never be able to access the select agent or toxin, then the individual would not need to undergo a security risk assessment.

  5. What information will be required to address security provisions of the select agent regulations?

    Each entity must develop and implement a written security plan (9 CFR § 121.11, 7 CFR § 331.11, and 42 CFR § 73.11). The security plan must be sufficient to safeguard the select agent or toxin against unauthorized access, theft, loss, or release. The security plan must be designed according to a site-specific risk assessment and must provide graded protection in accordance with the risk of the select agent or toxin, given its intended use. A current security plan must be submitted for initial registration, renewal of registration, or when requested. The entity must review the plan annually and revise it as necessary. The entity must conduct drills and exercises annually to test and evaluate the effectiveness of the plan.

  6. What is an "Intrusion Detection System" (IDS)?

    An IDS is a system that consists of a sensor device which triggers an alarm when a security breach occurs and the alarm notifies a response force (e.g., police, guards, etc.) that will react to the alarm.

  7. Why would I want an IDS for my entity?

    As identified in the regulations, entities that possess Tier 1 biological select agents and toxins must determine that the response time for entity security forces or local police will not exceed 15 minutes, or must provide security barriers sufficient to delay unauthorized access until the response force arrives, in order to safeguard these materials from theft, intentional release, or unauthorized access. The response time is measured from the time of an intrusion alarm, or report of a security incident, to the arrival of the responders at the first security barrier. An IDS will help ensure a registered entity meets this demand. In addition, IDSs can be an inexpensive, flexible and effective means to enhance a security plan. Instead of investing in additional security barriers and locks, which can only further delay a threat, an entity may have a greater effect by investing in an IDS, which ensures a threat is detected and a response to this threat occurs.

  8. What is meant by "reasonably afford access" in the provisions which states "All registered space or areas that reasonably afford access to the registered space must be protected by an intrusion detection system (IDS) unless physically occupied"?

    "Reasonably afford access" applies to an entry way that allows access into and out of a registered space with at most minimal force. This primarily applies to emergency exits (with handles) or unused doors. Generally, if a person can get through a barrier without breaking anything (e.g., windows), it is deemed to "reasonably afford access."

  9. Is an IDS required for an emergency exit (break-out) door that has no external hardware (i.e., door handle) for entry?

    No, because it does not reasonably afford access into registered space (i.e., designed to allow exit only).

  10. I have guards at the entrance 24/7. Do I need an 'intrusion detection system' at that entry point?

    No. Since that entry point is "physically occupied," there is no requirement for an IDS. For additional guidance see Appendix V in the Security Guidance for Select Agent or Toxin Facilities document.

  11. What are the security requirements for shared space where Tier 1 BSAT are used or stored?

    Security requirements for shared areas depend on the access to the select agents and toxins. All personnel who have access to the Tier 1 BSAT must have gone through the entity’s pre-access suitability and be enrolled in the ongoing assessment program. Beyond that, it depends on the security parameters in place for the work or actions in progress at any given time. Below are six common scenarios and the corresponding personnel and physical security requirements.

    1. Actively working with Tier 1 BSAT and select agents and toxins simultaneously in the same contiguous registered area. An entity is conducting research using Tier 1 BSAT along with other work in a single registered suite.
      Personnel Requirements: All people with access to the agent within the suite/shared area have gone through the entity's pre-access suitability and are subject to on-going assessment.
      Physical Security Requirements: The suite/shared area meets all the physical security requirements for Tier 1. The final barrier is usually the door to the suite.

    2. Storage only within a registered space. A Tier 1 storage location or freezer location inside a registered laboratory or a shared freezer inside a registered laboratory.
      Personnel Requirements: All people with access to the locking storage device (i.e., freezer) have gone through the entity's pre-access suitability and on-going assessment. People with access to the room but not to the Tier 1 BSAT do not need to be in the entity's pre-access suitability and on-going assessment program.
      Physical Security Requirements: The storage location must meet the security requirements for Tier 1. In this case the final barrier is usually the locking mechanism of the storage device.

    3. Working with Tier 1 BSAT and select agents and toxins inside the same contiguous registered space separated by time. This entails only working with Tier 1 during well-defined times and conditions. The entity restricts access during times when Tier 1 BSAT is outside of locked storage units such as a locked freezer or a locked incubator.
      Personnel Requirements: All people with access to the suite/shared area when Tier 1 BSAT is present have gone through the entity's pre-access suitability and on-going assessment.
      Physical Security Requirements: The suite/shared area meets all the physical security requirements for Tier 1 BSAT. Depending on how the work is organized, the final barrier may be the door to the suite or to any freezers/devices containing Tier 1 BSAT during work with select agents and toxins.

    4. Shared Autoclave. Using an autoclave for both Tier 1 BSAT and select agents and toxins.
      Personnel Requirements

      For select agents and toxins, individuals operating the autoclave must be SRA approved.

      For Tier 1 BSAT, individuals operating the autoclave must be SRA approved, have gone through the entity's pre-access suitability, and be subject to on-going assessment.

      Physical Security Requirements

      For all select agents and toxins, the agent or toxin must be secured by SRA approved persons until the autoclave reaches effective operational parameters.

      For Tier 1 BSAT, the agent or toxin must be secured by an individual who is SRA approved, has gone through the entity's pre-access suitability, and is subject to on-going assessment. That person must remain until the autoclave reaches the desired operational parameters.

      It is recommended that autoclave cycles be scheduled so that select agent materials can be autoclaved without delay.


    5. Animals experimentally infected with a Tier 1 Select Agent (see Scenario 6 below for animals containing a Tier 1 Select Toxin)
      Personnel Requirements

      Individuals who expose the animal must be SRA approved, have gone through the entity's pre-access suitability, and be subject to on-going assessment.

      Personnel who handle or care for the animal must be SRA approved, have gone through the entity's pre-access suitability, and be subject to on-going assessment.

      Physical Security Requirements

      The area where the animal is handled and housed meets all the physical security requirements for Tier 1 agents. The final barrier is usually the door to the suite.


    6. Animals inoculated with a Select Toxin
      Personnel Requirements

      For select toxins, persons inoculating the animals must be SRA approved.

      For Tier 1 select toxins, individuals who inoculate animals must be SRA approved, have gone through the entity's pre-access suitability, and be subject to on-going assessment.

      Physical Security Requirements

      For all select toxins, the room used for inoculation must be registered. Animals inoculated with select toxins are not subject to additional security requirements.

      For Tier 1 select toxins, the registered room must meet Tier 1 security requirements (e.g., 3 barriers, IDS).

      Once inoculated with a select toxin (including Tier 1 select toxins) an animal is no longer considered to fall under the Select Agent regulations.

Physical Security

  1. Do the select agent regulations require any physical measures (i.e., cages, safes) to secure shipments containing select agents or toxins prior to being picked up by a commercial carrier to deliver to the intended recipients?

    If the package containing select agents and toxins is labeled generically as hazardous material and does not identify the package as "select agent or toxin," the package can be placed with other hazardous materials for shipment.

    If the package is labeled to identify the package as a select agent or toxin, the entity can use any number of methods to secure the shipment (e.g., cages, safes, individuals approved to access select agents and toxins). The methods must be described in the security plan. If the area temporarily stores identified select agents and toxins, the area must be listed on the entity's certificate of registration and meet all provisions outlined in the select agent regulations. If the area will house Tier 1 select agents and toxins, the area must meet all provisions associated with Tier 1 requirements.

  2. Do a card reader and biometric scanner on the same door count as two different security barriers?

    No, card readers and biometric scanners are examples of access control measures (see page 29 of the Security Guidance for Select Agent or Toxin Facilities document). The locked door is the barrier; the method of unlocking the door is an access control measure.

  3. What would be considered an acceptable third security barrier to separate individuals approved for work with Tier 1 agents from people who are not approved?

    A barrier is a physical structure that is designed to prevent access by unauthorized persons. Cameras, security lighting and intrusion detection systems are not considered security barriers because, while they may monitor access, they cannot, by themselves, prevent access. Examples of a third, final barrier include a key-locked container with strong key control measures, a biometric lock system on the freezer, laboratory card-key PIN access, PIN access to the freezer or storage unit, and restricted card-key access to the registered space. You may refer to the Federal Select Agent Program Security Guidance for Select Agent or Toxin Facilities document for more information.

  4. Could you clarify the provision in Section 11(2) requiring the safeguarding of animals including arthropods, or plants intentionally or accidentally exposed to or infected with a select agent? And does "accidentally" include "naturally"?

    The intention of this provision is to specify that entities must maintain security and control of animals, plants, or arthropods which are intentionally infected or inoculated with select agents. This includes an accurate and current accounting of such animals, plants or arthropods. In addition, any animals, plants, or arthropods which are accidentally exposed in a research facility to a select agent must also be maintained under appropriate security and control in compliance with select agent regulations. An entity's security plan must contain a provision for maintaining a current accounting of any animals or plants intentionally or accidentally exposed to or infected with a select agent.

    Select agents which occur in their natural environment are exempted from the select agent regulations provided that the select agent has not been intentionally introduced, cultivated, collected, or otherwise extracted from its natural source. Natural exposure created in a laboratory setting between animals, plants or arthropods would not qualify for this exemption as select agents are being introduced intentionally via natural exposure.

  5. Is it sufficient to ensure the security system and cameras remain operative during a power outage by providing enough uninterruptable power source (UPS) resources?

    For powered access control systems, the entity must describe procedures to ensure that security is maintained in the event of a failure of the access control system due to power disruption. This may include locks "failing secure" (locked), personnel/guard forces, backup generators or other similar features. For example, if power is lost and the door locks (even if it can still be opened from the inside), then it meets this requirement. If power is lost and the door unlocks (it can be opened from the outside), then it does not "fail secure." You may refer to the Federal Select Agent Program Security Guidance for Select Agent or Toxin Facilities document for more information.

Information Security

  1. Do IT personnel (e.g., network engineers/administrators that may have remote access to an inventory system, but no knowledge of inventory storage or database vs. application managers with direct access to inventory database/system, etc.) need to be listed on the APHIS/CDC Form 1?

    The entity needs to determine if the individual's function will provide them with access to a select agent or toxin. An individual will be deemed as having access at any point in time the individual has possession of (e.g., ability to carry, use, or manipulate) or the ability to gain possession of a select agent or toxin. Anyone, including IT personnel, who will have access to a select agent or toxin, direct or otherwise, will need to have a security risk assessment and be listed on the entity's APHIS/CDC Form 1.

  2. Should access to the entity’s database that contains information about select agents and toxins be limited to only those individuals who have access approval from the Federal Select Agent Program?

    If the individual has access to the entity's database that contains information about select agents and toxins, and that access will allow them to gain access to select agents or toxins, then the individual will need to undergo a security risk assessment and receive access approval from the Federal Select Agent Program. However, if the individual's duties are limited to only retrieving information from the database and they will not be able to access the select agents or toxins, then the individual would not need to undergo a security risk assessment.

  3. Regarding Section 11(c)(9)(i) of the select agent regulations, which states "ensure that all external connections to systems which manage security for registered space are isolated or have controls that permit only authorized and authenticated users"; does disconnection from the LAN during access control program changes meet the intent of this provision? For example, an entity utilizing a password protected laptop with a small, standalone access control system. The laptop is connected to the access control system to download access data and to program user changes. At times, the laptop may be connected to the corporate LAN but not to the access control system.

    Yes. The key would be controlling and managing both devices to ensure that the information is safeguarded from unauthorized access by a proper firewall and encryption. The methodology for maintaining this type of information system would need to be clearly articulated in the entity's security plan.

  4. What security measures should I have in place for our select agent database?

    The Federal Select Agent Program has prepared the "Information Systems Security Control Guidance Document" to assist entities in complying with the select agent regulations to develop and implement a written security plan that describes procedures for information system control and information security.

    The guidance document is available at: http://www.selectagents.gov/Information_Systems_Security_Control_Guidance_Document.html.

  5. For the provisions related to information security, which states "(i) Ensure that all external connections to systems which manage security for the registered space are isolated or have controls that permit only authorized and authenticated users; (ii) Ensure that authorized and authenticated users are only granted access to select agent and toxin related information, files, equipment (e.g., servers or mass storage devices) and applications as necessary to fulfill their roles and responsibilities, and that access is modified when the user’s roles and responsibilities change or when their access to select agents and toxins is suspended or revoked," what constitutes "authenticated users?"

    An "authenticated user" is an individual who has the appropriate approval or has permission rights to information on a trusted domain (sensitive information), based on the individual's specific job duties and the appropriate background checks for that position. The entity should maintain system passwords and login identification so that access to sensitive databases is allowed only to those individuals ("authenticated users") who have been identified as having a legitimate need/requirement to access those databases.
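The two provisions quoted above (isolate or authenticate external connections; grant access only as roles require, and modify it when roles change or approval is suspended or revoked), together with the IT-personnel question in item 1 of this section, describe an access policy that can be written down and tested. The following Python is an added example, not code from the Federal Select Agent Program or its guidance document; every role, resource name, user and approval status in it is constructed for illustration, and the policy itself (which resources count as "agent-enabling") is an assumption the entity would replace with its own site-specific assessment.

```python
"""Deny-by-default access check for a select agent information system.

Added example (not from the Federal Select Agent Program page). It models
three things the provisions call for: only authenticated users are ever
considered; permissions follow the user's current roles; and information
that could let someone reach the agents themselves is closed the moment
the user's access approval is suspended or revoked. All identifiers below
are constructed for illustration.
"""
from dataclasses import dataclass, field
from enum import Enum


class Approval(Enum):
    """Status of the user's select agent access approval (constructed)."""
    APPROVED = "approved"
    SUSPENDED = "suspended"
    REVOKED = "revoked"
    NONE = "none"   # never approved (e.g., IT staff with no agent access)


# Hypothetical resource classes held in the entity's information system.
INVENTORY_LOCATIONS = "inventory_locations"   # rooms, freezers, quantities
INVENTORY_SUMMARY = "inventory_summary"       # counts only, no locations
SECURITY_SYSTEM = "security_system"           # access control programming
LAB_NOTEBOOKS = "lab_notebooks"

# Role -> permissions granted as necessary for that role (constructed policy).
# Anything not listed is denied; there is deliberately no "allow all" role.
ROLE_PERMISSIONS = {
    "principal_investigator": {INVENTORY_LOCATIONS: {"read", "write"},
                               INVENTORY_SUMMARY: {"read"},
                               LAB_NOTEBOOKS: {"read", "write"}},
    "responsible_official": {INVENTORY_LOCATIONS: {"read"},
                             INVENTORY_SUMMARY: {"read"},
                             SECURITY_SYSTEM: {"read", "write"}},
    "it_administrator": {SECURITY_SYSTEM: {"read"}},
    "compliance_auditor": {INVENTORY_SUMMARY: {"read"}},
}

# Resources whose contents would let the holder gain access to the agents
# (locations, access paths, security programming). Per item 1 above, a user
# who can reach these needs approval in good standing, not just a login.
AGENT_ENABLING = {INVENTORY_LOCATIONS, SECURITY_SYSTEM}


@dataclass
class User:
    username: str
    authenticated: bool            # passed the system's login step
    roles: set = field(default_factory=set)
    approval: Approval = Approval.NONE


def is_authorized(user: User, resource: str, action: str) -> bool:
    """Combine authentication, approval status and role permissions."""
    if not user.authenticated:
        return False
    # Suspension or revocation closes agent-enabling information at once,
    # without waiting for someone to clean up the user's roles.
    if resource in AGENT_ENABLING and user.approval is not Approval.APPROVED:
        return False
    # Permissions are the union of the user's *current* roles, so changing
    # roles changes the answer on the very next check.
    return any(action in ROLE_PERMISSIONS.get(role, {}).get(resource, set())
               for role in user.roles)


def change_roles(user: User, new_roles: set) -> User:
    """Replace roles wholesale so grants from an old role do not linger."""
    user.roles = set(new_roles)
    return user


def suspend(user: User) -> User:
    """Record a suspension of the user's select agent access approval."""
    user.approval = Approval.SUSPENDED
    return user


def demo() -> dict:
    """Walk constructed users through a role change and a suspension."""
    pi = User("jsmith", authenticated=True,
              roles={"principal_investigator"}, approval=Approval.APPROVED)
    out = {"pi_reads_locations": is_authorized(pi, INVENTORY_LOCATIONS, "read")}
    change_roles(pi, {"compliance_auditor"})          # moved to a new duty
    out["after_role_change"] = is_authorized(pi, INVENTORY_LOCATIONS, "read")
    out["auditor_summary"] = is_authorized(pi, INVENTORY_SUMMARY, "read")

    ro = User("rofficial", authenticated=True,
              roles={"responsible_official"}, approval=Approval.APPROVED)
    suspend(ro)
    out["suspended_security_write"] = is_authorized(ro, SECURITY_SYSTEM, "write")
    # Non-enabling information (counts only) still follows the role; whether
    # to cut this too is the entity's own policy decision.
    out["suspended_summary_read"] = is_authorized(ro, INVENTORY_SUMMARY, "read")

    admin = User("netadmin", authenticated=True, roles={"it_administrator"})
    out["unapproved_admin_security_read"] = is_authorized(admin, SECURITY_SYSTEM, "read")
    admin.approval = Approval.APPROVED                 # after SRA approval
    out["approved_admin_security_read"] = is_authorized(admin, SECURITY_SYSTEM, "read")
    return out


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name}: {allowed}")
```

The check is ordered so that the cheapest and most consequential conditions come first: an unauthenticated session never reaches the role lookup, and a suspended approval blocks agent-enabling resources regardless of what roles still say. That ordering is what makes "access is modified when ... suspended or revoked" hold without a separate cleanup step.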

  6. Is the entity required by the select agent regulations to have a 15 minute response time for security forces or local police to protect information related to Tier 1 select agents and toxins?

    If the information will allow an individual access to a Tier 1 select agent or toxin, the entity must develop security enhancements that provide a response time for security forces including entity guards or other trained responders or local police to not exceed 15 minutes or provide security barriers that are sufficient to delay unauthorized access until the response force arrives in order to safeguard the select agents and toxins from theft, intentional release, or unauthorized access. The response time is measured from the time of an intrusion alarm, or report of a security incident, to the arrival of the responders at the first security barrier.

  7. Why did the "Information Systems Security Control Guidance Document" not address Federal Information Security Management Act (FISMA) standards?

    The guidance document did not address the FISMA standards, as those standards apply only to Federal agencies and departments. The guidance document is provided to assist entities in complying with the select agent regulations by developing and implementing a written security plan that describes procedures for information system control and information security. However, the entity may use the FISMA standards to assist in building its security program, since the standards contain helpful information.

  8. Is my entity allowed to provide information required as part of a grant application (e.g., National Institutes of Health or Department of Homeland Security funding), or will providing this information violate the select agent regulations?

    The select agent regulations place no restrictions on releasing information related to select agents or toxins as long as any records or information systems would not allow an unauthorized individual to gain access to the select agents or toxins, as outlined under Section 10(a). The Federal Select Agent Program strongly encourages entities to refrain from providing detailed information about the location of select agents and toxins, quantities on site, or personal information on researchers.

  9. Should files containing select agent information sent by an entity to the Federal Select Agent Program be encrypted?

    No. The select agent regulations do not require that select agent information sent to the Federal Select Agent Program be encrypted. If there is any doubt that information is sent over an unsecured network, encryption should be considered.

  10. Review of the documentation provided on the select agent website suggests that the IT infrastructure used to work with select agent related data be limited to a single or few workstations. Our high throughput environment naturally focuses on a highly integrated approach using the internal network to communicate between the instruments with a centrally located Laboratory Information Management System (LIMS) as data hub. In regards to intrusion detection system software:

    1. For network security software (network firewalls, intrusion detection and prevention systems (IDPS)), which functionality is required as a minimum?

      The Federal Select Agent Program is aware of the variety of applications that an entity chooses for IT systems. The guidance document is provided to assist entities in complying with the select agent regulations to develop and implement a written security plan that describes procedures for information system control and information security.

    2. Often antivirus and firewall applications offer a considerable overlap in terms of functionality with IDS solutions-especially if seen as a watchdog for unauthorized operation. Is AV software, such as Sophos, with an active agent monitoring memory usage and runtime behavior of programs sufficient as IDS as well?

      The Federal Select Agent Program does not make recommendations on particular applications. Entities should work with their IT professionals to ensure the integrity of all applications associated with their select agent program.

    3. On the market there are either endpoint or network based solutions. Are they equally acceptable?

      The Federal Select Agent Program does not make recommendations on particular applications.

  11. Encryption – with our network communication we naturally use Transport Layer Security encryption for both device communication (web services) and user access (HTTPS) to protect the information exchanged over the network. With regard to local encryption we are in the process of determining a solution. If there is any doubt that information is sent over an unsecured network, encryption should be considered.

    1. What are the minimum requirements in terms of key length and algorithm?

      The entity should follow its organization's policy.

    2. Is it possible to define what sets of information have to be safeguarded in what way and what operations are permissible on the data (e.g., a lab notebook describing an experiment with select agent without naming the location of the select agent is obviously less sensitive information than a list of the amounts and exact locations and access ways to actual select agent in storage)?

      The Information Systems Security Control Guidance offers examples of what is considered security information related to select agents and toxins.

    3. When using encryption, either full drive or file based, in order to have a backup mode of access, is the use of a recovery agent permissible, who in addition to the system/file owner can decrypt the information?

      The decision remains with the entity on who should have access rights to your select agent program information.

  12. Authentication and authorized access

    1. What is the primary aim: limiting access to Select Agent (SA) data or even IT infrastructure involved in working with SA data?

      The primary aim is to not allow unauthorized individuals to gain access to the select agents or toxins as outlined under Section 10(a).

    2. Can IT systems be used by those individuals who do not have access approval from the Federal Select Agent Program if access to select agent data is properly restricted (encryption and access control lists)?

      Yes, the select agent regulations place no restrictions on individuals who should have access to the IT systems. The primary goal is to not allow an unauthorized individual to gain access to the select agents or toxins as outlined under Section 10(a).

*Website is being revamped based on Revised Select Agent regulations.

Animal and Plant Health Inspection Service, Agricultural Select Agent Program, 4700 River Road Unit 2, Mailstop 22, Cubicle 1A07, Riverdale, MD 20737. FAX: 301-734-3652. E-mail: AgSAS@aphis.usda.gov
Centers for Disease Control and Prevention, Division of Select Agents and Toxins, 1600 Clifton Road NE, Mailstop A-46, Atlanta, GA 30333. FAX: 404-718-2096. E-mail: lrsat@cdc.gov