National Select Agent Registry phone numbers for APHIS (301-851-3300) and CDC (404-718-2000).
Last Updated: Wednesday, January 09, 2013

Security Risk Assessment FAQ's

General

  1. What is a security risk assessment (SRA)?
  2. What are the prohibitors that would be identified in the SRA process?
  3. Who must undergo an SRA?
  4. Currently, we only store BSAT. Do we have to obtain SRA approval for individuals with access to the freezers?
  5. Would an individual (e.g., facilities management staff, escorted visitors) who has access to space where Tier 1 select agents or toxins are used or stored, but does not regularly work in the area, need to undergo a security risk assessment and be enrolled in the entityís suitability assessment program?
  6. Is the unique identifying number (UIN) provided to the entity where the individual is employed?

Obtaining an SRA

  1. What is the process for obtaining an SRA?
  2. How do I request an expedited SRA?
  3. What is the process for change in employment to another registered entity?
  4. Is there anything I can do to avoid delays in the SRA results?
  5. What is the process if an individual gets married and the last name changes?
  6. What do I do if I am contacted that my SRA is "cancelled"?
  7. Who do I contact if I have questions about SRAs?

Renewals of SRAs

  1. How long is the SRA valid?
  2. What is the process for the renewal request of an individualís SRA?
  3. What is the process for the renewal request of an entityís SRA?
  4. Will a new UIN be assigned to individuals for renewal requests of SRAs?

Termination of Access

  1. How does a RO terminate an individualís access to select agents and toxins?
  2. Once an amendment removing a personís access is received indicating that the individualís access to select agents and toxins is terminated, can the individualís access to select agents and toxins be approved without undergoing a new SRA?
  3. Is the RO required to notify APHIS or CDC if the RO suspends someoneís access to select agents or toxins?

Visitors

  1. What is the procedure if an individual access approval from one registered entity wants to visit another registered entity and have access to BSAT?
  2. What is the procedure if an individual access approval for Tier 1 BSAT from one registered entity wants to be trained at another registered entity and have access to Tier 1 BSAT?
  3. What is the procedure if an individual access approval for Tier 1 BSAT from one registered entity wants to be trained at another registered entity and have access to non-Tier 1 BSAT?
  4. What is the procedure if an individual access approval for non-Tier 1 BSAT from one registered entity wants to be trained at another registered entity and have access to Tier 1 BSAT?
  5. What is the procedure if an individual from an unregistered entity wants to visit a registered entity?

Foreign Nationals

  1. What is the process if a foreign national wants to visit a registered entity?
  2. Can a foreign national be identified as an owner/controller of a registered entity?

General

  1. What is a security risk assessment (SRA)?

    An SRA is the electronic records check performed by the Federal Bureau of Investigation (FBI), Criminal Justice Information Services Division (CJIS) to determine whether an entity or an individual who wishes to register to possess, use or transfer a select agent or toxin, or an individual who has been identified by a registered entity as having a legitimate need to access a select agent or toxin meets one of the statutory restrictors which would either prohibit registration or restrict access, respectively.

    The results of an SRA will assist APHIS and CDC in its determination that the entity may possess, use, or transfer select agents or toxins; or that an individual may have access to biological select agents and toxins (BSAT).

    Return to top

  2. What are the prohibitors that would be identified in the SRA process?

    Using the SRA process, the FBI will identify whether an individual or an entity is a restricted person as that term is defined by section 175b of Title 18, United States Code. The FBI will also use the SRA process to determine whether an individual has committed a crime set forth in section 2332b(g)(5) of title 18, United States Code; is knowingly involved with any organization that engages in domestic or international terrorism (as defined in section 2331 of title 18, United States Code or any other organization that engages in intentional acts of violence; or is an agent of a foreign power (as defined in section 1801 of title 50, United States Code.

    The term "restricted person" means an individual who--

    • Is under indictment for a crime punishable by imprisonment for a term exceeding 1 year;
    • Has been convicted in any court of a crime punishable by imprisonment for a term exceeding 1 year;
    • Is a fugitive from justice;
    • Is an unlawful user of any controlled substance (as defined in section 102 of the Controlled Substances Act (21 U.S.C. 802));
    • Is an alien illegally or unlawfully in the United States;
    • Has been adjudicated as a mental defective or has been committed to any mental institution;
    • Is an alien (other than an alien lawfully admitted for permanent residence) who is a national of a country as to which the Secretary of State, pursuant to section 6(j) of the Export Administration Act of 1979 (50 U.S.C. App. 2405(j)), section 620A of chapter 1 of part M of the Foreign Assistance Act of 1961 (22 U.S.C. 2371), or section 40(d) of chapter 3 of the Arms Export Control Act (22 U.S.C. 2780(d)), has made a determination (that remains in effect) that such country has repeatedly provided support for acts of international terrorism; or
    • Has been discharged from the Armed Services of the United States under dishonorable conditions.

    Return to top

  3. Who must undergo an SRA?

    • The Responsible Official (RO),
    • The Alternate Responsible Official (ARO),
    • All individuals who will have access to BSAT, and
    • Each individual who owns or controls an entity as defined below:
      1. For private academic institutions, any individual that is an officer, trustee, member of the board, or owner of the academic institution, and is in a managerial or executive capacity with regard to BSAT possessed, used, or transferred by the entity;
      2. For entities other than private academic institutions, any individual that is a partner, officer, director, holder or owner of 50 percent or more of its voting stock and is in a managerial or executive capacity with regard to BSAT possessed, used, or transferred by the entity.

    Return to top

  4. Currently, we only store BSAT. Do we have to obtain SRA approval for individuals with access to the freezers?

    Yes. A registered entity may not provide an individual access to BSAT until the individual is approved by APHIS or CDC, following an SRA.

    An individual will be deemed as having access at any point in time the individual has possession of (e.g., ability to carry, use, or manipulate) or the ability to gain possession of a BSAT.

    Return to top

  5. Would an individual (e.g., facilities management staff, escorted visitors) who has access to space where Tier 1 select agents or toxins are used or stored, but does not regularly work in the area, need to undergo a security risk assessment and be enrolled in the entityís suitability assessment program?

    The entity needs to determine if the individual will have access to a select agent or toxin. An individual will be deemed as having access at any point in time the individual has possession of (e.g., ability to carry, use, or manipulate) or the ability to gain possession of a select agent or toxin.

    If the individual entering into the registered space is able to access the select agent or toxin, the individual would need to undergo a security risk assessment and receive access approval from the Federal Select Agent Program. The individual would also need to be enrolled in the entityís suitability assessment program. However, if the individual's duties are limited that they will never be able to access the select agent or toxin, then the individual would not need to undergo a security risk assessment or be part of the entityís suitability assessment program. In this circumstance, the individual should be escorted by a person with a security risk assessment and who is enrolled in the entitiesí suitability assessment program.

    Return to top

  6. Is the unique identifying number (UIN) provided to the entity where the individual is employed?

    Yes. As long as the individual stays employed with the registered entity, the individual will retain his or her original UIN.

    Return to top

Obtaining an SRA

  1. What is the process for obtaining an SRA?

    The application process for a new registration or an amendment to an existing registration is:

    • The entity's RO submits an application or amendment that includes the individual's information using the APHIS/CDC Form 1 to the entity's lead agency (APHIS or CDC, but not both).
    • The lead agency issues the entity a letter providing the unique identifying number (UIN) for each individual listed on the APHIS/CDC Form 1.
    • The RO notifies each individual of his/her UIN.
    • Each individual completes the FD-961 Form and includes the UIN in Section II, item #11.
    • The RO faxes a request to CJIS for fingerprint card packages, which consists of two FD-258 Fingerprint Cards, general instructions, fingerprint instructions, and a pre-addressed return envelope. The request should include the following: entity name, requestor, mailing address, telephone number, and the quantity of fingerprint card packets requested. The request should be faxed to CJIS at (304) 625-2198.
    • The applicant must submit the completed form and two legible fingerprint cards, printed by a local law enforcement agency, as one package directly to CJIS (not APHIS or CDC). The CJIS mailing address is:

      Bioterrorism Security Risk Assessment Group E-3
      CJIS Division
      1000 Custer Hollow Road
      Clarksburg, WV 26306-0002

    For guidance on how to complete the FD-961 Form, please refer to the FBI website at: http://www.fbi.gov/about-us/cjis/bioterrorism-security-risk-assessment-form .

    NOTE: All FD-961 Forms received by APHIS or CDC will be returned directly to the RO of the entity, which will delay the processing the SRA. FD-961 Forms must be submitted directly to CJIS.

    Return to top

  2. How do I request an expedited SRA?

    Prior to a request for expedited processing, the RO should confirm that the FD-961 Form and two FD-258 Fingerprint Cards have been received by CJIS for processing.

    The RO must submit a written request with justification of good cause to APHIS or CDC. Good cause might be a public health or agricultural emergency, national security, or a short term visit by a prominent researcher. A written decision granting or denying the request will be issued (Refer to 42 CFR 73.10(e), 7 CFR 331.10(e), and 9 CFR 121.10(e)).

    Return to top

  3. What is the process for change in employment to another registered entity?

    Under any case where an individual is changing employers from one registered entity to another registered entity, the new employing entity's RO submits an application or amendment that includes the individual's information using the APHIS/CDC Form 1 to the lead agency (APHIS or CDC, but not both). The individual must undergo a new SRA (This process is described in, Obtaining an SRA Question # 1). A full SRA must be completed prior to an individual being granted access to select agents and toxins at the new place of employment. The SRA granted under previous employment is NOT transferable.

    Return to top

  4. Is there anything I can do to avoid delays in the SRA results?

    Common errors may delay the SRA process. Please pay careful attention to:

    • Ensure that the information (e.g., name, date of birth, etc.) for individuals listed on the APHIS/CDC Form 1 is identical to the information provided on the FD-961 Form submitted to CJIS for each individual.
    • Ensure that the APHIS or CDC assigned UIN is correct and listed on Section II, Item #11 on the FD-961 Form.
    • Ensure all questions are answered on the FD-961 Form.
    • Ensure that the applicant signs Section II (below the certification questions) and Section III (consent page).

    Return to top

  5. What is the process if an individual gets married and the last name changes?

    The entity RO submits an amended APHIS/CDC Form 1 to the entityís lead agency (APHIS or CDC) that indicates the name change.

    Return to top

  6. What do I do if I am contacted that my SRA is "cancelled"?

    An individualís SRA is cancelled when CJIS cannot complete the SRA process due to missing or incomplete information (e.g., signature was not provided, questions not answered, UIN number not provided).

    If the individualís current SRA expires during renewal process and the renewal is cancelled, the individualís access to select agents or toxins will be terminated.

    Return to top

  7. Who do I contact if I have questions about SRAs?

    For guidance on the SRA process, contact CJIS directly at 304-625-4900.

    Return to top

Renewals of SRAs

  1. How long is the SRA valid?

  2. An SRA for individuals that will have access to select agents and toxins is valid for a period not to exceed three years. APHIS or CDC can cancel approval at any time based on new information germane to the SRA. A registered entity can of course deny access to select agents and toxins to an individual at any time the entity determines that the individual no longer has a legitimate need to handle or use such agents and toxins. The RO, ARO, individuals that own or control an entity, and non-exempted entities must obtain SRA approval each time the certificate of registration is renewed. A certificate of registration is valid for a maximum of three years.

    Return to top

  3. What is the process for the renewal request of an individualís SRA?

    • APHIS or CDC will provide the RO with a list of individuals who need renewed SRAs and details regarding the SRA renewal process. Note: It is the ROís responsibility to ensure all individuals listed on the entityís registration are SRA approved.
    • No less than 45 days prior to their expiration date, any individual identified for SRA renewal should submit a new FD-961 Form to CJIS by faxing to 304-625-2198. Fingerprint cards are not required for the renewal process. However, CJIS reserves the right to request additional fingerprint cards if necessary.
    • APHIS or CDC will notify the RO in writing the results of the individualís SRA.

    Return to top

  4. What is the process for the renewal request of an entityís SRA?

  5. CJIS conducts SRAs of all non-exempt entities. APHIS or CDC will initiate the SRA process for the entity. Therefore, no action is required by the entity.

    Return to top

  6. Will a new UIN be assigned to individuals for renewal requests of SRAs?

  7. No. As long as the individual stays employed with the registered entity, the individual will retain his or her original UIN.

    Return to top

Termination of Access

  1. How does a RO terminate an individualís access to select agents and toxins?

    Section 10(j) of the Select Agent Regulations (42 CFR part 73, 7 CFR part 331, and 9 CFR part 121) requires that the RO immediately notify APHIS or CDC when an entity has terminated an individualís access to select agents or toxins. The notification must include the reason for termination of access. Notification should be submitted in writing via mail, fax, or email to APHIS or CDC.

    The termination of an individualís access to select agents and toxins is effective once the amendment is received by the Federal Select Agent Program not when the amendment is approved. It should be noted that all paperwork, biographic and biometric data associated with the individualís security risk assessment will be removed.

    When terminating an individualís access to select agents or toxins, it is critical that the RO takes steps to ensure that the individual no longer has the ability to access select agents or toxins. This may include retrieving keys, changing locks, disabling passwords, or disabling cardkeys.

    Return to top

  2. Once an amendment removing a personís access is received indicating that the individualís access to select agents and toxins is terminated, can the individualís access to select agents and toxins be approved without undergoing a new SRA?

    No. If the individual's access to select agents or toxins is terminated, the individual must undergo a new SRA, which includes new finger print cards and FD 961 (This process is described in, Obtaining an SRA Question # 1). The SRA granted previously is NOT transferable.

    Return to top

  3. Is the RO required to notify APHIS or CDC if the RO suspends someoneís access to select agents or toxins?

    No. The Select Agent Regulations only require notification if the individualís access to select agents or toxins has been terminated.

    Return to top

Visitors

  1. What is the procedure if an individual access approval from one registered entity wants to visit another registered entity and have access to BSAT?

    The host entity's (i.e., registered entity that the individual will be visiting) RO submits an amendment that includes the individual's information using the APHIS/CDC Form 1 to the lead agency (APHIS or CDC, but not both). Using the individual's information from the home entity, the host entity's RO completes the required information on the APHIS/CDC Form 1 and includes the name of the individual's home entity (i.e., individual's place of employment) on the cover letter that accompanies the amendment.

    Once the visit is complete, the host entity's RO should amend the entity's registration (APHIS/CDC Form 1) to remove the visitor. In some circumstances, the host entity's RO may decide to leave the visitor on the registration, if the same individual will be visiting the entity again.

    Return to top

  2. What is the procedure if an individual access approval for Tier 1 BSAT from one registered entity wants to be trained at another registered entity and have access to Tier 1 BSAT?

    The host entity's (i.e., registered entity that the individual will be visiting) RO submits an amendment that includes the individual's information using the APHIS/CDC Form 1 to the lead agency (APHIS or CDC, but not both). Using the individual's information from the home entity, the host entity's RO completes the required information on the APHIS/CDC Form 1 and includes the name of the individual's home entity (i.e., individual's place of employment) on the cover letter that accompanies the amendment.

    The regulatory requirements do not change for this situation but there are additional personnel security options. The host entity must still verify that that each trainee has an SRA, are on the host entity's registration, and verify a justification for the training. Since the training involves access to Tier 1 BSAT, trainees must receive entity specific training on the host entity's policies and procedures concerning personnel suitability, however this may be specific training for trainees and different than training for permanent employees.

    All personnel who have access to the Tier 1 BSAT must have gone through pre-access suitability and are subject to on-going assessments. Options for the ongoing assessment requirements for trainees include:

    • Ensure training is monitored. For example, an instructor observes the work and verifies that the trainee is engaged only in that work.
    • Limit access to the registered area. Trainees should only have access to the registered area during specific work or training times.
    • Limit access within the registered areas. Trainees should not be given access to storage freezers or other registered areas not directly involved in the training program.

    With trainees, the host entity can always enroll trainees into its pre-access suitability program; however, if that is not feasible, an entity can rely on the home entity's verification checks. This may include:

    • Verify with the home entity that the trainee has gone through a pre-access suitability program and is subject to ongoing assessment.
    • Verify with the home entity that the trainee has gone through similar pre-access checks (references, employment, criminal) and accept those checks as sufficient.
    • Verify with home entity which pre-access checks have been accomplished and work with the home entity to complete any checks which were not done. The host entity is strongly encouraged to adjudicate any new derogatory information with the home entity prior to making an access decision.

    The host entity is responsible for maintaining records outlined in Section 17. If an entity chooses to rely on the home entity's checks, that must be documented and retained as well.

    The host entity can also deny access to Tier 1 BSAT to any trainee if the host entity cannot verify the trainee's status.

    If a trainee demonstrates a behavior which may compromise safety or security, their access to BSAT should be removed.

    Once the visit is complete, the receiving entity's RO should amend the entity's registration (APHIS/CDC Form 1) to remove the visitor. In some circumstances, if the same individual will be visiting the entity again, the receiving entity's RO may decide to leave the visitor on the registration.

    Return to top

  3. What is the procedure if an individual access approval for Tier 1 BSAT from one registered entity wants to be trained at another registered entity and have access to non-Tier 1 BSAT?

    The host entity's (i.e., registered entity that the individual will be visiting) RO submits an amendment that includes the individual's information using the APHIS/CDC Form 1 to the lead agency (APHIS or CDC, but not both). Besides the required information on the APHIS/CDC Form 1, the host entity's RO should include with the name of the individual's home entity (i.e., individual's place of employment).

    Once the visit is complete, the receiving entity's RO should amend the entity's registration (APHIS/CDC Form 1) to remove the visitor. In some circumstances, if the same individual will be visiting the entity again, the receiving entity's RO may decide to leave the visitor on the registration.

    Return to top

  4. What is the procedure if an individual access approval for non-Tier 1 BSAT from one registered entity wants to be trained at another registered entity and have access to Tier 1 BSAT?

    The host entity's (i.e., registered entity that the individual will be visiting) RO submits an amendment that includes the individual's information using the APHIS/CDC Form 1 to the lead agency (APHIS or CDC, but not both). Besides the required information on the APHIS/CDC Form 1, the host entity's RO should include with the name of the individual's home entity (i.e., individual's place of employment).

    The regulatory requirements do not change for this situation but there are additional personnel security options. The host entity must still verify that that each trainee has an SRA, are on the host entity's registration, and verify a justification for the training. Since the training involves access to Tier 1 BSAT, trainees must receive entity specific training on the host entity's policies and procedures concerning personnel suitability, however this may be specific training for trainees and different than training for permanent employees. All personnel who have access to the Tier 1 BSAT must have gone through pre-access suitability and are subject to on-going assessments. The host entity must enroll trainees into its pre-access suitability program.

    Options for the ongoing assessment requirement in for trainees include:

    • Ensure training is monitored. For example, an instructor observes the work and verifies that the trainee is engaged only in that work.
    • Limit access to the registered area. Trainees should only have access to the registered area during specific work or training times.
    • Limit access within the registered areas. Trainees should not be given access to storage freezers or other registered areas not directly involved in the training program.

    If a trainee demonstrates a behavior which may compromise safety or security, their access to BSAT should be removed.

    Once the visit is complete, the receiving entity's RO should amend the entity's registration (APHIS/CDC Form 1) to remove the visitor. In some circumstances, if the same individual will be visiting the entity again, the receiving entity's RO may decide to leave the visitor on the registration.

    Return to top

  5. What is the procedure if an individual from an unregistered entity wants to visit a registered entity?

    A registered entity may not provide an individual access or an individual may not access a select agent or toxin, unless the individual is approved by the APHIS or CDC, following a security risk assessment by CJIS (Section 10(a)) of the Select Agent Regulations (42 CFR part 73, 7 CFR part 331, and 9 CFR part 121).

    An individual will be deemed having access at any point in time the individual has possession of (e.g., ability to carry, use, or manipulate) or the ability to gain possession of a select agent or toxin (Section 10 (b)) of the Select Agent Regulations (42 CFR part 73, 7 CFR part 331, and 9 CFR part 121).

    See Obtaining an SRA Question #1 for the process for obtaining an SRA.

    Once the visit is complete, the receiving entity's RO should amend the entity's registration (APHIS/CDC Form 1) to remove the visitor. In some circumstances, if the same individual will be visiting the entity again, the receiving entity's RO may decide to leave the visitor on the registration.

    Return to top

Foreign Nationals

  1. What is the process if a foreign national wants to visit a registered entity?

    If the individual will have access to select agents or toxins, they must have a current SRA. See Obtaining an SRA Question #1 for the process for obtaining an SRA.

    Please note for any individual to undergo an SRA, the individual must be physically in the United States with a valid visa. To avoid delays in this process, the RO should inform CDC or APHIS of the dates the visit will occur.

    Return to top

  2. Can a foreign national be identified as an owner/controller of a registered entity?

    Yes. The individual must have a current SRA. See Obtaining an SRA Question #1 for the process for obtaining an SRA .

    Please note for any individual to receive an SRA, the individual must have a legal presence in the United States (e.g., valid green card).

    Return to top


Change Text Size:
A A A
*Website is being revamped based on Revised Select Agent regulations.

Home | Resources | About Us | Forms | Helpful Information | Operations | Select Agents & Toxins | FAQ's
Animal and Plant Health Inspection Service Agricultural Select Agent Program 4700 River Road Unit 2, Mailstop 22, Cubicle 1A07 Riverdale, MD 20737 FAX: 301-734-3652 E-mail: ASAP@aphis.usda.gov and Centers for Disease Control and Prevention Division of Select Agents and Toxins 1600 Clifton Road NE, Mailstop A-46 Atlanta, GA 30333 FAX: 404-718-2096 E-mail: lrsat@cdc.gov