SRA FAQ's

skip navigation
Home Resources Training Facility Inspection Videos Checklists Biosafety in Microbiological and Biomedical Laboratories (BMBL) Long Term Storage Security Related Information Synthetic Genomics Theft, Loss, Release About Us Forms APHIS/CDC Form 1 - Application for Laboratory Registration for Possession, Use, and Transfer of Select Agents and Toxins APHIS/CDC Form 2 - Request to Transfer Select Agents or Toxin APHIS/CDC Form 3 - Report of Theft, Loss, or Release of Select Agents or Toxin APHIS/CDC Form 4 - Report of Identification of Select Agents or Toxin APHIS/CDC Form 5 - Request for Exemption of Select Agents and Toxins for Public Health or Agricultural Emergency or Investigational/Experimental Product Helpful Information Regulations Guidelines Legislation Exclusions Privacy Statement FOIA Act Accessibility Statement Operations Security Risk Assessments Importing Select Agents Select Agents & Toxins Select Agents and Toxins List Select Agents and Toxins - Exclusions Select Agents and Toxins - Restricted Experiments Permissible Toxin Amounts FAQ's General Security Risk Assessments APHIS/CDC Form 2 - Request to Transfer Select Agents or Toxin APHIS/CDC Form 4 - Report of Identification of Select Agents or Toxin Last Updated: Monday, May 17, 2010
Frequently asked questions concerning Security Risk Assessments : General Obtaining a Security Risk Assessment Renewals of Security Risk Assessments Termination of Access Visiting Scientists Foreign Nationals General : What is a security risk assessment? A security risk assessment (SRA) is the method used by FBI, Criminal Justice Information Services Division (CJIS) to evaluate an individual's suitability to access, possess, use, receive, or transfer Select Agents. What criteria are used for determining approval of a security risk assessment? The security risk assessment will evaluate if an individual is a restricted person based on the criteria of the USA PATRIOT Act, whether or not an individual has committed a Federal crime, is involved with any group that engages in domestic or international terrorism or any organization that engages in intentional acts of violence, or is an agent of a foreign power (for more information, go to (http://www.cdc.gov/od/sap/Legislation.html) Who is required to obtain a security risk assessment? An SRA must be obtained by: All entities (except for Federal, State, or local governmental agencies), The Responsible Official (RO), The Alternate RO, All individuals with access to Select Agents or toxins must have an approved security risk assessment, and Each individual who owns or controls a private entity (academic, non-profit, commercial, or other). An individual will be deemed to own or control an entity under the following conditions: For private accredited academic institutions, any individual will be deemed to own or control the entity if the individual is an officer, trustee, member of the board, or owner of the academic institution, and is in a managerial or executive capacity with regard to the Select Agents or toxins possessed, used, or transferred by the entity; For entities other than accredited academic institutions (public or private), an individual will be deemed to own or control an entity if the individual is a partner, officer, director, holder or owner of 50 percent or more of its voting stock and is in a managerial or executive capacity with regard to Select Agents or toxins possessed, used, or transferred by the entity. Currently, we only store Select Agents and toxins; do we have to obtain SRA approval for individuals with access to the freezers? Yes. You must submit an FD-961 Form to CJIS for any individuals that require access, including the RO and alternate RO's, and any individual who owns or controls the entity. See Question #5 for information on submitting the FD-961 Form. Obtaining a Security Risk Assessment What is the process for obtaining a security risk assessment (SRA)? The following process applies to a new application or an amendment to an existing application: The entity's Responsible Official (RO) submits an application or amendment that includes the individual's information using the APHIS/CDC Form 1, Application for Registration to his or her lead agency (APHIS or CDC, but not both). The lead agency issues to the entity a letter with the unique Department of Justice (DOJ) identifying number for each individual listed on the APHIS/CDC Form 1, Application for Registration. The RO forwards the DOJ identifying number to each individual. The individual completes the FD-961 Form and puts his or her unique identifying number in block 11. The RO faxes a request for fingerprint card packages which consists of two fingerprint cards, general instructions, fingerprint instructions, and a pre-addressed return envelope. The faxed request should include the following: the entity name, point of contact or RO, the correct mailing address, contact telephone number and the number of fingerprint card packets being requested. The request should be faxed to the FBI at 304-625-3984. The entity must submit a completed FD-961 form and two legible fingerprint cards, printed by a local law enforcement agency, and then mail the FD-961 form and fingerprint cards as one package directly to the FBI, Criminal Justice Information Services Division (CJIS), not to APHIS or CDC. The CJIS mailing address is: FBI, CJIS, Bioterrorism 1000 Custer Hollow Road, Module E-3 Clarksburg, WV 26306-0147 For guidance on how to complete the FD-961 form, see the FBI website http://www.fbi.gov/terrorinfo/bioterrorfd961.htm for additional information. NOTE: All FBI FD-961 forms received by APHIS or CDC will be returned directly to the RO of the entity which will delay the processing of your request. FD-961 forms must be submitted directly to CJIS. What is the process for obtaining an SRA for the entity? The CDC or APHIS Select Agents Program will initiate the SRA for the entity. There is no additional action needed from the entity. How do I request an expedited security risk assessment? Prior to the request for expedited processing, the RO should confirm that the FD-961 Form and fingerprint cards have been submitted to CJIS for processing (See Question #5). The Responsible Official must submit a written request with justification of good cause to CDC or APHIS. Good cause might be public health or agricultural emergencies, national security, or a short term visit by a prominent researcher. A written decision granting or denying the request will be issued (Refer to 42 CFR 73.10(e), 7 CFR 331.10(e), and 9 CFR 121.10(e)). What is the process for change in employment? Under any case where an individual is changing employers, the individual must submit a completed FD-961 form to the CJIS (See Question # 5). The individual would put the new assigned DOJ number provided by APHIS or CDC in block 11. Two fingerprint cards are not required if a legible set is already on file with the CJIS. The CJIS reserves the right to request additional fingerprint cards in the future if necessary. A full security risk assessment must be completed prior to an individual being granted access to Select Agents and toxins at the new place of employment. The security risk assessment granted under previous employment is NOT transferable. Is there anything I can do to avoid delays in the security risk assessment results? Common errors may delay the security risk assessment process. Please pay careful attention to: Ensure that the information (e.g., name, date of birth, etc.) for individuals listed on the APHIS/CDC Form 1, Application for Registration is identical to the information provided on the FD-961 Form submitted to CJIS for each individual. Ensure that the APHIS or CDC assigned DOJ identifier number is correct and listed for Block 11 on the FD-961 Form. Ensure all questions are answered on the FD-961 Form. Ensure that the applicant signs the front page and third page. The third page is the consent page. What is the process if an individual gets married and the last name changes? The entity RO submits an amended APHIS/CDC Form 1, Application for Registration to their lead agency (APHIS or CDC, but not both) that indicates the name change. Who do I contact if I have questions about security risk assessments? For guidance on security risk assessment process, CJIS should be contacted directly at 304-625-4900. Renewals of Security Risk Assessments How long is the security risk assessment valid? A security risk assessment for individuals that will have access to Select Agents and toxins is valid for a period of five years unless terminated by the entity, HHS Secretary or APHIS Administrator sooner. The Responsible Official, Alternate Responsible Official, and individuals that own or control the entity and the entity must obtain security risk assessment approval each time the certificate of registration is renewed. A certificate of registration is valid for a maximum of three years. Why are renewals being requested for security risk assessments that have not yet expired? The Select Agents Regulations indicate that SRAs are effective for a period not to exceed five years. However, in an effort to prevent a repeat of the backlog in the processing of SRAs that was experienced after the passing of the Interim Final Rule, a staggered renewal process is being implemented. What is the process for the renewal request of an individual's security risk assessment? APHIS or CDC will provide the RO with a list of individuals who need renewed SRAs and details regarding the SRA renewal process. Within 30 days of receipt of this information, individuals identified for SRA renewal should submit a new FD-961 form (this process is described in Question #5) to CJIS by faxing to 304-625-5393. CJIS requests the word "Renewal" be written on the top of the form. Fingerprint cards are not required for the renewal process. However, CJIS reserves the right to request additional fingerprint cards in the future if necessary. For individual's access to Select Agents or toxins that have been terminated by the entity, see Question # 17. CDC or APHIS will notify the RO in writing after the SRAs have been approved. What is the process for the renewal request of an entity's security risk assessment? CJIS conducts security risk assessments of all non-governmental entities. The CDC or APHIS Select Agents Program will initiate the SRA for the entity. Therefore, no additional paperwork needs to be submitted to CJIS. Will a new DOJ unique identifier number be assigned to individuals for renewal requests of security risk assessments? No. As long as the individual stays employed with the registered entity, the individual will retain his/her original DOJ unique identifier number. Termination of Access How do I terminate an individual's access to Select Agents and toxins? Section 10(j) of the Select Agents Regulations (42 CFR 73, 7 CFR 331, and 9 CFR 121) requires that the Responsible Official immediately notify CDC or APHIS when an entity is terminating an individual's access to Select Agents or toxins. The notification should include the name of the individual who is being removed from the entity's registration, the reasons for termination of access and should be submitted in writing via mail, fax, or email to your File Manager. When terminating an individual's access to Select Agents or toxins it is critical that the Responsible Official take steps to ensure that the individual no longer has the ability to access Select Agents or toxins. This may include retrieving keys, changing locks, disabling passwords, or disabling cardkeys. Guidance on restricting access to Select Agents and toxins and other information on the requirements of the Select Agents Regulations may be found on the National Select Agents Registry Web site at http://www.selectagents.gov/Resources.html. Once an individual's access to Select Agents and toxins is terminated, can the individual's access to Select Agents and toxin be reactivated? No. If the individual's access to Select Agents or toxins is terminated, the individual must submit a completed FD-961 form to the CJIS (this process is described in Question #5). As long as the individual stays employed with the registered entity, the individual will retain his/her original DOJ unique identifier number. The individual would put the DOJ identifier number provided by APHIS or CDC in block 11. Two fingerprint cards are not required if a legible set is already on file with the CJIS. The CJIS reserves the right to request additional fingerprint cards in the future if necessary. A full security risk assessment must be completed prior to an individual being granted access to Select Agents and toxins at the new place of employment. The security risk assessment granted previously is NOT transferable. Visiting Scientists What is the procedure if an individual from one registered entity wants to visit another registered entity? If the individual will have access to Select Agents or toxins, the receiving entity RO should request that the sending entity RO provides a letter which states the individual is currently identified on the sending entity's certificate of registration. The receiving entity is defined as the entity where the training, work or visit will take place. The sending entity is defined as the entity where the individual is currently located. The individual must have a current SRA approval. The letter should include: visitor's full name, date of birth, date of issuance of the SRA approval and unique DOJ identifying number of the individual. The receiving entity RO should submit this letter and a request for an amendment to the registration to the lead agency (APHIS or CDC). The amendment request should provide the updated sections of the APHIS/CDC Form 1, Application for Registration where applicable (e.g., Principal Investigator, specific agents or toxins, specific laboratory buildings/rooms, etc.). Once the visit is complete, the receiving entity RO should amend the entity's registration (APHIS/CDC Form 1, Application for Registration) to remove the visitor. In some circumstances, the receiving entity RO may decide to leave the visitor on the registration, if the same individual will be visiting the entity again. What is the procedure if an individual from an unregistered entity wants to visit a registered entity? If the visitor will have access to Select Agents or toxins, he or she must have a current security risk assessment. Follow the procedures as indicated in Question #5. Once the visit is complete, the receiving entity RO should amend the entity's registration (APHIS/CDC Form 1, Application for Registration) to remove the visitor. In some circumstances, the receiving entity RO may decide to leave the visitor on the registration, if the same individual will be visiting the entity again. Foreign Nationals What is the process if a foreign national wants to visit a registered entity? If the individual will have access to Select Agents or toxins, they must have a current security risk assessment. Follow the procedures as indicated in Question #5. Please note for any individual to receive a security risk assessment, the individual must have a presence in the United States (e.g., valid green card). The individual's security risk assessment will not be processed until the individual is officially located in the United States. To avoid delays in this process, the RO should inform CDC or APHIS of the dates the visit will occur. Can an owner/controller who is a foreign national be identified for a registered entity? Each individual who owns or controls a private entity (academic, non-profit, commercial, or other) will be deemed to own or control an entity under the following conditions: For private accredited academic institutions, any individual will be deemed to own or control the entity if the individual is an officer, trustee, member of the board, or owner of the academic institution, and is in a managerial or executive capacity with regard to the Select Agents or toxins possessed, used, or transferred by the entity; For entities other than accredited academic institutions (public or private), an individual will be deemed to own or control an entity if the individual is a partner, officer, director, holder or owner of 50 percent or more of its voting stock and is in a managerial or executive capacity with regard to Select Agents or toxins possessed, used, or transferred by the entity. The individual must have a current security risk assessment. Please note for any individual to receive a security risk assessment, the individual must have a presence in the United States (e.g., valid green card).	Change Text Size: A A A Print This Page
Home \| Resources \| About Us \| Forms \| Helpful Information \| Operations \| Select Agents & Toxins \| FAQ's