Information Systems Security Controls Guidance
Changes and Highlights
This is a living document subject to ongoing improvement. Feedback or suggestions for improvement from registered Select Agent entities or the public are welcomed. Submit comments directly to the Federal Select Agent Program at:
- October 12, 2012: Initial posting
- February 12, 2014 (Revision 1): The revisions are primarily changes to correct editorial errors from previous version.
- May 2017: Revised to accommodate the new language to regulations.
The select agent regulations require a registered entity to develop and implement a written security plan that:
- Describes procedures for information system control. (See section 11(c)(1))
- Contains provisions for information security(See section 11(c)(9))
The purpose of this guidance document is to assist the regulated community in addressing the information systems control and information security provisions of the select agent regulations. The entity must provide the policies and procedures for information system security controls or reference the organizational policies and procedures in the security plan as required by Section 11 (42 CFR § 73.11external icon, 7 CFR § 331.11external icon, and 9 CFR § 121.11external icon) of the select agent regulations.
BSAT security information includes at a minimum:
- The use of inventory access logs
- The use of passwords
- The procedures in place for adhering to the use of access control systems
- The implementation of Security, Biosafety, and Incident Response plans
Entity record information includes:
- The use and security of entry access logbooks
- Rosters of individuals approved for access to BSAT
Information systems security control is comprised of the processes and practices of technologies designed to protect networks, computers, programs and data from unwanted, and most importantly, deliberate intrusions. Elements of information systems security control include:
- Identifying isolated and networked systems
- Application security
- Information security, including hard copy
- Network security (network and isolated)
- Mitigating insider vulnerabilities
- Incident response
A complete program should include aspects of what’s applicable to BSAT security information and access to BSAT registered space.
Information Systems Security Control
Most entities registered with FSAP have an Information Technology (IT) department that provides the foundation of information systems security. The RO should work with the IT department to ensure that their information systems are compliant with Section 11(c)(9) of the select agent regulations, as well as all other applicable parts of the select agent regulations.