Security Risk Assessment FAQ's

General

  1. What is a security risk assessment (SRA)?

    An SRA is the electronic records check performed by the Federal Bureau of Investigation (FBI), Criminal Justice Information Services Division (CJIS) to determine whether an entity or an individual who wishes to register to possess, use or transfer a select agent or toxin, or an individual who has been identified by a registered entity as having a legitimate need to access a select agent or toxin meets one of the statutory restrictors which would either prohibit registration or restrict access, respectively.

    The results of an SRA will assist AgSAS or DSAT in its determination that the entity may possess, use, or transfer select agents or toxins; or that an individual may have access to biological select agents and toxins (BSAT).

  2. What are the prohibitors that would be identified in the SRA process?

    Using the SRA process, the FBI will identify whether an individual or an entity is a restricted person as that term is defined by section 175b of Title 18, United States Code. The FBI will also use the SRA process to determine whether an individual has committed a crime set forth in section 2332b(g)(5) of title 18, United States Code; is knowingly involved with any organization that engages in domestic or international terrorism (as defined in section 2331 of title 18, United States Code or any other organization that engages in intentional acts of violence; or is an agent of a foreign power (as defined in section 1801 of title 50, United States Code.

    The term "restricted person" means an individual who--

    • Is under indictment for a crime punishable by imprisonment for a term exceeding 1 year;
    • Has been convicted in any court of a crime punishable by imprisonment for a term exceeding 1 year;
    • Is a fugitive from justice;
    • Is an unlawful user of any controlled substance (as defined in section 102 of the Controlled Substances Act (21 U.S.C. 802));
    • Is an alien illegally or unlawfully in the United States;
    • Has been adjudicated as a mental defective or has been committed to any mental institution;
    • Is an alien (other than an alien lawfully admitted for permanent residence) who is a national of a country as to which the Secretary of State, pursuant to section 6(j) of the Export Administration Act of 1979 (50 U.S.C. App. 2405(j)), section 620A of chapter 1 of part M of the Foreign Assistance Act of 1961 (22 U.S.C. 2371), or section 40(d) of chapter 3 of the Arms Export Control Act (22 U.S.C. 2780(d)), has made a determination (that remains in effect) that such country has repeatedly provided support for acts of international terrorism; or
    • Has been discharged from the Armed Services of the United States under dishonorable conditions.

  3. Who must undergo an SRA?
    • The Responsible Official (RO),
    • The Alternate Responsible Official (ARO),
    • All individuals who will have access to BSAT, and
    • Each individual who owns or controls an entity as defined below:
      1. For private academic institutions, any individual that is an officer, trustee, member of the board, or owner of the academic institution, and is in a managerial or executive capacity with regard to BSAT possessed, used, or transferred by the entity;
      2. For entities other than private academic institutions, any individual that is a partner, officer, director, holder or owner of 50 percent or more of its voting stock and is in a managerial or executive capacity with regard to BSAT possessed, used, or transferred by the entity.
  4. Currently, we only store BSAT. Do we have to obtain SRA approval for individuals with access to the freezers containing select agents and toxins?

    Yes. A registered entity may not provide an individual access to BSAT until the individual is approved by AgSAS or DSAT, following an SRA.

    An individual will be deemed as having access at any point in time the individual has possession of (e.g., ability to carry, use, or manipulate) or the ability to gain possession of a BSAT.

  5. Would an individual (e.g., facilities management staff, escorted visitors) who has access to space where Tier 1 select agents or toxins are used or stored, but does not regularly work in the area, need to undergo a security risk assessment and be enrolled in the entity’s suitability assessment program?

    The entity needs to determine if the individual will have access to a select agent or toxin. An individual will be deemed as having access at any point in time the individual has possession of (e.g., ability to carry, use, or manipulate) or the ability to gain possession of a select agent or toxin.

    If the individual entering into the registered space is able to access the select agent or toxin, the individual would need to undergo a security risk assessment and receive access approval from the Federal Select Agent Program. The individual would also need to be enrolled in the entity’s suitability assessment program. However, if the individual's duties are limited that they will never be able to access the select agent or toxin, then the individual would not need to undergo a security risk assessment or be part of the entity’s suitability assessment program. In this circumstance, the individual should be escorted by a person with a security risk assessment and who is enrolled in the entities’ suitability assessment program.

  6. Is the unique identifying number (UIN) provided to the entity where the individual is employed?

    Yes. As long as the individual stays employed with the registered entity, the individual will retain his or her original UIN.

  7. Is a maintenance worker who has not been approved to access select agents and toxins allowed to enter a laboratory storing select agents or toxins to perform maintenance on biological safety cabinet?

    Yes, provisions for cleaning, maintenance, and repair personnel are as follows: When cleaning, maintenance, or repair personnel (either in-house staff or contracted workers) need access to select agent areas (including storage areas), an entity should either 1) use only SRA-approved individuals; or 2) provide an SRA-approved individual as an escort at all times for the non-SRA-approved personnel while the non-SRA-approved personnel are in, or have access to, a select agent area; or 3) if the non-SRA-approved individual will not be escorted, install additional security countermeasures (beyond the basic locked freezer/refrigerator/incubator or lock boxes) to prohibit access to the select agents or toxins by non-SRA-approved individuals; or 4) move the select agents or toxins to a different area that is appropriately registered. Additional countermeasures may include, but are not limited to, an additional lock and key, cipher lock, or tamper alarms interfaced with the facility intrusion detection system. Section 17 (Records) requires that select agent area access logs must be in place to record the name, date, and time of entry into the select agent activity area, including the name of an escort, if applicable.

    Note: An entity also must provide biosafety information and training to each individual regardless of whether the individual has SRA approval before he/she works in or visits registered areas. The training should be tailored to address the risks posed by the select agents and toxins present as well as any particular needs of the individual or the work required.

  8. Is a new employee who has not been approved to access select agents and toxins allowed to observe a researcher who is monitoring select agent infected animals in micro-isolator cages?

    Yes, non-approved individuals will be allowed access to areas where select agents are accessible only if they are continuously escorted by an approved individual and the non-approved individual will not have access to a select agent or toxin. An individual will be deemed as having access at any point in time the individual has possession of (e.g., ability to carry, use, or manipulate) or the ability to gain possession of a select agent or toxin.

    It is the intent of the regulations that the escort will have the means and ability to prevent the non-approved individual from obtaining or making use of any accessible select agent or toxin in that area. Please note that section 73.17 (Records) requires that select agent area access logs must be in place to record the name and date/ time of entry into the select agent activity area, including the name of an escort, if applicable. In addition, an entity also must provide biosafety information and training to each individual regardless of whether the individual has SRA approval before he/she works in or visits registered areas. The training should be tailored to address the risks posed by the select agents and toxins present as well as any particular needs of the individual or the work required.

  9. Can a person without security risk assessment (SRA) approval accept a package containing a select agent?

    It depends on the circumstances under which package was received. Under the select agent regulations, the package containing select agents and toxins is not considered "received" by the entity until the intended recipient (person that opens the package) takes possession of the package. The intended recipient, or his/her designee, must be an individual who is approved by the Federal Select Agent Program for access to select agents and toxins.


Obtaining an SRA

  1. What is the process for obtaining an SRA?

    The application process for a new registration or an amendment to an existing registration is:

    • The entity's RO submits an application or amendment that includes the individual's information using the APHIS/CDC Form 1 to the entity's lead agency (AgSAS or DSAT, but not both).
    • The lead agency issues the entity a letter providing the unique identifying number (UIN) for each individual listed on the APHIS/CDC Form 1.
    • The RO notifies each individual of his/her UIN.
    • Each individual completes the FD-961 Form and includes the UIN in Section II, item #3.
    • The RO faxes a request to CJIS for fingerprint card packages, which consists of two FD-258 Fingerprint Cards, general instructions, fingerprint instructions, and a pre-addressed return envelope. The request should include the following: entity name, requestor, mailing address, telephone number, and the quantity of fingerprint card packets requested. The request should be faxed to CJIS at (304) 625-2198.
    • The applicant must submit the completed form and two legible fingerprint cards, printed by a local law enforcement agency, as one package directly to CJIS (not AgSAS or DSAT). The CJIS mailing address is:

      Bioterrorism Security Risk Assessment Group E-3
      CJIS Division
      1000 Custer Hollow Road
      Clarksburg, WV 26306-0002

    For guidance on how to complete the FD-961 Form, please refer to the FBI website.

    NOTE: All FD-961 Forms received by AgSAS or DSAT will be returned directly to the RO of the entity, which will delay the processing the SRA. FD-961 Forms must be submitted directly to CJIS.

  2. How do I request an expedited SRA?

    The RO must submit a written request with justification of good cause to APHIS or CDC. Good cause might be a public health or agricultural emergency, national security, or a short term visit by a prominent researcher. A written decision granting or denying the request will be issued (Refer to 42 CFR 73.10(f), 7 CFR 331.10(f), and 9 CFR 121.10(f)).

  3. What is the process for change in employment to another registered entity?

    Under any case where an individual is changing employers from one registered entity to another registered entity, the new employing entity's RO submits an application or amendment that includes the individual's information using the APHIS/CDC Form 1 to the lead agency (AgSAS or DSAT, but not both). The individual must undergo a new SRA (This process is described in, Obtaining an SRA Question # 1). A full SRA must be completed prior to an individual being granted access to select agents and toxins at the new place of employment. The SRA granted under previous employment is NOT transferable.

  4. Is there anything I can do to avoid delays in the SRA results?

    Common errors may delay the SRA process. Please pay careful attention to:

    • Ensure that the information (e.g., name, date of birth, etc.) for individuals listed on the APHIS/CDC Form 1 is identical to the information provided on the FD-961 Form submitted to CJIS for each individual.
    • Ensure that the AgSAS or DSAT assigned UIN is correct and listed on Section II, Item #3 on the FD-961 Form.
    • Ensure all questions are answered on the FD-961 Form.
    • Ensure that the applicant signs Section II (below the certification questions) and Section III (consent page).

  5. What is the process if an individual gets married and the last name changes?

    The entity RO submits an amended APHIS/CDC Form 1 to the entity’s lead agency (AgSAS or DSAT) that indicates the name change.

  6. What do I do if I am contacted that my SRA is "cancelled"?

    An individual’s SRA is cancelled when CJIS cannot complete the SRA process due to missing or incomplete information (e.g., signature was not provided, questions not answered, UIN number not provided).

    If the individual’s current SRA expires during renewal process and the renewal is cancelled, the individual’s access to select agents or toxins will be terminated.

  7. Who do I contact if I have questions about SRAs?

    For guidance on the SRA process, contact CJIS directly at 304-625-4900.


Renewals of SRAs

  1. How long is the SRA valid?

    An SRA for individuals that will have access to select agents and toxins is valid for a period not to exceed three years. AgSAS or DSAT can cancel approval at any time based on new information germane to the SRA. A registered entity can of course deny access to select agents and toxins to an individual at any time the entity determines that the individual no longer has a legitimate need to handle or use such agents and toxins. The RO, ARO, individuals that own or control an entity, and non-exempted entities must obtain SRA approval each time the certificate of registration is renewed. A certificate of registration is valid for a maximum of three years.

  2. What is the process for the renewal request of an individual’s SRA?
    • AgSAS or DSAT will provide the RO with a list of individuals who need renewed SRAs and details regarding the SRA renewal process. Note: It is the RO’s responsibility to ensure all individuals listed on the entity’s registration are SRA approved.
    • No less than 45 days prior to their expiration date, any individual identified for SRA renewal should submit a new FD-961 Form to CJIS by faxing to 304-625-2198. Fingerprint cards are not required for the renewal process. However, CJIS reserves the right to request additional fingerprint cards if necessary.
    • AgSAS or DSAT will notify the RO in writing the results of the individual’s SRA.

  3. What is the process for the renewal request of an entity’s SRA?

    CJIS conducts SRAs of all non-exempt entities. AgSAS or DSAT will initiate the SRA process for the entity. Therefore, no action is required by the entity.

  4. Will a new UIN be assigned to individuals for renewal requests of SRAs?

    No. As long as the individual stays employed with the registered entity, the individual will retain his or her original UIN.


Termination of Access

  1. How does a RO terminate an individual’s access to select agents and toxins?

    Section 10(k) of the Select Agent Regulations (42 CFR part 73, 7 CFR part 331, and 9 CFR part 121) requires that the RO immediately notify AgSAS or DSAT when an entity has terminated an individual’s access to select agents or toxins. The notification must include the reason for termination of access. Notification should be submitted in writing via mail, fax, or email to AgSAS or DSAT.

    The termination of an individual’s access to select agents and toxins is effective once the amendment is received by the Federal Select Agent Program not when the amendment is approved. It should be noted that all paperwork, biographic and biometric data associated with the individual’s security risk assessment will be removed.

    When terminating an individual’s access to select agents or toxins, it is critical that the RO takes steps to ensure that the individual no longer has the ability to access select agents or toxins. This may include retrieving keys, changing locks, disabling passwords, or disabling cardkeys.

  2. Once an amendment removing a person’s access is received indicating that the individual’s access to select agents and toxins is terminated, can the individual’s access to select agents and toxins be approved without undergoing a new SRA?

    No. If the individual's access to select agents or toxins is terminated, the individual must undergo a new SRA, which includes new finger print cards and FD 961 (This process is described in, Obtaining an SRA Question # 1). The SRA granted previously is NOT transferable.

  3. Is the RO required to notify AgSAS or DSAT if the RO suspends someone’s access to select agents or toxins?

    No. The Select Agent Regulations only require notification if the individual’s access to select agents or toxins has been terminated.


Visitors

  1. What is the procedure if an individual access approval from one registered entity wants to visit another registered entity and have access to BSAT?

    The host entity's (i.e., registered entity that the individual will be visiting) RO submits an amendment that includes the individual's information using the APHIS/CDC Form 1 to the lead agency (AgSAS or DSAT, but not both). Using the individual's information from the home entity, the host entity's RO completes the required information on the APHIS/CDC Form 1 and includes the name of the individual's home entity (i.e., individual's place of employment) on the cover letter that accompanies the amendment.

    Once the visit is complete, the host entity's RO should amend the entity's registration (APHIS/CDC Form 1) to remove the visitor. In some circumstances, the host entity's RO may decide to leave the visitor on the registration, if the same individual will be visiting the entity again.

  2. What is the procedure if an individual access approval for Tier 1 BSAT from one registered entity wants to be trained at another registered entity and have access to Tier 1 BSAT?

    The host entity's (i.e., registered entity that the individual will be visiting) RO submits an amendment that includes the individual's information using the APHIS/CDC Form 1 to the lead agency (AgSAS or DSAT, but not both). Using the individual's information from the home entity, the host entity's RO completes the required information on the APHIS/CDC Form 1 and includes the name of the individual's home entity (i.e., individual's place of employment) on the cover letter that accompanies the amendment.

    The regulatory requirements do not change for this situation but there are additional personnel security options. The host entity must still verify that that each trainee has an SRA, are on the host entity's registration, and verify a justification for the training. Since the training involves access to Tier 1 BSAT, trainees must receive entity specific training on the host entity's policies and procedures concerning personnel suitability, however this may be specific training for trainees and different than training for permanent employees.

    All personnel who have access to the Tier 1 BSAT must have gone through pre-access suitability and are subject to on-going assessments. Options for the ongoing assessment requirements for trainees include:

    • Ensure training is monitored. For example, an instructor observes the work and verifies that the trainee is engaged only in that work.
    • Limit access to the registered area. Trainees should only have access to the registered area during specific work or training times.
    • Limit access within the registered areas. Trainees should not be given access to storage freezers or other registered areas not directly involved in the training program.

    With trainees, the host entity can always enroll trainees into its pre-access suitability program; however, if that is not feasible, an entity can rely on the home entity's verification checks. This may include:

    • Verify with the home entity that the trainee has gone through a pre-access suitability program and is subject to ongoing assessment.
    • Verify with the home entity that the trainee has gone through similar pre-access checks (references, employment, criminal) and accept those checks as sufficient.
    • Verify with home entity which pre-access checks have been accomplished and work with the home entity to complete any checks which were not done. The host entity is strongly encouraged to adjudicate any new derogatory information with the home entity prior to making an access decision.

    The host entity is responsible for maintaining records outlined in Section 17. If an entity chooses to rely on the home entity's checks, that must be documented and retained as well.

    The host entity can also deny access to Tier 1 BSAT to any trainee if the host entity cannot verify the trainee's status.

    If a trainee demonstrates a behavior which may compromise safety or security, their access to BSAT should be removed.

    Once the visit is complete, the receiving entity's RO should amend the entity's registration (APHIS/CDC Form 1) to remove the visitor. In some circumstances, if the same individual will be visiting the entity again, the receiving entity's RO may decide to leave the visitor on the registration.

  3. What is the procedure if an individual access approval for Tier 1 BSAT from one registered entity wants to be trained at another registered entity and have access to non-Tier 1 BSAT?

    The host entity's (i.e., registered entity that the individual will be visiting) RO submits an amendment that includes the individual's information using the APHIS/CDC Form 1 to the lead agency (AgSAS or DSAT, but not both). Besides the required information on the APHIS/CDC Form 1, the host entity's RO should include with the name of the individual's home entity (i.e., individual's place of employment).

    Once the visit is complete, the receiving entity's RO should amend the entity's registration (APHIS/CDC Form 1) to remove the visitor. In some circumstances, if the same individual will be visiting the entity again, the receiving entity's RO may decide to leave the visitor on the registration.

  4. What is the procedure if an individual access approval for non-Tier 1 BSAT from one registered entity wants to be trained at another registered entity and have access to Tier 1 BSAT?

    The host entity's (i.e., registered entity that the individual will be visiting) RO submits an amendment that includes the individual's information using the APHIS/CDC Form 1 to the lead agency (AgSAS or DSAT, but not both). Besides the required information on the APHIS/CDC Form 1, the host entity's RO should include with the name of the individual's home entity (i.e., individual's place of employment).

    The regulatory requirements do not change for this situation but there are additional personnel security options. The host entity must still verify that that each trainee has an SRA, are on the host entity's registration, and verify a justification for the training. Since the training involves access to Tier 1 BSAT, trainees must receive entity specific training on the host entity's policies and procedures concerning personnel suitability, however this may be specific training for trainees and different than training for permanent employees. All personnel who have access to the Tier 1 BSAT must have gone through pre-access suitability and are subject to on-going assessments. The host entity must enroll trainees into its pre-access suitability program.

    Options for the ongoing assessment requirement in for trainees include:

    • Ensure training is monitored. For example, an instructor observes the work and verifies that the trainee is engaged only in that work.
    • Limit access to the registered area. Trainees should only have access to the registered area during specific work or training times.
    • Limit access within the registered areas. Trainees should not be given access to storage freezers or other registered areas not directly involved in the training program.

    If a trainee demonstrates a behavior which may compromise safety or security, their access to BSAT should be removed.

    Once the visit is complete, the receiving entity's RO should amend the entity's registration (APHIS/CDC Form 1) to remove the visitor. In some circumstances, if the same individual will be visiting the entity again, the receiving entity's RO may decide to leave the visitor on the registration.

  5. What is the procedure if an individual from an unregistered entity wants to visit a registered entity?

    A registered entity may not provide an individual access or an individual may not access a select agent or toxin, unless the individual is approved by the AgSAS or DSAT, following a security risk assessment by CJIS (Section 10(a)) of the Select Agent Regulations (42 CFR part 73, 7 CFR part 331, and 9 CFR part 121).

    An individual will be deemed having access at any point in time the individual has possession of (e.g., ability to carry, use, or manipulate) or the ability to gain possession of a select agent or toxin (Section 10 (b)) of the Select Agent Regulations (42 CFR part 73, 7 CFR part 331, and 9 CFR part 121).

    See Obtaining an SRA Question #1 for the process for obtaining an SRA.

    Once the visit is complete, the receiving entity's RO should amend the entity's registration (APHIS/CDC Form 1) to remove the visitor. In some circumstances, if the same individual will be visiting the entity again, the receiving entity's RO may decide to leave the visitor on the registration.

  6. Can visitors who have not received access approval from the Federal Select Agent Program (non SRA approved) be allowed in a laboratory that contains select agents and toxins without an escort?

    Yes. non-SRA approved persons (i.e., Regular Visitor, Recurrent Visitor, Maintenance and other Non-Scientific Support Visitor, or First Responder/Emergency Personnel) can be allowed in a laboratory that contains select agents and toxins without an escort if they are (1) trained based on the risk associated with accessing areas where select agents and toxins are used and/or stored and (2) additional security measures are in place (e.g., additional lock and key, cipher lock, or tamper alarms interfaced with the facility intrusion detection system) to prohibit access to select agents and toxins by this person or the select agent or toxin is removed to a different area that is appropriately registered.

    • Recurrent Visitor: An individual, usually a scientist or laboratorian, working in registered space, but not with select agents and toxins.
    • Regular Visitor: An individual visits an entity on an occasional basis and would enter the area containing select agents and toxins, but not need access to the agents or toxins.
    • Maintenance and other Non-Scientific Support Visitor: An individual who would conduct routine maintenance of the facility, construction, equipment repairs, housekeeping, and re-certification of equipment where the individual would enter the area containing select agents and toxins, but not need access to the agents or toxins.
    • First Responder/Emergency Personnel: An individual (e.g., an emergency medical technician or a police officer) that arrives first on the scene of a disaster, accident, or life-threatening medical situation. The first responder's duties include providing medical assistance and calling other emergency caregivers to the scene.
  7. Who can serve as an escort into an area containing select agents or toxins?

    The escort’s primary role is ensuring that the non-SRA approved person does not have access to the select agents and toxins. The escort should have knowledge of the security procedures for entry into areas that contain select agents and toxins. The escort should have the ability to prevent the non-SRA approved person from accessing select agents and toxins. The escort should be trained to serve as a physical barrier or have other means of alerting appropriate security personnel in the event the non-SRA approved person attempts to access a select agent or toxin.

  8. How should the entity’s security plan account for the use of escorts?
    • If an escort is used, the person acting as the escort must be SRA approved and knowledgeable of the registered entity’s security requirements and biosafety risks of the select agent or toxin in the areas where the escorted person is being allowed to enter. The escort must be capable of executing appropriate safety protocols.
    • A registered entity’s security plan must address the protocol on how non-SRA approved persons are granted access to areas that contain select agents and toxins.
    • Train all Non-SRA approved persons on emergency protocols and the risks associated with the select agents and toxins located in the areas they will be entering.
    • Entry logs must reflect the name of the visitor, their escort, date and time of entry and purpose of visit. These records must be maintained for three years.
    • The Responsible Official should be aware and authorizes any non-SRA approved person accessing areas that contain select agents and toxins.
    • The escort is trained to handle security concerns regarding uncooperative non-SRA approved persons accessing areas that contain select agents and toxins.
    • Notify the Responsible Official when the entry is concluded.
  9. A fire has broken out in a laboratory that contains select agents and toxins and laboratorians are trapped inside. Is the registered entity allowed to have emergency first responders enter areas where select agents and toxins are present?

    In the event where it is not possible to escort first responders, appropriate personnel protective equipment should be available to them for use when responding to the emergency situation. The entity’s incident response plan should provide procedures in place to monitor the response personnel (i.e., record entry of all individuals into areas containing select agents and toxins) and account for the select agents and toxins as soon as is practical after the emergency.

  10. Can a registered entity allow non-SRA approved individuals working with biological agents and/or toxins that are not select agents or toxins to share the same space with SRA approved individuals working with select agents or toxins?

    Yes. The non-SRA approved individuals would require to be escorted at all times to ensure that they did not access a select agent or toxin unless additional security measures are in place (e.g., additional lock and key, cipher lock, or tamper alarms interfaced with the facility intrusion detection system) to prohibit access to select agents and toxins by the non-SRA approved individual or the select agent or toxin is removed to a different area that is appropriately registered.

  11. Is a non-SRA approved maintenance worker without escort allowed in a registered laboratory where the select agents have been removed and the laboratory room has been decontaminated to perform repairs?

    Yes. The non-SRA approved maintenance personnel are allowed entry because the select agents have been removed to a different area that is appropriately registered.

  12. Is a visiting scientist that does not have SRA approval allowed to observe ongoing research with a select agent?

    Yes. The individual would require to be escorted at all times to ensure that they do not access a select agent or toxin.

  13. Is a Federal Select Agent Program inspector allowed access to areas containing select agents and toxins?

    Yes. The individuals would require to be escorted at all times to ensure that they do not access a select agent or toxin.


Foreign Nationals

  1. What is the process if a foreign national wants to visit a registered entity?

    If the individual will have access to select agents or toxins, they must have a current SRA. See Obtaining an SRA Question #1 for the process for obtaining an SRA.

    Please note for any individual to undergo an SRA, the individual must be physically in the United States with a valid visa. To avoid delays in this process, the RO should inform AgSAS or DSAT of the dates the visit will occur.

  2. Can a foreign national be identified as an owner/controller of a registered entity?

    Yes. The individual must have a current SRA. See Obtaining an SRA Question #1 for the process for obtaining an SRA .

    Please note for any individual to receive an SRA, the individual must have a legal presence in the United States (e.g., valid green card).


Restricted Person

  1. Who is a “restricted person”?

    A "restricted person" is an individual who falls under one or more of the following categories:

    • Is under indictment for a crime punishable by imprisonment for a term exceeding 1 year.
    • Has been convicted in any court of a crime punishable by imprisonment for a term exceeding 1 year.
    • Is a fugitive from justice.
    • Is an unlawful user of any controlled substance (as defined in section 102 of the Controlled Substances Act (21 U.S.C. 802)).
    • Is an alien illegally or unlawfully in the United States.
    • Has been adjudicated as a mental defective or has been committed to any mental institution.
    • (i)Is an alien (other than an alien lawfully admitted for permanent residence) who is a national of a country as to which the Secretary of State, pursuant to section 6(j) of the Export Administration Act of 1979 (50 U.S.C. App. 2405(j)), section 620A of chapter 1 of part M of the Foreign Assistance Act of 1961 (22 U.S.C. 2371), or section 40(d) of chapter 3 of the Arms Export Control Act (22 U.S.C. 2780(d)), has made a determination (that remains in effect) that such country has repeatedly provided support for acts of international terrorism; or (ii) acts for or on behalf of, or operates subject to the direction or control of, a government or official of a country described in this subparagraph.
    • Has been discharged from the Armed Services of the United States under dishonorable conditions.
    • Is a member of, acts for or on behalf of, operates subject to the direction or control of, a terrorist organization as defined in section 212(a)(3)(B)(vi) of the Immigration and Nationality Act (8 USC 1182(a)(3)(B((iv).
  2. When will an individual’s access to select agents and toxins be denied or revoked?

    The Federal Select Agent Program (FSAP) will deny or revoke a “restricted person’s” approval for access to any select agent or toxin.

    In addition, FSAP may deny, limit, or revoke approval for access to any select agent or toxin for an individual if (See section 10 (Restricting access to select agents and toxins; security risk assessments) of the select agent regulations):

    • The individual is reasonably suspected by any Federal law enforcement or intelligence agency of
      • Committing a crime specified in 18 U.S.C. 2332b(g)(5);
      • Knowing involvement with an organization that engages in domestic or international terrorism (as defined in 18 U.S.C. 2331) or with any other organization that engages in intentional crimes of violence or
      • Being an agent of a foreign power (as defined in 50 U.S.C. 1801).
    • It is determined such action is necessary to protect public health and safety, animal health or animal products, or plant health or plant products.
  3. What steps must the Responsible Official take when notified that an individual’s access to select agents and toxins has been denied or revoked by FSAP?

    After notification by FSAP that an individual’s access to select agents and toxins has been denied or revoked, the Responsible Official must immediately notify the individual that he or she has lost their access to select agents or toxins and immediately take steps to ensure that the individual will not have  access to select agents and toxins (e.g., have the individual turn in keys or changing locks, update the electronic access records, etc.).  

    Depending on an individual’s role, or any determination by the entity that suspicious activity may have occurred with this individual while the individual had access to select agents and toxins, FSAP recommends conducting a review of entity inventory and access records to ensure that select agents and toxins have been safeguarded against theft, loss, or release.  

  4. How does an individual identified as a “restricted person” apply for an appeal?

    Section 20(b) of the select agent regulations allows an individual to appeal a denial, limitation, or revocation of access approval. The appeal must be in writing, state the factual basis for the appeal, and be submitted to FSAP within 180 calendar days of the decision.

    Centers for Disease Control and Prevention
    Division of Select Agents and Toxins
    1600 Clifton Road NE, Mailstop A-46
    Atlanta, GA 30329
    FAX: 404-718-2096
    Email: lrsat@cdc.gov
    Animal and Plant Health Inspection Service
    Agriculture Select Agent Services
    4700 River Road Unit 2, Mailstop 22, Cubicle 1A07
    Riverdale, MD 20737
    FAX: 301-734-3652
    E-mail: AgSAS@aphis.usda.gov

    An individual who would like a copy of his or her FBI records should go to the FBI Identification Record Request webpage or write to:

    Criminal Justice Information Services Division
    Attention: Record Request
    1000 Custer Hollow Road
    Clarksburg, WV 26306

    NOTE: It should be noted that the individual will remain identified as restricted person throughout the appeal process. 

  5. Can an entity allow an individual identified as a “restricted person” access to an area in which select agents or toxins are used or stored?

    Yes. Although access to select agents and toxins by restricted persons is prohibited, there may be occasions when an entity needs to provide access to an area in which select agents are stored or used.  It is the policy of the FSAP that a registered entity may allow a restricted person into an area containing select agents and toxins under the following conditions:

    • Under no circumstances is the entity allowed to provide a restricted person access to a select agent or toxin.
    • The entity’s security plan addresses how the entity will safeguard select agents and toxins against theft, loss, release, or unauthorized access by allowing a restricted person entry into areas containing select agents and toxins.
    • The RO is notified that a restricted person requires entry into an area containing select agents and toxins and determines the risk of a restricted person accessing this select agent or toxin in this area. Based on this assessment, the RO approves or denies the request.
    • The entity, as provided in the entity’s security plan, secures all the select agents and toxins against unauthorized access while the restricted person is in an area containing select agents and toxins (e.g., select agents or toxins are removed from the area or agents and toxins are secured in containers that would not allow access by restricted person, etc.).
    • The restricted person is escorted and continuously monitored by an individual who received access approval to select agents and toxins by FSAP, following a security risk assessment by the Attorney General. The restricted person escort must be aware of their duty to not allow the restricted person access to a select agent or toxin. 
    • Section 17 (Records) of the select agent regulations requires that access logs must be in place to record the name and date/time of entry into the registered area including the name of the escort.
    • The entity verifies that all the select agents and toxins remained secure during the presence of the restricted person in the area containing select agents and toxins and the restricted person did not access the agent or toxin.