Personnel Suitability
Assessment FAQ's

General

  1. How would the Federal Select Agent Program (FSAP) inspectors verify an entity's suitability assessment program?

    For an entity required to have a suitability program, during their inspection, FSAP inspectors will review the entity’s security plan, any records that the entity maintains as a part of its suitability assessment program (pre-access and ongoing), and interview entity staff. At a minimum, the inspectors will look to see that there is a formal description of the program and that all involved workers have been enrolled and adequately trained.

  2. Are there forms that an entity is required to provide to document the entity's suitability assessment program?

    No, there are no specific forms required for the documentation of an entity’s suitability assessment program, although this program must be included as part of the security plan for entities that possess, use, or transfer Tier 1 select agents or toxins. An entity required to have a suitability program has the discretion to document its suitability assessment program (pre-access and ongoing) in a way that best meets its needs.

  3. Is a background investigation done for a security clearance considered equivalent to a suitability assessment?

    An entity required to have a suitability program may certainly use a background investigation for a national security clearance to complement its suitability assessment program. However, while such a background investigation may address the integrity and trustworthiness of an individual, it may not address other entity requirements needed to determine suitability.

  4. Is our entity required to perform drug screening?

    It depends on the circumstance. Drug screening is not a specific requirement of the regulations. However, this does not preclude an entity from establishing a drug screening program if it determines that this measure would be an appropriate component of its personal reliability assessment program. Such a program would need to be administered in compliance with applicable local, state, and federal regulations.

  5. Is our entity required to investigate a person's finances or run a credit report?

    It depends on the circumstance. An investigation of a person’s finances or obtaining a credit report is not a specific requirement of the regulations. However, this does not preclude an entity from establishing a personal financial review program if it determines that this measure would be an appropriate component of its personal reliability assessment program. Such a program would need to be administered in compliance with applicable local, state, and federal regulations.

  6. What assistance is available for entities to vet individuals that they have identified as having criminal misdemeanor records?

    Responsible Officials should look to their local or institutional legal and human resource managers to assist with setting up systems and procedures to adjudicate cases in which individuals with criminal misdemeanor records have been identified.

  7. How does our entity transition individuals who already have access to Tier 1 select agents and toxins?

    Individuals who already have approved access to Tier 1 select agents and toxins are not required to have a pre-access suitability assessment, but will be subject to the entity’s ongoing assessment and monitoring program.

    If the entity has concerns about an individual that has access to Tier 1 select agents and toxins, the entity should perform a modified pre-access suitability assessment for the individual that may include records verification and training on the entity’s suitability assessment program and Tier 1 regulatory requirements.

  8. Is our entity required to perform ongoing monitoring of medications or medical issues of individuals that have access to Tier 1 select agents and toxins?

    It depends on the circumstance. Although the select agent regulations do not specifically require the ongoing monitoring of medications or medical issues for individuals who have access to Tier 1 select agents or toxins, Section 12(d) of the regulations requires that entities administer an occupational health program for these individuals. If an entity determines that the ongoing monitoring of medications or medical issues of individuals is an appropriate component of an effective occupational health program, these measures should be implemented in compliance with all applicable local, state, and federal regulations.

  9. For the entity's suitability assessment program, who should the entity chose as a reviewer and should this person be listed on the entity's registration?

    The Reviewer (REV) should be an entity official whose duties include monitoring the suitability assessment program and reviewing warranted suitability actions. This person may be a security or administrative professional, legal counsel, or other person who can provide an alternate and complementary perspective on the suitability assessment program and Tier 1 select agents and toxins access decisions to the Responsible Official (RO). If resources do not permit the appointment of a separate REV, the RO may act as the REV. The REV should be able to protect and evaluate the personal information required to administer a suitability assessment program. The REV should be competent to assess personnel with respect to both pre-access and on-going suitability assessments.

    If the REV is the RO, Alternate RO, or a person who owns or controls an entity or will have access to select agents and toxins, this individual must be put on the entity registration and undergo a security risk assessment.

  10. For the entity's suitability assessment program, who should the entity chose as a certifying official and should this person be listed on the entity's registration?

    The Certifying Official (CO) should be an entity official who certifies that personnel meet the established requirements of an entity-specific suitability assessment and monitoring program. The CO should have sufficient familiarity with all individuals having access to Tier 1 select agents and toxins, and their supervisory chain, to permit a continual evaluation of their suitability, and have the authority to engage supervisors when warranted. The CO should possess human resources expertise and experience in order to collect, evaluate, and protect personal information required in the suitability assessment program. Optimally, the CO is a person outside the individual’s supervisory chain, such as a human resource professional, occupational health physician, Employment Assistance Program (EAP) counselor, Principal Investigator (PI) not associated with the work to be performed, or other interested and qualified person. The CO notifies the RO on matters pertinent to personnel suitability directly.

    If the CO will have access to select agents and toxins, the individual must be put on the entity registration and undergo a security risk assessment.

  11. How is personal information about personnel background obtained if human resource policies restrict the entity from asking such questions when determining suitability?

    We note that the gathering and possession of personal information must be done in accordance with applicable Federal, State, and local laws. For additional guidance, please refer to the Guidance for Suitability Assessments.

  12. Regarding mental health and medications, how do we reconcile the Personnel Reliability Program (PRP) requirements with Health Insurance Portability and Accountability Act (HIPAA) restrictions?

    First, the HIPAA Privacy Rule protects all "individually identifiable health information" held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral. The HIPAA privacy rule applies only to health plans, health care clearinghouses, and to any health care provider who transmits health information in electronic form in connection with transactions for which the Secretary of HHS has adopted standards under HIPAA. Second, a covered entity must disclose protected health information to individuals (or their personal representatives) specifically when they request access to their protected health information. A covered entity must obtain the individual’s written authorization for any use or disclosure of protected health information that is not for treatment, payment, or health care operations or otherwise permitted or required by the Privacy Rule. An authorization must be written in specific terms. It may allow use and disclosure of protected health information by the covered entity seeking the authorization, or by a third party. Examples of disclosures that would require an individual’s authorization include disclosure to an employer of the results of a pre-employment physical or lab test. Information related to HIPAA can be found here.

  13. How would we perform assessment of a foreign national?

    Federal Select Agent Program has developed guidance for the development and implementation of pre-access suitability programs for persons who will have access to Tier 1 select agents or toxins. For additional guidance, please refer to the Guidance for Suitability Assessments. Entity pre-access suitability programs should be entity-specific and be in compliance with applicable state and local laws and regulations.

  14. If a person has been disciplined multiple times for not following the entity's procedures in the registered areas that use or store Tier 1 select agents and toxins, could this be grounds to terminate the individual from the entity's suitability assessment program?

    Yes, repeated failure to follow entity’s procedures may be used to determine an individual’s access to not only Tier 1 select agents and toxins but other select agents and toxins as determined by the Responsible Official. Entities should work with their Human Resources department to determine what actions are appropriate to address conduct and performance issues which impact safety and security in registered laboratories.

  15. Who pays for the costs associated with suitability assessments when direct/indirect contracts and research grants cannot be used?

    It is the responsibility of the entity to provide the resources for the entity to remain in compliance with the select agent regulations.

  16. Does an individual that meets the definition of an owner or controller of an entity that is registered for Tier 1 select agents have to be included in the entity's suitability assessment program?

    It depends upon whether or not the owner or controller would actually have access to Tier 1 select agents or toxins. Any individual, including an owner or controller (as defined in the Select Agent Regulations) who is approved to have access to Tier 1 select agents and toxins is required to be enrolled in the entity’s suitability assessment program.