[Code of Federal Regulations] [Title 7, Volume 5] [Revised as of January 1, 2005] From the U.S. Government Printing Office via GPO Access [CITE: 7CFR331.11] [Page 425-427] TITLE 7--AGRICULTURE CHAPTER III--ANIMAL AND PLANT HEALTH INSPECTION SERVICE, DEPARTMENT OF AGRICULTURE PART 331_POSSESSION, USE, AND TRANSFER OF BIOLOGICAL AGENTS AND TOXINS --Table of Contents Sec. 331.11 Biocontainment and security plan. (a) As a condition of registration, an individual or entity must develop and implement a Biocontainment and Security Plan.\8\ The Biocontainment and Security Plan must contain sufficient information and documentation to describe the containment procedures and the security systems and procedures. The plan must be commensurate with the risk of the agent or toxin, given its intended use. --------------------------------------------------------------------------- \8\ Technical assistance and guidance may be obtained by calling (301) 734-5519. --------------------------------------------------------------------------- (1) Containment procedures. The containment procedures must be sufficient to contain the agent or toxin (e.g., physical structure and features of the entity, and operational and procedural safeguards). At a minimum, the plan must address containment and inventory control. [[Page 426]] (2) Security systems and procedures.\9\ The security systems and procedures must be designed according to a site-specific risk assessment and must provide graded protection in accordance with the threat posed by the agent or toxin. --------------------------------------------------------------------------- \9\ For guidance, see the USDA Departmental Manual No. 9610-001, ``USDA Security Policies and Procedures for Biosafety Level-3 Facilities'' (August 30, 2002). The manual may be obtained by calling (301) 734-5519. The manual is also available on the Internet at http:// www.usda.gov/ocio/directives/DM/DM9610-001.htm. See also Appendix F, ``Biosafety in Microbiological and Biomedical Laboratories,'' in Morbidity and Mortality Weekly Report (2002). This document may be obtained by writing to Select Agent Program, Centers for Disease Control and Prevention, 1600 Clifton Road, NE, Mail Stop E 79, Atlanta, GA 30333. It is also available on the Internet at http://www.cdc.gov/mmwr. --------------------------------------------------------------------------- (i) The site-specific risk assessment should involve a threat assessment and risk analysis in which threats are defined, vulnerabilities examined, and risks associated with those vulnerabilities are identified. (ii) The security systems and procedures must be tailored to address site-specific characteristics and requirements, ongoing programs, and operational needs, and must mitigate the risks identified under paragraph (a)(2)(i) of this section. (iii) The plan must describe inventory control procedures, personnel suitability for those individuals with access to agents or toxins listed in Sec. 331.3, physical security, and cybersecurity. The plan must also contain provisions for securing the area (e.g., card access, key pads, locks) and protocols for changing access numbers or locks following staff changes; procedures for loss or compromise of keys, passwords, combinations, etc.; procedures for reporting suspicious persons or activities, loss or theft of listed agents or toxins, release of listed agents or toxins, or alteration of inventory records; provisions for the control of access to containers where listed agents and toxins are stored; provisions for routine cleaning, maintenance, and repairs; and procedures for reporting and removing unauthorized persons. (iv) With respect to areas containing listed agents or toxins, an entity or individual must adhere to the following security requirements or implement measures to achieve an equivalent or greater level of security as the provisions below: (A) Allow unescorted access only to approved individuals who are performing a specifically authorized function during hours required to perform that job; (B) Allow individuals not approved under Sec. 331.10 to conduct routine cleaning, maintenance, repairs, and other non-laboratory functions only when escorted and continually monitored by approved individuals; (C) Provide for the control of access to containers where listed agents and toxins are stored by requiring that such containers be locked when not in the direct view of an approved individual and by using other monitoring measures, as needed; (D) Require the inspection of all packages upon entry and exit; (E) Establish a protocol for intra-entity transfers, including provisions for ensuring that the packaging and movement, is conducted under the supervision of an approved individual; (F) Require that approved individuals do not share with any other person their unique means of accessing the area or listed agents or toxins; and (G) Require that approved individuals immediately report any of the following to the responsible official: (1) Any loss or compromise of keys, passwords, combinations, etc.; (2) Any suspicious persons or activities; (3) Any loss or theft of listed agents or toxins; (4) Any release of a listed agent or toxin; and (5) Any sign that inventory and use records for listed agents and toxins have been altered or otherwise compromised. (3) Incident response procedures.\10\ The Biocontainment and Security Plan must also include incident response plans for containment breach, security [[Page 427]] breach, inventory violations, non-biological incidents such as workplace violence, and cybersecurity breach. The incident response plans must address containment, inventory control, and notification of managers and responders. The incident response plans must also address such events as bomb threats, severe weather (floods, hurricanes, tornadoes), earthquakes, power outages, and other natural disasters or emergencies. --------------------------------------------------------------------------- \10\ The requirements in this paragraph do not supercede or preempt the enforcement of emergency response requirements imposed by other statutes or regulations. --------------------------------------------------------------------------- (b) The Biocontainment and Security Plan must be reviewed, performance tested, and updated annually. The plan must also be reviewed and revised, as necessary, after any incident.