USDA_Inspection_Checklist by zhangyun


									                                                                              USDA/APHIS Select Agent Inspection Checklist


                                                                                 Personnel Security Checklist
 1     Entity/Facility Name:                                                                              7   Review Date:
 2     Responsible Official:                                                                              8   Reviewers Name:
 3     Alternate Responsible Official:                                                                    9   Status:
 4     Building:
 5     Room number(s):
 6     Agent(s) used:
                                                                                                  Response
Item                                        Question                                                                            Comments    References
                                                                                                 Yes No N/A
 10    Personnel Management
 a     Personnel Management is specifically addressed in the Facility Security Plan.
 b     The facility has appointed an RO to manage the personnel security process.                              7 CFR 331.4.b
 c     ROs or Security Managers are aware of procedures for submitting requests for                            7 CFR 331.4.b
       access approval or clearance (e.g., FD961, SF85P or SF86).
 d     Initial and annual security awareness training is provided to all employees.                            7 CFR 331.12.b
 e     Records are maintained of initial and recurring security training.                                      7 CFR 331.14.a.3
 f     The facility has a comprehensive personnel security policy.                                             BMBL Appendix F
 g     Spot checks are conducted periodically to ensure personnel are in compliance with                       42 CFR 73.10
       the security policy.
 h     Directors, ROs and/or Security Managers are immediately notified of adverse                             7 CFR 331.9.a.6
       information that may affect personnel clearances.
 i     The RO or Security Manager knows what actions are to be taken when derogatory                           7 CFR 331.10.a
       information is received.
 j     A current access roster is available.                                                                   7 CFR 331.14.a.2

 11    Personnel Suitability
 a     Personnel Suitability is specifically addressed in the Facility Security Plan.
 b     All personnel have completed a document to check suitability prior to having access                     7 CFR 331.6.a
       to select agents (e.g. FD 961, SF85P or SF 86).
 c     Initial briefing has been given to personnel prior to giving access to selected agents.                 7 CFR 331.12.b
 d     Personnel are required to sign a non-disclosure agreement prior to gaining access to                    Public Law 107-188.B.h.1.A
       selected agents.
 e     All personnel with unescorted access to select agents have been cleared through the                     9 CFR 121
       Department of Justice.




 12    Human Resource Management
 a     Human Resource Management is specifically addressed in the Facility Security Plan.
 b     All personnel are required to complete a pre-employment checklist or application.                       d
 c     A policy to ensure screening of all personnel who require access to select agents is in                 Government SME Best Practices
       place.
 d     Personnel are assigned to positions based on position descriptions.                                     Government SME Best Practices
 e     Each Government position is based on the Position Risk Designation Record.                              Government SME Best Practices
       (Applies to Government Facilities Only)
 f     All positions are identified with proper security classification.                                       Government SME Best Practices
 g     Minimal education and experience criteria are established for those individuals                         43 CFR 73.11 (b)(1)
       involved with establishing and maintaining physical security.
 h     Pre-employment requirements include checks of references, prior employment,                             Government SME Best Practices
       education/training and professional credentials/certifications.
 14    Total Responses
 15    Reviewer's Summary
 a     Summarize review findings below:




 b     Indicate final disposition or recommendations below:




 c     Signature:                                                                                        d     Date:




USDA/APHIS                                                                                 Facility Security Compliance Review                    Physical Security Checklist (Ver. 1.1)



                                                                                        Physical Security Checklist
      1    Entity/Facility Name:                                                                                 7   Review Date:
      2    Responsible Official:                                                                                 8   Reviewers Name:
      3    Alternate Responsible Official:                                                                       9   Status:
      4    Building:
      5    Room number(s):
      6    Agent(s) used:
                                                                                                         Response
    Item                                        Question                                                                               Comments                   References
                                                                                                        Yes No N/A
     10    Security Planning
      a    Security Planning is specifically addressed in the Facility Security Plan.
      b    Facility Security plans contain all the basic elements: Inventory control procedures,               BMBL Appendix F; 42 CFR 73.11 A; 9 CFR 121.12
           Physical Security, IT Security, Security policy for personnel, policy for accessing
           select agents, accountability, personnel suitability, security training, receipt of
           agents, shipping or transfer of agents, emergency response plans, reporting of
           incidents, injuries and breaches.
      c    Facility security plan is based on a risk assessment and threat analysis.                           BMBL Appendix F; 42 CFR 73.11 8C; 7 CFR 331.11A2; 9 CFR 121.12A2
      d    The security plans and policies are up-to-date and reviewed annually.                               BMBL Appendix F; 42 CFR 73.11 8C
      e    Security plans have been tested within the past year (i.e. exercises, key check, lock               BMBL Appendix F
           check).
      f    Initial and annual security awareness training is provided to all employees.                        BMBL Appendix F; 7 CFR 331.12A
      g    All security awareness training is properly documented.                                             BMBL Appendix F; 7 CFR 331.12A
      h    Security guards are properly trained and qualified.                                                 Draft USDA IPSSPM 1.4.9.B
      j    Minimal education and experience criteria for those individuals involved with                       42 CFR 73.11 b 1
           establishing and maintaining physical security.
      k    Laboratory emergency plan is adequate and up-to-date.                                               42 CFR 73.2
      l    The laboratory emergency plan complements the facility or site emergency plan.                      42 CFR 73.2

     11    Perimeter Security
      a    Perimeter Security is specifically addressed in the Facility Security Plan.
      b    Sufficient barriers are in place to properly protect the perimeter of the site (i.e. chain          Draft USDA IPSSPM 1.20.7
           linked or steel fencing).
      b    Gas lines, transformers, generators, HVAC and other external utility systems are                    Draft USDA IPSSPM 1.15.7.K
           properly protected (i.e. fencing, concrete walls or enclosed).




Communications Resource, Inc.                                                                                3                                                          August 5, 2003
      d    Adequate lighting for perimeter and parking areas with emergency backup is in                       Draft USDA IPSSPM 1.15.7.S
           place.
      e    Perimeter and parking area lighting has sufficient emergency power backup.                          Draft USDA IPSSPM 1.15.7.S
      f    Sufficient anti-ram devices are used to protect facility (i.e. bollards, planters,                  Draft USDA IPSSPM 1.15.7.P
           fences).
      g    Electrical switches and panel are protected from accidental or deliberate tampering.                Draft USDA IPSSPM 1.15.7.R
      h    Security guards or police officers conduct routine checks of the perimeter.                         Draft USDA IPSSPM 1.4.7.A
      i    CCTV surveillance cameras are utilized to monitor the perimeter of the site.                        Draft USDA IPSSPM 1.15.7.D
      j    Sufficient signage is in place for parking, surveillance warning and entry procedures               Draft USDA IPSSPM 1.13.6.E
           (i.e. Visitor Parking, Delivery Vehicles, Directional Signs, No Parking signage).
      k    ID system and procedures for authorized parking (i.e. placard, decal, card key, etc.).              Draft USDA IPSSPM 1.2.7.B
     12    Entry Security
      a    Entry Security is specifically addressed in the Facility Security Plan.
      b    Facilities are equipped with security doors, security hardware with locking                         BMBL Section III D1
           mechanism.
      c    All laboratory doors are kept locked when experiments are in progress or                            BMBL Section III B1
           unoccupied.
      d    An adequate intrusion detection system with central monitoring                                      BMBL Appendix F
           capability has been installed.
      e    BSL 3 laboratories are equipped with two self closing lockable doors with interlock                 BMBL Section III D1
           capabilities.
      f    Adequate entry control procedures are used prior to granting access to rooms                        BMBL Appendix F; 42 CFR 73.11 B2; 7 CFR 331.11A2; 9 CFR 121.12A2
           where select agents are stored (e.g., videophone, or entry control with CCTV).
      g    Facilities are equipped with electronic card access, pin readers or cipher locks.                   42 CFR 73.11 B2; 7 CFR 331.11A2; 9 CFR 121.12A2
      h    Door hinge pins are internally located, welded, or otherwise treated to prevent easy                Draft USDA IPSSPM 1.15.7.N
           removal.
      i    Visitor, maintenance, and other contractors are escorted at all times.                              42 CFR 73.11 D1; 7 CFR 331.11 A2; 9 CFR 121.12 A2
      j    Doors with cipher locks are changed periodically and/or when an employee is                         42 CFR 73.11 B2; 7 CFR 331.11A2; 9 CFR 121.12A2
           terminated, retires or is no longer working inside the facility.




      k    All doors are equipped with a secondary protection device such as astragals or                      Draft USDA IPSSPM 1.15.7.N
           deadbolts.
      l    Security guards or employees are present to control entry into the facility.                        Draft USDA IPSSPM 1.4.7.A
      m    All windows located in BSL 3 laboratories are closed and sealed.                                    BMBL Section III D6
      n    Roof access points are properly secured.                                                            Draft USDA IPSSPM 1.15.7.L
      o    The facility has an auditable log and storage of keys.                                              BMBL Appendix F
      p    The life safety equipment is up-to-date with current standards (e.g. fire                           Draft USDA IPSSPM Appendix A
           detection, fire suppression systems, etc.).
      q    X-ray and magnetometer are used at public entrances to search incoming                              Draft USDA IPSSPM 1.15.7.M
           pedestrians.
      r    Entry and Exit Inspections for packages, handbags, and other containers are being                   BMBL Appendix F; 42 CFR 73.11 D4
           conducted.
      s    Entry for visitors, maintenance, and other contractors is properly recorded.                        BMBL Appendix F

     13    Interior Security

      a    Interior Security is specifically addressed in the Facility Security Plan.
      b    Access to critical rooms is controlled using hard keys with adequate key                            42 CFR 73.11 B2; 7 CFR 331.11A2; 9 CFR 121.12A2
           management system.
      c    Access to critical rooms is controlled using cipher locks with proper code                          42 CFR 73.11 B2; 7 CFR 331.11A2; 9 CFR 121.12A2
           management.
      d    Access to critical rooms is controlled using an electronic access system which is                   42 CFR 73.11 B2; 7 CFR 331.11A2; 9 CFR 121.12A2
           properly managed.
      e    Procedures exist to report the loss or compromise of keys, passwords,                               42 CFR 73.11 B3; d7i
           combinations etc.
      f    Access to utility/mechanical rooms is secured with limited access.                                  Draft USDA IPSSPM 1.17.5
      g    Organization photo ID for all personnel are displayed at all                                        BMBL Appendix F
           times.
      h    Organization photo ID includes a minimum of a photograph, name and expiration                       BMBL Appendix F
           date.
      i    Laboratories are located away from areas with unrestricted traffic flow (i.e.                       BMBL Appendix F
           Customer Service Area, Public Areas, Dining Facilities).
      j    Drop or removable ceilings are adequately protected.                                                Draft USDA IPSSPM 1.15.7.N




      k    Emergency backup unit is provided for power outages and spikes.                                     Draft USDA IPSSPM 1.17.5
      l    Interior lighting is adequate for security purposes.                                                BMBL Section III D9
      m    Visitors are escorted at all times.                                                                 BMBL Appendix F
      n    An adequate visitor badge system is being utilized (badges are easily                               BMBL Appendix F
           recognizable).
      o    Procedures are in place to properly control visitors and organization badges. These                 BMBL Appendix F
           procedures protect badges from potential theft, loss or duplication.
      p    Procedures exist for reporting suspicious activities and persons to the RO and for                  CFR 73.11 b.4.5.7;d.7.ii
           removing suspicious persons.
      q    Facility has provisions, policies and procedures for routine cleaning, maintenance,                 CFR 73.11.b.2
           and repairs to maintain security of sensitive areas.
      r    Containers used to hold SBAT's are monitored by authorized individuals or other                     CFR 73.11.d.3
           monitoring measures as needed, such as video surveillance.
     15    Total Responses
     16    Reviewer's Summary
      a    Summarize review findings below:




      b    Indicate final disposition or recommendations below:




      c    Signature:                                                                                            d   Date:




Communications Resource, Inc.                                                                         6                                                        August 5, 2003
USDA/APHIS                                                                             Facility Security Compliance Review                    Cyber Security Checklist (Ver 1.1)



                                                                                      Cyber Security Checklist
      1    Entity/Facility Name:                                                                             7   Review Date:
      2    Responsible Official:                                                                             8   Reviewers Name:
      3    Alternate Responsible Official:                                                                   9   Status:
      4    Building:
      5    Room number(s):
      6    Agent(s) used:
                                                                                                  Response
    Item                                      Question                                                                             Comments                References
                                                                                                 Yes No N/A
     10    Risk Management
      a    Risk Management is specifically addressed in the Facility Security Plan.

      b    A risk assessment has been performed in the last 3 years.        OMB Circular A-130 Appendix III

      c    The risk assessment methodology is risk (asset) based.        OMB Circular A-130

      d    All threats natural or manmade have been identified.        NIST SP800-30

      e    The results of the risk assessment are documented, kept on file, are updated as the infrastructure changes and are reviewed by senior management.        NIST SP800-26

      f    The appropriate countermeasures to mitigate the risk have been identified and documented.        NIST SP800-26

      g    A mission / business impact analysis has been conducted.        NIST SP800-26

      h    Countermeasures have been implemented to mitigate risk.        NIST SP800-26

      i    Senior management understands the acceptable risks to their system(s) and has authorized those risks.        NIST SP800-26

     11    IT Infrastructure/Security Countermeasure Validation
      a    IT Infrastructure/Security Countermeasure is specifically addressed in the Facility Security Plan.

      b    Infrastructure documents (e.g. network diagrams, system configurations, external connectivity) are routinely maintained.        Government SME Best Practices; NIST SP800-26

      c    A system security plan has been developed and maintained that describes the overall IT infrastructure, security architecture and countermeasures that have been implemented.        Public Law 100-235; NIST SP800-18

      d    Data classification has been considered.        NIST SP800-26

      e    Internal and annual third-party penetration tests are performed on the system(s).        Government SME Best Practices




      f    Vulnerability scans are routinely performed on the infrastructure.        Government SME Best Practices

      g    System(s) have been certified and accredited.                                                                                                NIST SP800-37

     12    Physical Security of IT Assets
      a    Physical Security of IT Assets is specifically addressed in the Facility Security Plan.

      b    IT infrastructure is located in a dedicated space (slab-to-slab construction).        Draft USDA Restricted IT Space, CS-005

      c    Access control system that continuously restricts access.        Draft USDA IPSSPM

      d    Space is not located on outer wall with windows.        Draft USDA Restricted IT Space, CS-005

      e    IT infrastructure is located in locked cabinets and physically cable locked.        Draft USDA Restricted IT Space, CS-005

      f    Door(s) are appropriately fire rated and properly installed to prevent intrusion.        Draft USDA Restricted IT Space, CS-005

      g    Utilities are mapped and are not located near critical systems.        Draft USDA Restricted IT Space, CS-005

      h    Fire suppression is installed, is a dry non-ozone depleting substance, is automated and annunciates at the fire department.        Draft USDA Restricted IT Space, CS-005

      i    Intrusion detection system is installed and monitored 24/7.        Draft USDA IPSSPM

      j    Visitors are escorted, are required to sign in and are required to wear visitor ID badges.        NIST SP800-26
     13    Personnel Security
      a    Personnel Security is specifically addressed in the Facility Security Plan.

      b    Full-time IT support staff have criminal background checks or SECRET clearance.                                                              Draft USDA IPSSPM

      c    IT staff positions are reviewed for sensitivity.                                                                                             NIST SP800-26

      d    Part-time or seasonal staff does not have access to the system(s).        Government SME Best Practices

      e    Contractors do not have access to the system(s).        Government SME Best Practices




      f    Appropriate hard-copy personnel records are securely archived.        Draft USDA IPSSPM

      g    Employees received copies of or have easy access to facility security procedures and policy.        Government SME Best Practices
     14    Access Control
      a    Access Control is specifically addressed in the Facility Security Plan.

      b    Perimeter Security (firewalls) and network/host intrusion detection systems have been implemented.        USDA DM 9610-001

      c    Network/host intrusion detection system is installed and monitored 24/7.        USDA DM 9610-002

      d    Public system(s) (e.g. web servers) are located on an isolated local area network segment (virtual local area network or demilitarized zone network).        USDA DM 9610-002

      e    Role-based access based on position sensitivity is used to control system access.        Government SME Best Practices

      f    Unique user-ids and passwords are assigned to all users.        NIST SP800-26

      g    Procedures are in place for secure distribution of user-id and passwords.        Government SME Best Practices

      h    Procedures are in place for recovery of lost passwords and denial of access for separated employees.        Government SME Best Practices

      i    Strong passwords (minimum 8 characters) are used and are frequently changed.        NIST SP800-26

      j    Password protected screen locks are used.        Draft USDA IPSSPM

      k    Start-up or BIOS passwords are used on system(s) with weak access control mechanisms.        Draft USDA IPSSPM

      l    Deterrent controls are displayed prior to accessing the system(s).                                                                      NIST SP800-26

     15    Data Integrity
      a    Data Integrity is specifically addressed in the Facility Security Plan.

      b    Procedures or controls for error checking have been implemented.                                                                        USDA DM 9610-001

      c    Data is continuously updated.        Government SME Best Practices

      d    Data input sources are continually validated and non-repudiated.        USDA DM 9610-001

      e    Data integrity software has been implemented on pertinent system(s).        Government SME Best Practices
     16    Data Confidentiality
      a    Data Confidentiality is specifically addressed in the Facility Security Plan.




      b    System(s) have the capability to implement strong encryption algorithms.        NIST SP800-26

      c    Data transferred between systems (e.g., e-mail) is performed in a trusted and secure manner (using encryption, message digests or trusted courier).        Government SME Best Practices

      d    System logging and auditing functions are implemented and monitored.                                                                                                                NIST SP800-26

      e    Patch management is performed on all systems and applications.                                                                                                                      NIST SP800-26

     17    Data Availability
      a    Data Availability is specifically addressed in the Facility Security Plan.

      b    Disaster recovery plan and procedures have been developed and implemented.        NIST SP800-26

      c    Backup media is securely stored onsite and labeled for sensitivity.                                                                                                                 NIST SP800-26

      d    Backup media is rotated offsite to a location that may not be subject to a localized disaster.        NIST SP800-26

      e    Damaged and non-useable backup media is properly destroyed.                                                                                                                         NIST SP800-26

      f    Reused backup media is properly sanitized.                                                                                                                                          NIST SP800-26

      g    Virus detection software is installed, running and routinely updated.                                                                                                               NIST SP800-26

      h    Proper controls have been implemented to detect malicious software.                                                                                                                 USDA DM 9610-002

      i    Excess computer equipment is properly sanitized prior to disposal.                                                                                                                  NIST SP800-26

      j    Hard-copy documents are securely stored to prevent theft or accidental damage.                                                                                                      Draft USDA IPSSPM

      k    Hard-copy documents are properly destroyed using cross-cut shredder.                                                                                                                Draft USDA IPSSPM


      l    A system exists to ensure that all records and databases created under paragraphs (b) and (c) of this section are accurate, and that the authenticity of records may be verified.   73.15 (d)


      m    All records concerning inspections conducted under § 73.10(b) are maintained.                                                                                                       73.15 (e)

      n    Training records are maintained.                                                                                                                                                    73.15 (g)

      o    Records of transfer documents (CDC Form EA-101) and permits are maintained.                                                                                                         73.15 (h)

      p    Safety and security incident report records are maintained.                                                                                                                         73.15 (i)

      q    All records created under this part are maintained for three years.                                                                                                                 73.15 (j)

      r    Inventory records of SBAT including agent types, quantities, transfers, destruction and authorized access are maintained.        73.15 (c)(1)(i-vi); (2)(i-iv)




     18    Mobile Technology
      a    Mobile Technology is specifically addressed in the Facility Security Plan.

      b    Wireless local area networks provide access to sensitive systems.        Government SME Best Practices

      c    Remote access (e.g. telecommuters, virtual private networks) is provided using secure means such as virtual private networks.        USDA DM 9610-001

      d    Mobile computers access sensitive system(s) and store sensitive system data.                                                                Draft USDA IPSSPM

      e    Instrument software upgrades are not performed over the internet.                                                                           Draft USDA IPSSPM

     19    Exploitable Web Content
      a    Exploitable Web Content is specifically addressed in the Facility Security Plan.

      b    Non-disclosure of agent(s) being researched at the facility on a public web page or qualifications statement.        Draft USDA IPSSPM

      c    Web content does not describe facility IT infrastructure and/or applications.        Draft USDA IPSSPM

      d    No personal information (e.g. birth date, place of birth, family members) is displayed on a public system.        Draft USDA IPSSPM

      e    Web content is centrally reviewed prior to being placed on a public system.                                                                 USDA DM 9610-002

     20    Total Responses
     21    Reviewer's Summary
      a    Summarize review findings below:




      b    Indicate final disposition or recommendations below:




      c    Signature:                                                                                            d   Date:




USDA/APHIS                                                                             Facility Security Compliance Review                    Inventory Security Checklist (Ver. 1.1)



                                                                                    Inventory Security Checklist
    1    Entity/Facility Name:                                                                               7   Review Date:
    2    Responsible Official:                                                                               8   Reviewers Name:
    3    Alternate Responsible Official:                                                                     9   Status:
    4    Building:
    5    Room number(s):
    6    Agent(s) used:
                                                                                                    Response
  Item                                       Question                                                                              Comments                       References
                                                                                                   Yes No N/A
    10   Biosecurity Plan
    a    Biosecurity Plan is specifically addressed in the Facility Security Plan.

    b    A Biosecurity Plan has been developed and placed into routine use to assess potential security vulnerabilities related to use, storage and transfer of CDC Select Agents, USDA Listed Agents and Overlap Agents, also referred to as Select Biological Agents and Toxins (SBATs).        USDA Security Policies and Procedures for Laboratories and Technical Facilities (Excluding Biosafety Level-3 Facilities (4/30/03)

    c    A Responsible Official (RO) and possibly an Alternate Responsible Official (ARO) has/have been designated and documented as the Facility Executive Authority to assume responsibility for the use, storage, transfer, transport, access and destruction of SBATs. RO/ARO approves all documents (signed/dated) involving the possession, use and/or transfer/transport of SBATs.        ABPA Section 212 (d)(1); APHIS RKIC

    d    Biosecurity Plan contains Chain of Custody for SBATs, biosecurity officer, SBAT-Restricted Areas, inventory control, access guidelines, SBAT transfer/transport and destruction.        ABPA Section 212 (c); 42 CFR 72; 49 CFR 171-180; 7 CFR Part 331; 9 CFR Part 121; 42 CFR 71; 42 CFR 71.54; IATA; WHO Guidelines

    e    Risk Assessment. Potential risks, threats and vulnerabilities in regard to specific SBAT possession, use and/or transfer are analyzed, defined and incorporated into a Security Plan.        42 CFR 73.11(a); USDA DM 9610.002

    f    Elements of Biosecurity Plan contain standard operating procedures to protect and prevent the release or unauthorized access to specific SBAT agents used and/or stored in each location.        ABPA Section 212 (c)




Communications Resource, Inc.                                                                          12                                                             August 5, 2003
USDA/APHIS                                                                              Facility Security Compliance Review              Inventory Security Checklist (Ver. 1.1)



                                                                                                      Response
  Item                                        Question                                                                        Comments                       References
                                                                                                     Yes No N/A
    g    A biosecurity officer has been designated to integrate all elements of biosecurity plan.
         References: BMBL Appendix F

    h    RO/ARO reviews the Biosecurity Plan at least annually and after every security
         incident.
         References: 42 CFR 73.10(c)

   11    Select Biological Agents and Toxins
    a    Select Biological Agents and Toxins is specifically addressed in the Facility
         Security Plan.

    b    The list of SBATs is recorded and filed in the office of the RO/ARO. SBATs are
         clearly identified in all documents.
         References: ABPA Section 212 (a)(1)(A)/ (d)(1); APHIS RKIC; 7 CFR 330-331;
         9 CFR 121-122; 42 CFR 73

    c    Select Toxins exceeding the threshold toxicity (LD50 < 100 ng/kg body weight) are
         included as SBAT agents if used or stored at the facility.
         References: BMBL Appendix I

   12    SBAT-Restricted Areas
    a    SBAT-Restricted Areas is specifically addressed in the Facility Security Plan.

    b    SBAT-Restricted Areas include any facility area containing SBATs in whole or in part,
         in vitro or in vivo, including storage areas, laboratories, animal facilities, quarantine
         facilities, greenhouses, insectaries, incubation rooms, biowaste storage areas and
         biowaste destruction areas containing SBATs.
         References: Government SME Best Practices; ABPA Section 212 (d)(2)

    c    Each location where SBATs occupy culture media or diluents; whole animal, plant,
         protist or prokaryotic hosts; or animal, plant or protist tissues or body fluids is
         designated as a Restricted Area.
         References: Government SME Best Practices

    d    All areas considered Restricted Areas due to the use and/or storage of SBATs are
         clearly identified and recorded with a systematic set of Policy & Procedure guidelines
         in operation to control access to the area.
         References: ABPA Section 212 (d)(2)

    e    In Restricted Areas, appropriate and secure (locked) storage areas and containment
         are provided for SBAT storage.
         References: 42 CFR 73.11 (f)(1)

    f    Restricted Areas containing SBAT use and/or storage are regularly inspected by the
         RO/ARO.
         References: 42 CFR 73.10(b)
   13    Audits and Inspections
    a    Procedures for inventory audits and inspections are specifically addressed in the
         Facility Security Plan.

    b    RO/ARO conducts regular inspections (at least annually) of the laboratory where
         SBATs are stored or used to ensure compliance with all of the procedures and
         protocols of the Safety and Security Plan. The results of these inspections are
         documented.
         References: 73.10 (b) - Safety




    c    The entity must create a record concerning inspections conducted under § 73.10(b).
         References: 73.15 (e)

    d    A mechanism exists to correct any deficiencies identified during safety and security
         inspections and assessments.
         References: 73.10 (b) - Safety
   14    Inventory Control
    a    Inventory Control is specifically addressed in the Facility Security Plan.

    b    Inventory Control is a systematic approach to maintain a current, comprehensive
         system to track and protect all agents designated as High Consequence Agents
         (SBATs). Inherent in this requirement are the locations containing SBATs, designated
         as SBAT-Restricted Areas, as well as rules for access to Restricted Areas.
         References: 42 CFR 73.11 (b); ABPA Section 212 (d)(2)

    c    Inventory control includes a real-time accountability system for tracking all SBATs in
         all possible media/hosts at any point in time and in every location, either through a
         centralized or localized database or in a laboratory record book.
         References: ABPA Section 212 (a)(1)(A); APHIS RKIC

    d    Accountability system defines requisite information areas, including Chain of Custody
         such as agent name, agent location, responsible person, and contact information as
         well as Biosafety level, quantity/volume, storage location(s), storage conditions,
         procedures used, locations used, scientist users and contact information, any
         changes to disposition or Chain of Custody (new isolations/genetic
         alterations/transfer/transport/destruction).
         References: ABPA Section 212 (c), (d)(2); 49 CFR 171-180; 42 CFR 72; 7 CFR Part 331;
         9 CFR Part 121; 42 CFR 71.54; 42 CFR 71; IATA Guidelines; WHO Guidelines; DOC; DOT;
         USPHS; USDA DM 9610-002

    e    Accountability system describes and records the specific Genus species (and where
         appropriate, specific strains if relevant to an enhanced degree of virulence [e.g. E. coli
         O157:H7]) of SBATs in use, held in storage or during transfer or transport.
         References: ABPA Section 212 (c), (d)(2)

    f    Accountability system describes and records the quantity and type of all culture
         media, diluents, whole animal hosts, plant hosts, protist hosts, animal tissue or plant
         tissue containing SBATs at any point in time, including products of concentration and
         propagation procedures.
         References: ABPA Section 212 (c)

    g    Inventory Records including agent name, agency, laboratory, location, responsible
         person and contact information are submitted to the National Pathogen Inventory
         (NPI) system.
         References: USDA DM 9610-002

    h    Inventory of SBATs is identified by secure, consistent, distinct, permanent labeling that
         is readable and resistant to tampering or counterfeiting.
         References: ABPA Section 212 (c); APHIS RKIC




    i    Accountability system policies and procedures require data entry to be regarded as
         permanent and unalterable. Procedures exist for correcting entries made in error and
         notifying the Laboratory Director and RO/ARO of such errors.
         References: ABPA Section 212 (c)

    j    A labeling system has been developed to identify specific SBAT locations inside of
         storage containment.
         References: Government SME Best Practices

    k    Outdated information regarding SBAT storage, use, transfer, transport and/or
         destruction is not eliminated but maintained in archival (inactive) files.
         References: ABPA Section 212 (c)

    l    Policies and procedures are in place to report unauthorized alteration of inventory
         records or unauthorized access to SBATs.
         References: ABPA Section 212 (c)

    m    Laboratory Director and RO/ARO review inventory records regularly.
         References: ABPA Section 212 (c)

    n    Facility or Laboratory Director or RO/ARO review, audit and reconcile inventory
         records at least annually.
         References: ABPA Section 212 (c)

    o    Accountability system describes and records any host organisms that serve as
         genetic vectors for SBAT organisms or genetic material, whether partial or whole, if
         the SBAT organism or part conveys genetic, metabolic or structural factors for
         virulence or toxicity (for toxin, if LD50 < 100 ng/kg body weight).
         References: NIH Guidelines

    p    Animals held in outdoor Restricted Areas are identified by tag, brand or tattoo with
         code to indicate the responsible scientist, contact information and the SBATs used.
         SBAT use in outdoor animals is included in the accountability system.
         References: BMBL; APHIS OAFC

    q    Policy and procedures have been developed to determine who can order and receive
         SBATs.
         References: Government SME Best Practices

    r    Accountability system describes and records the quantity and types of all living or
         non-living materials containing SBATs (e.g. biowaste materials, old working cultures, used
         HEPA filters) if not destroyed by the close of the business day as part of the SBAT
         inventory.
         References: Government SME Best Practices

    s    Accountability system records the destruction of all biotic or abiotic materials
         containing SBATs including the number of containers or volumes of biowaste, and the
         manner of destruction (i.e. autoclaving [record of temperature and time] and agents
         destroyed), chemical inactivation (specify chemicals and agents destroyed), or
         incineration.
         References: 42 CFR 73.11 (f)(3); BMBL (A8); BMBL (B10-d); BMBL Appendix F;
         ABPA (b)(1)(B)

    t    A system exists to verify that all records and databases created under paragraphs (b)
         and (c) of this section (73.15) are accurate and authentic.
         References: 73.15 (d)

    u    Current inventory includes each SBAT held in all medium, including storage,
         incubation, working cultures, destroyed waste and transferred/transported materials.
         The inventory records must include the following information for each Select Agent
         and Toxin:
         References: 73.11 (f)(1)(2)(3); 73.15 (b)




    (1)  * The name, characteristics, and source data;
         References: 73.15 (b)(1)

    (2)  * The quantity held on the date of the first inventory (Toxins only);
         References: 73.15 (b)(2)

    (3)  * The quantity acquired, the source, and date of acquisition;
         References: 73.15 (b)(3)

    (4)  * The quantity, volume, or mass destroyed or otherwise disposed of and the date of
         each such action;
         References: 73.15 (b)(4)

    (5)  * The quantity used and date(s) of the use (Toxins only);
         References: 73.15 (b)(5)

    (6)  * The quantity transferred, the date of transfer, and individual to whom it was
         transferred. (Includes transfers within an entity when the sender and the recipient are
         covered by the same certificate of registration.)
         References: 73.15 (b)(6)

    (7)  * The current quantity held (Toxins only);
         References: 73.15 (b)(7)

    (8)  * Any SBAT lost, stolen, or otherwise unaccounted for; and
         References: 73.15 (b)(8)

    v    Monitor and record information regarding individuals with access to SBAT, including:
         References: 73.15 (c)(1)

    (1)  * The name of each individual who has accessed any Select Agent or Toxin;
         References: 73.15 (c)(1)(i)

    (2)  * The Select Agent or Toxin used;
         References: 73.15 (c)(1)(ii)

    (3)  * The date when the Select Agent or Toxin was removed, if removed from long-term
         storage or holdings for stock cultures;
         References: 73.15 (c)(1)(iii)

    (4)  * The quantity removed (Toxins only);
         References: 73.15 (c)(1)(iv)

    (5)  * The date the Select Agent or Toxin was returned to the long-term storage or
         holdings for stock cultures; and
         References: 73.15 (c)(1)(v)

    (6)  * The quantity returned (Toxins only);
         References: 73.15 (c)(1)(vi)

    w    Procedures exist for reporting and investigating the loss or theft of SBATs.
         References: 73.11 (d)(7)(iii); 73.15 (b)(9)

    x    Procedures exist for reporting and investigating the unintentional and/or inappropriate
         release of SBATs.
         References: 73.11 (d)(7)(iv)

    y    Policies and procedures exist to prevent and report the inappropriate alteration or
         compromise of inventory records of SBAT possession, use and/or transfer.
         References: 73.11 (b)(4); (d)(7)(v)




   15    Containment
    a    Containment is specifically addressed in the Facility Security Plan.

    b    Laboratory and storage areas containing SBATs are evaluated for adequacy in
         limiting access and containing agents, including capability to lock all avenues to the
         space, location away from common pedestrian traffic, secure windows and no
         vulnerable channels such as removable ventilation panels or service bays.
         References: ABPA (b)(1)(B); BMBL Appendix F

    c    BSL-4 lab design and operational systems have been evaluated and determined to
         meet required design and operational requirements for security, including self-closing,
         lockable doors, secure material passage channels and break-resistant, sealed
         windows.
         References: BMBL D(A)9, 10, 16; Appendix A; NIH G-11, D-4-j

    d    BSL-4 containment (maximum containment) is inspected on a daily basis to ensure
         that security systems and limited access parameters are fully operational.
         References: BMBL D(A)2 Appendix A

    e    Procedures are in place to comply with labeling, packaging, transfer and transport
         requirements for SBATs.
         References: ABPA Section 212 (b)(1)(A); BMBL Appendix F

    f    Containers where SBATs are stored (e.g. freezers, refrigerators, cabinets
         and other containers holding SBATs) are locked (e.g., card access system, lock
         boxes) when they are not in the direct view of approved staff.
         References: 73.11 (d)(3)

    g    The inter-facility transport of all packages containing SBATs must occur in
         accordance with § 73.14.
         References: 73.11 (d)(4); (f)(2)

    h    Packages containing SBAT must be controlled by an authorized and trained
         person(s).
         References: 73.11 (d)(4)

    i    The intra-facility transfer of SBATs is controlled by an authorized and trained
         person(s) approved under § 73.8, including provisions for appropriate packaging, and
         movement from a laboratory to another laboratory or from a laboratory to a shipping
         place.
         References: 73.11 (d)(5)

    j    SBAT waste must be destroyed on-site by autoclaving, incineration, or another
         recognized sterilization or neutralization process.
         References: 73.11 (f)(3)




   16    Physical Access to Restricted Areas
    a    Physical Access to Restricted Areas is specifically addressed in the Facility
         Security Plan.

    b    Restricted Areas holding SBATs are located away from high traffic and high volume
         areas in the facility.
         References: 42 CFR 73.11 (e); BMBL Appendix F

    c    Laboratory and storage areas for BSL-3 and/or BSL-4 agents are separate, detached
         facilities or located in a specified area and separated by secure hallways, locking
         doors, etc.
         References: 42 CFR 73.11 (b)(2); BMBL D1 Appendix F

    d    All windows in Restricted Areas are closed, sealed and locked. First floor windows
         have break-resistant glass or window guards.
         References: BMBL D6; NIH G-11, C-4-f

    e    Restricted Area access to SBAT is controlled by policies and procedures that require
         locking laboratory doors and containment equipment holding SBATs in storage or
         incubation when not in use.
         References: 42 CFR 73.11 (d)(3)

    f    Exterior doors to Restricted Areas holding SBATs are labeled as containing
         biohazardous materials (Universal Biohazard sign) as well as the Laboratory Director.
         Specific SBATs are not specified.
         References: BMBL B4

    g    Packages entering and exiting Restricted Areas are inspected by an authorized
         agent.
         References: 42 CFR 73.11 (d)(4)
   17    Personnel Access to Restricted Areas
         Personnel Access to Restricted Areas is specifically addressed in the Facility
    a
         Security Plan.

    b    Laboratory Directors are responsible for maintaining a set of criteria for authorizing                                                           BMBL B2 Appendix F;
         access, determining which individuals are granted access and recording current                                                                   NIH G-II, C-2-c; ABPA
         authorized access for SBAT-Restricted Areas. Authorization is limited to individuals                                                             Section 212 (d)(1);
         with program performance or support objectives as described by the facility mission.                                                             (d)(2); (e)(2)(A);
                                                                                                                                                          APHIS OAFC


    c    Entry/exit instructions are clearly posted for Restricted Areas with SBATs presenting                                                            BMBL B1; NIH G-II,
         high transmission capability or exceptional risk from containment breach.                                                                        D-2-c

    d    Tiered levels of access approval are granted according to criteria based upon the need                                                           ABPA Section 212
         for access (i.e. Full Access for a researcher using an agent, Temporary Access for a                                                             (d)(1); (d)(2); (e)(2)(A)
         visiting scientist, Area-Limited or Time-Limited Access for a contracted service agent
         such as a cleaning technician requiring access only during well defined times and in
         specified locations).
    e    Individuals undergoing quarantine from exposure to a SBAT comply with explicit and                                                               BMBL
         recorded rules that include exclusion from vulnerable populations of people and animals
         for a period of time as determined by Import/Export staff.




Communications Resource, Inc.                                                                          18                                                        August 5, 2003
USDA/APHIS                                                                              Facility Security Compliance Review              Inventory Security Checklist (Ver. 1.1)



    f    Approved full access to a Restricted Area requires (a) verification that a complete                                                              42 CFR 73.11 (b)(6);
         DOJ background check was conducted (b) verification of academic training and                                                                     BMBL Appendix I;
         practical skills specific for the proper use of SBATs in the area to be accessed and (c)                                                         ABPA Section 212
         verification of specific training in compliance with all security countermeasures,                                                               (b)(1)(A); (e)(3)(A)(B);
         policies and procedures to prevent unauthorized access. All verifications are reviewed                                                           APHIS RKIC
         and approval granted by the authorized Biosecurity Officer. Training is updated as
         needed.

         (Required knowledge of SBATs includes modes of transmission, host range,
         virulence characteristics and potential application as a bioterror agent, in addition to
         proficiency in standard microbiological practices and techniques, including handling
         human pathogens in vitro or in vivo. Specific training may be provided by the
         laboratory director or other competent scientist proficient in the unique microbiological
         practices and techniques. Training is updated as needed.)


    g    Approval for Full Access to a Restricted Area requires specific training regarding                                                               BMBL B3; ABPA
         proper response to a security breach of SBAT inventory or potential threats against                                                              Section 212 (b)(1)(A)
         the locations and/or personnel handling or storing SBATs as defined in the Incident
         Response Plan. Training is verified and approval is granted by the designated and
         authorized Biosecurity Officer.

    h    Full access to a Restricted Area requires the review and approval by the laboratory                                                              Government SME
         supervisor(s) in charge of the laboratory area(s) where the SBATs are stored and/or                                                              Best Practices
         in use, as well as a review and approval by the RO/ARO.
    i    Approval for Temporary Access to a Restricted Area requires (a) verification that a                                                              ABPA Section 212
         complete DOJ background check has been conducted (b) knowledge of the types of                                                                   (e)(3)(A)(B)
         SBATs in use and/or storage and (c) knowledge of general security measures in
         place.

    j    Temporary access requires a review and approval by the laboratory director in the                                                                Government SME
         area containing the SBATs as well as a review and approval by the RO/ARO.                                                                        Best Practices


    k    Application for Area-Limited or Time-Limited Access to a Restricted Area requires (a)                                                            42 CFR 73.11 (b)(2)
         verification that a complete DOJ background check has been conducted (b)                                                                         (d)(1)
         continuous supervision/escort if the background clearance cannot be verified.

         (Area-limited access is specified to a defined Restricted Area such as an autoclave
         room or a freezer storage room. Time-limited access is specified for a limited time
         duration or specific hours, such as the time required for a technician to complete a
         repair or for a delivery person to make a delivery.)

    l    Area-Limited or Time-Limited Access requires the review and approval of the                                                                      Government SME
         laboratory supervisor(s) in charge of the laboratory or storage area(s) where the                                                                Best Practices
         SBATs are accessed. Review and approval is also required from the RO/ARO.




    m    Regular communications are disseminated and/or posted to advise personnel                                                                        42 CFR 73.11 (b)(4)
         regarding procedures for reporting and removing suspicious individuals accessing                                                                 (7)
         Restricted Areas or inquiring about SBATs.
    n    * Allow unescorted access only to individuals who have been approved under § 73.8                                                                73.11 (d)(1)
         and who are performing a specifically authorized function during hours required to
         perform the defined job (including delivery to an outside shipping agent for
         transportation in commerce).
    o    Access to containers where listed agents and toxins are stored is limited to authorized                                                          73.11 (b)(5)
         users only.
    p    An up-to-date, accurate list of the individuals approved under § 73.8 is maintained for                                                          73.15 (a)
         access to Select Agents and Toxins.
    q    Policy exists to ensure that each individual approved under § 73.8 does not share with                                                           73.11 (d)(6)
         any other person his or her unique means (e.g., keycards or passwords) of accessing
         the area or SBATs.
    r    The entity must separate areas where Select Agents and Toxins are stored or used                                                                 73.11 (e)
         from the public areas of the buildings.
    s    Individuals not approved under § 73.8 conducting non-laboratory functions such as                                                                73.11 (d)(2)
         routine cleaning, maintenance and repairs in areas containing SBATs are escorted
         and continually monitored by individuals approved under § 73.8.
    t    A record is kept of the name of each individual who has accessed an area containing                                                              73.15 (c)(2)(i)(ii)(iii)
         SBAT along with the date, time of access and duration of access.
    u    A record is kept of the individual approved under § 73.8 who accompanies an                                                                      73.15 (c)(2)(iv)
         individual(s) not approved under § 73.8 into an area containing SBATs.
    18   Information Access

    a    Information Access is specifically addressed in the Facility Security Plan.



    b    Criteria exist for determining which information regarding SBAT possession, storage                                                              ABPA Section 212
         and transfer should not be readily available to the public. Information that might                                                               (h)(1)(A-E)
         compromise security is designated as Restricted Information and P&P are developed
         to provide criteria to prevent its dissemination.

         (Regular training programs are in operation to provide personnel with an adequate
         understanding of which information regarding SBATs is considered Restricted
         Information, not for public dissemination (Sensitive But Unclassified)).

    c    Information and records regarding SBATs are maintained in a secure location and                                                                  APHIS RKIC
         are accessible to an approved individual(s) only.
    d    Standard procedures are in place for the timely destruction of documents regarding                                                               APHIS RKIC
         SBATs.

    e    Policies and procedures are enacted to provide information regarding SBAT usage and                                                              Government SME
         storage locations along with potential health risks to local First Responder authorities.                                                        Best Practices




   19    Specialized Training

    a    Specialized Training is specifically addressed in the Facility Security Plan.



    b    All individuals with access to SBATs, including workers and visitors, are trained in                                                             73.11 (b)(2)(6)
         security requirements and equipped to follow established security procedures.

    c    Provide information and training on safety, containment and security for working with                                                            73.13 (a)(c)
         Select Agents and Toxins to each individual approved for access under § 73.8 and
         each unapproved individual working in, or visiting, areas where Select Agents and
         Toxins are handled or stored. RO assures completion of necessary training. (For
         facilities required to register and falling outside of the OSHA Bloodborne Pathogen
         Standard 29 CFR 1910.1030(a): the required information and training must meet the
         requirements of this section (73.8) and must ensure that all individuals who work in,
         or visit, the areas understand the hazards of Select Agents and Toxins present in the
         area.)
    d    Provide information and training at the time of an individual's initial assignment to a                                                          73.13 (b)
         work area where SBATs are present and prior to assignments involving new
         exposure situations. Provide refresher training annually.
    e    Responsible Official may certify in writing that an individual already involved with                                                             73.13 (d)
         handling SBATs has the required knowledge, skills, and abilities to safely carry out
         the duties and responsibilities in lieu of initial training.

    f    Ensure that each individual with access to areas where SBATs are handled or stored                                                               73.13 (e)
         received and understood the training required by this section unless certified under
         subsection (d), above. Record the identity of the individual trained, the date of
         training, and the means used to verify that the employee understood the training.

    20   Total Responses
   21    Reviewer's Summary
    a    Summarize review findings below:




    b    Indicate final disposition or recommendations below:




         Signature:                                                                                               Date:
    c                                                                                                         d




      USDA/APHIS                                                                                       Facility Security Compliance Review              Incident Response Checklist (Ver. 1.1)




                                                                                       Incident Response Checklist
 1      Entity/Facility Name:                                                                                      7   Review Date:
 2      Responsible Official:                                                                                      8   Reviewers Name:
 3      Alternate Responsible Official:                                                                            9   Status:
 4      Building:
 5      Room number(s):
 6      Agent(s) used:
                                                                                                        Response
Item                                          Question                                                                                       Comments           References
                                                                                                       Yes No N/A
 10     Physical Security
 a      Physical Security is specifically addressed in the Facility Security Plan.

 b      The facility has established a liaison with the local police department.                                                                              BMBL Appendix F

 c      The facility has a 5 minute response time in effect.                                                                                                  Government SME
                                                                                                                                                              Best Practices
 d      Response time to facility is commensurate with assets being protected.                                                                                Government SME
                                                                                                                                                              Best Practices
 e      Facility has built-in security layers to delay intruders until first responders arrive (i.e.                                                          Government SME
        Security Guards, Alarm Systems, Security Bars).                                                                                                       Best Practices
 f      The first responders are aware of hazards and the need to respond to the facility as                                                                  Government SME
        quickly as possible.                                                                                                                                  Best Practices

 g      Procedures are in place for reporting and removing unauthorized persons.                                                                              BMBL Appendix F

 11     Cyber Security
 a      Cyber Security is specifically addressed in the Facility Security Plan.

 b      Formal computer incident response plan, procedures and infrastructure based on                                                                        USDA DM 3500-001
        incident reporting, handling, response and oversight are documented.
 c      Computer incident response team (CIRT) and responsible individuals have been                                                                          USDA DM 3500-001
        identified.

 d      Has there been an incident or compromise in the last 24 months?                                                                                       Draft USDA IPSSPM

 e      Facility end users are properly and continually educated on incident reporting                                                                        USDA DM 3500-001
        procedures.

 f      CIRT has tested and validated incident response procedures.                                                                                           USDA DM 3500-001

 g      Alerts and advisories are received, monitored and answered.                                                                                           NIST SP800-18

 h      Appropriate law enforcement, FedCIRC and other appropriate points of contact have                                                                     USDA DM 3500-001
        been identified and coordinated.

 i      Incidents are monitored and tracked until resolved.                                                                                                   NIST SP800-18




 j      Incident information is reported to the appropriate federal and state agencies, and                                                                   OMB Circular A-130
        organizations when necessary.
 k      Incident, common vulnerability and threat information is shared with interconnected                                                                   OMB Circular A-130
        systems.
 12     Inventory Security
 a      Inventory Security is specifically addressed in the Facility Security Plan.

 b      Potential risks to people, animals, plants and/or the environment from the accidental                                                                 USDA 9610-001
        or deliberate release of SBATs have been identified.
 c      In the event of a security or inventory breach, guidelines are developed to promptly                                                                  ABPA Section 212
        notify RO/ARO, Biosecurity Officer, and APHIS. First Responders are notified in the                                                                   (a)(1)(B);(e)(a); (e)(8)
        event of continuing safety or security concerns.

 d      Authorized personnel with demonstrated experience and/or training in the handling of                                                                  42 CFR 73.10a; 29
        SBATs including select toxins are designated for the containment and retrieval of                                                                     CFR 1910.1450; 29
        agents that have been removed from containment in Restricted Areas.                                                                                   CFR 1910.1200

 e      Standard procedures are in place to investigate inventory breach involving missing                                                                    Government SME
        SBATs including interviews of individuals with approved access and consideration of                                                                   Best Practices
        potential access by non-approved persons.

 f      Develop a Standard Operating Procedure to conduct a conference of RO/ARO,                                                                             ABPA Section 212
        Biosecurity Officer and APHIS to (a) assess the consequences and response                                                                             (b)(3)
        strategy regarding the unintentional release of an SBAT from facility containment (b)
        notify all essential authorities (state and local health, veterinary, etc.) and (c) initiate
        investigation of the cause of the release.

 g      If individuals are exposed to SBATs, procedures and policies exist to determine                                                                       ABPA Section 212
        potential quarantine requirements and medical considerations.                                                                                         (b)(3)
 h      For outdoor facilities, Wildlife Services is consulted for technical and/or operational                                                               ABPA Section 212
        assistance in the event of a release of pathogens into a wild population or the                                                                       (b)(3)
        incursion of vulnerable wildlife into outdoor containment.
 i      First Responders are provided with the list of SBATs, locations, responsible officials,                                                               ABPA Section 212
        contact information and potential health hazards or bioterror applications to maintain                                                                (b)(3)
        prior to an incident.


 j      An Incident Response checklist has been developed that is specific for the types of                                                                   ABPA Section 212
        SBATs in use/storage/transfer and details recommended response procedures for                                                                         (a)(1)(B); (e)(1)
        each agent. Includes information regarding host ranges, reservoirs, transmission
        rate, transmission modes, virulence factors, zoonotic potential, human pathogenicity,
        pharmacotherapies, environmental stability and application for bioterrorism.

        (Criteria for agents: consider the effect of exposure to the agent or toxin on animal or
        plant health, and on the production and marketability of animal and plant.)




 k     An Emergency Response Plan that meets the requirements of OSHA Hazardous                       73.12 (a); 73.15 (f)
       Waste Operations and Emergency Response Standard at 29 CFR 1910.120 and
       includes safety, security and emergency measures is in place. (Nothing in this
       section is to supersede or preempt the enforcement of the emergency response
       requirements imposed by the other statute or regulation.)

 l     Emergency Response Plan includes a Risk Assessment to describe the hazards                     73.12 (c)(1)(2); (c)(5)
       associated with the use of SBATs including actions that could lead to a release and
       spread of a SBAT inside or outside of a facility. (Includes provisions to prevent
       emergencies and to recognize them when they occur.)

 m     Emergency alert and response procedures are planned and coordinated with outside               73.12 (c)(3); (c)(11)
       parties.

 n     Personnel roles, lines of authority, training, and communication are clearly described         73.12 (c)(4)
       for emergency response actions.

 o     Evacuation routes, evacuation procedures, safe distances and places of refuge have             73.12 (c)(6); (c)(8)
       been identified, recorded and communicated among security and non-security
       personnel.

 p     Needs for resources, standard procedures and personnel have been assessed to                   73.12 (c)(7)
       provide site security and control in response to emergencies.

 q     The Emergency Response Plan must be coordinated with any entity-wide plans and                 73.12 (b)
       address such events as bomb threats, severe weather (hurricanes, floods),
       earthquakes, power outages, and other natural disasters or emergencies.

 r     Provide for decontamination procedures.                                                        73.12 (c)(9)

 s     Provide for emergency medical treatment, first aid, personal protective and                    73.12 (c)(10); (c)(13)
       emergency equipment.

 t     Establish a mechanism for critique of response and follow-up.                                  73.12 (c)(12)

 u     Describe special procedures needed to address the hazards of specific agents.                  73.12 (c)(14)

 v     Identify potential vulnerabilities for inventory discrepancies and/or breach of                42 CFR 73.11 (a); USDA Security Policies
       containment in addition to potential risks to people, animals, plants and/or the               and Procedures for Laboratories and
       environment from the accidental or deliberate release of SBATs.                                Technical Facilities (Excluding Biosafety
                                                                                                      Level (BSL)-3 Facilities)

 w     In the event of a security or inventory breach, guidelines exist to promptly notify First      BMBL Appendix F
       Responders in the event of continuing safety or security concerns.

 x     Reporting and response procedures for accidental or deliberate release of SBATs or             42 CFR 73.11 (a), (d)(7)(iii), (d)(7)(iv);
       inventory discrepancy and/or breach of security of Restricted Areas are described,             ABPA Sect. 212 (a)(1)(B); (e)(8);
       including but not limited to the immediate reporting to the RO, Biosafety Officer and          BMBL Appendix F
       APHIS Safety, Health and Environment Section.




 y      In the event of lost or stolen SBATs, accountability system provides system for                42 CFR 73.11 (d)(7)(iii)
        reporting specific inventory discrepancies including date, type agent, last location
        and quantity/volume.

 z      Incident Response Plan requires that any evidence of intentional alteration of SBAT            42 CFR 73.11 (d)(7)(v); BMBL Appendix F
        inventory records is immediately reported to the RO.

 aa     Authorized personnel with demonstrated experience and/or training in the handling of           42 CFR 73.10a, 29 CFR 1910.1450,
        SBATs including select toxins are designated for the containment and retrieval of              29 CFR 1910.1200
        agents that have been removed from containment in Restricted Areas.

 bb     Standard procedures in place to investigate inventory breach involving missing                 Government SME Best Practices
        SBATs including interviews of individuals with approved access and consideration of
        potential access by non-approved persons.

 cc     For an unintentional SBAT breach of facility containment, a Standard Operation                 ABPA Sect. 212 (b)(3)
        Procedure exists to conduct a conference of RO/ARO, Biosecurity Officer and APHIS
        to (a) assess the consequences and response strategy (b) notify all essential
        authorities (state and local health, veterinary, etc.) and (c) initiate investigation of the
        cause of the release.

 dd     If individuals are exposed to SBATs with potential clinical consequences, procedures           ABPA Sect. 212 (b)(3)
        and policies exist to determine potential quarantine requirements and medical
        considerations.

 ee     Wildlife Services is consulted for technical and/or operational assistance in the event        ABPA Sect. 212 (b)(3); APHIS OAFC
        of a release of pathogens into a wild population or the incursion of vulnerable wildlife
        into outdoor animal containment.
 13     Total Responses
 14     Reviewer's Summary
 a      Summarize review findings below:




 b      Indicate final disposition or recommendations below:




 c      Signature:                                    d      Date:




USDA/APHIS                                   Facility Security Compliance Review                      References (Ver. 1.0)



                                     APHIS FSCR Checklists References
  Abbreviation    Full Reference Name
  ABPA            Agricultural Bioterrorism Protection Act of 2002
  APHIS OAFC      Outdoor Animal Facilities Checklist
  APHIS RKIC      Record Keeping Inspection Checklist
  BMBL            Biosafety in Microbiological and Biomedical Laboratories, 4th Ed. CDC/NIH
  CDC             Centers for Disease Control and Prevention
  CFR             Code of Federal Regulations
  DM              Departmental Manuals
  DOC             Department of Commerce
  DOT             Department of Transportation
  IATA            International Air Transport Association
  NIH             National Institutes of Health Guidelines for Research with Recombinant DNA
  NIST            National Institute of Standards and Technology
  OAFC            Outdoor Animal Facilities Checklist
  OMB             Office of Management and Budget
  RKIC            Record Keeping Inspection Checklist
  USDA IPSSPM     United States Department of Agriculture Integrated Physical Security Standards and Procedures Manual
  USPHS           United States Public Health Service
  WHO             World Health Organization




Communications Resource, Inc.                                                                                 July 21, 2003

								