[Code of Federal Regulations] [Title 7, Volume 5] [Revised as of January 1, 2006] From the U.S. Government Printing Office via GPO Access [CITE: 7CFR331.11] [Page 482-483] TITLE 7--AGRICULTURE CHAPTER III--ANIMAL AND PLANT HEALTH INSPECTION SERVICE, DEPARTMENT OF AGRICULTURE PART 331_POSSESSION, USE, AND TRANSFER OF SELECT AGENTS AND TOXINS--Table of Contents Sec. 331.11 Security. (a) An individual or entity required to register under this part must develop and implement a written security plan. The security plan must be sufficient to safeguard the select agent or toxin against unauthorized access, theft, loss, or release. (b) The security plan must be designed according to a site-specific risk assessment and must provide graded protection in accordance with the risk of the select agent or toxin, given its intended use. The security plan must be submitted upon request. (c) The security plan must: (1) Describe procedures for physical security, inventory control, and information systems control; (2) Contain provisions for the control of access to select agents and toxins; [[Page 483]] (3) Contain provisions for routine cleaning, maintenance, and repairs; (4) Establish procedures for removing unauthorized or suspicious persons; (5) Describe procedures for addressing loss or compromise of keys, passwords, combinations, etc. and protocols for changing access numbers or locks following staff changes; (6) Contain procedures for reporting unauthorized or suspicious persons or activities, loss or theft of select agents or toxins, release of select agents or toxins, or alteration of inventory records; and (7) Contain provisions for ensuring that all individuals with access approval from the Administrator or the HHS Secretary understand and comply with the security procedures. (d) An individual or entity must adhere to the following security requirements or implement measures to achieve an equivalent or greater level of security: (1) Allow access only to individuals with access approval from the Administrator or the HHS Secretary; (2) Allow individuals not approved for access by the Administrator or the HHS Secretary to conduct routine cleaning, maintenance, repairs, and other activities not related to select agents or toxins only when continuously escorted by an approved individual; (3) Provide for the control of select agents and toxins by requiring freezers, refrigerators, cabinets, and other containers where select agents or toxins are stored to be secured against unauthorized access (e.g., card access system, lock boxes); (4) Inspect all suspicious packages before they are brought into or removed from an area where select agents or toxins are used or stored; (5) Establish a protocol for intra-entity transfers under the supervision of an individual with access approval from the Administrator or the HHS Secretary, including chain-of-custody documents and provisions for safeguarding against theft, loss, or release; and (6) Require that individuals with access approval from the Administrator or the HHS Secretary refrain from sharing with any other person their unique means of accessing a select agent or toxin (e.g., keycards or passwords); (7) Require that individuals with access approval from the Administrator or the HHS Secretary immediately report any of the following to the responsible official: (i) Any loss or compromise of keys, passwords, combinations, etc.; (ii) Any suspicious persons or activities; (iii) Any loss or theft of select agents or toxins; (iv) Any release of a select agent or toxin; and (v) Any sign that inventory or use records for select agents or toxins have been altered or otherwise compromised; and (8) Separate areas where select agents and toxins are stored or used from the public areas of the building. (e) In developing a security plan, an individual or entity should consider the document entitled, ``Laboratory Security and Emergency Response Guidance for Laboratories Working with Select Agents,'' in Morbidity and Mortality Weekly Report (December 6, 2002); 51 (No. RR- 19):1-6. This document is available on the Internet at http:// www.cdc.gov/mmwr. (f) The plan must be reviewed annually and revised as necessary. Drills or exercises must be conducted at least annually to test and evaluate the effectiveness of the plan. The plan must be reviewed and revised, as necessary, after any drill or exercise and after any incident.