From: Subject: Biosafety Level-3 Facility Policy/Procedures Date: Tue, 14 Aug 2012 15:28:12 -0600 MIME-Version: 1.0 Content-Type: text/html; charset="Windows-1252" Content-Transfer-Encoding: quoted-printable Content-Location: X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.6157 Biosafety Level-3 = Facility Policy/Procedures








           &nbs= p;            = ;            =             &= nbsp;           &n= bsp;           &nb= sp;           &nbs= p;            = ;            =           =20 Page



TABLE OF CONTENTS           &nbs= p;            = ;            =             &= nbsp;           &n= bsp;           &nb= sp;           &nbs= p;      =20 i          =20








1           = ;  =20 Purpose           &nbs= p;            = ;            =             &= nbsp;           &n= bsp;           &nb= sp;           &nbs= p;            = ;            =  =20 1 2           = ;  =20 Special Instructions           &nbs= p;            = ;            =             &= nbsp;           &n= bsp;           &nb= sp;           &nbs= p;        =20 1         =20 3           = ;  =20 Introduction           &nbs= p;            = ;            =             &= nbsp;           &n= bsp;           &nb= sp;           &nbs= p;            = ;       =20 1-3

4           = ;  =20 Abbreviations           &nbs= p;            = ;            =             &= nbsp;           &n= bsp;           &nb= sp;           &nbs= p;            = ;    =20 3-4

5           = ;  =20 Definitions           &nbs= p;            = ;            =             &= nbsp;           &n= bsp;           &nb= sp;           &nbs= p;            = ;         =20 4-8

6           = ;  =20 Responsibilities           &nbs= p;            = ;            =             &= nbsp;           &n= bsp;           &nb= sp;           &nbs= p;            = ;  =20 9

7           = ;  =20 Authorities, References, and Organizations           &nbs= p;            = ;            =             &= nbsp;         =20 9-12

8           = ;  =20 Inventory Control Procedures           &nbs= p;            = ;            =             &= nbsp;           &n= bsp;           &nb= sp;    =20 13-16

9           = ;  =20 Physical Security Systems           &nbs= p;            = ;            =             &= nbsp;           &n= bsp;           &nb= sp;          =20 16-24

10         =20 Cybersecurity Systems           &nbs= p;            = ;            =             &= nbsp;           &n= bsp;           &nb= sp;           &nbs= p;   =20 24-28

11         =20 Personnel Suitability           &nbs= p;            = ;            =             &= nbsp;           &n= bsp;           &nb= sp;           &nbs= p;       =20 29-30

12         =20 Biosecurity Incident Response Plan           &nbs= p;            = ;            =             &= nbsp;           &n= bsp;        =20 30



WASHINGTON, D.C.=20 20250









USDA Security Policies and Procedures = for=20 Biosafety Level-3 Facilities



August 30, = 2002



Agricultural Research Service


1           = ;        =20 PURPOSE


        =20 The purpose of this Manual is to define U.S. Department of = Agriculture=20 (USDA) requirements to secure pathogens held at USDA Biosafety Level-3 = (BSL-3)=20 facilities.  Security of = pathogens=20 held at non-BSL-3 facilities is covered in another technical facility = security=20 USDA manual entitled, =93Security Policies and Procedures for USDA = Laboratories=20 and Technical Facilities Excluding BSL-3 = Facilities.=94



2           = ;        =20 SPECIAL=20 INSTRUCTIONS


a    This Manual = contains a=20 uniform set of USDA policies and procedures which are intended to cover = USDA=20 laboratories that work with or have the capacity to work with BSL-3 = pathogens=20 and other facilities as deemed appropriate. 


b    The policies and = procedures=20 described herein are subject to review on a

        =20 5-year basis unless conditions warrant earlier=20 review.



3           = ;        =20 INTRODUCTION


This Manual defines USDA = requirements=20 to secure USDA-held pathogens at BSL-3 facilities.  Each=20 BSL-3 biocontainment facility shall create or modify an existing plan = for=20 biosecurity that is distinct from their own biosafety plan.  The biosecurity plan shall = have the=20 following elements:


a    Inventory Control=20 Procedures

b    Physical Security=20 Systems

c    Cybersecurity = Systems

d    Personnel = Suitability

e    Biosecurity = Incident Response=20 Plan

The biosecurity plan is = the=20 responsibility of the Agency and will be approved by the = Administrator.  The USDA conducts research and = regulatory activities, including detection and diagnosis, to protect = American=20 agriculture, forestry, and

human health from = pathogens.  USDA scientists utilize = pathogens in=20 their research and diagnostic activities that could constitute a threat = to=20 either human health or productivity of the agriculture system if = purposely or=20 inadvertently released into the environment.


Not all pathogens = constitute an equal=20 risk of threat to humans.  = The=20 Centers for Disease Control and Prevention (CDC) provide a = classification scheme=20 (see Definitions) describing the level of containment that must be used = to=20 protect researchers from the pathogens. =20 In addition, agricultural scientists utilize a parallel set of = standards=20 for managing agricultural pathogens to protect researchers and minimize = the risk=20 of a release into the environment (see Definitions).  Pathogens of concern are those = needing=20 BSL-3 or BSL-4 containment.


USDA scientists work with = crop=20 pathogens that do not pose a direct threat to human health but may = indirectly=20 pose a threat through the production of toxins.  The major concern with exotic = crop=20 pathogens is the potential for harm to American = crops.


USDA scientists work with = animal=20 pathogens that need containment to prevent their release into the=20 environment.  An example = of such a=20 pathogen is

foot-and-mouth disease = virus that=20 does not pose a health threat to humans but would cause significant loss = among=20 impacted animal populations.


USDA scientists work with = zoonotic=20 pathogens that cause disease in animals and in humans.  Avian influenza virus is such = a pathogen=20 that causes illness in birds but can also cause serious illness and even = death=20 in humans.


USDA scientists may also = work with=20 human pathogens in order to solve animal disease or food safety=20 problems.  Human pathogens = are=20 sometimes better understood than their animal counterparts.  USDA scientists have used the = polio=20 virus as a surrogate for the foot-and mouth disease virus.  USDA scientists work with = E. coli=20 O157:H7 to develop means to prevent its contamination of the food=20 supply.


In light of legislation = and the=20 urgency to address security at USDA laboratories, in the interim and = absent any=20 criteria, all BSL-3 agents as currently defined will be treated as High=20 Consequence Pathogens (HCPs). =20 Pathogens classified at the

BSL-2 level and held with = BSL-3=20 pathogens will be treated as HCPs, including brucellosis species,=20 Bacillus anthracis, etc.  = The=20 Department will develop and maintain a HCPs list. 


All USDA personnel at = BSL-3=20 facilities are responsible for biosafety. =20 The USDA-Agricultural Research Service (ARS) employs a Biosafety = Officer=20 responsible for managing and directing the biosafety program of USDA = BSL-3=20 laboratories.  Line = managers in USDA=20 are responsible for implementing operational biosafety programs, with = direct=20 oversight assigned to researchers and diagnosticians.  Line managers provide = resources for=20 training, implementation, and monitoring of biosafety policies and=20 programs.  Individual = researchers or=20 diagnosticians play the primary role for day-to-day biosafety practices = related=20 to

inventory management and=20 security.  Researchers and = diagnosticians also oversee utilization of pathogens by technicians and = other=20 support staff.  USDA = collateral duty=20 biosafety officers serve as a resource for biosafety program = implementation,=20 quality control, biosafety inspections, and training. 


This Manual specifically = establishes=20 a biosecurity program that charges all those responsible for biosafety = with=20 parallel responsibilities for biosecurity. =20 This biosecurity program will outline individual responsibilities = to=20 deter, detect, and respond to any security threat to ensure that = pathogens are=20 not removed illegally from the biocontainment = facilities.



4         =20 ABBREVIATIONS


           =20 ARS            &nbs= p;=20 -  Agricultural = Research=20 Service

           =20 APHIS         =20 -  Animal and Plant = Health=20 Inspection Service

           =20 CDC           &nbs= p;=20 -  Centers for = Disease Control=20 and Prevention

           =20 CFR           &nbs= p; =20 -  Code of Federal=20 Regulation     =20

           =20 DOC           &nbs= p;=20 -  Department of=20 Commerce

           =20 HCPs           =20 -  High Consequence = Pathogens

           =20 IATA           =20 -  International Air = Transport=20 Association

           =20 ICAO          =20 -  International = Civil=20 Aviation Organization

           =20 IDS           &nbs= p;  =20 -  Intrusion = Detections=20 System

           =20 IRC           &nbs= p;  =20 -  Incident = Response=20 Chief

           =20 ISSP           &nbs= p;=20 -  Information = System=20 Security Plan

           =20 LAN           &nbs= p;=20 -  Local Area=20 Network

           =20 NACI          =20 -  National Agency = Check with=20 Inquiry

           =20 NPI           &nbs= p;  =20 -  National = Pathogen=20 Inventory

           =20 OSHA         =20 -  Occupational = Safety and=20 Health Administration

           =20 OCIO          =20 -  Office of Chief = Information=20 Officer

           =20 PSL           &nbs= p; =20 -  Personnel = Security=20 Level   

USDA          =20 -  U.S. Department = of=20 Agriculture

           =20 USPHS         -  U.S. Public Health=20 Service

           =20 VPN           &nbs= p;=20 -  Virtual Private=20 Network





           =20 a    Administrator.  Head = of an=20 agency within the Department of Agriculture

           &nbs= p; =20 regardless of the actual title used, e.g., Chief of the Forest=20 Service.  =


      b    Agency. =20 A=20 major program = (non-administrative)=20 organization within the

           =20 Department (USDA) headed by an administrator who reports to the=20 Secretary,

           =20 Deputy Secretary, or an Under Secretary.


c    Biosafety Level=20 (BSL).  A combination of work practices and physical = containment=20 requirements designed to reduce the risk of laboratory infection when = working=20 with infectious material.  = The=20 degree of protection  = recommended is=20 proportional to the risk associated with an agent.  There are four biosafety = levels.  Biosafety Level 3-Agriculture = (BSL-3Ag)=20 contains an agriculture modification of BSL-3.  Vaccine strains that have = undergone=20 multiple in vivo passages should not be considered avirulent = simply=20 because they are vaccine strains.


(1)     = BSL-1.   Practices, safety = equipment, and=20 facility design and construction are appropriate for undergraduate and = secondary=20 educational training and teaching laboratories, and for other = laboratories in=20 which work is done with defined and characterized strains of viable=20 microorganisms not known to consistently cause disease in healthy adult=20 humans.  Bacillus = subtilis,=20 Naegleria gruberi, infectious canine hepatitis virus, and exempt=20 organisms under the National Institutes of Health Guidelines for = Research=20 Involving Recombinant DNA Molecules are representative of = microorganisms=20 meeting these criteria.  = Many agents=20 not ordinarily associated with disease processes in humans are, however, = opportunistic pathogens and may cause infection in the young, the aged, = and=20 immunodeficient or immunosuppressed individuals. 


(2)        =20 BSL-2. =20 Practices, equipment, and facility design and construction are = applicable=20 to clinical, diagnostic, teaching, and other laboratories in which work = is done=20 with the broad spectrum of indigenous

        =20 moderate-risk agents that are present in the community and = associated=20 with human disease of varying severity. =20 With good microbiological techniques, these agents can be used = safely in=20 activities conducted on the

open bench, provided = the potential=20 for producing splashes or aerosols is

low. =20 Hepatitis B virus (HBV), the salmonellae, and Toxoplasma = spp. are=20 representative of microorganisms assigned to this containment = level.  BSL-2 is appropriate when work = is done=20 with any human-derived blood, body fluids, tissues, or primary human = cell lines=20 where the presence of an infectious agent may be unknown.  (Laboratory personnel working = with=20 human-derived materials should refer to the Occupational Safety and = Health=20 Administration (OSHA) Bloodborne Pathogen Standards = (2)=20 for specific required precautions.)


           &nbs= p;  =20 Primary hazards to personnel working with these agents relate to=20 accidental percutaneous or mucous membrane exposures, or ingestion of = infectious=20 materials.  Extreme = caution should=20 be taken with contaminated needles or sharp instruments.  Even though organisms = routinely=20 manipulated at BSL-2 are not known to be transmissible by the aerosol = route,=20 procedures with aerosol or high splash potential that may increase the = risk of=20 such personnel exposure must be conducted in primary containment = equipment, or=20 in devices such as a biological safety cabinet or safety centrifuge = cups.  Other primary barriers should = be used as=20 appropriate, such as splash shields, face protection gowns, and=20 gloves.


           &nbs= p;  =20 Secondary barriers such as hand washing sinks and waste = decontamination=20 facilities must be available to reduce potential environmental=20 contamination.  =20


(3)     = BSL-3.  Practices, safety equipment, = and=20 facility design and construction are applicable to clinical, diagnostic, = research, or production facilities in which work is done with indigenous = or=20 exotic agents with a potential for respiratory transmission, and which = may cause=20 serious and potentially lethal infection. =20 Mycobacterium tuberculosis, St. Louis encephalitis virus, = and=20 Coxiella burnetii are representative of the microorganisms = assigned to=20 this level.  Primary = hazards to=20 personnel working with these agents relate to autoinoculation, = ingestion, and=20 exposure to infectious aerosols.


           &nbs= p;  =20 At BSL-3, more emphasis is placed on primary and secondary = barriers to=20 protect personnel in contiguous areas, the community, and the = environment from=20 exposure to potentially infectious aerosols.  For example, all laboratory=20 manipulations should be performed in a biological safety cabinet or = other=20 enclosed equipment, such as a gas-tight

aerosol generation = chamber.  Secondary barriers for this = level=20 include

controlled access to = the=20 laboratory and ventilation requirements that

minimize the release = of infectious=20 aerosols from the laboratory.


(4)     = BSL-3-Ag.  There is a special concern for = reducing=20 the risk of environmental exposure to pathogens of consequence to=20 agriculture.  Therefore, = USDA=20 defined BSL-3-Ag criteria enhances containment described for BSL-3 by = adding=20 filtration of supply and exhaust air, sewage decontamination, exit = personnel=20 showers, and facility integrity testing. =20 BSL-3-Ag is treated the same as BSL-3 for biosecurity purposes of = this=20 document.


(5)     BSL-3=20 Facility.  A facility=20 constructed to provide containment for BSL-3 = pathogens.


(6)     = BSL-4.  Practices, safety equipment, = and=20 facility design and construction are applicable for work with dangerous = and=20 exotic agents that pose a high individual risk of life-threatening = disease,=20 which may be transmitted via the aerosol route and for which there is no = available vaccine or therapy. =20 Agents with a close or identical antigenic relationship to BSL-4 = agents=20 also should be handled at this level. =20 When sufficient data are obtained, work with these agents may = continue at=20 this level or at a lower level. =20 Viruses such as Marburg or Congo-Crimean hemorrhagic fever are=20 manipulated at BSL-4.


           &nbs= p;  =20 The primary hazards to personnel working with BSL-4 agents are=20 respiratory exposure to infectious aerosols, mucous membrane or broken = skin=20 exposure to infectious droplets, and autoinoculation.  All manipulations of = potentially=20 infectious diagnostic materials, isolates, and naturally or = experimentally=20 infected animals, pose a high risk of exposure and infection to = laboratory=20 personnel, the community, and the environment.


           &nbs= p;  =20 The laboratory director is specifically and primarily responsible = for the=20 safe operation of the laboratory. =20 His/her knowledge and judgment are critical in assessing risks = and=20 appropriately applying these recommendations.  The recommended biosafety = level=20 represents those conditions under which the agent can ordinarily be = safely=20 handled.  Special = characteristics of=20 the agents used, the training and experience of personnel, and the = nature or=20 function of the laboratory may further influence the director in = applying these=20 recommendations.


(7)     BSL-3=20 Pathogens.  For = purpose of this=20 Manual, all BSL-3 agents will be considered as = HCPs.


d    Chain of Custody. =20 The serial holders of a pathogen, each of who is = responsible for=20 securing the pathogen and are accountable for its documentation.


e    Foreign Animal=20 Disease.  A = contagious,=20 infectious, or communicable animal disease exotic to the United=20 States.


           =20 f    =20 Incident Response Chief (IRC).  USDA Center Director or = Laboratory=20 Director responsible for incident control. =20


g    Infectious = Biological=20 Material.  Infectious = substances=20 (also referred to as

      = etiologic=20 agents) as defined by the U.S. Public Health Service=20 (USPHS):


A substance containing or = suspected=20 of containing an infectious virus, prion, or a viable microorganism, = such as a=20 bacterium, rickettsia, parasite, fungus, or protozoan that is known or=20 reasonably believed to cause disease in humans.  Toxins known to be pathogenic = to humans=20 are to be packaged and shipped as infectious = substances.


For purposes of USDA = policy, this=20 includes any subunits or genetic elements of BSL-3 pathogens if those = subunits=20 or genetic elements, if inserted into an appropriate host system, are = reasonably=20 believed capable of causing disease or toxicosis in livestock, poultry, = and=20 crops.


           =20 h    = =93Select=20 Agents=94 as defined by USPHS:


Prior to the = shipment of any=20 biological material to any destination within the United States, the = designated=20 shipper must first check to see if the biological material is classified = as a=20 Select Agent under the updated 42 CFR Part 72.6, Additional Requirements = for=20 Facilities Transferring or Receiving Select Agents.  Select Agents are listed in = Appendix A,=20 to Part 72 -- Select Agents ( d/ohs/lrsat/42cfr72.htm=20 Appendix A).   If the = agent is=20 classified as a Select Agent, the designated shipper must receive = authorization=20 from the USDA designee before shipping. =20 All rules outlined in 42 CFR 72 must be followed.  It is the responsibility of = the USDA=20 designee to assure that the transfer of any USPHS Select Agents from = USDA=20 facilities is accomplished in adherence with the current = regulations.  =


i     = Organisms.  All cultures or collections of = organisms=20 or their derivatives that introduce or disseminate any contagious or = infectious=20 disease of animals including poultry.


j    =20 Vectors.  = Vector- A=20 carrier, usually an arthropod in biology, that transfers an infective = agent from=20 one host to another.  = Transmission=20 can be either mechanical, where no replication occurs in the vector or=20 biological (the usual case with viruses), where replication in the = vector is=20 required for transmission.


k    Intrusion = Detection=20 System.  A = system=20 designed to detect unauthorized entry and to send an alarm.=20


l     Guard Post = Orders=20 and Special Instructions. =20 Detailed instruction to the guard force detailing use of force = frequency=20 of patrols, hours of operation, special needs of the facility, and = outlining=20 changes in protocols to address specific incidents.  To the maximum extent = permissible under=20 the law, USDA will exercise available authority to arrest and = detain.  

m  =20 Personnel Security Level (PSL).  Designation assigned to = positions that=20 are located at BSL-3 facilities.  The designations are = commensurate=20 with low, moderate, and high-risk levels of public trust and have = similar=20 investigative requirements. 


(1)        =20 PSL-1.  Personnel assigned to positions with BSL-3=20 facility/center/complex, but whose duties do not involve access to=20

        =20 BSL-3 pathogens shall, at a minimum, be determined to encumber = low risk=20 public trust positions.  =

           &nbs= p;            = ;            =             &= nbsp;           &n= bsp;      =20

(2)     PSL-2. =20 Personnel assigned to positions that have access to or = work with=20 BSL-3 facilities or that have access to or work with BSL-3 pathogens = shall, at a=20 minimum, be determined to encumber moderate risk public trust = positions. 


(3)    =20 PSL-3.  Personnel who are assigned to=20 leadership/supervisory positions and who plan, report, and control = research and=20 access to BSL-3 facilities and pathogens shall be determined to encumber = high=20 risk public trust positions. 



6           = ;        =20 RESPONSIBILITIES


           =20 a      =20 All USDA personnel at BSL-3 facilities are responsible for = security of=20 USDA assets.  Line = managers in USDA=20 are responsible for implementing and managing biosecurity programs with = direct=20 oversight assigned to researchers and diagnosticians.


The biosecurity program will outline individual = responsibility=20 to deter, detect, and respond to any security threat to ensure that = pathogens=20 are not removed illegally from the biocontainment facilities.  The following agency positions = have=20 responsibility for ensuring biosecurity procedures and policies are=20 implemented:


b       = Agency=20 Biosafety Officer or Equivalent. =20 Must ensure USDA biosafety and biosecurity policies are adhered = to at all=20 agency locations.


c       = Agency=20 Heads.  Agency heads = are=20 responsible for ensuring that their organizations adhere to USDA = biosafety and=20 biosecurity policies and procedures as outlined in this Manual. 


d       = Deputy=20 Administrators.   = Must=20 ensure USDA biosafety and biosecurity policies are implemented at all = sub-agency=20 levels.  =


e         =20 Center Director, Laboratory = Chief or=20 Director, or Research Leader.  Must ensure effective = biosafety and=20 biosecurity implementation at their facility or = institute.

           &nbs= p;  =20

      f       =20 Location Biosafety/Biosecurity/Quarantine Officer.  Must work with local line = managers to=20 ensure laboratories are adhering to agency policy on pathogen = inventories.=20


     =20 g      =20 Scientists.  = Must=20 ensure that all pathogens used in their laboratories are entered in the=20 repository database and that repository records are current and reflect = the=20 materials on hand.


           &nbs= p;  =20      =20



a      =20 Authorities.  = All Code=20 of Federal Regulation (CFR) citations can

be accessed via the Internet at  


        =20 b      =20 Biosafety Levels, Risk Assessment, and Agent Summary=20 Statements.


   Biosafety in = Microbiological and=20 Biomedical Laboratories,

   4th Edition

Published by the Office of Biological Safety,=20 CDC,

Stock Number 017-040-00547-4 available = from:  U.S. Superintendent of=20 Documents

        =20 U.S. Government Printing Office Washington, D.C.   20402   =20 202-275-3318


c       = Control=20 List.


   9 CFR 122, APHIS = Veterinary=20 Services, National Center for Import and Export.


           =20 USDA, APHIS

           =20 Veterinary Services, National Center for Imports and=20 Exports,

           =20   Products=20 Program

           =20 4700 River Road, Unit 40

           =20 Riverdale, Maryland USA 20737

           =20 http://www.aphis.USDA.= gov/OA/imexdir.html


7 CFR 330.200 =20 Subpart M-Movement of Plant Pests Regulated; permits required.=20

           &nbs= p;  =20

           =20 USDA, APHIS

           =20 Plant Protection and Quarantine

           =20 4700 River Road, Unit 133

           =20 Riverdale, Maryland USA 20737

           &nbs= p;  =20 rmits


d      =20 Personnel Suitability/Security.


           =20 The National Security Act of 1947, dated July 26, 1947, as=20 amended.


           =20 Executive Order 12968 access to classified information, August 4, = 1995.


5 CFR 731, suitability = regulations, revised March 19, 2001.


5 CFR 732, national = security=20 positions, revised January 1, 2001.


32 CFR 147, = adjudicative=20 guidelines for determining eligibility for access to classified = information,=20 July 1, 1999.


Executive Order 10450 = security=20 requirement for Government employees, April 27, = 1953.


e       = Physical=20 Security.


           =20 41 CFR Chapter 101, Federal Property Management=20 Regulations.


7 CFR Part 2, Delegations of Authority by the = Secretary=20 of Agriculture and general officers of the Department. =


Interagency Security = Committee=20 Security Design Criteria,

May 28, 2001.


f       =20 Shipping.


9 CFR 122, APHIS, Veterinary Services, = National Center=20 for Import and Export.


           =20 USDA, APHIS

           =20 Veterinary Services, National Center for Imports and=20 Exports,

           =20   Products=20 Program

           =20 4700 River Road, Unit 40

           =20 Riverdale, Maryland USA 20737

           =20 http://www.aphis.USDA.= gov/OA/imexdir.html


7  = CFR 330.200 =20 Subpart M-Movement of Plant Pests Regulated; permits required.=20


           =20 USDA, APHIS

           =20 Plant Protection and Quarantine

           =20 4700 River Road, Unit 133

           =20 Riverdale, Maryland USA 20737

           &nbs= p;  =20 rmits


49 CFR 171-180, U.S. Department of = Transportation=20 hazardous materials regulations.


49 CFR 173.143, Division 6.2, Definitions, = exemptions,=20 and packing group assignments.


42 CFR 72, Interstate Shipment of Etiologic = Agents.      =20 smtp://


15 CFR 742, 744, and 774, DOC Control Policy = and=20 Commerce.


International Air Transport Association (IATA) = Dangerous=20 Goods Regulations, 40th Edition, 1999.


39 CFR 111, U.S. Postal Service Domestic Mail=20 Manual.


42 CFR 71, USPHS = Foreign=20 Quarantine.


42 CFR 71.54, Etiologic agents, hosts, and=20 vectors.


IATA Dangerous Goods = Regulations, 36th Edition, 1995

IATA Publications=20 Assistant

2000 Peel=20 Street

Montreal, Quebec, = Canada H3A=20 2R4

514-844-3611 or = 800-716-6326=20 (phone); 514-844-9089 (fax)


International Civil Aviation Organization = (ICAO)=20 Technical Instructions for the Safe Transport of Dangerous Goods by=20 Air,

1995-1996 Edition

ICAO Document Sales Unit

1000 Sherbrooke=20 Street

Montreal, Quebec, = Canada H3A=20 2R2

514-285-8022 (phone); = 514-285-6769=20 (fax)


Guidelines for the Safe Transport of = Infectious=20 Substances and Diagnostic Specimens

   World Health = Organization,=20 1997 safety.html


g       = Work=20 Practices, Training.


29 CFR 1910.1030, = OSHA, Blood=20 Borne Pathogen Standard.



           =20 8      =20 INVENTORY CONTROL PROCEDURES


         =20 a      =20 Purpose.  = The purpose=20 of this section is to set policy on the handling, storage, shipping, = disposal,=20 record keeping, and monitoring of all biological agents.  The intent of this section is = also to=20 ensure proper chain of custody procedures are utilized.


(1)     = Accountability=20 Records.   = Three=20 types of accountability records are required: (a) a summary inventory at = USDA=20 agency headquarters, i.e., National Pathogen Inventory (NPI) = system;  b) a detailed inventory of = repository=20 materials to be kept at the research or diagnostic facility; and (c) = materials=20 accountability for experimental or working samples.  Records in the first two = systems must be=20 maintained electronically and backed up on a separate system.  The objective of maintaining = such=20 records is to ensure that the agency knows which pathogens are present, = or have=20 been present in its facilities, to ensure the accountability of = scientists for=20 the pathogens they store and use, and to know the final disposition of=20 pathogens, including destruction or shipping to another facility.  The NPI will allow an agency = to rapidly=20 identify the facilities at which particular agents are in use.  The format for each is = described=20 below:


(a)     = NPI.  Agencies will maintain a = summary=20 inventory database, consisting of the limited fields listed below, to = provide=20 management with the capability to rapidly determine pathogens in use at = each=20 facility. USDA agencies will use an NPI system for this=20 purpose.


Inventory records must = include:


   1   =20 Agent name

   2   =20 Agency/Location/Laboratory

   3   =20 Person responsible for pathogenic material (laboratory           &n= bsp; =20          =20  supervisor)

   4    Contact=20 information


(b)        =20 Facility = Inventory of=20 Repository Materials.  Each USDA facility that stores = or uses=20 any pathogen must maintain a current detailed inventory as outlined = below.  The information shall be=20

maintained in a standard database format.  Each facility will maintain a = current=20 master database reflecting the cumulative


pathogens of all management units at the = facility.  The database will not only = serve as a=20 record of current inventory but will also serve as a historical record = of=20 pathogens use at the facility. =20 Placing records no longer in use in an inactive file rather than = deleting=20 them will accomplish this.  = Inactive=20 records will be kept for at least 5 years. =20 The Center or Laboratory Director for retention of BSL-3 = pathogens in the=20 inventory must review records annually. =20


         Information = to be=20 included in the database is as follows:


1       =20 Agent = (scientific and=20 common name and strain where applicable);


2   =20 Amount (number of vials or contains = inventoried);


3   =20 Biosafety Level, Agent Type (bacteria, virus, = etc.)


4   =20 Storage location (building, room number, freezer=20 number);


5   =20 Storage conditions (refrigerator, freezer, -70oC,=20 -20oC, liquid N2., etc.);


6   =20 Date of change of status, i.e., removal, change of custody,=20 etc.;


7   =20 Site of usage (pinpoint to discrete locations such as building = numbers=20 and possibly room numbers);


8   =20 Disposition including shipping when removed from inventory, = including=20 method of destruction, when applicable;


9   =20 Scientist with contact information (telephone number=20 and

      address = of=20 researcher or diagnostician).


Any working cultures that become new = repository stocks=20 must be added to the inventory.  = New=20 pathogens (not already in inventory) identified in diagnostic or = experimental=20 samples or generated through recombinant technologies must be added to = the=20 repository and inventory database.


(c)     Material=20 Accountability of Experimental or Working Samples.  Experimental samples and = repository=20 stock aliquots used for working stocks or experimental purposes are = tracked by=20 laboratory records (laboratory notebooks, electronic systems, = etc.).  The location of material use = must be=20 included.  At the = conclusion of each=20 experiment, the disposition of the infectious material, including the = means of=20 disposal, must be verified by the signature of the researcher or = diagnostician,=20 or their designee.


(2)     Packaging = and=20 Shipping of Infectious Material. =20 Packing and shipping of pathogens will meet current national and=20 international regulations and guidelines, which are referenced in this = Manual=20 under Section 7, AUTHORTIES, REFERENCES, AND=20 ORGANIZATIONS.


Shipping and receiving of pathogens will meet = applicable=20 guidelines and be tracked by each agency. =20 Organisms and vectors may require an APHIS permit for transport = (9 CFR=20 Part 122 for Animal Pathogens and 7 CFR 330.200 for Plant=20 Pathogens).


USDA laboratories employ a small number of = agents=20 designated by the CDC as select agents. =20 Shipping and tracking of these agents will be done in accordance = with CDC=20 regulations found in 42 CFR Part 72.


The DOC regulations, including requirements = for export=20 permits, must be met for the export of pathogenic materials.  The Biosafety Officer will = review=20 shipping records in the database on at least an annual basis to ensure=20 compliance.


(3)     Physical = Review of=20 Accountability Records. =20 Scientists working with pathogens are responsible for the = accuracy of=20 electronic databases and laboratory notebook records, which are subject = to=20 review by their supervisor, Laboratory Director, and authorized agency=20 personnel. Physical review will be at least annually.  Methods used during physical = review or=20 reconciliation may include counts of entire inventory or statistical = sampling of=20 records and repository materials. =20 The Center Director, Laboratory Director, or equivalent is = responsible=20 for ensuring the physical reviews are accomplished.  Random reviews shall be = conducted on an=20 annual basis by the agency Biosafety Officer to ensure compliance at the = locations.  =


(4)     Pathogen=20 Security.  All = pathogens shall=20 be stored in secure freezers within the facility.  BSL-3 pathogens must be = secured within=20 the high containment facility.  = Only=20 personnel with the appropriate PSL will

have access to freezer keys and codes.  The biosafety level risk=20 group

or biosafety category of the storage unit will = be=20 determined by the

highest risk pathogen within the storage=20 unit.


(5)     Sample=20 Labeling.  All sample = vials in=20 the inventory shall be labeled in a permanent manner so that all = information is=20 readable.


(6)     = Inactivation and=20 Disposal of Pathogens. =20 Procedures must be in place at each location for this purpose and = must=20 include, as appropriate, autoclaving, other thermal inactivation = technology,=20 chemical treatment, or an equally effective comparable process.  All pathogens and contaminated = supplies=20 will be treated.


(7)        =20 Internal=20 Transfer.  A BSL-3 pathogen can be = transferred=20 internally to another scientist within the same facility, providing that = the=20 biosafety level for containment and the level of staff competence are=20 maintained. The receiving scientist must be added as the responsible = party in=20 the pathogen database and all required records must be updated to = document such=20 transfers.





a      =20 Purpose.  = This=20 sections sets policy to:


(1)    =20 Ensure appropriate levels of protection against unauthorized = access,=20 theft, diversion, or loss of custody of BSL-3 pathogens; loss or theft = of=20 information related to BSL-3 pathogens and other acts that may cause=20 unacceptable adverse impacts on national security or on the health and = safety of=20 USDA employees, the public, or the environment;


(2)    =20 Provide levels of protection in a graded manner in accordance = with the=20 potential consequences;


           &nbs= p;        =20 (3) Ensure effective = planning of=20 graded protection levels and prudent application of resources.

           &nbs= p;     =20

   = BSL-3=20 pathogens are ubiquitous, existing both in nature and in laboratories = around the=20 world.  However, it is = prudent to=20 limit access to BSL-3  = pathogens and=20 information related to BSL-3 pathogens to authorized individuals, and to = deter=20 and detect unauthorized access.



b       = Risk=20 Assessment.  The = physical=20 security system shall be designed according to a site-specific risk = assessment,=20 which will evaluate targets, adversary capabilities, consequences, and=20 vulnerabilities.  The risk = assessment shall be developed by qualified individuals who have = expertise in=20 physical and biological security. =20 The objectives and performance of the physical security system = shall be=20 reviewed regularly, but no less than every 5 years, by qualified = individuals who=20 have expertise in physical and biological security.


c      =20 Site-Specific=20 Considerations.  The physical security systems = will be=20 tailored to address site-specific characteristics and requirements, = ongoing=20 programs, and=20 operational needs, and to achieve acceptable protection levels using=20 current=20 technology in a cost-effective manner. =20 The protection strategy may be=20 tailored to address varying circumstances and may range from prevention=20 to=20 pursuit.


d      =20 Graded=20 Protection.  Physical security systems = shall provide=20 graded protection in accordance with the importance of the asset.  That is, USDA intends that the = highest=20 level of protection be given to security interests whose loss, theft,=20 compromise, and/or unauthorized use will seriously affect=20

the=20 national security, and/or the health and safety of USDA employees, the = public,=20 the environment, or USDA programs. =20 Therefore, protection of

BSL-3=20 pathogens will be given the highest level of protection.  Protection of other interests = will have=20 lower levels of protection.


        =20 It should be recognized that risks must be accepted (i.e., that = actions=20 cannot be taken to reduce the probability or consequences of all = malevolent=20 events to zero); however, an acceptable level of risk should be = determined based=20 on evaluation of a variety of facility-specific goals and = considerations.  Protection-related plans shall = describe,=20 justify, and document the graded protection provided to BSL-3 pathogens = and=20 information related to BSL-3 pathogens. =20 The plans shall be reviewed and updated annually.


        =20 The nature of the threat, the vulnerability of the asset, and the = potential consequences of an adversarial act shall be considered in = determining=20 the

appropriate level of protection against = risk.  Accordingly, physical security = systems=20 shall provide graded protection in accordance with the importance of the = asset.


Consequently, facilities shall consolidate = BSL-3=20 pathogens, concentrate intrusion detection and assessment systems at the = remaining locations where

the BSL-3 pathogens are kept, and control = access to=20 these locations.  To maintain the continuity = of=20 operation, the protection strategy shall be to mitigate the severity of = the=20 event through response and recovery option planning.


e      =20 Security = and=20 Restricted Access Areas.  Unescorted access shall be = limited to=20 authorized individuals.  = Any=20 unauthorized individual will be escorted at all times by an authorized=20 individual.  Local = authorities shall=20 establish appropriate escort-to-visitor ratios.


Controls shall be established to detect, = assess, and=20 deter unauthorized access to security areas.  Access control requirements = may be=20 layered as appropriate for the situation. =20 At succeeding boundaries, access controls may be increased.  Means shall be provided to = deter and=20 detect unauthorized intrusion into limited and exclusion areas as = defined=20 below.  Means include: use = of=20 intrusion detection sensors and alarm systems, random patrols, and/or = visual=20 observation.  The = protection program=20 shall include suitable means to assess alarms.

  f       =20 Property = Protection=20 Area--Lowest Level of Protection.  A property protection area is = a security=20 area established to protect against damage, destruction, or theft of = USDA-owned=20 property.  At each site, = the USDA=20 property boundary shall be identified, and signs prohibiting trespassing = shall=20 be posted.  Physical = barriers, where=20 determined to be necessary by local authority, shall be used to protect property and = facilities.  

   All buildings in the = property=20 protection area must be locked and security keys shall be = protected.  An accountability system for = security=20 keys shall be implemented.


g      =20 Limited=20 Area--Intermediate Level of Protection.  A=20 limited area shall have barriers identifying its boundaries and = encompassing the=20 designated space, as well as access controls to provide reasonable = assurance=20 that only authorized personnel are allowed to enter and exit the area = without=20 escort. For example, a limited area may be a building that contains an = exclusion=20 area.


        =20 Access to a limited area shall require a unique item (i.e., = proximity=20 card) and an appropriate level of intrusion detection.  Sufficient exterior lighting = should be=20 provided to allow the protective force to detect and assess = intrusions.


h      =20 Exclusion=20 Area--Highest Level of Protection.  An=20 exclusion area shall have barriers identifying its boundaries and = encompassing=20 the designated space, as well as access controls to provide reasonable = assurance=20 that only authorized personnel are allowed to enter and exit the = area.  For example, an exclusion area = may be a=20 laboratory containing BSL-3 pathogens or information related to BSL-3=20 pathogens.


        =20 Access to an exclusion area shall require a unique item (i.e., = proximity=20 card) and unique knowledge (i.e., personal identification = number), and an=20 appropriate level of intrusion detection. =20 Access control and intrusion detection shall be administered by=20 protective personnel and/or automated systems.


i       =20 Storage.  BSL-3=20 pathogens and information related to BSL-3 pathogens shall be stored in = an=20 exclusion area and secured within a locked security container or locked=20 room.  

j       =20 Access Control and Entry/Exit Inspections.  Access control points shall be designed to = provide=20 positive control over pedestrian traffic. =20 The access control points shall provide a barrier to personnel = entering=20 limited areas and exclusion areas until such time as entry is requested = and/or=20 authorized.  =

Automated access = control systems=20 shall read data entered by the person

requesting access, and = if the data=20 are successfully validated, the portal shall

be electrically = unlocked.


A security badge that electronically stores = information=20 relevant to the badge and badge holder shall be used for automated = access=20 control systems.  The = access=20 authorization list shall be updated when an individual=92s access = authorization=20 has changed or when an individual is transferred or reassigned. Badge = readers=20 shall be equipped with anti-pass back protection.


Door locks=20 opened by badge readers shall be designed to relock immediately after = the door=20 has closed to deter another person from opening the door without = following=20 procedures.


The system shall record all = transactions--authorized=20 access (for tracking purposes) and attempted unauthorized access.


   Keypad devices shall have = a visual=20 shielding device mounted so that an unauthorized person in the immediate = vicinity cannot observe the numbers entered.


k      =20 Intrusion Detection and Assessment Systems.  Intrusion detection systems shall be installed = to=20 provide reasonable assurance that breaches of security boundaries are = detected=20 and that assessment information is provided to protective = personnel.


   A means for timely = detection of=20 intrusion shall be provided by the use of intrusion detection systems = and/or=20 protective force fixed posts and/or mobile patrols.  Assessment of intrusion = detection system=20 alarms shall be provided by patrols and/or closed circuit = television.  When used for detection, = patrols shall=20 be conducted at random intervals at a documented frequency.


   Intrusion detection = systems shall=20 provide operable coverage in all local environmental conditions.


   There shall be an = effective method=20 by which to assess intrusion detection system alarms (e.g., intrusion, = false,=20 nuisance, and tamper).


   Response capability to = intrusion=20 detection system alarms shall be provided to protect USDA BSL-3 = pathogens and=20 information related to BSL-3 pathogens. =20 The response capability may be provided by assigned protective = personnel=20 or by the local law enforcement agency, as applicable.  Response times shall be = appropriate for=20 the protection strategy employed at the site.


   The intrusion detection = systems=20 shall be:  (1) monitored=20 continuously by assigned personnel to assess alarms and initiate = appropriate=20 responses; (2) operated and maintained in a manner ensuring that the = number of=20 false and nuisance alarms does not reduce the system credibility; and=20 (3)

   tamper-resistant or=20 tamper-alarmed.  A = facility=20 possessing BSL-3 pathogens shall have line supervision for security=20 sensors.  The security = sensors shall=20 not be connected to an open computer network.


   Compensatory measures = shall be=20 provided during times when the intrusion detection system is not in = operation or=20 at temporary locations where a permanent intrusion detection system is = not=20 practical or cost effective.


   Records shall be kept on = each=20 actual and/or false nuisance alarm. =20 The record shall be reviewed, analysis performed, and corrective = measures=20 taken to correct system malfunctions. =20 The record shall contain, at a minimum:  date and time of the alarm, = cause of the=20 alarm or a probable cause if definite cause cannot be established, and = the=20 identity of the recorder or the operator on duty.



Alarm monitoring systems shall be = self-checking and=20 shall enunciate system failure in the alarm station.  Systems shall indicate the = type and=20 location of the alarm source.


Systems shall be functionally tested in = accordance with=20 established procedures at a frequency that is documented.


Doors and hatches which provide access to = limited and=20 exclusion areas shall be equipped with intrusion detection system = devices.  A balanced magnetic switch, or = other=20 equally effective device, shall be used on each door to provide = detection of=20 attempted or actual unauthorized access.


Panic hardware or emergency exit mechanisms = used on=20 emergency doors located in limited and exclusion areas shall be operable = only=20 from inside the building or room and shall meet all applicable life = safety=20 codes.


Windows which provide access to exclusion = areas shall=20 have intrusion detection sensors or 18-gauge expanded metal securely = fastened on=20 the inside. This also applies to doors with windows.  All windows shall be closed = and locked=20 during non-working hours to preclude surreptitious entry.


Video recorders, when used, shall be activated = by alarm=20 signals operated automatically and sufficiently rapid to record an = actual=20 intrusion.


When used as the principal means of alarm = assessment and=20 to determine response level, closed-circuit television cameras shall=20 have

tamper-protection, loss-of-video alarm = enunciation, and=20 adequate lighting.


l       =20 Protection of Access Control and Intrusion Detection = Systems. 

        =20 Security-related equipment shall be protected from unauthorized = access in=20 a graded manner consistent with its importance; all detection/alarm = devices and=20 access control system components, including transmission lines to = enunciators,=20 shall be tamper-indicating in both the access and secure modes.  System components used for = protection of=20 other interests shall be protected, consistent with a cost/benefit = analysis=20 determined by each facility. Electronics enclosures and junction boxes = shall=20 be:  under lock and key = control;=20 have tamper switches; have tamper-resistant hardware; or be welded = shut.  Line supervision is = required.  Access to records and = information=20 concerning encoded data and personal identification numbers shall be = restricted=20 to authorized individuals.  = Records=20 reflecting active assignments

of badges, personal identification numbers, = levels of=20 access, and similar system-related records shall be maintained.  All records for access control = and=20 intrusion detection systems, including personnel removed from the = system, shall=20 be retained for 1 year.


m      = Auxiliary=20 power sources. =20 Auxiliary power shall = be=20 available and shall be capable of maintaining full operation of the = intrusion=20 detection and assessment system for 8 hours, or for such time as would = be needed=20 to implement contingency plans.  = The=20 period of time necessary to implement contingency plans shall be=20 documented.  Auxiliary = power sources=20 shall have the capability to facilitate operational testing or routine=20 maintenance.


        =20 Transfer to auxiliary power shall be automatic upon failure of = the=20 primary source and shall not effect operation of the security system or=20 device.  The alarm station = shall=20 receive an alarm indicating failure of the security system power and = transfer to=20 the auxiliary power source.


n      =20 Maintenance. =20 Security-related = subsystems and=20 components shall be maintained in an operable condition.  A regularly scheduled testing = and=20 maintenance program is required.  = Corrective maintenance shall be initiated within 72 hours of the=20 indication of malfunction. The local cognizant USDA or agency authority = for=20 physical security systems shall determine if compensatory measures are=20 necessary.


        =20 The following system elements shall be included in a preventive=20 maintenance program:  = intrusion=20 detection and assessment systems, central alarm station alarm = enunciators,=20 protective force equipment, personnel access control and inspection = equipment,=20 security lighting, and security system-related emergency power or = auxiliary=20 power supplies.


        =20 Personnel who test, maintain, or service security system elements = shall=20 have access authorization consistent with the protection level where the = maintenance is being performed.


        =20 Records of testing shall be retained for 1 year.


o      =20 Performance Testing. =20 Performance assurance = programs shall=20 provide for operability and effectiveness tests of security systems = and/or=20 components of systems.  = Testing=20 frequencies shall reflect site-specific conditions, operational needs, = and=20 threat levels.  However, = at least=20 annually, a performance test encompassing protection systems associated = with a=20

comprehensive site or = facility=20 threat scenario shall be conducted to

demonstrate overall facility physical security = system=20 effectiveness.  This = includes:  integrated systems of = equipment and=20 hardware, administrative procedures, protective forces, and other = staff.


The performance assurance program shall = provide for=20 operability and effectiveness tests. =20 The program will be implemented in a graded manner.  Elements that are determined = to be most=20 significant are those that provide protection for BSL-3 pathogens and=20 information related to BSL-3 pathogens.


p       = Response=20 Forces.  Response to intrusion detection alarms shall = be by=20 protective personnel, private security firms, or local law enforcement=20 personnel, as documented in approved biosecurity incident response = plans.  If the response time by local = law=20 enforcement is inappropriate for the protection strategy, the on-site = security=20 force shall be armed.


q       = Duress=20 Systems.  Activation of duress alarms shall be = accomplished in as=20 unobtrusive a manner as practicable. =20 Duress alarms shall not enunciate at the post initiating the = duress=20 alarm.  Mobile duress = alarms shall=20 enunciate at the central alarm station.


r       =20 Radios.  = A continuous electronic recording system shall = be=20 provided for all security radio traffic. =20 The logging recorder shall be equipped with a time track and = shall cover=20 all security channels.  = Portable=20 radios shall be capable of  = two-way=20 communication on the primary security channel from within critical = buildings and=20 structures--or an alternate means of communication =

shall be = provided.  Portable radios shall contain = sufficient=20 battery capacity to

operate for an 8-hour = period at=20 maximum expected duty cycle. =20 Procedures

for radio or battery = exchange, or=20 battery recharge, can be used to meet this



s       =20 Exit Inspections for Limited and Exclusion Zones.  Personnel, vehicles, and hand-carried items, = including=20 packages, briefcases, purses, and lunch pails, shall be subject to = random exit=20 inspections to deter and detect unauthorized removal of BSL-3 pathogens = and=20 information related to BSL-3 pathogens from security areas.


t       =20 prohibited Articles. =20 The following articles are prohibited from BSL-3 areas, = unless=20 approved by the cognizant USDA local authority for physical security = systems:=20 any dangerous weapon, explosive, or other dangerous instrument=20

or material likely to = produce=20 substantial injury or damage to persons or

property. Sites shall, = at a=20 minimum, employ administrative procedures to

prohibit these = articles.


u       = Visitor=20 Logs.  Visitor = logs are=20 required for limited areas and exclusion areas and shall be retained for = 1=20 year.





           =20 a   =20 Purpose.  = The purpose=20 of this section is to set policy to:


(1)    =20 Ensure that the required and appropriate level of = confidentiality,  specifically information = related to=20 BSL-3 pathogens, is preserved by the system that is used to acquire, = store,=20 manipulate, manage, move, control, display, switch, interchange, = receive, or=20 transmit that information;


(2      = Protect the physical, technical, and = administrative=20 controls and risk management processes that secure USDA information and=20 information related to BSL-3 pathogens;


(3)     Require that = each USDA=20 high-containment laboratory tailors the protection mechanisms, = implementation,=20 and security planning for its cybersecurity program to suit its = environment,=20 missions, and threats, while maintaining consistency and = interoperability with=20 USDA=92s overall cybersecurity policies and = procedures;


(4)     Ensure = prudent=20 application of resources.


The=20 Department and its contractors shall systematically integrate = cybersecurity into=20 management and work practices at all levels so that missions are = accomplished=20 while protecting electronic information and electronic information = systems.  This is to be accomplished = through=20 effective integration of cybersecurity management into all facets of = work=20 planning and execution.  = In other=20 words, the overall management of cybersecurity functions and activities = shall=20 become an integral part of mission accomplishment.


p;   b           &nbs=
p; Following are the general policies:
(1)           =
;     Cyber Resource Protection.  =
Each agency shall ensure that all USDA information resources, =
including USDA information related to 
p; high-consequence pathogens under its purview, are protected in =
a manner that is consistent with its threats and missions at all times. =
(2)           =
;     Risk Management.  =
Each agency shall use a risk-based approach to identify =
information resources and specifically those that are related to BSL-3 =
pathogens.  A documented =
risk assessment process shall be used to make informed decisions related =
to the adequacy of protection, cost implications of further enhanced =
protection, and acceptance of residual =
(3)        =
Resources.  =
Each agency shall plan, budget, allocate, and execute resources =
sufficient to ensure comprehensive implementation and maintenance of =
that organization=92s computer security program. 
(4)        Cybersecurity =
Program Plan.  Each =
agency shall document its cybersecurity program in an Information System =
Security Plan (ISSP). The ISSP shall be approved by the organization=92s =
local director, field office, and the Office of the Chief Information =
(OCIO), Cybersecurity.  USDA agencies may revise their =
ISSPs as required by new operational considerations, risks, =
vulnerabilities, etc.  =
Each agency shall submit the revised ISSP to its local director, =
field office, and to OCIO, Cybersecurity, for approval. =
(5)        ISSP Assessment and =
Review.  To ensure =
that the ISSP is properly implemented, it shall be subject to the =
following reviews:  =
1   =
Implementation of the ISSP =
shall be internally reviewed no less frequently than once every =
year.  =
2   =
The appropriate field =
office shall review the ISSP at least once every 3 years.  
3   =
Finally, the USDA Chief =
Information Officer shall maintain a continuous program of independent =
oversight for cybersecurity.  =
The independent oversight program will include announced and =
unannounced cybersecurity inspections, follow-up reviews, remote testing =
for network vulnerabilities (network scanning), and penetration =
(6)        Corrective =
Action Plans.  Each =
agency shall draft and implement corrective action plans to address =
security shortfalls revealed as a result of the oversight review =
process.  The corrective =
action plans shall include actions to be taken, responsible =
organizations and individuals for each action, the schedule (including =
key milestones), actions to address 
root causes and generic applicability, a =
process for tracking actions to
closure, and steps to verify effectiveness =
of actions prior to closure.
(7)        User =
Authentication.  Each =
agency shall employ user authentication techniques before allowing users =
to access systems that support multiple-user accounts or that contain =
hard-to-replace or sensitive data.  The organization=92s ISSP shall indicate the systems =
or enclaves that require authentication and the type of authentication =
that shall be employed.
(8)        Access =
Protection.  Access to =
each agency=92s information resources shall be protected commensurate =
with the risks and threats of its environment.  The ISSP shall specify the =
information resources to be protected and the protective mechanisms to =
be used.  =
(9)        =
Auditing.  =
Each agency shall be capable of recording and maintaining in an =
audit trail information regarding access to and modifications of all =
information resources, where this is identified as appropriate by risk =
and vulnerability analysis, and such capability is technically =
feasible.  The ISSP shall =
state the systems or enclaves that shall be audited, what information =
shall be captured in that audit trail, and how long the audit trail =
shall be maintained.
(10)      Continuity of =
Service.  Each agency =
shall employ procedures and mechanisms to curtail or recover from =
activities that can disrupt or otherwise interfere with system =
availability, where operationally necessary and technically =
feasible.  The ISSP shall =
identify the organization=92s systems and enclaves that require such =
mechanisms and procedures and shall detail the procedures and mechanisms =
(11)      Security Monitoring and =
Reporting.  Each =
agency shall report security incidents to the OCIO, Cybersecurity.  In addition, each agency shall =
provide 24-hour-a-day, 7-day-a-week monitoring of cybersecurity =
activities.  The ISSP =
shall specify the type of events that require monitoring, the enclaves =
and systems that will be subject to monitoring, how the 24x7 monitoring =
will be handled, and the composition of the organization incident =
response team.  
(12)      Training.  Personnel from agencies and =
contractors shall be appropriately trained in cybersecurity =
vulnerabilities, threats, protection strategies, and respective =
organizational and personal responsibilities.  The ISSP shall specify the =
details of the training program.
(13)      Malicious Code.  Each agency shall establish =
procedures and mechanisms consistent with the threat environment, to =
limit (as technically feasible) the introduction of malicious code into =
its information systems.  =
The ISSP shall specify the mechanisms used to detect and deter =
the installation of malicious code and the frequency of updating such =
(14)      System =
Administrator.  Each =
USDA organization shall have a system administrator, who is responsible =
for developing, updating, and implementing the ISSP; monitoring =
cybersecurity activities locally; responding to cyber incidents in =
coordination with the appropriate headquarters oversight office; and =
ensuring that there is local understanding of USDA cybersecurity =
policies and procedures. 

           =20 c    The = following=20 are the specific policies that should be documented in the ISSP:


(1)     Modem=20 Use.  All connections to the outside = world,=20 including modems, shall go through a firewall.  Modems that are not needed for = day-to-day work shall not be plugged into the phone system.  If a modem is needed for = outbound=20 traffic only, the internal call-in ability shall be disabled.  Systems with modems that are = both on the=20 Local Area Network (LAN) and are used for day-to-day dial up to = additional=20 networks shall have a personal firewall installed to deny access from = one=20 network to the other.   (2)    =20 Anti-Virus Software. =20 All systems shall have a virus scanner installed.  This virus scanner shall be = enabled to=20 automatically update either directly or via a virus-scanner proxy.  All E-mail shall be virus = checked before=20 it is delivered in or out of the LAN.


(3)    =20 Password Policy. =20 Passwords cannot be dictionary words or common names, and they = cannot be=20 the same as the login name.  = They=20 shall be eight characters or more. =20 If the system is in an open or public area, the system shall also = be=20 protected by a boot-up password.  = Passwords shall not be kept anywhere near the system or anywhere = in the=20 open.  Passwords for = networked=20 computers shall be changed every 60 days. =20 Systems in open or public areas shall have a locking screensaver; = systems=20 in locking offices should have a locking screensaver. 


(4)     External=20 Network.  Servers that are open to the = public=20 (such as external Web servers, E-mail servers, File Transfer Protocol = servers)=20 shall be on an isolated (external) network segment.  A firewall shall be used = and/or=20         =20 each system shall be secured to the maximum level possible at = both the=20         =20 operating system and application level.  Only public data can be on=20 this         =20 network.  

        =20 All Web servers shall have the Web content reviewed before public = release.  This is to = ensure that=20 details about the laboratory=92s facility and security system are not = openly=20 available, and information related to personnel and those who work with = BSL-3=20 pathogens is kept to an absolute minimum. =20


           &nbs= p;     =20 (5)    =20 Internet Network.  = The=20 internal systems and servers shall be on an isolated (internal) network = that is=20 fire walled.  There shall = be very=20 little to no traffic entering this network segment.  If the internal network needs = to be open=20 to an outside individual, an encrypted tunnel such as a Virtual Private = Network=20 (VPN) shall be used.  Only = select=20 traffic shall be allowed to travel from the external network to the = internal=20 network. 


(6)     Remote=20 Access.  If a user = needs to=20 access the internal network from a remote location, a VPN transport or=20 equivalent solution shall be utilized. The system at the user=92s end = shall use=20 =93VPN client=94 or an equivalent. 

The network end can use VPN tunneling or an=20 equivalent.  Systems on =

both ends of the VPN shall comply with this = security=20 policy.


(7)     E-mail=20 Policy.   All = E-mail sent=20 and received from an outside network shall be treated as open to public=20 view.  Sensitive data = traveling on=20 the Internet shall be encrypted; this includes E-mail and work performed = by=20 remote network users.=20


(8)     Outbound=20 Access.  Only = necessary traffic=20 shall be permitted to leave the internal network.  Necessary traffic may = include:  Web browsing,

        =20 E-mail, File Transfer Protocol servers, and other standard = Internet=20 applications. 


(9)    =20 Intrusion Detection. =20 Intrusion detection on the network is critical to verify the = security=20 measures are working.  An = Intrusion=20 Detections System (IDS) shall be installed on the internal network.  An IDS system shall also be = installed on=20 the external network.  The = System=20 Administrator shall review the IDS=92s logs and monitor unusual network=20 traffic.  Constant = analysis is=20 critical to securing and maintaining the security on a network.





           =20 a   =20 Purpose.   = This=20 section sets policy on suitability requirements for USDA and non-USDA = personnel=20 requiring access to BSL-3 facilities. =20


(1)     = Background Investigations.  = Following=20 Office of Procurement Policy Management instructions, the following=20 investigations will be conducted to determine the personnel = suitability: 


(a)  PSL1-National Agency Check = with Inquiry=20 (NACI) -  [Low Risk           &n= bsp;=20 Public Trust]


(b)   =20 PSL-2-Limited = Background=20 Investigation =96 [Moderate Risk

       = Public=20 Trust]


 (c) =20 PSL-3-Background Investigation =96 [High Risk Public Trust]


(2)     = pre-employment. =20 Recruitment announcements will notify all candidates for = permanent and=20 non-permanent positions that the position is located within a BSL-3 = facility and=20 appointment to the position is subject to a background = investigation. 


A pre-employment = Special Agency=20 Check must be completed for all

PSL-2 and PSL-3 = selectees prior to=20 appointment.  An appointee = to

        =20 PSL-1 positions may have the NACI completed after entering on = duty.  


(3)        =20 usda Employees.  Appointees to PSL-2 and PSL-3 positions must = have a=20 completed and favorably adjudicated background investigation prior to = assuming=20 duties with the BSL-3 facility.  = New=20 appointees may be assigned duties outside the BSL-3 area or may have = access to a=20 BSL-3 area only if escorted into the BSL-3 facility by a staff member = who has a=20 completed background investigation and appropriate facility = authorization. =20


           &nbs= p;            = ;  =20 Note:  =20 Personnel who have been granted a secret or top secret clearance = level=20 may be authorized unescorted access to the BSL-3 facility upon receipt = of their=20 security clearance. 


(4)        =20 non-USDA Personnel.  Includes personnel from = universities,=20 cooperators, contractors, students, visiting scientists, laboratory = visitors,=20 seminar attendees, etc.  Non-USDA personnel will be escorted = all times by=20 staff members who have a completed background investigation and = appropriate=20 facility authorization.  =


Note: =   Facility managers may = authorize non-USDA=20 personnel unescorted access if the non-USDA personnel have appropriate=20 background investigations. 




a    = Purpose.  This section sets policy = for=20 responses to specific types of incidents in order to protect personnel = and=20 secure pathogen holdings.


b    The biosecurity = plan must=20 include responses to the following types of incident:


           &nbs= p;     =20 (1)    =20 Biocontainment breach

(2)        =20 Biocontainment security breach

(3)    =20 Inventory violation

(4)    =20 Non-biological incident such as violence

(5)    =20 Cybersecurity breach


c  The = plan must=20 address the following issues:  =


(1)    =20 Personnel safety and health

(2)     = Containment

(3)    =20 Inventory control

(3)        =20 Notification of managers and responders


d Each = organizational=20 level responsible for a BSL-3 facility will submit a biosecurity = incident=20 response plan to headquarters for review.

           &nbs= p;            = ;        =20

The determination of a =20 biosecurity incident is by the Incident Response Chief (IRC) who = must be=20 notified by phone call or in person of a potential incident.  The IRC, after investigation, = will=20 determine if a  = biosecurity incident has = occurred.  If a potential threat exists = to either=20 facilities or personnel, the IRC will notify the Federal Protective = Service,=20 local police, and the USDA Office of Inspector General.