73.11—Security.

(a) An individual or entity required to register under this part must develop and implement a written security plan. The security plan must be sufficient to safeguard the select agent or toxin against unauthorized access, theft, loss, or release.
(b) The security plan must be designed according to a site-specific risk assessment and must provide graded protection in accordance with the risk of the select agent or toxin, given its intended use. The security plan must be submitted upon request.
(c) The security plan must:
(1) Describe procedures for physical security, inventory control, and information systems control,
(2) Contain provisions for the control of access to select agents and toxins,
(3) Contain provisions for routine cleaning, maintenance, and repairs,
(4) Establish procedures for removing unauthorized or suspicious persons,
(5) Describe procedures for addressing loss or compromise of keys, passwords, combinations, etc. and protocols for changing access numbers or locks following staff changes,
(6) Contain procedures for reporting unauthorized or suspicious persons or activities, loss or theft of select agents or toxins, release of select agents or toxins, or alteration of inventory records, and
(7) Contain provisions for ensuring that all individuals with access approval from the HHS Secretary or Administrator understand and comply with the security procedures.
(d) An individual or entity must adhere to the following security requirements or implement measures to achieve an equivalent or greater level of security:
(1) Allow access only to individuals with access approval from the HHS Secretary or Administrator,
(2) Allow individuals not approved for access from the HHS Secretary or Administrator to conduct routine cleaning, maintenance, repairs, or other activities not related to select agents or toxins only when continuously escorted by an approved individual,
(3) Provide for the control of select agents and toxins by requiring freezers, refrigerators, cabinets, and other containers where select agents or toxins are stored to be secured against unauthorized access (e.g., card access system, lock boxes),
(4) Inspect all suspicious packages before they are brought into or removed from the area where select agents or toxins are used or stored,
(5) Establish a protocol for intra-entity transfers under the supervision of an individual with access approval from the HHS Secretary or Administrator, including chain-of-custody documents and provisions for safeguarding against theft, loss, or release,
(6) Require that individuals with access approval from the HHS Secretary or Administrator refrain from sharing with any other person their unique means of accessing a select agent or toxin (e.g., keycards or passwords),
(7) Require that individuals with access approval from the HHS Secretary or Administrator immediately report any of the following to the Responsible Official:
(i) Any loss or compromise of keys, passwords, combination, etc.,
(ii) Any suspicious persons or activities,
(iii) Any loss or theft of select agents or toxins,
(iv) Any release of a select agent or toxin, and
(v) Any sign that inventory or use records for select agents or toxins have been altered or otherwise compromised, and
(8) Separate areas where select agents and toxins are stored or used from the public areas of the building.
(e) In developing a security plan, an entity or individual should consider the document entitled “Laboratory Security and Emergency Response Guidance for Laboratories Working with Select Agents. Morbidity and Mortality Weekly Report December 6, 2002; 51:RR-19:1-6.” The document is available on the Internet at: http://www.cdc.gov/mmwr.
(f) The plan must be reviewed annually and revised as necessary. Drills or exercises must be conducted at least annually to test and evaluate the effectiveness of the plan. The plan must be reviewed and revised, as necessary, after any drill or exercise and after any incident.