I noted last weekend that OMB had approved final rules for both the HHS/CDC and USDA
regulation updates for Select Agent and Toxins biosecurity. Yesterday both
agencies published their rules in the Federal Register (HHS/CDC – 77 FR 61083-61115;
USDA – 77 FR 61055-61081). The two final rules make nearly identical amendments
to 7 CFR 331, 9 CFR 121, and 42 CFR 73. I’m going to ignore the revisions to
the lists of Select Agents and Toxins made in these rules; that’s better left
to someone who can describe the difference between “C. perfringens epsilon
toxin” and “conotoxins”.
Cybersecurity
Both rules briefly address cybersecurity by adding a definition of information
security to §XX.1. The definition is based on the common ‘CIA’ triad
(Confidentiality, Integrity, and Availability) routinely used by industry, but
the order has been switched in these rules. Both rules define it this way:
“Information security means
protecting information and information systems from unauthorized access, use,
disclosure, disruption, modification, or destruction in order to provide—
“(1) Integrity, which means
guarding against improper information modification or destruction, and includes
ensuring information authenticity;
“(2) Confidentiality, which means
preserving authorized restrictions on access and disclosure, including means
for protecting personal privacy and proprietary information; and
“(3) Availability, which means
ensuring timely and reliable access to and use of information.”
Section XX.11(c)(9) in each of the three CFR revisions deals
with information security. The first requirement, however, deals with
control systems that are used to manage security at covered facilities. It
requires that “all external connections to systems which manage security for
the registered space are isolated or have controls that permit only authorized
and authenticated users” {XX.11(c)(9)(i)}. The final subparagraph {XX.11(c)(9)(v)}
also addresses security systems by requiring that backup systems be in place
to backstop failures of access control systems, surveillance devices, and
other required security systems.
The remaining three sub-paragraphs deal with very common and
standard information security measures. They require role-based access “to
select agent and toxin related information, files, equipment (e.g., servers or
mass storage devices) and applications” {XX.11(c)(9)(ii)}. The changes also
require “that controls are in place that are designed to prevent malicious code
(such as, but not limited to, computer virus, worms, spyware) from compromising
the confidentiality, integrity, or availability [Note: they got the CIA
sequence correct here] of information systems” {XX.11(c)(9)(iii)}. Finally, there
is a mandate to establish a configuration management program that requires “regular
patching and updates made to operating systems and individual applications” {XX.11(c)(9)(iv)}.
These are all nice generic requirements that will apply
without major changes being required as new generations of computer systems
come on line. They do not require specific equipment or software, leaving
substantial leeway for the security management team to design an appropriate
security system for the deployed computer systems. One generic control was
missed in these rules, a requirement to establish cyber-communications logs and
conduct periodic reviews of those logs.
Actually, a set of requirements like this could serve as a
reasonable model for federal cybersecurity requirements for any high-risk
critical infrastructure installation. The only thing that I would suggest be
included (besides the previously discussed comm-logs) would be a requirement to
report any intrusion into the protected systems (to US-CERT/FBI for information
systems and ICS-CERT/FBI for control systems).
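As an added illustration (not part of the post or of either rule), this is the kind of periodic log review the post says the rules omit, applied to the XX.11(c)(9)(i) criterion: every external connection to the security-management server must be both authenticated and from a user whose role authorizes it. The log format, the internal network ranges and the authorized-user list are constructed assumptions.

```python
import ipaddress
import re

# Constructed assumptions: the registered space's internal ranges and the
# users whose role authorizes access to the security-management server.
INTERNAL_NETS = [ipaddress.ip_network("10.20.0.0/16"),
                 ipaddress.ip_network("192.168.50.0/24")]
AUTHORIZED_USERS = {"rso_jones", "sec_admin"}

# Constructed log format: timestamp, source address, user, auth result, action.
LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S*) "
                     r"auth=(?P<auth>ok|fail|none) action=(?P<action>\S+)$")

def is_external(ip_text):
    """True if the source address lies outside every internal range."""
    addr = ipaddress.ip_address(ip_text)
    return not any(addr in net for net in INTERNAL_NETS)

def review_log(lines):
    """Return (category, line) findings: external connections that are not
    both authenticated and from an authorized user, plus unparseable lines."""
    findings = []
    for raw in lines:
        line = raw.strip()
        m = LINE_RE.match(line)
        if not m:
            findings.append(("unparseable", line))
            continue
        try:
            external = is_external(m["src"])
        except ValueError:  # malformed address: flag it, never silently skip
            findings.append(("unparseable", line))
            continue
        if not external:
            continue  # internal traffic is outside the (c)(9)(i) criterion
        if m["auth"] != "ok":
            findings.append(("unauthenticated-external", line))
        elif m["user"] not in AUTHORIZED_USERS:
            findings.append(("unauthorized-external", line))
    return findings

# Constructed sample log lines (not real facility data).
SAMPLE_LOG = [
    "2012-10-05T02:14:07Z src=10.20.4.8 user=rso_jones auth=ok action=door-schedule",
    "2012-10-05T02:15:31Z src=203.0.113.45 user=sec_admin auth=ok action=camera-view",
    "2012-10-05T02:16:02Z src=203.0.113.45 user=sec_admin auth=fail action=login",
    "2012-10-05T02:17:40Z src=198.51.100.9 user=vendor_tmp auth=ok action=ids-schedule",
    "2012-10-05T02:18:11Z src=198.51.100.9 user= auth=none action=status-poll",
    "rotated: partial line",
]
```

Running `review_log(SAMPLE_LOG)` flags the failed login and the unauthenticated poll, the authorized-but-unknown vendor account, and the truncated line, while the internal schedule change and the authenticated administrator are not reported.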
Physical Security
The existing regulations already contain some physical security
provisions under §XX.11. The crafters of these rule changes did determine that
there was a necessity for defining one of the terms used in the regulation: ‘security
barrier’. This definition was added to §XX.1; a security barrier is defined as
“a physical structure that is designed to prevent entry by unauthorized
persons”.
Tier 1 Security Plans
It’s at this point that two of the sections diverge from the
wording of the third. The USDA rule 7 CFR §331.11(f) lists that
sub-paragraph as “Reserved”, meaning it contains no current requirements. The
USDA rule 9 CFR §121.11(f) (77 FR 61079) and the HHS/CDC rule 42 CFR §73.11(f)
(77 FR 61113) describe additional items to be addressed by the security plan
for an individual or entity possessing a Tier 1 select agent or toxin. The
additional requirements include requirements for:
• Conducting a pre-access suitability assessment of persons who will have access to a Tier 1 select agent or toxin {§XX.11(f)(1)};
• Coordinating the efforts of the entity's responsible official with the entity's safety and security professionals to ensure security of Tier 1 select agents and toxins and share, as appropriate, relevant information {§XX.11(f)(2)};
• Conducting ongoing assessment of the suitability of personnel with access to a Tier 1 select agent or toxin {§XX.11(f)(3)};
• Providing additional security enhancements {§XX.11(f)(4)}; and
• For facilities that possess foot-and-mouth disease virus or rinderpest virus, providing even more additional security enhancements {§XX.11(f)(5)}.
The additional security measures for general Tier 1
facilities include requirements for further limiting access to the facility;
requirements for three security barriers including equipping at least one with
an intrusion detection system (IDS); protection of registered spaces by an IDS
when not occupied; and backup power for all powered security systems.
Additionally the response time for security forces or police must be measured
at less than 15 minutes and barriers should provide sufficient delay to allow
the response to arrive before the intruder can reach the Tier 1 select agent or
toxin.
The additional security measures for the two specific agents
include requirements for a fourth barrier and the requirement that one of the
four barriers be a perimeter fence which is continuously monitored by security
personnel. There is also a requirement for an on-site armed response force with
a response time of less than 5 minutes. Closed circuit television surveillance
is also required, as is GPS tracking for any vehicle used to transport the special
select agents.
No Inspections
While these three CFR sections require some relatively
specific security measures and the development of a security plan (with an
appropriate guidance document), there are no provisions made to require USDA or
HHS/CDC to approve or inspect these plans. This certainly allows the program to
avoid the problems that DHS/ISCD is currently having with the CFATS program; it
also means that inadequate security programs will probably not be detected
until after a select agent or toxin, or information about the same, walks out
of one of these facilities into a terrorist attack.