Centers for Disease Control and Prevention
Office of the Director
Select Agent Program
 United States Department of Health and Human Services
Security Risk Assessment

The statutory authority for the regulation of the possession, use, and transfer of select biological agents and toxins is the Public Health Security and Bioterrorism Preparedness and Response Act of 2002. Under that Act, the Attorney General has the responsibility to conduct security risk assessments (SRA) of individuals that require access to select biological agents and toxins. Thus, all individuals or entities seeking to register with CDC under the provisions of 42 CFR Part 73 and/or with APHIS under the provisions of 7 CFR Part 331 and/or 9 CFR Part 121 must have a security risk assessment conducted by the Attorney General. The Attorney General, U.S. Department of Justice, has designated the Federal Bureau of Investigation (FBI), Criminal Justice Information Services Division (CJIS), to conduct the security risk assessments.

As part of the FBI’s security risk assessment, each individual who has been identified as requiring access to select biological agents and toxins, as well as the Responsible Official (RO), Alternate Responsible Official (ARO), and any individual who owns or controls the entity, must complete FBI Form FD-961 and submit two legible fingerprint cards to FBI/CJIS.

How is the owner of an entity defined? FBI/CJIS has determined that for the assessment under the Bioterrorism Act, an individual who owns or controls an entity is defined as:

"Except for an accredited academic institution, a person shall be deemed to own or control an entity if that person is a partner, officer, director, holder, or owner of 50 percent or more of its voting stock and is in a managerial or executive capacity with regard to select agent possessed, used, or transferred by the entity. For an accredited academic institution, a person shall be deemed to control an entity if that person is a responsible official with regard to the select agent possessed, used, or transferred by the entity."

Note that if the entity is a local, state, or federal institution, then the owners do not require a security risk assessment (42 CFR 73.8(a)). Also, owners of accredited academic institutions do not require security risk assessments. An accredited academic institution is defined by the FBI/CJIS as:

"Postsecondary, language and vocational schools must be accredited by an accrediting agency recognized by the United States Department of Education. Proof that a school has been determined to be eligible under Title IV of the Higher Education Act of 1965 is sufficient to establish that a school is properly accredited, since such accreditation is a prerequisite for recognition under Title IV of the latter Act. The specific requirements for Title IV eligibility are specified at 34 CFR part 600."

Please note that ALL Responsible Officials, Alternate Responsible Officials, and individuals with access to select agents and toxins do require a security risk assessment, regardless of whether they are with government or accredited academic institutions. Re-read the regulation if you are unfamiliar with Part 73.8.

The following process applies to a new application or an amendment to an existing application for any personnel changes that require a security risk assessment (SRA):

  • The entity Responsible Official (RO) submits an application or amendment that includes a Table 4B (CDC Form 0.1319/USDA Form 2044) to their lead agency (APHIS or CDC, but not both). The lead agency serves as single point of contact for an entity and is responsible for coordinating all activities and communications with respect to new applications or amendments;
  • The lead agency issues back to the entity a letter with the unique Department of Justice (DOJ) identifying number for each individual listed on the Table 4B or amended 4B;
  • The RO forwards to each individual their unique DOJ identifying number;
  • The individual fills out FBI form (FD-961) and puts their unique identifying number in block 17;
  • The individual follows all of the FBI instructions (http://www.fbi.gov/hq/cjisd/takingfps.html) for submitting fingerprints; and
  • The individual mails the FD-961 form and fingerprint cards as one package directly to the FBI, Criminal Justice Information Services Division (CJIS), not to APHIS or CDC. NOTE: All FBI FD-961 forms received by APHIS or CDC will be returned directly to the RO of the entity, which will delay the processing of SRAs.

FBI, CJIS, Bioterrorism
1000 Custer Hollow Road, Module E-3
Clarksburg, WV 26306-0147

The RO is strongly encouraged to follow up on each individual listed on Table 4B as requiring access to select agents and toxins, to ensure that each individual has submitted both their completed FBI FD-961 form and fingerprint cards to FBI/CJIS.

If you have questions regarding completion of the FD-961 form, contact the FBI directly at (304) 625-4900 or visit http://www.fbi.gov/terrorinfo/bioterrorfd961.htm. Written requests may be faxed to (304) 625-5393 (for FD-961 forms) or (304) 625-3984 (for fingerprint cards). These faxed requests should include the following: entity name, point of contact or RO, mailing address, contact telephone number and the number of fingerprint card packets requested.

If you have any questions concerning the CJIS/FBI SRA process, please contact CJIS/FBI at 304-625-4900. If you have questions regarding how to obtain a CDC assigned DOJ Unique Identifying Number, please contact your designated CDC representative. If you are unsure who your CDC representative is, please call 404-498-2255.

Frequently asked questions:

1. What is the procedure if an individual from one registered entity wants to visit another registered entity?

  • If the individual(s) will have access to select agents or toxins, the receiving entity RO should request the sending entity RO to provide a letter stating that the individual(s) is currently identified on Table 4B of the sending entity’s registration. The receiving entity is defined as the entity where the training, work or visit will take place. The sending entity is defined as the entity where the individual(s) are currently located. The individual must have a current SRA approval. The letter should include: individual’s full name, date of birth, date of issuance of the SRA approval and unique DOJ identifying number of the individual(s).
  • The receiving entity RO should submit this letter and an amendment to the registration to the lead agency (APHIS or CDC). The amendment should provide updated Tables 4A and 4B, and Sections 5B through 5G, where applicable (e.g., Principal Investigator, specific agents or toxins, specific laboratory buildings/rooms, etc.).
  • Once the visit is complete, the receiving entity RO should amend the entity’s registration to remove the visiting individual’s name from the Table 4B. In some circumstances the receiving entity RO may decide to leave the individual(s) on the registration, if the same individual(s) will be visiting the entity again.

2. What is the procedure if an individual from an unregistered entity wants to visit a registered entity?

  • If an individual(s) will have access to select agents or toxins, they must have a current security risk assessment. Follow the process as indicated above.
  • Once the visit is complete, the receiving entity RO should amend the entity’s registration to remove the visiting individual’s name from the Table 4B. In some circumstances the receiving entity RO may decide to leave the individual(s) on the registration, if the same individual(s) will be visiting the entity again.

3. What criteria are used for determining approval of a security risk assessment?

The security risk assessment will evaluate whether an individual is a restricted person based on the criteria of the PATRIOT Act (http://www.cdc.gov/od/sap/addres.htm), has committed a Federal crime, is involved with any group that engages in domestic or international terrorism or any organization that engages in intentional acts of violence, or is an agent of a foreign power.

4. How long is the security risk assessment valid?

It is valid for a period of five years unless terminated by the HHS Secretary sooner.



This page last reviewed July 15, 2004
