This is the accessible text file for GAO report number GAO-08-1092 entitled 'Biosafety Laboratories: Perimeter Security Assessment of the Nation's Five BSL-4 Laboratories' which was released on October 16, 2008. This text file was formatted by the U.S. Government Accountability Office (GAO) to be accessible to users with visual impairments, as part of a longer term project to improve GAO products' accessibility. Every attempt has been made to maintain the structural and data integrity of the original printed product. Accessibility features, such as text descriptions of tables, consecutively numbered footnotes placed at the end of the file, and the text of agency comment letters, are provided but may not exactly duplicate the presentation or format of the printed version. The portable document format (PDF) file is an exact electronic replica of the printed version. We welcome your feedback. Please E-mail your comments regarding the contents or accessibility features of this document to Webmaster@gao.gov. This is a work of the U.S. government and is not subject to copyright protection in the United States. It may be reproduced and distributed in its entirety without further permission from GAO. Because this work may contain copyrighted images or other material, permission from the copyright holder may be necessary if you wish to reproduce this material separately. Report to Congressional Committees: United States Government Accountability Office: GAO: September 2008: Biosafety Laboratories: Perimeter Security Assessment of the Nation's Five BSL-4 Laboratories: GAO-08-1092: GAO Highlights: Highlights of GAO-08-1092, a report to congressional committees. Why GAO Did This Study: Biosafety labs under the U.S. Bioterrorism Act are primarily regulated and must be registered with either the Centers for Disease Control and Prevention (CDC) or the U.S. Department of Agriculture (USDA) under the Select Agent Regulations. Currently, all operational biosafety level (BSL) 4 labs are registered with the CDC and thus are regulated by the CDC, not USDA. BSL-4 labs handle the world’s most dangerous agents and diseases. In fact, of the four BSL designations, only BSL-4 labs can work with agents for which no cure or treatment exists. GAO was asked to perform a systematic security assessment of key perimeter security controls at the nation’s five operational BSL-4 labs. To meet this objective, GAO performed a physical security assessment of the perimeter of each lab using a security survey it developed. GAO focused primarily on 15 physical security controls, based on GAO expertise and research of commonly accepted physical security principles. What GAO Found: Select Agent Regulations do not mandate specific perimeter security controls that need to be in place at each BSL-4 lab, resulting in significant differences in perimeter security between the nation’s five labs. While three labs had all or nearly all of the key security controls GAO assessed—features such as perimeter barriers, roving armed guard patrols, and magnetometers in use at lab entrances—two labs demonstrated a significant lack of these controls. Specifically, one lab had all 15 security controls in place, one had 14, and another had 13 of the key controls. However, the remaining two labs had only 4 and 3 key security controls, respectively. The check marks in the table below indicate the presence of specific security features at the labs GAO assessed, illustrating the varying levels of perimeter physical security controls present at the labs for 5 of the 15 security controls GAO assessed. Table: Selected Results of Perimeter Security Assessment: Security controls: Command and control center; Lab A: Check; Lab B: Check; Lab C: [Empty]; Lab D: Check; Lab E: [Empty]. Security controls: Closed-circuit television (CCTV) monitored by the command and control center; Lab A: Check; Lab B: Check; Lab C: [Empty]; Lab D: Check; Lab E: [Empty]. Security controls: Active intrusion detection system integrated with CCTV; Lab A: [Empty]; Lab B: Check; Lab C: [Empty]; Lab D: Check; Lab E: [Empty]. Security controls: Camera coverage for all exterior lab building entrances; Lab A: Check; Lab B: Check; Lab C: [Empty]; Lab D: Check; Lab E: [Empty]. Security controls: Visible armed guard presence at all public entrances to lab; Lab A: Check; Lab B: Check; Lab C: [Empty]; Lab D: [Empty]; Lab E: [Empty]. Source: GAO. [End of figure] Although the presence of the security controls GAO assessed does not automatically ensure a secure perimeter, having most controls provides increased assurance that a strong perimeter security system is in place and reduces the likelihood of unauthorized intrusion. For example, the two labs with fewer security controls lacked both visible deterrents and a means to respond to intrusion. One lab even had a window that looked directly into the room where BSL-4 agents were handled. In addition to creating the perception of vulnerability, the lack of key security controls at these labs means that security officials have fewer opportunities to stop an intruder or attacker. The two labs with fewer security controls were approved by the CDC to participate in the Select Agent Program despite their weaknesses. During the course of our review, GAO noted that the three labs with all or nearly all of the key security controls GAO assessed were subject to additional federal security requirements imposed on them by agencies that owned or controlled the labs, not because of the Select Agent Regulations. What GAO Recommends: GAO recommends that the Director, CDC, take action to implement specific perimeter controls for all BSL-4 labs to provide assurance that each lab has a strong perimeter security system in place. HHS agreed that perimeter security is an important deterrent against theft of select agents. However, HHS indicated that the vulnerabilities GAO identified are the result of risk-based planning and that further study is required prior to additional regulation. To view the full product, including the scope and methodology, click on [hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-08-1092]. For more information, contact Gregory D. Kutz at (202) 512-6722 or kutzg@gao.gov. [End of section] Contents: Letter: Results in Brief: Background: Results of Security Assessment: Conclusions: Recommendation for Executive Action: Agency Comments and Our Evaluation: Appendix I: Perimeter Security Controls: Appendix II: Comments from the Department of Health and Human Services: Appendix III: GAO Contact and Staff Acknowledgments: Tables: Table 1: Results of Perimeter Physical Security Assessment: Table 2: Perimeter Physical Security Controls: Abbreviations: APHIS: Animal and Plant Health Inspection Service: BSL: biosafety level: CCTV: Closed-circuit television: CDC: Centers for Disease Control and Prevention: DSAT: Division of Select Agents and Toxins: HHS: Department of Health and Human Services: IG: Inspector General: USDA: U.S. Department of Agriculture: United States Government Accountability Office: Washington, DC 20548: September 17, 2008: The Honorable John D. Dingell: Chairman: The Honorable Joe Barton: Ranking Member: Committee on Energy and Commerce: House of Representatives: The Honorable Bart Stupak: Chairman: The Honorable John Shimkus: Ranking Member: Subcommittee on Oversight and Investigations: Committee on Energy and Commerce: House of Representatives: Biosafety level (BSL) 4 laboratories (labs) handle the world's most dangerous biological agents and diseases--the Ebola virus, hemorrhagic fevers, and smallpox, for example--in the hope that this work may result in effective medical countermeasures or even a cure. In fact, of the four BSL designations, only BSL-4 labs can work with agents for which no cure or treatment exists. Although BSL-4 labs are required to protect the safety of researchers and the general public, recent security incidents have caused some concern. For example, in October 2007 GAO testified about the lack of oversight and security concerns regarding BSL-3 and BSL-4 labs[Footnote 1] and identified an hour-long power outage due to lightning strikes, in June 2007, at the Centers for Disease Control and Prevention's (CDC) newest BSL-4 facility. This incident raised questions about safety and security, as well as the backup power system design, and showed that even in the hands of experienced owners and operators, safety and security of high- containment labs can still be compromised. Among other things, the outage shut down the lab's negative air pressure system, one of the important components in place to keep dangerous agents from escaping the containment areas. Primary responsibility for regulatory control of select biological agents is divided between the CDC and the U.S. Department of Agriculture (USDA) under Select Agent Regulations--although some labs may have additional security requirements imposed on them by agencies that own or control these labs. While three of the BSL-4 labs are privately owned or operated by academic institutions, the other two are owned and operated by the federal government. As requested by the Department of Health and Human Services (HHS), we are not including the names of the five labs in this report for security reasons. Federal law requires all labs be registered with the CDC's Division of Select Agents and Toxins (DSAT) when handling select agents that pose a severe threat to public health and safety, including BSL-4 agents.[Footnote 2] Currently, all five operational BSL-4 labs are registered with the CDC's Select Agent Program and therefore are regulated by the CDC, not USDA. This registration process requires each lab to develop a security plan that is based on a site-specific risk assessment.[Footnote 3] According to regulations, the security plan must be sufficient to safeguard against unauthorized theft, loss, or release of select agents. The DSAT inspection is intended to ensure that the labs meet certain safety and security regulations, which vary according to the BSL ranking of the select agent being handled. However, a recent report by HHS's Office of Inspector General (IG)[Footnote 4] stated that labs regulated under the DSAT program had weaknesses in such areas as access control and security plan implementation that could have compromised their ability to safeguard select agents from accidental loss or theft.[Footnote 5] Performing research on select agents is critical for the development of effective medical countermeasures and, ultimately, the discovery of vaccines. However, given recent security concerns and the threat of biological terrorism, you are concerned that some BSL-4 labs could be vulnerable to terrorist attack or agent theft. To address these concerns, you requested that we perform a systematic physical security assessment of key perimeter security controls at the five operational BSL-4 labs in the United States. To meet our objective, we reviewed the site-specific risk assessments and security plans for each BSL-4 lab. We then performed a physical security assessment limited to the perimeter of each lab using a security survey we developed. We focused primarily on 15 physical security controls that contribute to a strong perimeter physical security system based on our expertise and research of commonly accepted physical security principles. Although BSL-4 labs may have different levels of inherent risk, we determined that these 15 controls (discussed in more detail in app. I) represent a baseline for BSL-4 lab perimeter physical security. We discussed the security of each lab with security personnel and lab officials at the conclusion of each site visit. Finally, we interviewed DSAT and Animal and Plant Health Inspection Service officials and reviewed the CDC's BSL-4 lab inspection reports. For the purposes of this report, we defined physical security as the combination of operational and security equipment, personnel, and procedures used to protect facilities, information, documents, or material against theft, sabotage, diversion, or other criminal acts. Our definition of physical security excludes, and we did not evaluate, intelligence-gathering, cybersecurity, and human capital training and effectiveness. We did not assess the security of the labs themselves or the threat of an insider attack, but focused on perimeter security leading up to the laboratory building points of entry. Additionally, we did not test perimeter security controls to determine whether they function as intended. Perimeter security is just one aspect of overall security provisions under the Select Agent Regulations, which includes personnel training and inventory control. Select Agent Regulations also require additional security measures inside the labs themselves, such as locks and other forms of physical control. We conducted our assessment from December 2007 through September 2008 in accordance with standards prescribed by the President's Council on Integrity and Efficiency. Results in Brief: Regulations issued by the CDC do not mandate specific perimeter security controls that need to be in place at each BSL-4 lab, resulting in significant differences in perimeter security between the nation's five labs. According to the regulations, each lab must implement a security plan that is sufficient to safeguard select agents against unauthorized access, theft, loss, or release. However, there are no minimum specific perimeter security standards that must be in place at every BSL-4 lab. While three labs had all or nearly all of the key security controls we assessed--features such as perimeter barriers, roving armed guard patrols, and magnetometers in use at lab entrances- -two labs demonstrated a significant lack of these controls. Specifically, one lab had all 15 security controls in place, one had 14, and another had 13 of the key controls. However, the remaining two labs had only 4 and 3 key security controls, respectively. Although the presence of the security controls we assessed does not automatically ensure a secure perimeter, having most controls provides increased assurance that a strong perimeter security system is in place and reduces the likelihood of unauthorized intrusion. For example, the two labs with fewer security controls lacked both visible deterrents and a means to respond to intrusion. One lab even had a window that looked directly into the room where BSL-4 agents were handled. In addition to creating the perception of vulnerability, the lack of key security controls at these labs means that security officials have fewer opportunities to stop an intruder or attacker. DSAT approved the security plans by the two labs lacking most key security controls. However, the three labs with all or nearly all of the key security controls we assessed were subject to additional requirements imposed on them by federal agencies other than DSAT. These labs incorporated additional specific security controls in their security plans because of this oversight. For example, one lab maintained a roving armed guard patrol--one of our 15 key controls--because the agency owning the lab required it, not because of DSAT regulation. To further enhance physical perimeter security at BSL-4 labs regulated by DSAT, we are recommending that the Director, CDC, take action to implement specific perimeter controls for all BSL-4 labs to provide assurance that each lab has a strong perimeter security system in place. The CDC should work with USDA to coordinate its efforts, given that both agencies have the authority to regulate select agents. In its response to this report, HHS agreed that perimeter security is an important deterrent against theft of select agents. They indicated that the difference in perimeter security at the five labs was the result of risk-based planning; however, they did not comment on the specific vulnerabilities we identified and whether these should be addressed. In regard to requiring specific perimeter controls for all BSL-4 labs, HHS stated that it would perform further study and outreach to determine whether additional federal regulations are needed. HHS also provided us with technical comments, which we have incorporated as appropriate. Background: The Public Health Security and Bioterrorism Preparedness and Response Act of 2002 created the government's Select Agent Regulations,[Footnote 6] dividing primary responsibility for regulatory control of select biological agents between HHS and USDA.[Footnote 7] While HHS is responsible for regulating select agents that can potentially pose a severe threat to public health and safety, USDA regulates select agents that can potentially pose a severe threat to animal and plant health or animal and plant products. A number of "overlap agents" can pose both a public health threat and a threat to animals; in these cases, labs must register with either agency, but are not required to register with both. As mentioned above, all five registered BSL-4 labs in the United States are registered with DSAT. When a lab registers with DSAT to handle a select agent, a site- specific risk assessment must be conducted. Regulations governing the assessment do not specify who must perform it, meaning that the assessment can be performed by officials for the lab itself. Further, labs registering with DSAT are required to develop and implement a written security plan based on the site-specific risk assessment. According to the regulations, the security plan must be sufficient to safeguard against unauthorized theft, loss, or release of select agents and meet all the requirements outlined in the Select Agent Regulations. DSAT authored and utilizes the Select Agents and Toxins Security Information Document to provide possible practices and procedures that entities may use to assist them in developing and implementing their written security plans. Additional requirements include a written biosafety or biocontainment plan that describes the safety and containment procedures, and an incident response plan that includes procedures for theft, loss, or release of an agent or toxin; inventory discrepancies; security breaches; natural disasters; violence; and other emergencies. Prior to being issued a certificate of registration, an entity must comply with all security requirements and all other provisions of the Select Agent Regulations. A registration in the CDC's Select Agent Program lasts for 3 years, after which it must be renewed if the entity chooses to retain possession of the select agents. In addition to the five registered and operational BSL-4 labs, there are more labs currently under construction or in the planning stages. While expansion is taking place within the federal sector as well-- there are many new federal facilities currently under construction or planned, which have one or more BSL-4 labs--there are also BSL-4 labs at universities, as part of state response, and in the private sector. These new facilities have not completed the registration process and were not fully operational as BSL-4 labs at the time of our assessment. Results of Security Assessment: CDC regulations do not mandate that specific perimeter security controls are present at all BSL-4 labs, resulting in a significant difference in perimeter security between the nation's five labs. According to the regulations, each lab must implement a security plan that is sufficient to safeguard select agents against unauthorized access, theft, loss, or release. However, there are no specific perimeter security controls that must be in place at every BSL-4 lab. While three labs had all or nearly all of the key security controls we assessed, two labs demonstrated a significant lack of these controls. The results of our perimeter physical security assessment of the five registered BSL-4 labs are presented in table 1. The check marks in the table indicate the presence of specific security features at the labs we assessed, illustrating the varying levels of perimeter physical security controls present at the labs. Table 1: Results of Perimeter Physical Security Assessment: No.: 1; Security controls: Outer/tiered perimeter boundary; Lab A: Check; Lab B: Check; Lab C: [Empty]; Lab D: Check; Lab E: Check. No.: 2; Security controls: Blast stand-off area (e.g., buffer zone) between lab and perimeter barriers; Lab A: Check; Lab B: Check; Lab C: [Empty]; Lab D: Check; Lab E: [Empty]. No.: 3; Security controls: Barriers to prevent vehicles from approaching lab; Lab A: Check; Lab B: Check; Lab C: [Empty]; Lab D: Check; Lab E: [Empty]. No.: 4; Security controls: Loading docks located outside the footprint of the main building; Lab A: Check; Lab B: Check; Lab C: [Empty]; Lab D: Check; Lab E: Check. No.: 5; Security controls: Exterior windows do not provide direct access to the lab; Lab A: Check; Lab B: Check; Lab C: Check; Lab D: Check; Lab E: [Empty]. No.: 6; Security controls: Command and control center; Lab A: Check; Lab B: Check; Lab C: [Empty]; Lab D: Check; Lab E: [Empty]. No.: 7; Security controls: Closed-circuit television (CCTV) monitored by the command and control center; Lab A: Check; Lab B: Check; Lab C: [Empty]; Lab D: Check; Lab E: [Empty]. No.: 8; Security controls: Active intrusion detection system integrated with CCTV; Lab A: [Empty]; Lab B: Check; Lab C: [Empty]; Lab D: Check; Lab E: [Empty]. No.: 9; Security controls: Camera coverage for all exterior lab building entrances; Lab A: Check; Lab B: Check; Lab C: [Empty]; Lab D: Check; Lab E: [Empty]. No.: 10; Security controls: Perimeter lighting of the complex[A]; Lab A: Check; Lab B: Check; Lab C: Check; Lab D: Check; Lab E: Check. No.: 11; Security controls: Visible armed guard presence at all public entrances to lab; Lab A: Check; Lab B: Check; Lab C: [Empty]; Lab D: [Empty]; Lab E: [Empty]. No.: 12; Security controls: Roving armed guard patrols of perimeter; Lab A: Check; Lab B: Check; Lab C: Check; Lab D: Check; Lab E: [Empty]. No.: 13; Security controls: X-ray magnetometer machines in operation at building entrances; Lab A: Check; Lab B: Check; Lab C: [Empty]; Lab D: Check; Lab E: [Empty]. No.: 14; Security controls: Vehicle screening; Lab A: Check; Lab B: Check; Lab C: [Empty]; Lab D: [Empty]; Lab E: [Empty]. No.: 15; Security controls: Visitor screening; Lab A: Check; Lab B: Check; Lab C: [Empty]; Lab D: Check; Lab E: Check. Source: GAO. [A] We did not perform our assessment at night, so for this category we relied on the lab security officials to provide this information. [End of table] Although the presence of the security controls we assessed does not automatically ensure a secure perimeter, having most controls provides increased assurance that a strong perimeter security system is in place and reduces the likelihood of unauthorized intrusion. As discussed in appendix I, the strongest perimeter security systems use an active, integrated approach to security that takes advantage of multiple layers. For example, an active, integrated system links perimeter intrusion alarms to a CCTV network, allowing security officers to instantly view the location of an alarm. A discussion of each security assessment follows. Lab A: The physical security controls of Lab A presented a strong visible deterrent from the outside, with 14 of the 15 key security controls in place. Lab A was located in a complex of other buildings that was separated from an urban environment by a perimeter security fence reinforced with airline cable to further strengthen the fence and deter unauthorized access. A roving patrol of armed guards was visible inside and outside the perimeter fence, while other guards manned gated entry inspection points. The gates incorporated technical support for the guards to assist them with the inspection of both private and commercial vehicles. Guards conducted ID checks at the gates and searched vehicles that did not have the appropriate access decals. Further, all trucks were required to enter a single gate containing an X-ray screening device. Past this outer perimeter, a further man-made barrier existed around the building containing the BSL-4 lab. Although Lab A had most of the security controls we focused on during our assessment, it did not have an active intrusion detection system integrated with the CCTV network covering the facility. This reduced the possibility that security officers could detect and quickly identify an intruder entering the building perimeter.[Footnote 8] Lab B: Lab B was the only one of the five BSL-4 labs that had all 15 security controls. The lab was in an urban environment, but located in a complex of other buildings enclosed within an outer fenced perimeter. Roving patrols consisting of both armed security guards and local police walked on the exterior of the perimeter fence. The fence itself was reinforced with airline cable to further strengthen it along areas that bordered roads, serving to further protect against unauthorized intrusion from these public areas. There was a single gated inspection point to enter the complex manned by armed security guards. The inspection point incorporated technical support for the guards to assist them with the inspection of both private and commercial vehicles. Once inside the gate, man-made barriers and a natural (i.e., landscaped) barrier system stood between the gate and the lab itself. More armed guards conducted roving patrols inside the complex and guarded the entrance to the lab itself. Lab B also had a strong active integrated security system. According to lab officials, the system featured an integrated emergency management response whereby appropriate fire and rescue vehicles were automatically dispatched after an alarm. Lab C: Lab C utilized only 3 of the 15 key security controls we assessed. The lab was in an urban environment and publicly accessible, with only limited perimeter barriers. During our assessment, we saw a pedestrian access the building housing the lab through the unguarded loading dock entrance. In addition to lacking any perimeter barriers to prevent unauthorized individuals from approaching the lab, Lab C also lacked an active integrated security system. By not having a command and control center or an integrated security system with live camera monitoring, the possibility that security officers could detect an intruder entering the perimeter and respond to such an intrusion is greatly reduced. Lab D: Although Lab D did not have an armed guard presence outside the lab or vehicle screening,[Footnote 9] it presented strong physical security controls in all other respects, with 13 of the key 15 controls we assessed. Lab D was located within the interior of a complex of buildings, providing a natural system of layered perimeter barriers that included bollards for vehicle traffic. When combined with the presence of roving armed guard patrols, Lab D projected strong visible deterrents. It also utilized an active integrated security system so that if an alarm was activated, personnel within the command and control center could survey the alarm area though monitors and utilize pan/tilt/zoom cameras to further assess the alarm area. This permits security personnel to better coordinate and determine the appropriate response. Lab E: Lab E was one of the weakest labs we assessed, with 4 out of the 15 key controls. It had only limited camera coverage of the outer perimeter of the facility and the only vehicular barrier consisted of an arm gate that swung across the road. Although the guard houses controlling access to the facility were manned, they appeared antiquated. The security force charged with protecting the lab was unarmed.[Footnote 10] Of all the BSL-4 labs we assessed, this was the only lab with an exterior window that could provide direct access to the lab. In lieu of a command and control center, Lab E contracts with an outside company to monitor its alarm in an off-site facility. This potentially impedes response time by emergency responders with an unnecessary layer that would not exist with a command and control center. Since the contracted company is not physically present at the facility, it is not able to ascertain the nature of alarm activation. Furthermore, there is no interfaced security system between alarms and cameras and a lack of live monitoring of cameras. DSAT approved the security plans for the two labs lacking most key security controls, and approved these labs to participate in the Select Agent Program as BSL-4 labs. Conversely, during our assessment, we noted that the three BSL-4 labs with all or nearly all of our 15 key controls were subject to additional federal security requirements outside the purview of the Select Agent Regulations. For example, the National Institutes of Health both funds research requiring high containment and provides guidance and requirements that are widely used to govern many of the activities in high-containment labs. Other examples of more stringent regulations for BSL-4 labs include those of military labs that also follow far stricter Department of Defense physical security requirements. For example, Lab B had several layers of security, including a perimeter security fence and roving patrol of armed guards, visible inside and outside the perimeter fence. Although these security controls are not necessary for BSL-4 labs registering with DSAT, Lab B utilized these security controls to comply with more stringent federal requirements imposed by the agency owning the facility and incorporated these controls into its security plan. Security officials at the two labs with fewer security controls (Labs C and E) told us that management and administration had little incentive to improve security because they already met DSAT requirements. Some security officials also suggested that budgetary restrictions limited attempts to make security improvements. Conclusions: Although numerous factors influence the security of a facility, two of the BSL-4 labs we assessed were lacking key perimeter security controls even though they met DSAT requirements. Our observation that the three labs with strong perimeter security all were subject to additional federal oversight outside of the DSAT program leads us to conclude that minimum specific perimeter security standards would provide assurance that all BSL-4 labs are held to the same security standard. Given that many new BSL-4 labs are under construction and will come online over the next few years, it is important for DSAT to ensure that there is no "weak link" in security among the nation's BSL-4 labs. Recommendation for Executive Action: To further enhance physical perimeter security at BSL-4 labs regulated by DSAT, we are recommending that the Director, CDC, take action to implement specific perimeter security controls for all BSL-4 labs to provide assurance that each lab has a strong perimeter security system in place. The CDC should work with USDA to coordinate its efforts, given that both agencies have the authority to regulate select agents. Agency Comments and Our Evaluation: We received written comments on a draft of this report from the Assistant Secretary for Legislation of HHS. HHS agreed that perimeter security is an important deterrent against theft of select agents. They indicated that the difference in perimeter security at the five labs was the result of risk-based planning; however, they did not comment on the specific vulnerabilities we identified (e.g., an unsecured loading dock at one building housing a BSL-4 lab) and whether these should be addressed. In regard to requiring specific perimeter controls at all BSL-4 labs, HHS stated that it would coordinate with APHIS to seek input from physical security experts and the scientific community; the regulated community; professional associations; State, local, and tribal officials; and the general public as to the need and advisability of requiring, by Federal regulation, specific perimeter controls at each registered entity having a BSL-4 lab. They explained that specific security controls are not in place because Select Agent Regulations are focused on performance objectives rather than specific methods of compliance. We are encouraged that HHS plans to study this matter further, and suggest that, as part of this study, HHS reconsider whether the lack of many specific perimeter security controls at two of the nation's five BSL-4 labs is acceptable. HHS also requested that we provide references for the research that identified our 15 security controls as being appropriate for the assessment of the perimeter security of BSL-4 labs, identify the security experts that we consulted, and indicate whether these 15 security controls had been peer reviewed. We have notified HHS that we will work with them to understand the controls in more detail. As discussed in our report, we developed the 15 security controls based on our expertise in performing security assessments and our research of commonly accepted physical security principles. These principles are reflected in the security survey tool we used to evaluate each of the five BSL-4 labs. We have used this survey tool for similar security assessments in the past. Although we acknowledge that the 15 security controls we selected are not the only measures that can be in place to provide perimeter security, we determined that these controls (discussed in more detail in app. I) represent a baseline for BSL-4 lab perimeter physical security and contribute to a strong perimeter security system. Many of these controls--such preventing direct access to a lab via windows, or ensuring visitors are screened prior to entering a building containing a BSL-4 lab--are common-sense security measures. HHS also provided us with technical comments, which we incorporated as appropriate. HHS's comment letter is reprinted in appendix II. As agreed with your office, unless you announce the contents of this report earlier, we will not distribute it until 30 days after its issue date. At that time, we will send copies of this report to the Secretary of Health and Human Services, the Director of the CDC, and other interested parties. The report will also be available at no charge on the GAO Web site at [hyperlink, http://www.gao.gov]. If you or your staff have any questions concerning this report, please contact me at (202) 512-6722 or kutzg@gao.gov. Contact points for our Offices of Congressional Relations and Public Affairs may be found on the last page of this report. GAO staff who made major contributions to this report are listed in appendix III. Signed by: Gregory D. Kutz: Managing Director Forensic Audits and Special Investigations: [End of section] Appendix I: Perimeter Security Controls: To perform our perimeter security assessment of biosafety level (BSL) 4 labs, we identified 15 key perimeter security controls, based on our expertise and research of commonly accepted physical security principles, that contribute to a strong perimeter security system. A strong perimeter security system utilizes layers of security to deter, detect, delay, and deny intruders. * Deter. Physical security controls that deter an intruder are intended to reduce the intruder's perception that an attack will be successful- -an armed guard posted in front of a lab, for example. * Detect. Controls that detect an intruder could include video cameras and alarm systems. They could also include roving guard patrols. * Delay. Controls that delay an intruder increase the opportunity for a successful security response. These controls include barriers such as perimeter fences. * Deny. Controls that can deny an intruder include visitor screening that only permits authorized individuals to access the building housing the lab. Furthermore, a lack of windows or other obvious means of accessing a lab is an effective denial mechanism. Some security controls serve multiple purposes. For example, a perimeter fence is a basic security feature that can deter, delay, and deny intruders. However, a perimeter fence on its own will not stop a determined intruder. This is why, in practice, layers of security must be integrated in order to provide the strongest protection. Thus, a perimeter fence should be combined with an intrusion detection system that would alert security officials if the perimeter has been breached. A strong system would then tie the intrusion detection alarm to the closed-circuit television (CCTV) network, allowing security officers to immediately identify intruders. A central command center is a key element for an integrated, active system. It allows security officers to monitor alarm and camera activity--and plan the security response-- from a single location. Table 2 shows 15 physical security controls we focused on during our assessment work. Table 2: Perimeter Physical Security Controls: No.: 1; Perimeter physical security control: Outer/tiered perimeter boundary; Rationale: There should be a perimeter boundary outside the lab to prevent unauthorized access. Examples include a reinforced perimeter security fence or natural barrier system that uses landscaping techniques to impede access to buildings. Outer/tiered perimeter also includes other structures that screen visibility of the lab. No.: 2; Perimeter physical security control: Blast stand-off area (e.g., buffer zone) between lab and perimeter barriers; Rationale: To minimize effects of explosive damage if a bomb were to be detonated outside the lab, the perimeter line should be located as far as practical from the building exterior. No.: 3; Perimeter physical security control: Barriers to prevent vehicles from approaching lab; Rationale: A physical barrier consisting of natural or man-made controls, such as bollards, designed to keep vehicles from ramming or setting off explosives that could cause damage to the building housing the BSL-4 lab. No.: 4; Perimeter physical security control: Loading docks located outside the footprint of the main building; Rationale: Because they are areas where delivery vehicles can park, loading docks are vulnerable areas and should be kept outside the footprint of the main building. No.: 5; Perimeter physical security control: Exterior windows do not provide direct access to the lab; Rationale: Windows are typically the most vulnerable portion of any building; therefore there should be no exterior windows that provide direct access to the lab. No.: 6; Perimeter physical security control: Command and control center; Rationale: A command and control center is crucial to the administration and maintenance of an active, integrated physical security system. The control center monitors the employees, general public, and environment of the lab building and other parts of the complex and serves as the single, central contact area in the event of an emergency. No.: 7; Perimeter physical security control: CCTV monitored by the command and control center; Rationale: A video system that gives a signal from a camera to video monitoring stations at a designated location. The cameras give the control center the capability of monitoring activity within and outside the complex. No.: 8; Perimeter physical security control: Active intrusion detection system (IDS) integrated with CCTV; Rationale: An IDS is used to detect an intruder crossing the boundary of a protected area, including through the building's vulnerable perimeter barriers. Integration with CCTV is integral to the IDS's ability to alert security staff to potential incidents that require monitoring. No.: 9; Perimeter physical security control: Camera coverage for all exterior lab building entrances; Rationale: Cameras that cover the exterior building entrances provide a means to detect and quickly identify potential intruders. No.: 10; Perimeter physical security control: Perimeter lighting of the complex; Rationale: Security lighting of the site, similarly to boundary lighting, provides both a real and psychological deterrent, and allows security personnel to maintain visual-assessment capability during darkness. It is cost-effective in that it might reduce the need for security forces. No.: 11; Perimeter physical security control: Visible armed guard presence at all public entrances to lab; Rationale: All public entrances require security monitoring. This presence helps to prevent or impede attempts of unauthorized access to the complex. No.: 12; Perimeter physical security control: Roving armed guard patrols of perimeter; Rationale: The presence of roving armed guard patrols helps to prevent or impede attempts of unauthorized access and includes inspecting vital entrance areas and external barriers. No.: 13; Perimeter physical security control: X-ray magnetometer machines in operation at building entrances; Rationale: These machines provide a means of screening persons, items, and materials that may possess or contain weapons, contraband, or hazardous substances prior to authorizing entry or delivery into a facility. No.: 14; Perimeter physical security control: Vehicle screening; Rationale: Screening vehicles that enter the perimeter of the lab includes an ID check and vehicle inspection, to deny unauthorized individuals access and potentially detect a threat. No.: 15; Perimeter physical security control: Visitor screening; Rationale: Screening visitors to the lab reduces the possibility that unauthorized individuals will gain access. Visitor screening includes identifying, screening, or recording visitors through methods such as camera coverage or visitor logs so that their entry to the lab is recorded. Source: GAO. [End of table] [End of section] Appendix II: Comments from the Department of Health and Human Services: Department Of Health & Human Services: Office Of The Secretary: Assistant Secretary for Legislation: Washington, DC 20201: September 5, 2008: Gregory D. Kutz: Managing Director: Forensic Audits and Special Investigation: Government Accountability Office: 441 G Street NW: Washington, DC 20548: Dear Mr. Kutz: Enclosed are the Department's comments on the U.S. Government Accountability Office's (GAO) draft report entitled: "Biosafety labs: Perimeter Security Assessments of the Nation's Five BSL-4 Laboratories" (GAO-08-1092). The Department appreciates the opportunity to review and comment on this report before its publication. Sincerely, Signed by: Vincent J. Ventimiglia, Jr.: Assistant Secretary for Legislation: Attachment: Comments Of The Department Of Health And Human Services (HHS) On The U.S. Government Accountability Office's (GAO) Draft Report Entitled, "Biosafety Labs: Perimeter Security Assessments Of The Nation's Five BSL-4 Laboratories" (GAO-08-1092): The Centers for Disease Control and Prevention (CDC) appreciates the opportunity to review and comment on the Government Accountability Office's (GAO) Draft Report: "Biosafety Labs: Perimeter Security Assessments of the Nation's Five BSL-4 Laboratories" (GAO-08-1092). Thank you for your review of this important issue. General Comments: Perimeter Security Just One Component of Overall Select Agent Security: As noted in your January 22, 2008 letter notifying CDC of this investigation, GAO conducted a limited security assessment of the nation's Biosafety Level (BSL) 4 laboratories that focused on each facility's outer perimeter security features, command and control center, and responsible personnel. While CDC agrees that perimeter security is an important deterrent against theft of select agents[Footnote 11], the Select Agent Regulations (42 CFR Part 73, 7 CFR Part 331, 9 CFR Part 121) require that entities registered for possession, use, and transfer of select agents take a comprehensive approach to securing select agents. Biosecurity experts describe the basic components of biosecurity as physical security, personnel security, information security, transport security, and material control and accountability.[Footnote 12] The security provisions of the Select Agent Regulations reflect this comprehensive approach to securing agents. The regulations contain more than 20 requirements that entities must implement to protect agents from theft, loss, or release. The provisions include: * Limiting access to buildings with select agents (e.g., guard station at the building entrance, locks on doors, card access system, biometric system, or intrusion detection system); * Limiting access to laboratory rooms with select agents (e.g., locks on doors, card access system, biometric system, or intrusion detection system); * Limiting access to select agents inside the room (e.g., locks on laboratory equipment (incubators, refrigerators, and freezers), locked boxes inside laboratory equipment (incubators, refrigerators, and freezers), biometric system, card access system, and intrusion detection system); * Monitoring access to areas where select agents are used or stored (e.g., electronic logs of access, manual sign in logs, and video camera surveillance); * Maintaining accurate, current inventory records for all select agents held in long-term storage; and: * Providing information and annual training to each individual who will have access to select agents. CDC notes that GAO did not assess the security of the laboratories themselves or the threat of an insider attack. The GAO limited security assessment focused only on the perimeter security leading up to the laboratory building points of entry. CDC recommends that the final report include additional clarification of how perimeter security fits into overall select agent security. Overall Security Measures are Based on Specific Conditions at Each Laboratory: The GAO draft report is correct that there are significant differences in perimeter security among the five entities that maintain BSL-4 laboratories. However, this is because there are significant differences in the risk present at each of the five registered entities, which vary not only by physical plant and location, but by the agents possessed and how those agents are used and stored. The report is also correct that the Select Agent Regulations are not prescriptive, "one size fits all" requirements but are performance standards. Presidential Executive Order 12866, as amended, requires that "each agency shall identify and assess alternative forms of regulation and shall, to the extent feasible, specify performance objectives, rather than specifying the behavior or manner of compliance that regulated entities must adopt." E.O. 12866, as amended, section 1(b)(8). Wide Range of Expertise Used to Develop Select Agent Security Guidance: The Select Agent Regulations are implemented jointly by the Department of Health and Human Services (HHS)/CDC and the U.S. Department of Agriculture (USDA)/Animal and Plant Health Inspection Service (APHIS). As noted earlier, the Select Agent Regulations require a comprehensive approach to select agent security, focusing on security measures beyond just perimeter security. This holistic approach to select agent security has been developed by CDC and APHIS through a comprehensive and deliberative process, involving critical stakeholders and experts in the law enforcement, security, and laboratory communities. In March 2006, CDC, in coordination with APHIS, hosted a meeting of physical security experts as a first step in the development of guidance that would assist entities in complying with the physical security requirements of the Select Agent Regulations. The meeting included representatives from the regulated entities, associations that represent laboratories, the Department of Justice, the Federal Bureau of Investigation, Department of Homeland Security, HHS/Office of Emergency Operations and Security Programs, CDC, the National Institutes of Health, the Department of Defense, and the USDA. As a result of the input from this meeting, CDC and APHIS released a Security Information Document and Security Plan Template to assist registered entities in complying with the physical security requirements of the Select Agent Regulations. These guidance documents are available at: [hyperlink, http://www.selectagents.gov/complianceAssistance.htm]. Criteria Used to Select the 15 Security Controls Assessed by GAO: In this investigation, GAO used 15 security controls to assess the perimeter security of the five BSL-4 laboratories; however, CDC is not aware of research identifying these specific 15 security controls as appropriate for the assessment. GAO states that these security controls were selected for assessment based on "GAO expertise and research of commonly accepted physical security principles." So that the report's findings can be considered in the appropriate context, CDC encourages GAO, in the final report, to provide references for the research that identified these 15 security controls as being appropriate for the assessment of the perimeter security of BSL-4 laboratories, identify the security experts that had been consulted in developing the list of security controls to use for the assessment, and to indicate whether the use of this set of security controls for perimeter security assessments has ever been peer- reviewed. Agency Response to GAO's Recommendation: In the draft report, GAO recommends that, "the Director, CDC, take action to implement specific perimeter security controls for all BSL-4 labs to provide assurance that each lab has a strong perimeter security system in place. CDC should work with USDA to coordinate its efforts, given that both agencies have the authority to regulate select agents." (CDC notes that the recommendation language differed slightly in the opening letter and in the text of the report; the quotation above is from the text of the report.) CDC appreciates GAO's commitment to improving security at laboratories across the nation and agrees that perimeter security is an important component of overall select agent security. Based on the findings and recommendation in the draft report, CDC will, in coordination with APHIS, seek input from physical security and scientific community, the regulated community, professional associations, State, local, and tribal officials, and the general public as to the need and advisability of requiring by Federal regulation specific perimeter control(s) at each registered entity having a BSL-4 laboratory. Using the GAO's list of four goals of a strong perimeter security system and 15 perimeter physical security elements as a starting point, we will seek input as to the: * Specific perimeter controls that would be appropriate for a facility which includes a BSL-4 laboratory; * Estimated initial and long-term cost for select agent registered entities to implement those controls; and * Impact, if any, upon the availability of select agents for research, education, and other legitimate purposes. This will allow CDC and APHIS to synthesize and benefit from the advice and expertise of security experts and the regulated community in considering which physical security enhancements are most appropriate for improvement of overall select agent security. The CDC also will seek advice on this matter from other Federal Departments and Agencies. The CDC is committed to enhancing security at our nation's BSL-4 laboratories based on risk and sound science, while balancing security enhancements against any impact on the important research being conducted by these laboratories. Our technical comments on the draft report are provided in the attachment. We appreciate your consideration of the comments contained in this memo and the technical comments as you develop the final report. We are happy to discuss any of these comments with you. [End of section] Appendix III: GAO Contact and Staff Acknowledgments: GAO Contact: Gregory D. Kutz (202) 512-6722 or kutzg@gao.gov: Acknowledgments: In addition to the contact named above, the following individuals made contributions to this report: Andy O'Connell, Assistant Director; Verginie Amirkhanian; Randall Cole; John Cooney; Elizabeth Isom; Barbara Lewis; Jeffrey McDermott; and Andrew McIntosh. [End of section] Footnotes: [1] GAO, High-Containment Biosafety Laboratories: Preliminary Observations on the Oversight of the Proliferation of BSL-3 and BSL-4 Laboratories in the United States, GAO-08-108T (Washington, D.C.: Oct. 4, 2007). [2] Alternatively, if any one of these agents is considered an "overlap agent" that also poses a threat to animal health, it may be registered with USDA's Animal and Plant Health Inspection Service (APHIS), but not both the CDC and APHIS. If the agents pose a risk to only animal and plant health or animal and plant products, they must be registered with APHIS. [3] A site-specific risk assessment must provide protection based on the risk and intended use of the select agent. It includes four assessments: an agent-specific risk assessment, threat assessment, vulnerability assessment, and graded protection determination. [4] Department of Health and Human Services, Office of Inspector General, Summary Report on State, Local, Private, and Commercial Laboratories' Compliance With Select Agent Regulations, A-04-06-01033 (Washington, D.C.: Jan. 9, 2008). [5] HHS IG regularly conducts reviews of BSL labs. These reviews could possibly include BSL-4 labs; however, the summary reports do not disclose the identity of the labs that were included in the IG's reviews. [6] 42 C.F.R part 73, 7 C.F.R part 331, 9 C.F.R part 121. [7] Pub. L. No. 107-188 (June 12, 2002). [8] Officials from Lab A have subsequently informed us that they installed an active intrusion alarm system and integrated it with their CCTV network. However, we did not verify this information. [9] At the time of our assessment, Lab D had a vehicle inspection station under construction that would be capable of screening and inspecting vehicles that arrive in the area of the BSL-4 lab building using both guards and technical equipment. [10] Although the security force was unarmed, there was one armed security supervisor patrolling the facility. [11] "Select agents" are biological agents (viruses, bacteria, fungi, prions, etc.) and toxins that have the potential to pose a severe threat to public health and safety, to animal or plant health or to animal and plant products. The agents and toxins are defined by lists that appear in sections §73.3 and §73.4 of the HHS/CDC Select Agent Regulations (42 CFR Part 73) and section §121.3, §121.4, and §331.3 of the USDA/APHIS Select Agent Regulations (7 CFR Part 331 and 9 CFR Part 121). [12] Sandia National Laboratories. Laboratory Biosecurity Handbook. Albuquerque, NM: Sandia National Laboratories; 2007. Available at: [hyperlink, http://www.biosecurity.sandia.gov/home.html]. GAO's Mission: The Government Accountability Office, the audit, evaluation and investigative arm of Congress, exists to support Congress in meeting its constitutional responsibilities and to help improve the performance and accountability of the federal government for the American people. GAO examines the use of public funds; evaluates federal programs and policies; and provides analyses, recommendations, and other assistance to help Congress make informed oversight, policy, and funding decisions. GAO's commitment to good government is reflected in its core values of accountability, integrity, and reliability. Obtaining Copies of GAO Reports and Testimony: The fastest and easiest way to obtain copies of GAO documents at no cost is through GAO's Web site [hyperlink, http://www.gao.gov]. Each weekday, GAO posts newly released reports, testimony, and correspondence on its Web site. To have GAO e-mail you a list of newly posted products every afternoon, go to [hyperlink, http://www.gao.gov] and select "E-mail Updates." Order by Mail or Phone: The first copy of each printed report is free. Additional copies are $2 each. A check or money order should be made out to the Superintendent of Documents. GAO also accepts VISA and Mastercard. Orders for 100 or more copies mailed to a single address are discounted 25 percent. Orders should be sent to: U.S. Government Accountability Office: 441 G Street NW, Room LM: Washington, D.C. 20548: To order by Phone: Voice: (202) 512-6000: TDD: (202) 512-2537: Fax: (202) 512-6061: To Report Fraud, Waste, and Abuse in Federal Programs: Contact: Web site: [hyperlink, http://www.gao.gov/fraudnet/fraudnet.htm]: E-mail: fraudnet@gao.gov: Automated answering system: (800) 424-5454 or (202) 512-7470: Congressional Relations: Ralph Dawn, Managing Director, dawnr@gao.gov: (202) 512-4400: U.S. Government Accountability Office: 441 G Street NW, Room 7125: Washington, D.C. 20548: Public Affairs: Chuck Young, Managing Director, youngc1@gao.gov: (202) 512-4800: U.S. Government Accountability Office: 441 G Street NW, Room 7149: Washington, D.C. 20548: