This is the accessible text file for GAO report number GAO-08-1092 
entitled 'Biosafety Laboratories: Perimeter Security Assessment of the 
Nation's Five BSL-4 Laboratories' which was released on October 16, 
2008. 

This text file was formatted by the U.S. Government Accountability 
Office (GAO) to be accessible to users with visual impairments, as part 
of a longer term project to improve GAO products' accessibility. Every 
attempt has been made to maintain the structural and data integrity of 
the original printed product. Accessibility features, such as text 
descriptions of tables, consecutively numbered footnotes placed at the 
end of the file, and the text of agency comment letters, are provided 
but may not exactly duplicate the presentation or format of the printed 
version. The portable document format (PDF) file is an exact electronic 
replica of the printed version. We welcome your feedback. Please E-mail 
your comments regarding the contents or accessibility features of this 
document to Webmaster@gao.gov. 

This is a work of the U.S. government and is not subject to copyright 
protection in the United States. It may be reproduced and distributed 
in its entirety without further permission from GAO. Because this work 
may contain copyrighted images or other material, permission from the 
copyright holder may be necessary if you wish to reproduce this 
material separately. 

Report to Congressional Committees: 

United States Government Accountability Office: 

GAO: 

September 2008: 

Biosafety Laboratories: 

Perimeter Security Assessment of the Nation's Five BSL-4 Laboratories: 

GAO-08-1092: 

GAO Highlights: 

Highlights of GAO-08-1092, a report to congressional committees. 

Why GAO Did This Study: 

Biosafety labs under the U.S. Bioterrorism Act are primarily regulated 
and must be registered with either the Centers for Disease Control and 
Prevention (CDC) or the U.S. Department of Agriculture (USDA) under the 
Select Agent Regulations. Currently, all operational biosafety level 
(BSL) 4 labs are registered with the CDC and thus are regulated by the 
CDC, not USDA. BSL-4 labs handle the world’s most dangerous agents and 
diseases. In fact, of the four BSL designations, only BSL-4 labs can 
work with agents for which no cure or treatment exists. GAO was asked 
to perform a systematic security assessment of key perimeter security 
controls at the nation’s five operational BSL-4 labs. To meet this 
objective, GAO performed a physical security assessment of the 
perimeter of each lab using a security survey it developed. GAO focused 
primarily on 15 physical security controls, based on GAO expertise and 
research of commonly accepted physical security principles. 

What GAO Found: 

Select Agent Regulations do not mandate specific perimeter security 
controls that need to be in place at each BSL-4 lab, resulting in 
significant differences in perimeter security between the nation’s five 
labs. While three labs had all or nearly all of the key security 
controls GAO assessed—features such as perimeter barriers, roving armed 
guard patrols, and magnetometers in use at lab entrances—two labs 
demonstrated a significant lack of these controls. Specifically, one 
lab had all 15 security controls in place, one had 14, and another had 
13 of the key controls. However, the remaining two labs had only 4 and 
3 key security controls, respectively. The check marks in the table 
below indicate the presence of specific security features at the labs 
GAO assessed, illustrating the varying levels of perimeter physical 
security controls present at the labs for 5 of the 15 security controls 
GAO assessed. 

Table: Selected Results of Perimeter Security Assessment: 

Security controls: Command and control center; 
Lab A: Check; 
Lab B: Check; 
Lab C: [Empty]; 
Lab D: Check; 
Lab E: [Empty]. 

Security controls: Closed-circuit television (CCTV) monitored by the 
command and control center; 
Lab A: Check; 
Lab B: Check; 
Lab C: [Empty]; 
Lab D: Check; 
Lab E: [Empty]. 

Security controls: Active intrusion detection system integrated with 
CCTV; 
Lab A: [Empty]; 
Lab B: Check; 
Lab C: [Empty]; 
Lab D: Check; 
Lab E: [Empty]. 

Security controls: Camera coverage for all exterior lab building 
entrances; 
Lab A: Check; 
Lab B: Check; 
Lab C: [Empty]; 
Lab D: Check; 
Lab E: [Empty]. 

Security controls: Visible armed guard presence at all public entrances 
to lab; 
Lab A: Check; 
Lab B: Check; 
Lab C: [Empty]; 
Lab D: [Empty]; 
Lab E: [Empty]. 

Source: GAO. 

[End of figure] 

Although the presence of the security controls GAO assessed does not 
automatically ensure a secure perimeter, having most controls provides 
increased assurance that a strong perimeter security system is in place 
and reduces the likelihood of unauthorized intrusion. For example, the 
two labs with fewer security controls lacked both visible deterrents 
and a means to respond to intrusion. One lab even had a window that 
looked directly into the room where BSL-4 agents were handled. In 
addition to creating the perception of vulnerability, the lack of key 
security controls at these labs means that security officials have 
fewer opportunities to stop an intruder or attacker. 

The two labs with fewer security controls were approved by the CDC to 
participate in the Select Agent Program despite their weaknesses. 
During the course of our review, GAO noted that the three labs with all 
or nearly all of the key security controls GAO assessed were subject to 
additional federal security requirements imposed on them by agencies 
that owned or controlled the labs, not because of the Select Agent 
Regulations. 

What GAO Recommends: 

GAO recommends that the Director, CDC, take action to implement 
specific perimeter controls for all BSL-4 labs to provide assurance 
that each lab has a strong perimeter security system in place. HHS 
agreed that perimeter security is an important deterrent against theft 
of select agents. However, HHS indicated that the vulnerabilities GAO 
identified are the result of risk-based planning and that further study 
is required prior to additional regulation. 

To view the full product, including the scope and methodology, click on 
[hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-08-1092]. For more 
information, contact Gregory D. Kutz at (202) 512-6722 or 
kutzg@gao.gov. 

[End of section] 

Contents: 

Letter: 

Results in Brief: 

Background: 

Results of Security Assessment: 

Conclusions: 

Recommendation for Executive Action: 

Agency Comments and Our Evaluation: 

Appendix I: Perimeter Security Controls: 

Appendix II: Comments from the Department of Health and Human Services: 

Appendix III: GAO Contact and Staff Acknowledgments: 

Tables: 

Table 1: Results of Perimeter Physical Security Assessment: 

Table 2: Perimeter Physical Security Controls: 

Abbreviations: 

APHIS: Animal and Plant Health Inspection Service: 

BSL: biosafety level: 

CCTV: Closed-circuit television: 

CDC: Centers for Disease Control and Prevention: 

DSAT: Division of Select Agents and Toxins: 

HHS: Department of Health and Human Services: 

IG: Inspector General: 

USDA: U.S. Department of Agriculture: 

United States Government Accountability Office: 

Washington, DC 20548: 

September 17, 2008: 

The Honorable John D. Dingell: 
Chairman: 
The Honorable Joe Barton: 
Ranking Member: 
Committee on Energy and Commerce: 
House of Representatives: 

The Honorable Bart Stupak: 
Chairman: 
The Honorable John Shimkus: 
Ranking Member: 
Subcommittee on Oversight and Investigations: 
Committee on Energy and Commerce: 
House of Representatives: 

Biosafety level (BSL) 4 laboratories (labs) handle the world's most 
dangerous biological agents and diseases--the Ebola virus, hemorrhagic 
fevers, and smallpox, for example--in the hope that this work may 
result in effective medical countermeasures or even a cure. In fact, of 
the four BSL designations, only BSL-4 labs can work with agents for 
which no cure or treatment exists. Although BSL-4 labs are required to 
protect the safety of researchers and the general public, recent 
security incidents have caused some concern. For example, in October 
2007 GAO testified about the lack of oversight and security concerns 
regarding BSL-3 and BSL-4 labs[Footnote 1] and identified an hour-long 
power outage due to lightning strikes, in June 2007, at the Centers for 
Disease Control and Prevention's (CDC) newest BSL-4 facility. This 
incident raised questions about safety and security, as well as the 
backup power system design, and showed that even in the hands of 
experienced owners and operators, safety and security of high- 
containment labs can still be compromised. Among other things, the 
outage shut down the lab's negative air pressure system, one of the 
important components in place to keep dangerous agents from escaping 
the containment areas. 

Primary responsibility for regulatory control of select biological 
agents is divided between the CDC and the U.S. Department of 
Agriculture (USDA) under Select Agent Regulations--although some labs 
may have additional security requirements imposed on them by agencies 
that own or control these labs. While three of the BSL-4 labs are 
privately owned or operated by academic institutions, the other two are 
owned and operated by the federal government. As requested by the 
Department of Health and Human Services (HHS), we are not including the 
names of the five labs in this report for security reasons. Federal law 
requires all labs be registered with the CDC's Division of Select 
Agents and Toxins (DSAT) when handling select agents that pose a severe 
threat to public health and safety, including BSL-4 agents.[Footnote 2] 
Currently, all five operational BSL-4 labs are registered with the 
CDC's Select Agent Program and therefore are regulated by the CDC, not 
USDA. This registration process requires each lab to develop a security 
plan that is based on a site-specific risk assessment.[Footnote 3] 
According to regulations, the security plan must be sufficient to 
safeguard against unauthorized theft, loss, or release of select 
agents. The DSAT inspection is intended to ensure that the labs meet 
certain safety and security regulations, which vary according to the 
BSL ranking of the select agent being handled. However, a recent report 
by HHS's Office of Inspector General (IG)[Footnote 4] stated that labs 
regulated under the DSAT program had weaknesses in such areas as access 
control and security plan implementation that could have compromised 
their ability to safeguard select agents from accidental loss or 
theft.[Footnote 5] 

Performing research on select agents is critical for the development of 
effective medical countermeasures and, ultimately, the discovery of 
vaccines. However, given recent security concerns and the threat of 
biological terrorism, you are concerned that some BSL-4 labs could be 
vulnerable to terrorist attack or agent theft. To address these 
concerns, you requested that we perform a systematic physical security 
assessment of key perimeter security controls at the five operational 
BSL-4 labs in the United States. 

To meet our objective, we reviewed the site-specific risk assessments 
and security plans for each BSL-4 lab. We then performed a physical 
security assessment limited to the perimeter of each lab using a 
security survey we developed. We focused primarily on 15 physical 
security controls that contribute to a strong perimeter physical 
security system based on our expertise and research of commonly 
accepted physical security principles. Although BSL-4 labs may have 
different levels of inherent risk, we determined that these 15 controls 
(discussed in more detail in app. I) represent a baseline for BSL-4 lab 
perimeter physical security. We discussed the security of each lab with 
security personnel and lab officials at the conclusion of each site 
visit. Finally, we interviewed DSAT and Animal and Plant Health 
Inspection Service officials and reviewed the CDC's BSL-4 lab 
inspection reports. 

For the purposes of this report, we defined physical security as the 
combination of operational and security equipment, personnel, and 
procedures used to protect facilities, information, documents, or 
material against theft, sabotage, diversion, or other criminal acts. 
Our definition of physical security excludes, and we did not evaluate, 
intelligence-gathering, cybersecurity, and human capital training and 
effectiveness. We did not assess the security of the labs themselves or 
the threat of an insider attack, but focused on perimeter security 
leading up to the laboratory building points of entry. Additionally, we 
did not test perimeter security controls to determine whether they 
function as intended. Perimeter security is just one aspect of overall 
security provisions under the Select Agent Regulations, which includes 
personnel training and inventory control. Select Agent Regulations also 
require additional security measures inside the labs themselves, such 
as locks and other forms of physical control. 

We conducted our assessment from December 2007 through September 2008 
in accordance with standards prescribed by the President's Council on 
Integrity and Efficiency. 

Results in Brief: 

Regulations issued by the CDC do not mandate specific perimeter 
security controls that need to be in place at each BSL-4 lab, resulting 
in significant differences in perimeter security between the nation's 
five labs. According to the regulations, each lab must implement a 
security plan that is sufficient to safeguard select agents against 
unauthorized access, theft, loss, or release. However, there are no 
minimum specific perimeter security standards that must be in place at 
every BSL-4 lab. While three labs had all or nearly all of the key 
security controls we assessed--features such as perimeter barriers, 
roving armed guard patrols, and magnetometers in use at lab entrances-
-two labs demonstrated a significant lack of these controls. 
Specifically, one lab had all 15 security controls in place, one had 
14, and another had 13 of the key controls. However, the remaining two 
labs had only 4 and 3 key security controls, respectively. Although the 
presence of the security controls we assessed does not automatically 
ensure a secure perimeter, having most controls provides increased 
assurance that a strong perimeter security system is in place and 
reduces the likelihood of unauthorized intrusion. For example, the two 
labs with fewer security controls lacked both visible deterrents and a 
means to respond to intrusion. One lab even had a window that looked 
directly into the room where BSL-4 agents were handled. In addition to 
creating the perception of vulnerability, the lack of key security 
controls at these labs means that security officials have fewer 
opportunities to stop an intruder or attacker. DSAT approved the 
security plans by the two labs lacking most key security controls. 
However, the three labs with all or nearly all of the key security 
controls we assessed were subject to additional requirements imposed on 
them by federal agencies other than DSAT. These labs incorporated 
additional specific security controls in their security plans because 
of this oversight. For example, one lab maintained a roving armed guard 
patrol--one of our 15 key controls--because the agency owning the lab 
required it, not because of DSAT regulation. 

To further enhance physical perimeter security at BSL-4 labs regulated 
by DSAT, we are recommending that the Director, CDC, take action to 
implement specific perimeter controls for all BSL-4 labs to provide 
assurance that each lab has a strong perimeter security system in 
place. The CDC should work with USDA to coordinate its efforts, given 
that both agencies have the authority to regulate select agents. In its 
response to this report, HHS agreed that perimeter security is an 
important deterrent against theft of select agents. They indicated that 
the difference in perimeter security at the five labs was the result of 
risk-based planning; however, they did not comment on the specific 
vulnerabilities we identified and whether these should be addressed. In 
regard to requiring specific perimeter controls for all BSL-4 labs, HHS 
stated that it would perform further study and outreach to determine 
whether additional federal regulations are needed. HHS also provided us 
with technical comments, which we have incorporated as appropriate. 

Background: 

The Public Health Security and Bioterrorism Preparedness and Response 
Act of 2002 created the government's Select Agent Regulations,[Footnote 
6] dividing primary responsibility for regulatory control of select 
biological agents between HHS and USDA.[Footnote 7] While HHS is 
responsible for regulating select agents that can potentially pose a 
severe threat to public health and safety, USDA regulates select agents 
that can potentially pose a severe threat to animal and plant health or 
animal and plant products. A number of "overlap agents" can pose both a 
public health threat and a threat to animals; in these cases, labs must 
register with either agency, but are not required to register with 
both. As mentioned above, all five registered BSL-4 labs in the United 
States are registered with DSAT. 

When a lab registers with DSAT to handle a select agent, a site- 
specific risk assessment must be conducted. Regulations governing the 
assessment do not specify who must perform it, meaning that the 
assessment can be performed by officials for the lab itself. Further, 
labs registering with DSAT are required to develop and implement a 
written security plan based on the site-specific risk assessment. 
According to the regulations, the security plan must be sufficient to 
safeguard against unauthorized theft, loss, or release of select agents 
and meet all the requirements outlined in the Select Agent Regulations. 
DSAT authored and utilizes the Select Agents and Toxins Security 
Information Document to provide possible practices and procedures that 
entities may use to assist them in developing and implementing their 
written security plans. Additional requirements include a written 
biosafety or biocontainment plan that describes the safety and 
containment procedures, and an incident response plan that includes 
procedures for theft, loss, or release of an agent or toxin; inventory 
discrepancies; security breaches; natural disasters; violence; and 
other emergencies. Prior to being issued a certificate of registration, 
an entity must comply with all security requirements and all other 
provisions of the Select Agent Regulations. A registration in the CDC's 
Select Agent Program lasts for 3 years, after which it must be renewed 
if the entity chooses to retain possession of the select agents. 

In addition to the five registered and operational BSL-4 labs, there 
are more labs currently under construction or in the planning stages. 
While expansion is taking place within the federal sector as well-- 
there are many new federal facilities currently under construction or 
planned, which have one or more BSL-4 labs--there are also BSL-4 labs 
at universities, as part of state response, and in the private sector. 
These new facilities have not completed the registration process and 
were not fully operational as BSL-4 labs at the time of our assessment. 

Results of Security Assessment: 

CDC regulations do not mandate that specific perimeter security 
controls are present at all BSL-4 labs, resulting in a significant 
difference in perimeter security between the nation's five labs. 
According to the regulations, each lab must implement a security plan 
that is sufficient to safeguard select agents against unauthorized 
access, theft, loss, or release. However, there are no specific 
perimeter security controls that must be in place at every BSL-4 lab. 
While three labs had all or nearly all of the key security controls we 
assessed, two labs demonstrated a significant lack of these controls. 

The results of our perimeter physical security assessment of the five 
registered BSL-4 labs are presented in table 1. The check marks in the 
table indicate the presence of specific security features at the labs 
we assessed, illustrating the varying levels of perimeter physical 
security controls present at the labs. 

Table 1: Results of Perimeter Physical Security Assessment: 

No.: 1; 
Security controls: Outer/tiered perimeter boundary; 
Lab A: Check; 
Lab B: Check; 
Lab C: [Empty]; 
Lab D: Check; 
Lab E: Check. 

No.: 2; 
Security controls: Blast stand-off area (e.g., buffer zone) between lab 
and perimeter barriers; 
Lab A: Check; 
Lab B: Check; 
Lab C: [Empty]; 
Lab D: Check; 
Lab E: [Empty]. 

No.: 3; 
Security controls: Barriers to prevent vehicles from approaching lab; 
Lab A: Check; 
Lab B: Check; 
Lab C: [Empty]; 
Lab D: Check; 
Lab E: [Empty]. 

No.: 4; 
Security controls: Loading docks located outside the footprint of the 
main building; 
Lab A: Check; 
Lab B: Check; 
Lab C: [Empty]; 
Lab D: Check; 
Lab E: Check. 

No.: 5; 
Security controls: Exterior windows do not provide direct access to the 
lab; 
Lab A: Check; 
Lab B: Check; 
Lab C: Check; 
Lab D: Check; 
Lab E: [Empty]. 

No.: 6; 
Security controls: Command and control center; 
Lab A: Check; 
Lab B: Check; 
Lab C: [Empty]; 
Lab D: Check; 
Lab E: [Empty]. 

No.: 7; 
Security controls: Closed-circuit television (CCTV) monitored by the 
command and control center; 
Lab A: Check; 
Lab B: Check; 
Lab C: [Empty]; 
Lab D: Check; 
Lab E: [Empty]. 

No.: 8; 
Security controls: Active intrusion detection system integrated with 
CCTV; 
Lab A: [Empty]; 
Lab B: Check; 
Lab C: [Empty]; 
Lab D: Check; 
Lab E: [Empty]. 

No.: 9; 
Security controls: Camera coverage for all exterior lab building 
entrances; 
Lab A: Check; 
Lab B: Check; 
Lab C: [Empty]; 
Lab D: Check; 
Lab E: [Empty]. 

No.: 10; 
Security controls: Perimeter lighting of the complex[A]; 
Lab A: Check; 
Lab B: Check; 
Lab C: Check; 
Lab D: Check; 
Lab E: Check. 

No.: 11; 
Security controls: Visible armed guard presence at all public entrances 
to lab; 
Lab A: Check; 
Lab B: Check; 
Lab C: [Empty]; 
Lab D: [Empty]; 
Lab E: [Empty]. 

No.: 12; 
Security controls: Roving armed guard patrols of perimeter; 
Lab A: Check; 
Lab B: Check; 
Lab C: Check; 
Lab D: Check; 
Lab E: [Empty]. 

No.: 13; 
Security controls: X-ray magnetometer machines in operation at building 
entrances; 
Lab A: Check; 
Lab B: Check; 
Lab C: [Empty]; 
Lab D: Check; 
Lab E: [Empty]. 

No.: 14; 
Security controls: Vehicle screening; 
Lab A: Check; 
Lab B: Check; 
Lab C: [Empty]; 
Lab D: [Empty]; 
Lab E: [Empty]. 

No.: 15; 
Security controls: Visitor screening; 
Lab A: Check; 
Lab B: Check; 
Lab C: [Empty]; 
Lab D: Check; 
Lab E: Check. 

Source: GAO. 

[A] We did not perform our assessment at night, so for this category we 
relied on the lab security officials to provide this information. 

[End of table] 

Although the presence of the security controls we assessed does not 
automatically ensure a secure perimeter, having most controls provides 
increased assurance that a strong perimeter security system is in place 
and reduces the likelihood of unauthorized intrusion. As discussed in 
appendix I, the strongest perimeter security systems use an active, 
integrated approach to security that takes advantage of multiple 
layers. For example, an active, integrated system links perimeter 
intrusion alarms to a CCTV network, allowing security officers to 
instantly view the location of an alarm. A discussion of each security 
assessment follows. 

Lab A: The physical security controls of Lab A presented a strong 
visible deterrent from the outside, with 14 of the 15 key security 
controls in place. Lab A was located in a complex of other buildings 
that was separated from an urban environment by a perimeter security 
fence reinforced with airline cable to further strengthen the fence and 
deter unauthorized access. A roving patrol of armed guards was visible 
inside and outside the perimeter fence, while other guards manned gated 
entry inspection points. The gates incorporated technical support for 
the guards to assist them with the inspection of both private and 
commercial vehicles. Guards conducted ID checks at the gates and 
searched vehicles that did not have the appropriate access decals. 
Further, all trucks were required to enter a single gate containing an 
X-ray screening device. Past this outer perimeter, a further man-made 
barrier existed around the building containing the BSL-4 lab. Although 
Lab A had most of the security controls we focused on during our 
assessment, it did not have an active intrusion detection system 
integrated with the CCTV network covering the facility. This reduced 
the possibility that security officers could detect and quickly 
identify an intruder entering the building perimeter.[Footnote 8] 

Lab B: Lab B was the only one of the five BSL-4 labs that had all 15 
security controls. The lab was in an urban environment, but located in 
a complex of other buildings enclosed within an outer fenced perimeter. 
Roving patrols consisting of both armed security guards and local 
police walked on the exterior of the perimeter fence. The fence itself 
was reinforced with airline cable to further strengthen it along areas 
that bordered roads, serving to further protect against unauthorized 
intrusion from these public areas. There was a single gated inspection 
point to enter the complex manned by armed security guards. The 
inspection point incorporated technical support for the guards to 
assist them with the inspection of both private and commercial 
vehicles. Once inside the gate, man-made barriers and a natural (i.e., 
landscaped) barrier system stood between the gate and the lab itself. 
More armed guards conducted roving patrols inside the complex and 
guarded the entrance to the lab itself. Lab B also had a strong active 
integrated security system. According to lab officials, the system 
featured an integrated emergency management response whereby 
appropriate fire and rescue vehicles were automatically dispatched 
after an alarm. 

Lab C: Lab C utilized only 3 of the 15 key security controls we 
assessed. The lab was in an urban environment and publicly accessible, 
with only limited perimeter barriers. During our assessment, we saw a 
pedestrian access the building housing the lab through the unguarded 
loading dock entrance. In addition to lacking any perimeter barriers to 
prevent unauthorized individuals from approaching the lab, Lab C also 
lacked an active integrated security system. By not having a command 
and control center or an integrated security system with live camera 
monitoring, the possibility that security officers could detect an 
intruder entering the perimeter and respond to such an intrusion is 
greatly reduced. 

Lab D: Although Lab D did not have an armed guard presence outside the 
lab or vehicle screening,[Footnote 9] it presented strong physical 
security controls in all other respects, with 13 of the key 15 controls 
we assessed. Lab D was located within the interior of a complex of 
buildings, providing a natural system of layered perimeter barriers 
that included bollards for vehicle traffic. When combined with the 
presence of roving armed guard patrols, Lab D projected strong visible 
deterrents. It also utilized an active integrated security system so 
that if an alarm was activated, personnel within the command and 
control center could survey the alarm area though monitors and utilize 
pan/tilt/zoom cameras to further assess the alarm area. This permits 
security personnel to better coordinate and determine the appropriate 
response. 

Lab E: Lab E was one of the weakest labs we assessed, with 4 out of the 
15 key controls. It had only limited camera coverage of the outer 
perimeter of the facility and the only vehicular barrier consisted of 
an arm gate that swung across the road. Although the guard houses 
controlling access to the facility were manned, they appeared 
antiquated. The security force charged with protecting the lab was 
unarmed.[Footnote 10] Of all the BSL-4 labs we assessed, this was the 
only lab with an exterior window that could provide direct access to 
the lab. In lieu of a command and control center, Lab E contracts with 
an outside company to monitor its alarm in an off-site facility. This 
potentially impedes response time by emergency responders with an 
unnecessary layer that would not exist with a command and control 
center. Since the contracted company is not physically present at the 
facility, it is not able to ascertain the nature of alarm activation. 
Furthermore, there is no interfaced security system between alarms and 
cameras and a lack of live monitoring of cameras. 

DSAT approved the security plans for the two labs lacking most key 
security controls, and approved these labs to participate in the Select 
Agent Program as BSL-4 labs. Conversely, during our assessment, we 
noted that the three BSL-4 labs with all or nearly all of our 15 key 
controls were subject to additional federal security requirements 
outside the purview of the Select Agent Regulations. For example, the 
National Institutes of Health both funds research requiring high 
containment and provides guidance and requirements that are widely used 
to govern many of the activities in high-containment labs. Other 
examples of more stringent regulations for BSL-4 labs include those of 
military labs that also follow far stricter Department of Defense 
physical security requirements. For example, Lab B had several layers 
of security, including a perimeter security fence and roving patrol of 
armed guards, visible inside and outside the perimeter fence. Although 
these security controls are not necessary for BSL-4 labs registering 
with DSAT, Lab B utilized these security controls to comply with more 
stringent federal requirements imposed by the agency owning the 
facility and incorporated these controls into its security plan. 
Security officials at the two labs with fewer security controls (Labs C 
and E) told us that management and administration had little incentive 
to improve security because they already met DSAT requirements. Some 
security officials also suggested that budgetary restrictions limited 
attempts to make security improvements. 

Conclusions: 

Although numerous factors influence the security of a facility, two of 
the BSL-4 labs we assessed were lacking key perimeter security controls 
even though they met DSAT requirements. Our observation that the three 
labs with strong perimeter security all were subject to additional 
federal oversight outside of the DSAT program leads us to conclude that 
minimum specific perimeter security standards would provide assurance 
that all BSL-4 labs are held to the same security standard. Given that 
many new BSL-4 labs are under construction and will come online over 
the next few years, it is important for DSAT to ensure that there is no 
"weak link" in security among the nation's BSL-4 labs. 

Recommendation for Executive Action: 

To further enhance physical perimeter security at BSL-4 labs regulated 
by DSAT, we are recommending that the Director, CDC, take action to 
implement specific perimeter security controls for all BSL-4 labs to 
provide assurance that each lab has a strong perimeter security system 
in place. The CDC should work with USDA to coordinate its efforts, 
given that both agencies have the authority to regulate select agents. 

Agency Comments and Our Evaluation: 

We received written comments on a draft of this report from the 
Assistant Secretary for Legislation of HHS. HHS agreed that perimeter 
security is an important deterrent against theft of select agents. They 
indicated that the difference in perimeter security at the five labs 
was the result of risk-based planning; however, they did not comment on 
the specific vulnerabilities we identified (e.g., an unsecured loading 
dock at one building housing a BSL-4 lab) and whether these should be 
addressed. In regard to requiring specific perimeter controls at all 
BSL-4 labs, HHS stated that it would coordinate with APHIS to seek 
input from physical security experts and the scientific community; the 
regulated community; professional associations; State, local, and 
tribal officials; and the general public as to the need and 
advisability of requiring, by Federal regulation, specific perimeter 
controls at each registered entity having a BSL-4 lab. They explained 
that specific security controls are not in place because Select Agent 
Regulations are focused on performance objectives rather than specific 
methods of compliance. We are encouraged that HHS plans to study this 
matter further, and suggest that, as part of this study, HHS reconsider 
whether the lack of many specific perimeter security controls at two of 
the nation's five BSL-4 labs is acceptable. 

HHS also requested that we provide references for the research that 
identified our 15 security controls as being appropriate for the 
assessment of the perimeter security of BSL-4 labs, identify the 
security experts that we consulted, and indicate whether these 15 
security controls had been peer reviewed. We have notified HHS that we 
will work with them to understand the controls in more detail. As 
discussed in our report, we developed the 15 security controls based on 
our expertise in performing security assessments and our research of 
commonly accepted physical security principles. These principles are 
reflected in the security survey tool we used to evaluate each of the 
five BSL-4 labs. We have used this survey tool for similar security 
assessments in the past. Although we acknowledge that the 15 security 
controls we selected are not the only measures that can be in place to 
provide perimeter security, we determined that these controls 
(discussed in more detail in app. I) represent a baseline for BSL-4 lab 
perimeter physical security and contribute to a strong perimeter 
security system. Many of these controls--such preventing direct access 
to a lab via windows, or ensuring visitors are screened prior to 
entering a building containing a BSL-4 lab--are common-sense security 
measures. 

HHS also provided us with technical comments, which we incorporated as 
appropriate. HHS's comment letter is reprinted in appendix II. 

As agreed with your office, unless you announce the contents of this 
report earlier, we will not distribute it until 30 days after its issue 
date. At that time, we will send copies of this report to the Secretary 
of Health and Human Services, the Director of the CDC, and other 
interested parties. The report will also be available at no charge on 
the GAO Web site at [hyperlink, http://www.gao.gov]. 

If you or your staff have any questions concerning this report, please 
contact me at (202) 512-6722 or kutzg@gao.gov. Contact points for our 
Offices of Congressional Relations and Public Affairs may be found on 
the last page of this report. GAO staff who made major contributions to 
this report are listed in appendix III. 

Signed by: 

Gregory D. Kutz: 

Managing Director Forensic Audits and Special Investigations: 

[End of section] 

Appendix I: Perimeter Security Controls: 

To perform our perimeter security assessment of biosafety level (BSL) 4 
labs, we identified 15 key perimeter security controls, based on our 
expertise and research of commonly accepted physical security 
principles, that contribute to a strong perimeter security system. A 
strong perimeter security system utilizes layers of security to deter, 
detect, delay, and deny intruders. 

* Deter. Physical security controls that deter an intruder are intended 
to reduce the intruder's perception that an attack will be successful-
-an armed guard posted in front of a lab, for example. 

* Detect. Controls that detect an intruder could include video cameras 
and alarm systems. They could also include roving guard patrols. 

* Delay. Controls that delay an intruder increase the opportunity for a 
successful security response. These controls include barriers such as 
perimeter fences. 

* Deny. Controls that can deny an intruder include visitor screening 
that only permits authorized individuals to access the building housing 
the lab. Furthermore, a lack of windows or other obvious means of 
accessing a lab is an effective denial mechanism. 

Some security controls serve multiple purposes. For example, a 
perimeter fence is a basic security feature that can deter, delay, and 
deny intruders. However, a perimeter fence on its own will not stop a 
determined intruder. This is why, in practice, layers of security must 
be integrated in order to provide the strongest protection. Thus, a 
perimeter fence should be combined with an intrusion detection system 
that would alert security officials if the perimeter has been breached. 
A strong system would then tie the intrusion detection alarm to the 
closed-circuit television (CCTV) network, allowing security officers to 
immediately identify intruders. A central command center is a key 
element for an integrated, active system. It allows security officers 
to monitor alarm and camera activity--and plan the security response-- 
from a single location. 

Table 2 shows 15 physical security controls we focused on during our 
assessment work. 

Table 2: Perimeter Physical Security Controls: 

No.: 1; 
Perimeter physical security control: Outer/tiered perimeter boundary; 
Rationale: There should be a perimeter boundary outside the lab to 
prevent unauthorized access. Examples include a reinforced perimeter 
security fence or natural barrier system that uses landscaping 
techniques to impede access to buildings. Outer/tiered perimeter also 
includes other structures that screen visibility of the lab. 

No.: 2; 
Perimeter physical security control: Blast stand-off area (e.g., buffer 
zone) between lab and perimeter barriers; 
Rationale: To minimize effects of explosive damage if a bomb were to be 
detonated outside the lab, the perimeter line should be located as far 
as practical from the building exterior. 

No.: 3; 
Perimeter physical security control: Barriers to prevent vehicles from 
approaching lab; 
Rationale: A physical barrier consisting of natural or man-made 
controls, such as bollards, designed to keep vehicles from ramming or 
setting off explosives that could cause damage to the building housing 
the BSL-4 lab. 

No.: 4; 
Perimeter physical security control: Loading docks located outside the 
footprint of the main building; 
Rationale: Because they are areas where delivery vehicles can park, 
loading docks are vulnerable areas and should be kept outside the 
footprint of the main building. 

No.: 5; 
Perimeter physical security control: Exterior windows do not provide 
direct access to the lab; 
Rationale: Windows are typically the most vulnerable portion of any 
building; 
therefore there should be no exterior windows that provide direct 
access to the lab. 

No.: 6; 
Perimeter physical security control: Command and control center; 
Rationale: A command and control center is crucial to the 
administration and maintenance of an active, integrated physical 
security system. The control center monitors the employees, general 
public, and environment of the lab building and other parts of the 
complex and serves as the single, central contact area in the event of 
an emergency. 

No.: 7; 
Perimeter physical security control: CCTV monitored by the command and 
control center; 
Rationale: A video system that gives a signal from a camera to video 
monitoring stations at a designated location. The cameras give the 
control center the capability of monitoring activity within and outside 
the complex. 

No.: 8; 
Perimeter physical security control: Active intrusion detection system 
(IDS) integrated with CCTV; 
Rationale: An IDS is used to detect an intruder crossing the boundary 
of a protected area, including through the building's vulnerable 
perimeter barriers. Integration with CCTV is integral to the IDS's 
ability to alert security staff to potential incidents that require 
monitoring. 

No.: 9; 
Perimeter physical security control: Camera coverage for all exterior 
lab building entrances; 
Rationale: Cameras that cover the exterior building entrances provide a 
means to detect and quickly identify potential intruders. 

No.: 10; 
Perimeter physical security control: Perimeter lighting of the complex; 
Rationale: Security lighting of the site, similarly to boundary 
lighting, provides both a real and psychological deterrent, and allows 
security personnel to maintain visual-assessment capability during 
darkness. It is cost-effective in that it might reduce the need for 
security forces. 

No.: 11; 
Perimeter physical security control: Visible armed guard presence at 
all public entrances to lab; 
Rationale: All public entrances require security monitoring. This 
presence helps to prevent or impede attempts of unauthorized access to 
the complex. 

No.: 12; 
Perimeter physical security control: Roving armed guard patrols of 
perimeter; 
Rationale: The presence of roving armed guard patrols helps to prevent 
or impede attempts of unauthorized access and includes inspecting vital 
entrance areas and external barriers. 

No.: 13; 
Perimeter physical security control: X-ray magnetometer machines in 
operation at building entrances; 
Rationale: These machines provide a means of screening persons, items, 
and materials that may possess or contain weapons, contraband, or 
hazardous substances prior to authorizing entry or delivery into a 
facility. 

No.: 14; 
Perimeter physical security control: Vehicle screening; 
Rationale: Screening vehicles that enter the perimeter of the lab 
includes an ID check and vehicle inspection, to deny unauthorized 
individuals access and potentially detect a threat. 

No.: 15; 
Perimeter physical security control: Visitor screening; 
Rationale: Screening visitors to the lab reduces the possibility that 
unauthorized individuals will gain access. Visitor screening includes 
identifying, screening, or recording visitors through methods such as 
camera coverage or visitor logs so that their entry to the lab is 
recorded. 

Source: GAO. 

[End of table] 

[End of section] 

Appendix II: Comments from the Department of Health and Human Services: 

Department Of Health & Human Services: 
Office Of The Secretary: 

Assistant Secretary for Legislation: 
Washington, DC 20201: 

September 5, 2008: 

Gregory D. Kutz: 
Managing Director: 
Forensic Audits and Special Investigation: 
Government Accountability Office: 
441 G Street NW: 
Washington, DC 20548: 

Dear Mr. Kutz: 

Enclosed are the Department's comments on the U.S. Government 
Accountability Office's (GAO) draft report entitled: "Biosafety labs: 
Perimeter Security Assessments of the Nation's Five BSL-4 Laboratories" 
(GAO-08-1092). 

The Department appreciates the opportunity to review and comment on 
this report before its publication. 

Sincerely, 

Signed by: 

Vincent J. Ventimiglia, Jr.:  

Assistant Secretary for Legislation: 

Attachment: 

Comments Of The Department Of Health And Human Services (HHS) On The 
U.S. Government Accountability Office's (GAO) Draft Report Entitled, 
"Biosafety Labs: Perimeter Security Assessments Of The Nation's Five 
BSL-4 Laboratories" (GAO-08-1092):  

The Centers for Disease Control and Prevention (CDC) appreciates the 
opportunity to review and comment on the Government Accountability 
Office's (GAO) Draft Report: "Biosafety Labs: Perimeter Security 
Assessments of the Nation's Five BSL-4 Laboratories" (GAO-08-1092). 
Thank you for your review of this important issue.

General Comments: 

Perimeter Security Just One Component of Overall Select Agent 
Security:  

As noted in your January 22, 2008 letter notifying CDC of this 
investigation, GAO conducted a limited security assessment of the 
nation's Biosafety Level (BSL) 4 laboratories that focused on each 
facility's outer perimeter security features, command and control 
center, and responsible personnel. 

While CDC agrees that perimeter security is an important deterrent 
against theft of select agents[Footnote 11], the Select Agent 
Regulations (42 CFR Part 73, 7 CFR Part 331, 9 CFR Part 121) require 
that entities registered for possession, use, and transfer of select 
agents take a comprehensive approach to securing select agents. 
Biosecurity experts describe the basic components of biosecurity as 
physical security, personnel security, information security, transport 
security, and material control and accountability.[Footnote 12] The 
security provisions of the Select Agent Regulations reflect this 
comprehensive approach to securing agents. The regulations contain more 
than 20 requirements that entities must implement to protect agents 
from theft, loss, or release. The provisions include: 

* Limiting access to buildings with select agents (e.g., guard station 
at the building entrance, locks on doors, card access system, biometric 
system, or intrusion detection system); 

* Limiting access to laboratory rooms with select agents (e.g., locks 
on doors, card access system, biometric system, or intrusion detection 
system); 

* Limiting access to select agents inside the room (e.g., locks on 
laboratory equipment (incubators, refrigerators, and freezers), locked 
boxes inside laboratory equipment (incubators, refrigerators, and 
freezers), biometric system, card access system, and intrusion 
detection system); 

* Monitoring access to areas where select agents are used or stored 
(e.g., electronic logs of access, manual sign in logs, and video camera 
surveillance); 

* Maintaining accurate, current inventory records for all select agents 
held in long-term storage; and: 

* Providing information and annual training to each individual who will 
have access to select agents. 

CDC notes that GAO did not assess the security of the laboratories 
themselves or the threat of an insider attack. The GAO limited security 
assessment focused only on the perimeter security leading up to the 
laboratory building points of entry. CDC recommends that the final 
report include additional clarification of how perimeter security fits 
into overall select agent security. 

Overall Security Measures are Based on Specific Conditions at Each 
Laboratory: 

The GAO draft report is correct that there are significant differences 
in perimeter security among the five entities that maintain BSL-4 
laboratories. However, this is because there are significant 
differences in the risk present at each of the five registered 
entities, which vary not only by physical plant and location, but by 
the agents possessed and how those agents are used and stored. 

The report is also correct that the Select Agent Regulations are not 
prescriptive, "one size fits all" requirements but are performance 
standards. Presidential Executive Order 12866, as amended, requires 
that "each agency shall identify and assess alternative forms of 
regulation and shall, to the extent feasible, specify performance 
objectives, rather than specifying the behavior or manner of compliance 
that regulated entities must adopt." E.O. 12866, as amended, section 
1(b)(8). 

Wide Range of Expertise Used to Develop Select Agent Security Guidance: 

The Select Agent Regulations are implemented jointly by the Department 
of Health and Human Services (HHS)/CDC and the U.S. Department of 
Agriculture (USDA)/Animal and Plant Health Inspection Service (APHIS). 
As noted earlier, the Select Agent Regulations require a comprehensive 
approach to select agent security, focusing on security measures beyond 
just perimeter security. This holistic approach to select agent 
security has been developed by CDC and APHIS through a comprehensive 
and deliberative process, involving critical stakeholders and experts 
in the law enforcement, security, and laboratory communities. 

In March 2006, CDC, in coordination with APHIS, hosted a meeting of 
physical security experts as a first step in the development of 
guidance that would assist entities in complying with the physical 
security requirements of the Select Agent Regulations. The meeting 
included representatives from the regulated entities, associations that 
represent laboratories, the Department of Justice, the Federal Bureau 
of Investigation, Department of Homeland Security, HHS/Office of 
Emergency Operations and Security Programs, CDC, the National 
Institutes of Health, the Department of Defense, and the USDA. As a 
result of the input from this meeting, CDC and APHIS released a 
Security Information Document and Security Plan Template to assist 
registered entities in complying with the physical security 
requirements of the Select Agent Regulations. These guidance documents 
are available at: [hyperlink, 
http://www.selectagents.gov/complianceAssistance.htm]. 

Criteria Used to Select the 15 Security Controls Assessed by GAO: 

In this investigation, GAO used 15 security controls to assess the 
perimeter security of the five BSL-4 laboratories; however, CDC is not 
aware of research identifying these specific 15 security controls as 
appropriate for the assessment. GAO states that these security controls 
were selected for assessment based on "GAO expertise and research of 
commonly accepted physical security principles." So that the report's 
findings can be considered in the appropriate context, CDC encourages 
GAO, in the final report, to provide references for the research that 
identified these 15 security controls as being appropriate for the 
assessment of the perimeter security of BSL-4 laboratories, identify 
the security experts that had been consulted in developing the list of 
security controls to use for the assessment, and to indicate whether 
the use of this set of security controls for perimeter security 
assessments has ever been peer- reviewed. 

Agency Response to GAO's Recommendation: 

In the draft report, GAO recommends that, "the Director, CDC, take 
action to implement specific perimeter security controls for all BSL-4 
labs to provide assurance that each lab has a strong perimeter security 
system in place. CDC should work with USDA to coordinate its efforts, 
given that both agencies have the authority to regulate select agents." 
(CDC notes that the recommendation language differed slightly in the 
opening letter and in the text of the report; the quotation above is 
from the text of the report.) CDC appreciates GAO's commitment to 
improving security at laboratories across the nation and agrees that 
perimeter security is an important component of overall select agent 
security. 

Based on the findings and recommendation in the draft report, CDC will, 
in coordination with APHIS, seek input from physical security and 
scientific community, the regulated community, professional 
associations, State, local, and tribal officials, and the general 
public as to the need and advisability of requiring by Federal 
regulation specific perimeter control(s) at each registered entity 
having a BSL-4 laboratory. Using the GAO's list of four goals of a 
strong perimeter security system and 15 perimeter physical security 
elements as a starting point, we will seek input as to the: 

* Specific perimeter controls that would be appropriate for a facility 
which includes a BSL-4 laboratory; 

* Estimated initial and long-term cost for select agent registered 
entities to implement those controls; and 

* Impact, if any, upon the availability of select agents for research, 
education, and other legitimate purposes. 

This will allow CDC and APHIS to synthesize and benefit from the advice 
and expertise of security experts and the regulated community in 
considering which physical security enhancements are most appropriate 
for improvement of overall select agent security. The CDC also will 
seek advice on this matter from other Federal Departments and Agencies. 
The CDC is committed to enhancing security at our nation's BSL-4 
laboratories based on risk and sound science, while balancing security 
enhancements against any impact on the important research being 
conducted by these laboratories. 

Our technical comments on the draft report are provided in the 
attachment. We appreciate your consideration of the comments contained 
in this memo and the technical comments as you develop the final 
report. We are happy to discuss any of these comments with you. 

[End of section] 

Appendix III: GAO Contact and Staff Acknowledgments: 

GAO Contact: 

Gregory D. Kutz (202) 512-6722 or kutzg@gao.gov: 

Acknowledgments: 

In addition to the contact named above, the following individuals made 
contributions to this report: Andy O'Connell, Assistant Director; 
Verginie Amirkhanian; Randall Cole; John Cooney; Elizabeth Isom; 
Barbara Lewis; Jeffrey McDermott; and Andrew McIntosh. 

[End of section] 

Footnotes: 

[1] GAO, High-Containment Biosafety Laboratories: Preliminary 
Observations on the Oversight of the Proliferation of BSL-3 and BSL-4 
Laboratories in the United States, GAO-08-108T (Washington, D.C.: Oct. 
4, 2007). 

[2] Alternatively, if any one of these agents is considered an "overlap 
agent" that also poses a threat to animal health, it may be registered 
with USDA's Animal and Plant Health Inspection Service (APHIS), but not 
both the CDC and APHIS. If the agents pose a risk to only animal and 
plant health or animal and plant products, they must be registered with 
APHIS. 

[3] A site-specific risk assessment must provide protection based on 
the risk and intended use of the select agent. It includes four 
assessments: an agent-specific risk assessment, threat assessment, 
vulnerability assessment, and graded protection determination. 

[4] Department of Health and Human Services, Office of Inspector 
General, Summary Report on State, Local, Private, and Commercial 
Laboratories' Compliance With Select Agent Regulations, A-04-06-01033 
(Washington, D.C.: Jan. 9, 2008). 

[5] HHS IG regularly conducts reviews of BSL labs. These reviews could 
possibly include BSL-4 labs; however, the summary reports do not 
disclose the identity of the labs that were included in the IG's 
reviews. 

[6] 42 C.F.R part 73, 7 C.F.R part 331, 9 C.F.R part 121. 

[7] Pub. L. No. 107-188 (June 12, 2002). 

[8] Officials from Lab A have subsequently informed us that they 
installed an active intrusion alarm system and integrated it with their 
CCTV network. However, we did not verify this information. 

[9] At the time of our assessment, Lab D had a vehicle inspection 
station under construction that would be capable of screening and 
inspecting vehicles that arrive in the area of the BSL-4 lab building 
using both guards and technical equipment. 

[10] Although the security force was unarmed, there was one armed 
security supervisor patrolling the facility. 

[11] "Select agents" are biological agents (viruses, bacteria, fungi, 
prions, etc.) and toxins that have the potential to pose a severe 
threat to public health and safety, to animal or plant health or to 
animal and plant products. The agents and toxins are defined by lists 
that appear in sections §73.3 and §73.4 of the HHS/CDC Select Agent 
Regulations (42 CFR Part 73) and section §121.3, §121.4, and §331.3 of 
the USDA/APHIS Select Agent Regulations (7 CFR Part 331 and 9 CFR Part 
121). 

[12] Sandia National Laboratories. Laboratory Biosecurity Handbook. 
Albuquerque, NM: Sandia National Laboratories; 2007. Available at: 
[hyperlink, http://www.biosecurity.sandia.gov/home.html]. 

GAO's Mission: 

The Government Accountability Office, the audit, evaluation and 
investigative arm of Congress, exists to support Congress in meeting 
its constitutional responsibilities and to help improve the performance 
and accountability of the federal government for the American people. 
GAO examines the use of public funds; evaluates federal programs and 
policies; and provides analyses, recommendations, and other assistance 
to help Congress make informed oversight, policy, and funding 
decisions. GAO's commitment to good government is reflected in its core 
values of accountability, integrity, and reliability.  

Obtaining Copies of GAO Reports and Testimony: 

The fastest and easiest way to obtain copies of GAO documents at no 
cost is through GAO's Web site [hyperlink, http://www.gao.gov]. Each 
weekday, GAO posts newly released reports, testimony, and 
correspondence on its Web site. To have GAO e-mail you a list of newly 
posted products every afternoon, go to [hyperlink, http://www.gao.gov] 
and select "E-mail Updates."  

Order by Mail or Phone: 

The first copy of each printed report is free. Additional copies are $2 
each. A check or money order should be made out to the Superintendent 
of Documents. GAO also accepts VISA and Mastercard. Orders for 100 or 
more copies mailed to a single address are discounted 25 percent. 
Orders should be sent to:  

U.S. Government Accountability Office: 
441 G Street NW, Room LM: 
Washington, D.C. 20548:  

To order by Phone: 
Voice: (202) 512-6000: 
TDD: (202) 512-2537: 
Fax: (202) 512-6061:  

To Report Fraud, Waste, and Abuse in Federal Programs:  

Contact:  

Web site: [hyperlink, http://www.gao.gov/fraudnet/fraudnet.htm]: 
E-mail: fraudnet@gao.gov: 
Automated answering system: (800) 424-5454 or (202) 512-7470:  

Congressional Relations:  

Ralph Dawn, Managing Director, dawnr@gao.gov: 
(202) 512-4400: 
U.S. Government Accountability Office: 
441 G Street NW, Room 7125: 
Washington, D.C. 20548:  

Public Affairs: 

Chuck Young, Managing Director, youngc1@gao.gov: 
(202) 512-4800: 
U.S. Government Accountability Office: 
441 G Street NW, Room 7149: 
Washington, D.C. 20548: