This is the accessible text file for GAO report number GAO-09-851 entitled 'Biosafety Laboratories: BSL-4 Laboratories Improved Perimeter Security Despite Limited Action by CDC' which was released on August 6, 2009. This text file was formatted by the U.S. Government Accountability Office (GAO) to be accessible to users with visual impairments, as part of a longer term project to improve GAO products' accessibility. Every attempt has been made to maintain the structural and data integrity of the original printed product. Accessibility features, such as text descriptions of tables, consecutively numbered footnotes placed at the end of the file, and the text of agency comment letters, are provided but may not exactly duplicate the presentation or format of the printed version. The portable document format (PDF) file is an exact electronic replica of the printed version. We welcome your feedback. Please E-mail your comments regarding the contents or accessibility features of this document to Webmaster@gao.gov. This is a work of the U.S. government and is not subject to copyright protection in the United States. It may be reproduced and distributed in its entirety without further permission from GAO. Because this work may contain copyrighted images or other material, permission from the copyright holder may be necessary if you wish to reproduce this material separately. Report to Congressional Requesters: United States Government Accountability Office: GAO: July 2009: Biosafety Laboratories: BSL-4 Laboratories Improved Perimeter Security Despite Limited Action by CDC: GAO-09-851: GAO Highlights: Highlights of GAO-09-851, a report to congressional requesters. Why GAO Did This Study: Biosafety laboratories are primarily regulated by either the Department of Health and Human Services (HHS) or the U.S. Department of Agriculture (USDA), depending on whether the substances they handle pose a threat to the health of humans or plants, animals, and related products, respectively. Currently, all operational biosafety level 4 (BSL-4) labs are overseen by HHS’s Centers for Disease Control and Prevention (CDC). BSL-4 labs handle the world’s most dangerous agents and toxins that cause incurable and deadly diseases. In September 2008, GAO reported that two of the five operational BSL-4 labs had less than a third of the key perimeter security controls GAO assessed and recommended that CDC implement specific perimeter controls for all BSL- 4 labs. GAO was asked to (1) provide an update on what action, if any, CDC took to address the 2008 recommendation; (2) determine whether perimeter security controls at the two deficient BSL-4 labs had improved since the 2008 report; and (3) provide other observations about the BSL-4 labs it assessed. To meet these objectives, GAO reviewed CDC’s statement to Congress as well as other agency and HHS documentation on actions taken or to be taken with respect to the 2008 recommendation, reviewed new security plans for the two deficient BSL-4 labs, and performed another physical security assessment of these two labs. GAO is not making any recommendations. What GAO Found: Significant perimeter security differences continue to exist among the nation’s five BSL-4 laboratories operational at the time of GAO’s assessment. In 2008, GAO reported that three of the five labs had all or nearly all of the 15 key controls GAO evaluated. Two labs, however, demonstrated a significant lack of these controls, such as camera coverage for all exterior lab entrances and vehicle screening. As a result, GAO recommended that CDC work with USDA to require specific perimeter security controls at high-containment facilities. However, to date, CDC has taken limited action on the GAO recommendation. The two labs GAO found to be deficient made progress on their own despite CDC’s limited action. One made a significant number of improvements, thus reducing the likelihood of intrusion. The second made a few changes and formed a committee to consider and prioritize other improvements. The following table shows progress on 9 of the 15 controls GAO initially assessed. Table: Progress on Perimeter Security Controls at Two BSL-4 Labs as of March 2009: Security control: Visitor screening; Lab C: [Check]; Lab E: Previously in place. Security control: Command and control center; Lab C: [Check]; Lab E: Not in place. Security control: Camera coverage for all exterior entrances; Lab C: [Check]; Lab E: Not in place. Security control: Closed-circuit television (CCTV) monitored by command and control center; Lab C: In progress; Lab E: Not in place. Security control: Active intrusion detection system integrated with CCTV; Lab C: In progress; Lab E: Not in place. Security control: Visible armed guard presence at all public entrances; Lab C: Partially addressed; Lab E: Not in place. Security control: Loading docks located outside the footprint of the main building; Lab C: Partially addressed; Lab E: Previously in place. Security control: Barriers to prevent vehicles from approaching lab; Lab C: Not in place; Lab E: [Check]. Security control: Blast stand-off area (e.g. buffer zone) between lab and perimeter barriers; Lab C: Not in place; Lab E: [Check]. Note: [Check] signifies control in place after GAO’s 2008 report was issued. Source: GAO. [End of table] Two additional observations about BSL-4 labs concern the significant perimeter security differences among the five labs GAO originally assessed for its 2008 report. First, labs with stronger perimeter controls had additional security requirements mandated by other federal agencies. For example, one lab is a military facility subject to far stricter Department of Defense physical security requirements. Second, CDC inspection officials stated their training and experience has been focused on safety. CDC officials said they are developing a comprehensive strategy for safety and security of labs and will adjust the training and inspection process to match this strategy. In commenting on findings from this report, CDC and the two labs provided additional information on steps taken in response to GAO’s prior recommendation and findings. View [hyperlink, http://www.gao.gov/products/GAO-09-851] or key components. For more information, contact Gregory D. Kutz at (202) 512- 6722 or kutzg@gao.gov. [End of section] Contents: Letter: Security Assessment from Prior Report: CDC Has Taken Limited Action to Require Specific Perimeter Security Controls: Two Labs Take Action to Improve Perimeter Security Controls: Additional Observations on Federal Oversight of BSL-4 Labs: Agency and Third-Party Comments and Our Evaluation: Appendix I: Perimeter Security Controls: Appendix II: GAO Contact and Staff Acknowledgments: Tables: Table 1: Results of Perimeter Physical Security Assessment: Table 2: Progress on Perimeter Security Controls at Labs C and E as of March 2009: Table 3: Perimeter Physical Security Controls: Abbreviations: BSL-4: Biosafety level 4: CCTV: Closed-Circuit Television: CDC: Centers for Disease Control and Prevention: DOD: Department of Defense: HHS: Department of Health and Human Services: IDS: Intrusion Detection System: USDA: U.S. Department of Agriculture: WG: Working Group: WMD: Weapon of Mass Destruction: [End of section] United States Government Accountability Office: Washington, DC 20548: July 7, 2009: The Honorable Susan M. Collins: Ranking Member: Committee on Homeland Security and Governmental Affairs: United States Senate: The Honorable Tom Coburn, M.D. Ranking Member: Permanent Subcommittee on Investigations: Committee on Homeland Security and Governmental Affairs: United States Senate: This report responds to continuing congressional interest in perimeter security at the nation's biosafety[Footnote 1] level 4 (BSL-4) laboratories, which handle substances that cause incurable and deadly diseases. According to the Commission on the Prevention of Weapons of Mass Destruction Proliferation and Terrorism, a major hurdle for terrorists seeking biological weapons has been the difficulty in acquiring disease-causing microbes and toxins that can be used to harm humans, livestock, or crops.[Footnote 2] According to the commission, dangerous pathogens can be isolated from natural sources, but it would generally be easier for terrorists to steal or divert well- characterized "hot" strains from a research lab or culture collection. In December 2008, the commission wrote that it believed unless the world community acts decisively and with great urgency, it is more likely than not that a weapon of mass destruction will be used in a terrorist attack somewhere in the world by the end of 2013. The commission also stated it believed that terrorists are more likely to be able to obtain and use a biological weapon than a nuclear weapon. Labs that work with infectious microorganisms or hazardous biological materials are classified into four ascending levels of containment, based on origin, risk of infection, severity of disease, and other factors.[Footnote 3] BSL-4 labs handle the world's most dangerous substances --those that are exotic in origin and easily transmit life- threatening diseases for which no treatment exists, such as the Ebola and smallpox viruses. Federal law gives regulatory control for pathogens and toxins to either the Department of Health and Human Services (HHS) or the U.S. Department of Agriculture (USDA), depending on whether these substances pose a threat to humans or to plants, animals, and products made from them, respectively.[Footnote 4] The law requires HHS and USDA to review and publish a list of these substances, called select agents and toxins. All labs handling select agents must be registered with either HHS or USDA. The nation's operational BSL-4 labs are currently all overseen by HHS's Centers for Disease Control and Prevention (CDC), since they work with substances deemed a threat to humans. Regulations for select agents[Footnote 5] require labs to conduct a site-specific risk assessment and develop a plan to guard against unauthorized access, theft, loss, or release,[Footnote 6] but they do not mandate specific perimeter security controls be put in place. This report summarizes our findings and recommendation from our report [Footnote 7] last year on key perimeter security controls at five of the nation's operational[Footnote 8] BSL-4 labs.[Footnote 9] In addition, we were asked to provide an update on what efforts, if any, CDC has taken to address our recommendation from that report. Further, this report describes the improvements, if any, that have been made to the perimeter security controls at the two labs found to be deficient. Finally, this report provides other observations about the BSL-4 labs we assessed. This report is partly based on our previously issued report, which was conducted in accordance with standards prescribed by the President's Council on Integrity and Efficiency. In obtaining an update on whether CDC addressed our recommendation, we obtained and reviewed CDC's statement to congressional committees on actions taken or to be taken by the agency. We also asked that CDC officials apprise us on any other efforts they made to address our recommendation. To determine what improvements the deficient BSL-4 labs made, we asked lab officials to provide us with a list of perimeter security enhancements implemented since our report was issued. After we received the information, we conducted site inspections to verify the improvements and received briefings by lab officials on other planned enhancements. We also evaluated whether the planned and executed improvements fulfilled any of the 15 physical security controls we assessed in our prior report. Although BSL-4 labs may have different levels of inherent risk, we determined that these 15 controls (discussed in more detail in app. I) represent a baseline for strong perimeter security. We did not test whether the controls the labs did have in place were operating effectively. We conducted our assessment from January 2009 through March 2009 in accordance with standards prescribed by the Council of the Inspectors General on Integrity and Efficiency. We provided officials from CDC and the two deficient BSL-4 labs with the pertinent sections of a draft of this report. We received written comments from these officials and have incorporated their comments throughout the report, as appropriate. Security Assessment from Prior Report: Select agent regulations do not mandate that specific perimeter security controls be present at BSL-4 labs, resulting in a significant difference in perimeter security between the nation's five labs. According to the regulations, each lab must implement a security plan that is sufficient to safeguard select agents against unauthorized access, theft, loss, or release. However, there are no specific perimeter security controls that must be in place at every BSL-4 lab. While three labs had all or nearly all of the key security controls we assessed, our September 2008 report demonstrated that two labs had a significant lack of these controls (see table 1 below). Table 1: Results of Perimeter Physical Security Assessment: No. 1; Security controls: Outer/tiered perimeter boundary; Lab A: [Check]; Lab B: [Check]; Lab C: [Empty]; Lab D: [Check]; Lab E: [Check]. No. 2; Security controls: Blast stand-off area (e.g., buffer zone) between lab and perimeter barriers; Lab A: [Check]; Lab B: [Check]; Lab C: [Empty]; Lab D: [Check]; Lab E: [Empty]. No. 3; Security controls: Barriers to prevent vehicles from approaching lab; Lab A: [Check]; Lab B: [Check]; Lab C: [Empty]; Lab D: [Check]; Lab E: [Empty]. No. 4; Security controls: Loading docks located outside the footprint of the main building; Lab A: [Check]; Lab B: [Check]; Lab C: [Empty]; Lab D: [Check]; Lab E: [Check]. No. 5; Security controls: Exterior windows do not provide direct access to the lab; Lab A: [Check]; Lab B: [Check]; Lab C: [Check]; Lab D: [Check]; Lab E: [Empty]. No. 6; Security controls: Command and control center; Lab A: [Check]; Lab B: [Check]; Lab C: [Empty]; Lab D: [Check]; Lab E: [Empty]. No. 7; Security controls: Closed-circuit television (CCTV) monitored by the command and control center; Lab A: [Check]; Lab B: [Check]; Lab C: [Empty]; Lab D: [Check]; Lab E: [Empty]. No. 8; Security controls: Active intrusion detection system integrated with CCTV; Lab A: [Empty]; Lab B: [Check]; Lab C: [Empty]; Lab D: [Check]; Lab E: [Empty]. No. 9; Security controls: Camera coverage for all exterior lab building entrances; Lab A: [Check]; Lab B: [Check]; Lab C: [Empty]; Lab D: [Check]; Lab E: [Empty]. No. 10; Security controls: Perimeter lighting of the complex[A]; Lab A: [Check]; Lab B: [Check]; Lab C: [Check]; Lab D: [Check]; Lab E: [Check]. No. 11; Security controls: Visible armed guard presence at all public entrances to lab; Lab A: [Check]; Lab B: [Check]; Lab C: [Empty]; Lab D: [Empty]; Lab E: [Empty]. No. 12; Security controls: Roving armed guard patrols of perimeter; Lab A: [Check]; Lab B: [Check]; Lab C: [Check]; Lab D: [Check]; Lab E: [Empty]. No. 13; Security controls: X-ray magnetometer machines in operation at building entrances; Lab A: [Check]; Lab B: [Check]; Lab C: [Empty]; Lab D: [Check]; Lab E: [Empty]. No. 14; Security controls: Vehicle screening; Lab A: [Check]; Lab B: [Check]; Lab C: [Empty]; Lab D: [Empty]; Lab E: [Empty]. No. 15; Security controls: Visitor screening; Lab A: [Check]; Lab B: [Check]; Lab C: [Empty]; Lab D: [Check]; Lab E: [Check]. Source: GAO. [A] We did not perform our assessment at night, so for this category we relied on the lab security officials to provide this information. [End of table] Lab C: Lab C had in place only 3 of the 15 key security controls we assessed. The lab was in an urban environment and publicly accessible, with only limited perimeter barriers. During our assessment, we saw a pedestrian access the building housing the lab through the unguarded loading dock entrance. In addition to lacking any perimeter barriers to prevent unauthorized individuals from approaching the lab, Lab C also lacked an active integrated security system. By not having a command and control center or an integrated security system with real-time camera monitoring, the possibility that security officers could detect an intruder entering the perimeter and respond to such an intrusion is greatly reduced. Lab E: Lab E was one of the weakest labs we assessed, with 4 out of the 15 key controls in place. It had only limited camera coverage of the outer perimeter of the facility and the only vehicular barrier consisted of an arm gate that swung across the road. Although the guard houses controlling access to the facility were manned, they appeared antiquated and thus did not portray a strong, professional security infrastructure. The security force charged with protecting the lab was unarmed.[Footnote 10] Of all the BSL-4 labs we assessed, this was the only lab with an exterior window that could provide direct access to the lab. In lieu of a command and control center, Lab E contracts with an outside company to monitor its alarm in an off-site facility. This potentially impedes response time by emergency responders with an unnecessary layer that would not exist with a command and control center. Since the contracted company is not physically present at the facility, it is not able to ascertain the nature of alarm activation. Furthermore, there is no interfaced security system between alarms and cameras and a lack of real-time monitoring of cameras. Although the presence of the controls we assessed does not automatically ensure a secure perimeter, having most of these controls in place and operating effectively reduces the likelihood of intrusion. As such, we recommended that the Director of the CDC take action to implement specific perimeter controls for all BSL-4 labs to provide assurance that each lab has a strong perimeter security system in place. As part of this recommendation, we stated that the CDC should work with USDA to coordinate its efforts, given that both agencies have the authority to regulate select agents. In its response to the report, HHS agreed that perimeter security is an important deterrent against theft of select agents. HHS indicated that the difference in perimeter security at the five labs was the result of risk-based planning; however, they did not comment on the specific vulnerabilities we identified and whether these should be addressed. In regard to requiring specific perimeter controls for all BSL-4 labs, HHS stated that it would perform further study and outreach to determine whether additional federal regulations are needed. CDC Has Taken Limited Action to Require Specific Perimeter Security Controls: Significant perimeter security differences continue to exist among the nation's five BSL-4 labs operational at the time of our most recent assessment. As of May 2009, CDC has taken limited steps to address our recommendation that it should take action to implement specific perimeter security controls for all BSL-4 labs. Since the release of our report in September 2008, CDC stated that the following actions have been taken: * In late 2007, CDC, along with other federal agencies, established a U.S. Government Trans-Federal Task Force on Optimizing Biosafety and Biocontainment Oversight. The task force was formed to assess the current framework for local and federal oversight of high-containment laboratory research activities and facilities, including the identification and assessment of pertinent laws, regulations, policies, guidelines, and examination of the current state of biosafety oversight systems. The task force held a public consultation meeting in December 2008. According to CDC, the task force will communicate specific recommendations about the nation's lab safety and security issues to the Secretaries of both HHS and USDA. * CDC and USDA hosted a workshop series in Greenbelt, Maryland, in December 2008 for all of its registered entities and partners. CDC stated that it included several safety and security topics, including discussion of physical security and operational security. * In January 2009, in response to Executive Order 13486, a federal working group (WG) was convened to review current laws, regulations, and guidelines in place to prevent theft, misuse, or diversion to unlawful activity of select agents and toxins. The WG is chaired by HHS and the Department of Defense (DOD) and includes representatives from several federal agencies and includes a subgroup that is focused on physical and facility security of biolabs. The WG is expected to issue its final report to the President by July 2009. Although CDC has taken some modest steps for studying how to improve perimeter security controls for all BSL-4 labs, CDC has not established a detailed plan to implement our recommendation. In addition, we requested documentation (e.g., minutes, interim reports) from the WG to substantiate whether progress was made in addressing our concerns. However, the WG responded to our request stating that they do not expect to make any interim reports, and they refused to provide us the minutes of their meetings. Without a detailed plan from CDC on what corrective actions are planned or information on any progress from the WG, it is impossible to monitor CDC's progress in implementing our recommendation to improve perimeter security controls for all BSL-4 labs. The ability to monitor progress openly and in a transparent manner is especially important because a sixth BSL-4 lab recently became operational, as mentioned above, and CDC expects more BSL-4 labs to be operational in the future. Two Labs Take Action to Improve Perimeter Security Controls: Although CDC has taken limited action to address our original findings, the two deficient BSL-4 labs have made progress on their own. One BSL- 4 lab made a significant number of improvements to increase perimeter security, thus reducing the likelihood of intrusion. The second one made three changes and formed a committee to consider and prioritize other changes. Lab C: We confirmed the following improvements at Lab C: * Visitors are screened by security guards and issued visitor badges. * A command and control center was established. * Camera coverage includes all exterior lab entrances. * CCTV is monitored by the command and control center. The cameras currently cover the exterior of the building. Guards can control the cameras by panning, zooming, or tilting. * One visible guard is present at the main entrance to the lab, but the guard is not armed. A guard mans the entrance 24 hours a day, 7 days a week. Although the guard is unarmed, this improvement does partially address the requirement for guard presence at lab public entrances. Lab officials described installing armed guards as cost prohibitive. * While the loading dock is still located inside the footprint of the main building, Lab C improved its loading dock security by building a loading dock vehicle gate. Moreover, a pedestrian gate with a sign forbidding entry was built to prevent pedestrians from entering the building through the loading dock; pedestrians were previously allowed to enter the building through the loading dock as a way of taking a short-cut into the building. These new gates prevent individuals from walking into the building, or vehicles driving up to the building, unchallenged. Lab officials said additional enhancements would be completed by fall 2009. These include an active intrusion detection system that is integrated with CCTV and the addition of 14 new interior cameras with pan, tilt, and zoom capabilities. The new cameras will enhance the interior perimeter security of the lab. The command and control center also will have access to and control of these new cameras. After these improvements are finished, the lab will have 8 of the 15 controls we tested in place plus 2 others that were partially addressed. Lab E: We verified three improvements were made at Lab E: heavy concrete planters were added as a vehicle barricade along the roadside adjacent to the building; the window was frosted to block sight lines into the lab from nearby rooftops; and a vehicle barricade is being constructed to block unauthorized access to the parking lot adjacent to the lab, thereby increasing the blast stand-off area. The lab also formed a committee to consider additional perimeter security measures such as widening buffer zones and increasing lighting at the perimeter fence. In all, the lab now has 6 of the 15 controls we assessed in place. Although lab officials made three improvements and are considering others, the lab's head of research operations at the facility objected to the findings of our 2008 report and has challenged the 15 controls we deemed critical to strong perimeter security. He said that the officials from the lab were not afforded an opportunity to respond to the report and correct "inaccuracies." Specifically, he made the following comments on our previous findings: * He questioned the basis for our selection of the specific 15 controls we identified as critical to perimeter security, and noted that CDC also expressed similar concerns in its comments on our 2008 report. * The lab windows do not provide direct access to the lab. He maintained that a number of features prohibited entry by these windows: the lowermost edge of the windows is more than 7 feet 8 inches above ground level; the windows are certified bulletproof glass and are equipped with inside bars; and breaching the integrity of the outer bulletproof glass triggers alarms for the local guard force. Furthermore, he said that having such a window was deemed programmatically important when the laboratory was designed in order to provide light-dark orientation for laboratory workers. Finally, he represented that a group of nationally recognized security experts has opined that the windows are not a security threat, but did not provide evidence of these experts' assessment. * Armed guards are present on the campus. He stated that a table in our 2008 report indicates that armed guards are not present on the campus, although a footnote on a subsequent page acknowledges that an armed security supervisor patrols the facility. * A vehicle barrier does surround the perimeter of that portion of the laboratory building housing select agents, including the BSL-4 laboratory. He said it was recommended and approved by the Federal Bureau of Investigation during consultations on the safety of the building and installed in 1999 prior to initiation of research in this facility. We continue to believe that our assessment of perimeter controls at Lab E is accurate. Specifically, we disagree with Lab E's position as follows: * As stated in the report, we developed the 15 security controls based on our expertise in performing security assessments and our research of commonly accepted physical security principles. Although we acknowledge that the 15 security controls we selected are not the only measures that can be in place to provide effective perimeter security, we determined that these controls (discussed in more detail in app. I) represent a baseline for BSL-4 lab perimeter physical security and contribute to a strong perimeter security system. Having a baseline provides fair representation as to what key perimeter security controls do or do not exist at these facilities. The controls represent commonly accepted physical security principles. A lack of such controls represents a potential security vulnerability. For example, as mentioned above, at the time of our original assessment Lab E had only limited camera coverage of the outer perimeter of the facility. Camera coverage of a building's exterior provides a means to detect and quickly identify potential intruders. * As mentioned above, Lab E was the only lab with an exterior window that could provide direct access to the lab. This window allowed for direct "visual" access into the lab area from an adjacent rooftop. Lab E in essence acknowledged this when it informed us in a letter that it "Frosted the BSL-4 laboratory windows to block sight lines from adjacent rooftops." While we credit Lab E for obscuring visual access to the lab by frosting this window, the window continues to pose a security vulnerability because it is not blast proof. * Armed guards are not present on the campus. As mentioned above, Lab E's head of research operations pointed out that our 2008 report acknowledged that an armed security supervisor patrols the facility. However, employing one armed security supervisor does not support the plural definition of "guards." The supervisor also is not generally at the entrances to the facility. He normally responds to incidents and would not generally be in a position to confront an intruder at the point of attack. Furthermore, placing armed guards at entrances also functions as a deterrent. * The vehicle barrier did not surround the full perimeter of the BSL-4 lab building as it adjoined another lab building at the time of our original assessment. The facility has since placed additional barriers as noted in this report to give full coverage, thus validating our original assessment. Furthermore, part of the barrier in the area between a small parking lot and the BSL-4 lab building did not provide an adequate blast stand-off area. The lab, as noted in this report, has since erected barriers to this parking lot to allow only deliveries into the area. The following table summarizes the progress the two labs have made on 9 of the 15 controls we initially assessed: Table 2: Progress on Perimeter Security Controls at Labs C and E as of March 2009: Security control: Visitor screening; Lab C: [Check]; Lab E: Previously in place. Security control: Command and control center; Lab C: [Check]; Lab E: Not in place. Security control: Camera coverage for all exterior entrances; Lab C: [Check]; Lab E: Not in place. Security control: CCTV monitored by command and control center; Lab C: In progress; Lab E: Not in place. Security control: Active intrusion detection system integrated with CCTV; Lab C: In progress; Lab E: Not in place. Security control: Visible armed guard presence at all public entrances; Lab C: Partially addressed; Lab E: Not in place. Security control: Loading docks located outside the footprint of the main building; Lab C: Partially addressed; Lab E: Previously in place. Security control: Barriers to prevent vehicles from approaching lab; Lab C: Not in place; Lab E: [Check]. Security control: Blast stand-off area (e.g., buffer zone) between lab and perimeter barriers; Lab C: Not in place; Lab E: [Check]. Source: GAO. Note: [Check] signifies control in place after our 2008 report was issued. [End of table] Additional Observations on Federal Oversight of BSL-4 Labs: During the course of our work, we made two additional observations that concern perimeter security differences among the nation's five BSL-4 labs that were operational at the time of our assessment: * All five BSL-4 labs operating in 2008 had a security plan in place when we assessed them. Yet significant perimeter security differences exist among these high-containment labs. A reason for the discrepancies can be found in the additional federal security requirements the three labs with strong perimeter security controls in place had to follow beyond the select agent regulations. For example, Lab B is a military facility subject to far stricter DOD physical security requirements. It had a perimeter security fence and roving patrol guards visible inside and outside this fence. Labs A and D also must meet additional mandates from the federal agencies that oversee them. A lack of minimum perimeter security requirements contributes to sharp differences among BSL-4 labs as well. * CDC inspection officials stated their training and experience had been mainly in the area of safety. They also noted that their philosophy is a layered approach to security and safety. According to CDC officials, they are developing a comprehensive strategy for safety and security of biosafety labs and will adjust the training and inspection process accordingly to match this comprehensive strategy. Agency and Third-Party Comments and Our Evaluation: We briefed CDC on the results of our work, and received comments from CDC by e-mail. In its response, CDC stated that it agrees that perimeter security is an important deterrent against theft of select agents and should be considered as one component of overall security at select laboratories. CDC stated that a comprehensive approach to securing select agents should be taken, and should include basic components such as physical security, personnel security, information security, transport security, and material control and accountability. CDC stated that its Select Agent Regulations reflect this comprehensive approach to securing agents and provide performance standards that entities must implement to protect agents from theft, loss, or release. CDC also stated that multiple groups are assessing the issue of laboratory security and developing related recommendations. CDC stated that it will consider our prior recommendation and the reports from the multiple groups together before developing a detailed plan to address security at select agent laboratories. As part of this commitment, CDC stated that it is in the process of hiring a Security Officer to ensure that CDC has a continuing focus on security at the laboratories. According to CDC, the Security Officer will work with USDA to consider the recommendations from us and others in developing the plan to enhance security at select agent laboratories. In addition, CDC stated that it, in coordination with USDA, will seek input as to the need and advisability of requiring by federal regulation specific perimeter controls at each registered entity having a BSL-4 laboratory. CDC will initiate this process once all of the recommendations from the aforementioned groups have been received. CDC's stated intent to study our prior recommendation in improving laboratory security is an important response to the security issues that have been identified. We also provided officials from Lab C and Lab E with the pertinent sections of a draft of this report that covered the results of our most recent perimeter security assessment of their labs, to which they responded with comments. Lab C officials provided additional details about several changes they made or plan to make to the lab's perimeter security controls, including changes to its CCTV, camera coverage, loading dock, barriers, and blast stand-off area. For example, Lab C officials said they are extending the sidewalks and installing landscaping features around the lab building to increase the size of the blast stand-off area. According to officials from Lab E, they plan to submit a grant application for additional perimeter security improvements, including an intrusion detection system at the perimeter fence and expanded CCTV coverage of key perimeter areas. We did not verify the perimeter security enhancements from Lab C and Lab E because these changes were made or planned subsequent to our most recent assessment. Officials from these labs also provided technical comments on the draft language from our report that we have incorporated throughout the report, as appropriate. As agreed with your office, unless you announce the contents of this report earlier, we will not distribute it until 30 days after its issue date. At that time, we will send copies of this report to the Secretary of Health and Human Services, the Director of CDC, and other interested parties. In addition, the report will be available at no charge on GAO's Web site at [hyperlink, http://www.gao.gov]. If you or your staff have any questions regarding this report, please contact me at (202) 512-6722 or kutzg@gao.gov. Contact points for our Offices of Congressional Relations and Public Affairs may be found on the last page of this report. GAO staff who made major contributions to this report are listed in appendix II. Signed by: Gregory D. Kutz: Managing Director: Forensic Audits and Special Investigations: [End of section] Appendix I: Perimeter Security Controls: To perform our perimeter security assessment of biosafety level 4 (BSL- 4) labs, we identified 15 key perimeter security controls. We based their selection on our expertise and research of commonly accepted physical security principles that contribute to a strong perimeter security system. A strong perimeter security system uses layers of security to deter, detect, delay, and deny intruders: * Deter. Physical security controls that deter an intruder are intended to reduce the intruder's perception that an attack will be successful-- an armed guard posted in front of a lab, for example. * Detect. Controls that detect an intruder could include video cameras and alarm systems. They could also include roving guard patrols. * Delay. Controls that delay an intruder increase the opportunity for a successful security response. These controls include barriers such as perimeter fences. * Deny. Controls that can deny an intruder include visitor screening that only permits authorized individuals to access the building housing the lab. Furthermore, a lack of windows or other obvious means of accessing a lab is an effective denial mechanism. Some security controls serve multiple purposes. For example, a perimeter fence is a basic security feature that can deter, delay, and deny intruders. However, a perimeter fence on its own will not stop a determined intruder. This is why, in practice, layers of security must be integrated in order to provide the strongest protection. Thus, a perimeter fence should be combined with an intrusion detection system that would alert security officials if the perimeter has been breached. A strong system would then tie the intrusion detection alarm to the closed-circuit television (CCTV) network, allowing security officers to immediately identify intruders. A central command center is a key element for an integrated, active system. It allows security officers to monitor alarm and camera activity--and plan the security response-- from a single location. Table 3 shows 15 physical security controls we focused on during our assessment work. Table 3: Perimeter Physical Security Controls: No. 1; Perimeter physical security control: Outer/tiered perimeter boundary; Rationale: There should be a perimeter boundary outside the lab to prevent unauthorized access. Examples include a reinforced perimeter security fence or natural barrier system that uses landscaping techniques to impede access to buildings. Outer/tiered perimeter also includes other structures that screen visibility of the lab. No. 2; Perimeter physical security control: Blast stand-off area (e.g., buffer zone) between lab and perimeter barriers; Rationale: To minimize effects of explosive damage if a bomb were to be detonated outside the lab, the perimeter line should be located as far as practical from the building exterior. No. 3; Perimeter physical security control: Barriers to prevent vehicles from approaching lab; Rationale: A physical barrier consisting of natural or man-made controls, such as bollards, designed to keep vehicles from ramming or setting off explosives that could cause damage to the building housing the BSL-4 lab. No. 4; Perimeter physical security control: Loading docks located outside the footprint of the main building; Rationale: Because they are areas where delivery vehicles can park, loading docks are vulnerable areas and should be kept outside the footprint of the main building. No. 5; Perimeter physical security control: Exterior windows do not provide direct access to the lab; Rationale: Windows are typically the most vulnerable portion of any building; therefore, there should be no exterior windows that provide direct access to the lab. No. 6; Perimeter physical security control: Command and control center; Rationale: A command and control center is crucial to the administration and maintenance of an active, integrated physical security system. The control center monitors the employees, general public, and environment of the lab building and other parts of the complex and serves as the single, central contact area in the event of an emergency. No. 7; Perimeter physical security control: CCTV monitored by the command and control center; Rationale: A video system that gives a signal from a camera to video monitoring stations at a designated location. The cameras give the control center the capability of monitoring activity within and outside the complex. No. 8; Perimeter physical security control: Active intrusion detection system (IDS) integrated with CCTV; Rationale: An IDS is used to detect an intruder crossing the boundary of a protected area, including through the building's vulnerable perimeter barriers. Integration with CCTV is integral to the IDS's ability to alert security staff to potential incidents that require monitoring. No. 9; Perimeter physical security control: Camera coverage for all exterior lab building entrances; Rationale: Cameras that cover the exterior building entrances provide a means to detect and quickly identify potential intruders. No. 10; Perimeter physical security control: Perimeter lighting of the complex; Rationale: Security lighting of the site, similar to boundary lighting, provides both a real and psychological deterrent, and allows security personnel to maintain visual-assessment capability during darkness. It is cost-effective in that it might reduce the need for security forces. No. 11; Perimeter physical security control: Visible armed guard presence at all public entrances to lab; Rationale: All public entrances require security monitoring. This presence helps to prevent or impede attempts of unauthorized access to the complex. No. 12; Perimeter physical security control: Roving armed guard patrols of perimeter; Rationale: The presence of roving armed guard patrols helps to prevent or impede attempts of unauthorized access and includes inspecting vital entrance areas and external barriers. No. 13; Perimeter physical security control: X-ray magnetometer machines in operation at building entrances; Rationale: These machines provide a means of screening persons, items, and materials that may possess or contain weapons, contraband, or hazardous substances prior to authorizing entry or delivery into a facility. No. 14; Perimeter physical security control: Vehicle screening; Rationale: Screening vehicles that enter the perimeter of the lab includes an identification check and vehicle inspection, in order to deny unauthorized individuals access and potentially detect a threat. No. 15; Perimeter physical security control: Visitor screening; Rationale: Screening visitors to the lab reduces the possibility that unauthorized individuals will gain access. Visitor screening includes identifying, screening, or recording visitors through methods such as camera coverage or visitor logs so that their entry to the lab is recorded. Source: GAO. [End of table] [End of section] Appendix II: GAO Contact and Staff Acknowledgments: GAO Contact: Gregory D. Kutz, (202) 512-6722 or kutzg@gao.gov. Acknowledgments: In addition to the contact named above, the following individuals made contributions to this report: Andy O'Connell, Assistant Director; Matt Valenta, Assistant Director; Christopher W. Backley; Randall Cole; John Cooney; Craig Fischer; Vicki McClure; Anthony Paras; and Verginie Tarpinian. [End of section] Footnotes: [1] Biosafety is the discipline addressing the safe handling and containment of infectious microorganisms and hazardous biological materials. The principles of biosafety are containment and risk assessment. Containment includes the practices, equipment, and facility safeguards that protect personnel, the environment, and the public from exposure to substances handled and stored in the lab. Risk assessment is the process that enables the appropriate selection of practices, equipment, and facility safeguards that can prevent lab-associated infections. [2] Commission on the Prevention of Weapons of Mass Destruction Proliferation and Terrorism, World at Risk: The Report of the Commission on the Prevention of WMD Proliferation and Terrorism (Washington, D.C.: Dec. 2008). The creation of the commission, which was established by Pub. L. 110-53, § 1851, 121 Stat. 266, 501 (Aug. 3, 2007), implements a key recommendation of the independent, bipartisan 9/11 Commission to address the grave threat that the proliferation of weapons of mass destruction poses to our country. [3] HHS, Biosafety in Microbiological and Biomedical Laboratories, 5th ed. (Washington, D.C.: 2007). [4] Pursuant to the Public Health Security and Bioterrorism Preparedness and Response Act of 2002, Pub. L 107-188, § 201, 116 Stat. 594, 637 (codified at 42 U.S.C. § 262a) (Jun. 12, 2002), HHS is required to establish and maintain a list of biological agents and toxins that have the potential to pose a severe threat to public health and safety. Title II, Subtitle B of the Public Health Security and Bioterrorism Preparedness and Response Act is known as the Agricultural Bioterrorism Protection Act of 2002. Section 212, 116 Stat. 594, 647 (codified at 7 U.S.C. § 8401) of this Act requires USDA to establish and maintain a list of biological agents that have the potential to pose a severe threat to animal health and safety, plant health and safety, or to the safety of animal or plant products (select agents). The departments share responsibility for some agents because they potentially threaten both humans and animals (overlap select agents). [5] 42 C.F.R. Part 73, 7 C.F.R. Part 331, and 9 C.F.R. Part 121. [6] Additional requirements include a written biosafety plan that describes safety and containment procedures and an incident response plan that includes procedures for theft, loss, or release of an agent or toxin; inventory discrepancies; security breaches; natural disasters; violence; and other emergencies. [7] GAO, Biosafety Laboratories: Perimeter Security Assessment of the Nation's Five BSL-4 Laboratories, [hyperlink, http://www.gao.gov/products/GAO-08-1092] (Washington, D.C.: Sept. 17, 2008). [8] CDC informed us in June 2009 that a sixth BSL-4 lab has become operational. However, we are excluding it from the scope of this report due to its recency in becoming operational. [9] For the purposes of this report, we defined physical security as the combination of equipment, personnel, and operational procedures used to protect facilities, information, documents, or material against theft, sabotage, diversion, or other criminal acts. Our definition of physical security excludes, and we did not evaluate, intelligence gathering, cyber security, and human capital training and effectiveness. We did not assess the overall security of the labs or the threat of an insider attack, but focused on perimeter security leading up to each building's points of entry. Additionally, we did not test perimeter security controls to determine whether they function as intended. Perimeter security is just one aspect of overall security provisions under the Select Agent Regulations, which includes personnel training and inventory control. Select Agent Regulations also require additional security measures inside the labs themselves, such as locks and other forms of physical control. [10] Although the security force was unarmed, there was one armed security supervisor patrolling the facility. [End of section] GAO's Mission: The Government Accountability Office, the audit, evaluation and investigative arm of Congress, exists to support Congress in meeting its constitutional responsibilities and to help improve the performance and accountability of the federal government for the American people. GAO examines the use of public funds; evaluates federal programs and policies; and provides analyses, recommendations, and other assistance to help Congress make informed oversight, policy, and funding decisions. GAO's commitment to good government is reflected in its core values of accountability, integrity, and reliability. Obtaining Copies of GAO Reports and Testimony: The fastest and easiest way to obtain copies of GAO documents at no cost is through GAO's Web site [hyperlink, http://www.gao.gov]. Each weekday, GAO posts newly released reports, testimony, and correspondence on its Web site. To have GAO e-mail you a list of newly posted products every afternoon, go to [hyperlink, http://www.gao.gov] and select "E-mail Updates." Order by Phone: The price of each GAO publication reflects GAO’s actual cost of production and distribution and depends on the number of pages in the publication and whether the publication is printed in color or black and white. Pricing and ordering information is posted on GAO’s Web site, [hyperlink, http://www.gao.gov/ordering.htm]. Place orders by calling (202) 512-6000, toll free (866) 801-7077, or TDD (202) 512-2537. Orders may be paid for using American Express, Discover Card, MasterCard, Visa, check, or money order. Call for additional information. To Report Fraud, Waste, and Abuse in Federal Programs: Contact: Web site: [hyperlink, http://www.gao.gov/fraudnet/fraudnet.htm]: E-mail: fraudnet@gao.gov: Automated answering system: (800) 424-5454 or (202) 512-7470: Congressional Relations: Ralph Dawn, Managing Director, dawnr@gao.gov: (202) 512-4400: U.S. Government Accountability Office: 441 G Street NW, Room 7125: Washington, D.C. 20548: Public Affairs: Chuck Young, Managing Director, youngc1@gao.gov: (202) 512-4800: U.S. Government Accountability Office: 441 G Street NW, Room 7149: Washington, D.C. 20548: