OIG evaluated whether APHIS’ controls over select agents adequately reduced the threat to public, animal, and plant safety, and animal and plant products.
The Federal Select Agent Program (FSAP) is jointly administered by the Centers for Disease Control and Prevention (CDC) and the Animal and Plant Health Inspection Service (APHIS). FSAP oversees the possession, use, and transfer of biological select agents and toxins (BSAT), which have the potential to pose a severe threat to public, animal, or plant health, or to animal or plant products. Biological select agents and toxins that pose a potential severe risk to plant and animal health or to animal and plant products, such as foot-and-mouth disease and potato wart, are regulated by the United States Department of Agriculture (USDA) as “select agents or toxins” (select agents). The Agricultural Bioterrorism Protection Act of 2002 (the Act) gives USDA authority to designate certain plant and animal biological agents and toxins as select agents by listing them in the Federal Register on a biennial basis.
The Act requires the Secretary of Agriculture to establish and maintain a list of each select agent that the Secretary determines has the potential to pose a severe threat to animal or plant health, or to animal or plant products. The Act also requires the Secretary to establish and enforce standards and procedures governing the possession and use of select agents. Persons possessing, using, or transferring select agents must register with the Secretary to verify that they have a lawful purpose to possess, use, or transfer select agents. In USDA, APHIS’ Agriculture Select Agent Services (AgSAS) enforces the Act. Further, the Act requires the national database to include the name of select agents; the names of personnel and location of registered entities authorized to possess, use, and transfer select agents; and the type of select agents the registered entities possessed, used, or transferred. To accomplish this, APHIS uses the Electronic Federal Select Agent Program (eFSAP) database.
APHIS regulates select agents by establishing and enforcing:
- safety procedures for transferring listed agents, including measures to ensure proper training and appropriate skills to handle select agents, and proper laboratory facilities to contain and dispose of select agents;
- security measures to prevent access to select agents for use in domestic or international terrorism or for any other criminal purpose; and
- procedures to protect public safety and animal and plant health and products if select agents are transferred or potentially transferred in violation of the established safety procedures, safeguards, and security measures.
All entities that possess, use, or transfer select agents must register with the appropriate regulatory agency. Currently, 34 entities—including Government agencies, State and local governments, academic institutions, private non-profit corporations, and commercial entities—are registered with APHIS to possess, use, and transfer select agents. Registered entities are defined as facilities at one physical location (such as a room, a building, or a group of buildings) where the responsible official (RO) will be able to perform all the responsibilities of the select agent program.
Each entity must designate an RO who is responsible for day-to-day program administration and compliance. The entity may also designate one or more alternate ROs, who may act in the absence of the RO. As part of the registration process, an entity’s RO, the alternate RO, the entity, and the individual who owns or controls the entity, must undergo a security risk assessment (SRA) by the Criminal Justice Information Service (CJIS) Division of the Federal Bureau of Investigation (FBI). Moreover, all individuals who handle or use select agents must undergo an SRA by the FBI’s CJIS Division.
Executive Order 13546 states that a robust and productive scientific enterprise that utilizes select agents is essential to national security. This directive states that heads of executive departments and agencies must take security measures in a coordinated manner, through consistent policies and practices to secure select agents. Further, select agents must be secured in a manner appropriate to their risk of misuse, theft, loss, and accidental release. As part of this coordinated approach, select agents must be tiered to identify those that pose the greatest risk of deliberate misuse and to establish physical security standards for those select agents.
When an entity registers with APHIS, it submits a security plan based on a site-specific risk assessment detailing the physical security of the select agents and the laboratories that house them. In addition, the entity submits biosafety, biocontainment, and incident response plans. As a part of the registration process, APHIS reviews these plans and inspects the entity’s relevant facility and laboratories. Once approved, the entity’s certificate of registration is approved for a maximum of 3 years. To ensure entities comply with Federal regulations and biosafety standards, APHIS conducts various categories of inspections. APHIS inspectors complete inspections of entities using standardized checklists to certify that laboratories have the appropriate safety and security measures in place. APHIS inspectors use their professional judgment to make determinations based on checklist questions related to Federal regulations by selecting “pass,” “fail,” “not applicable,” or “not assessed.” Once an inspection is scheduled, APHIS’ eFSAP database automatically creates the relevant checklists for the inspection when the inspection category is selected. eFSAP is programmed to automatically select the appropriate questions related to the inspection category and eliminate questions that are not relevant. For instance, if the entity is not a tier 1 entity, questions related to tier 1 select agents would automatically be marked “not applicable” by the eFSAP database. During the inspection process, if an inspector does not assess a question, it will be marked “not assessed.”
In 2012, we reported that APHIS needed to strengthen its internal controls over the critical program areas related to monitoring the movement of select agents to alternate facilities, controlling access to select agents, ensuring that individuals handling select agents have up-to-date security clearances, and ensuring that ROs are adequately trained. As part of the objectives of our current audit, we planned to evaluate the actions APHIS implemented to address the 12 recommendations from the 2012 report.
The objective of this audit was to evaluate the effectiveness of APHIS’ controls over select agents as part of FSAP to adequately reduce the threat to public, animal, and plant safety, and animal and plant products. Additionally, we followed up on prior audit recommendations from Audit 33701-0001-AT to determine whether corrective actions were adequately implemented and operating effectively.
We found APHIS’ FSAP oversight and internal controls processes need to be improved to effectively reduce the threat of select agents and toxins to the public, animal, and plant safety, and animal and plant products. However, due to a scope limitation, we are not reporting on the implementation and operating effectiveness of prior audit recommendations.
What OIG Found
The Federal Select Agent Program (FSAP) is jointly administered by the Centers for Disease Control and Prevention (CDC) and the Animal and Plant Health Inspection Service (APHIS). FSAP oversees the possession, use, and transfer of biological select agents and toxins, which have the potential to pose a severe threat to public, animal, or plant health, or to animal or
We found several areas of FSAP that APHIS needs to improve. First, the Electronic FSAP (eFSAP) system, which APHIS uses to monitor entities’ compliance with Federal regulations, did not always include accurate and complete information. As a result, APHIS may not be able to ensure select agents and toxins are adequately secured by registered entities. Second, we identified two deficiencies in APHIS’ oversight process. APHIS does not require its inspectors
to support “pass” determinations that entities complied with Federal regulations. Additionally, APHIS officials did not ensure that entities timely resolved noncompliances identified during prior inspections.
Finally, from 2017 to 2019, the Office of Inspector General (OIG) determined that APHIS did not report to Congress 13 losses and 3 releases of select agents or toxins. This occurred because APHIS officials do not consider it a loss when an entity cannot account for but eventually finds select agents or toxins. OIG concluded that, without accurate reports, Congress cannot make
informed decisions concerning APHIS’ oversight of registered entities’ handling of dangerous select agents and toxins.
We accepted management decision on 3 of the 11 recommendations. Further action from the agency is needed before management decision can be reached on the remaining recommendations.