NSAR Banner Logo

Security Risk Assessment

The statutory authority for the regulation of the possession, use, and transfer of select biological agents and toxins is the Public Health Security and Bioterrorism Preparedness and Response Act of 2002. Under that Act, the Attorney General has the responsibility to conduct security risk assessments (SRA) of individuals that require access to select biological agents and toxins. Thus, all individuals or entities seeking to register with CDC under the provisions of 42 CFR Part 73 and/or with APHIS under the provisions of 7 CFR Part 331 and/or 9 CFR Part 121 must have a security risk assessment conducted by the Attorney General. The Attorney General, U.S. Department of Justice, has designated the Federal Bureau of Investigation (FBI), Criminal Justice Information Services Division (CJIS), to conduct the security risk assessments.

Who Needs a Security Risk Assessment?

As part of the FBI’s security risk assessment, each individual who has been identified as requiring access to select biological agents and toxins, as well as the Responsible Official (RO), Alternate Responsible Official (ARO), and any individual who owns or controls the entity, must complete FBI Form FD-961 and submit two legible finger print cards to FBI/CJIS.

How is the owner of an entity defined? FBI/CJIS has determined that for the assessment under the Bioterrorism Act, an individual who owns or controls an entity is defined as:

Except for an accredited academic institution, a person shall be deemed to own or control an entity if that person is a partner, officer, director, holder, or owner of 50 percent or more of its voting stock and is in a managerial or executive capacity with regard to select agent possessed, used, or transferred by the entity. For an accredited academic institution, a person shall be deemed to control an entity if that person is a responsible official with regard to the select agent possessed, used, or transferred by the entity.

Note that if the entity is a local, state, or federal institution, then the owners do not require a security risk assessment (42 CFR 73.8(a)). Also, owners of accredited academic institutions do not require security risk assessments. An accredited academic institution is defined by the FBI/CJIS as:

Postsecondary, language and vocational schools must be accredited by an accrediting agency recognized by the United States Department of Education. Proof that a school has been determined to be eligible under Title IV of the Higher Education Act of 1965 is sufficient to establish that a school is properly accredited, since such accreditation is a prerequisite for recognition under Title IV of the latter Act. The specific requirements for Title IV eligibility are specified at 34 CFR part 600.

Please note that ALL Responsible Officials, Alternate Responsible Official’s and individuals with access to select agents and toxins do require security risk assessment, regardless if they are with government or accredited academic institutions. Re-read the regulation if you are unfamiliar with Part 73.8.

Security Risk Assessment Process

The following process applies to a new application or an amendment to an existing application for any personnel changes that require a security risk assessment (SRA):

  1. The entity Responsible Official (RO) submits an application or amendment that includes a Table 4B (APHIS / CDC Form 1) to their lead agency (APHIS or CDC, but not both). The lead agency serves as single point of contact for an entity and is responsible for coordinating all activities and communications with respect to new applications or amendments;

  2. The lead agency issues back to the entity a letter with the unique Department of Justice (DOJ) identifying number for each individual listed on the Table 4B or amended 4B;

  3. The RO forwards to each individual their unique DOJ identifying number;

  4. The individual fills out FBI form (FD-961PDF version (PDF format)) and puts their unique identifying number in block 15;

  5. The individual follows all of the FBI instructions (http://www.fbi.gov/hq/cjisd/takingfps.html) for submitting fingerprints;

  6. Individuals should be fingerprinted by a law enforcement agency or by an entity trained to do so.

  7. The entity or individual mails the FD-961 form and fingerprint cards as one package directly to the FBI, Criminal Justice Information Services Division (CJIS), not to APHIS or CDC.

    Federal Bureau of Investigation Bioterrorism Security Risk Assessment Module E-3
    Criminal Justice Information Services Division
    1000 Custer Hollow Road, Module E-3
    Clarksburg, WV 26306-0147

NOTE: All FBI FD-961 forms received by APHIS or CDC will be returned directly to the RO of the entity which will delay the processing of SRAs.

The RO is strongly encouraged to follow up on each individual listed on Table 4B as requiring access to select agents and toxins, to ensure that each individual has submitted both their completed FBI FD-961 form and fingerprint cards to FBI/CJIS.

If you have questions regarding completion of the FD-961 form, contact the FBI directly at (304) 625-4900 or visit http://www.fbi.gov/terrorinfo/bioterrorfd961.htm. Written requests may be faxed to (304) 625-5393 (for FD-961 forms) or (304) 625-3984 (for fingerprint cards). These faxed requests should include the following: entity name, point of contact or RO, mailing address, contact telephone number and the number of fingerprint card packets requested.

If you have any questions concerning the CJIS/FBI SRA process, please contact CJIS/FBI at 304-625-4900. If you have questions regarding how to obtain a CDC assigned DOJ Unique Identifying Number, please contact your designated CDC representative. If you are unsure who your CDC representative is, please call 404-498-2255.

Frequently asked questions:

  1. Who has to have a security risk assessment?

    All entities (except for Federal, State, or local governmental agencies), the RO, alternate RO, and all individuals with access to select agents or toxins must have an approved security risk assessment. Please see our website http://www.selectagents.gov/sra.htm or the FBI website http://www.fbi.gov/terrorinfo/bioterrorfd961.htm for additional information.

  2. Is there anything I can do to avoid delays in the security risk assessment results?

    Common errors may delay the security risk assessment process. Please pay careful attention to:

    • The name (including the middle initial), the date of birth and address, (including zip code) for individuals listed on the Table 4B (APHIS / CDC Form 1). This information should be identical to that given on the Form FD-961 submitted to CJIS for each individual.
    • Typographical errors regarding date of birth are very common.
    • Information for staff, agent, principal investigator, or room that do not agree with corresponding information on file for principal investigator, agents and rooms already registered will delay the processing of amendments or update to an application. These errors must be resolved prior to the release of a SRA approval letter by the CDC Select Agent Program.
  3. What is the procedure if an individual from one registered entity wants to visit another registered entity?

    • If the individual(s) will have access to select agents or toxins, the receiving entity RO should request the sending entity RO to provide a letter stating that the individual(s) is currently identified on Table 4B of the sending entity’s registration. The receiving entity is defined as the entity where the training, work or visit will take place. The sending entity is defined as the entity where the individual(s) are currently located. The individual must have a current SRA approval. The letter should include: individual’s full name, date of birth, date of issuance of the SRA approval and unique DOJ identifying number of the individual(s).

    • An individual who is SRA approved at the sending entity, can work with other select agent and toxins at the receiving entity during the training program even though the individual is not specifically approved to work with the agents. The individual should receive instructions on the risks of handling the select agents and toxins to be used during the training program.

    • The receiving entity RO should submit this letter and an amendment to the registration to the lead agency (APHIS or CDC). The amendment should provide updated Tables 4A and 4B, and Sections 5B through 5G, where applicable (e.g., Principal Investigator, specific agents or toxins, specific laboratory buildings/rooms, etc.).

    • Once the training is complete, the receiving entity RO should amend the entity’s registration to remove the visiting individual’s name from the Table 4B. In some circumstances the receiving entity RO may decide to leave the individual(s) on the registration, if the same individual(s) will be visiting the entity on a regular basis.

  4. What is the procedure if an individual from an unregistered entity wants to visit a registered entity?

    • If an individual(s) will have access to select agents or toxins, they must have a current security risk assessment. Follow the process as indicated above.

    • Once the training is complete, the receiving entity RO should amend the entity’s registration to remove the visiting individual’s name from the Table 4B. In some circumstances the receiving entity RO may decide to leave the individual(s) on the registration, if the same individual(s) will be visiting the entity on a regular basis.

  5. What criteria are used for determining approval of a security risk assessment?

    The security risk assessment will evaluate if an individual is a restricted person based on the criteria of the USA PATRIOT Act PDF version (PDF format), has committed a Federal crime, is involved with any group that engages in domestic or international terrorism or any organization that engages in intentional acts of violence, or is an agent of a foreign power.

  6. How long is the security risk assessment valid?

    It is valid for a period of five years unless terminated by the HHS Secretary sooner.

  7. What is the process for obtaining an SRA for the entity?

    The Select Agent Programs will initiate the SRA for the entity.

  8. Why is CJIS requesting renewals of security risk assessments that have not yet expired?

    The Select Agent Regulations indicate that SRAs are effective for a period not to exceed five years. However, in an effort to prevent a repeat of the backlog in the processing of SRAs that was experienced after the passing of the Interim Final Rule, a staggered renewal process is being implemented.

  9. How will I know which individuals at my entity are in need of an SRA renewal?

    CJIS will provide a list of individuals at your entity that are scheduled for Security Risk Assessments renewal. CDC will send the RO a letter, along with this list of individuals, and an explanation of the process.

  10. What do I (the RO) need to do in order to comply with CJIS’s request?

    Within 30 days of the letter, individuals identified for SRA renewal should submit a new FD-961 form. CJIS requests the word "Renewal" be written on the top of the form. Since fingerprints are on file with CJIS, an additional fingerprint card is not required for the renewal. After receiving the list, notify CDC of any employees who no longer require access to the rooms and agents on file, and any who do not require access for greater than the current five year period. If you have any questions after you have received the letter, please call your lead inspector to discuss them.