Biometrics required for new DOD bio/toxins lab access in response to security lapses
Various forms of biometrics are being incorporated at all Department of Defense (DOD) laboratories and other facilities that use dangerous Biological Select Agents and Toxins (BSAT), under revised access controls for individuals working with BSATs. The change responds to serious security lapses involving hazardous pathogens at some of the 276 government, private, and academic laboratories in the United States that conduct research on biological select agents and toxins.
That’s according to a Government Accountability Office (GAO) official involved in the recent GAO audit report, Actions Needed to Improve Management of DOD’s Biosafety and Biosecurity Program (PDF), who spoke to Biometric Update.
“I do not have info on specific biometrics,” the official said, but, “The general requirement to include biometrics (among other things) was in DOD’s revised 2016 Security Standards for Safeguarding Biological Select Agents and Toxins.”
The official said biometrics will be part of the new personnel and other access controls as discussed in DOD’s revised BSAT security standards, especially for Tier 1 BSATs.
Tier 1 BSATs include pathogens like anthrax, Ebola, Tularemia, Marburg virus, Smallpox, Plague, and Botulism that have been determined to have the potential to pose a severe threat to public health and safety. Laboratories conduct research on such BSATs for a variety of reasons, including identifying their characteristics and developing vaccines and other measures to help diagnose, prevent, or treat exposure to or infection by these agents.
GAO said, “In May 2015, DOD discovered that one of its laboratories—formerly called the Life Sciences Division—at Dugway Proving Ground, Utah, had inadvertently shipped incompletely inactivated (i.e., live) Bacillus anthracis to 194 laboratories and contractors worldwide over the course of 12 years. In response to this discovery, the Deputy Secretary of Defense ordered an immediate 30-day review in May 2015 that resulted in a moratorium on the production, handling, testing, and shipment of inactivated Bacillus anthracis.”
DoD components include “BSAT entities in Combating Terrorism and Antiterrorism Programs for a collective, proactive effort focused on the prevention and detection of terrorist attacks pursuant to the requirements, policy, and responsibilities specified in DoDI 2000.12 (Reference (p)),” the new security standards explained.
As GAO pointed out, “Safety lapses involving hazardous pathogens have occurred in the past at some DOD laboratories that handle BSAT to conduct research on medical and physical countermeasures to protect the warfighter from biological threats. Such incidents raise concerns about whether oversight of biosafety and biosecurity in these laboratories is effective.”
GAO reported, “DOD has made progress by taking a number of actions to address the 35 recommendations from the Army’s 2015 investigation report on the inadvertent shipments of live Bacillus anthracis (anthrax). However, DOD has not yet developed an approach to measure the effectiveness of these actions. As of March 2018, DOD reports 18 recommendations as having been implemented, and 17 as having actions under way to implement them.”
“These actions are part of a broader effort to improve biosafety, biosecurity, and overall program management,” GAO stated, noting, “for example, in March 2016, DOD established the Biological Select Agents and Toxins Bio-risk Program Office [BBPO] to assist in overseeing the BSAT Biosafety and Biosecurity Program and implementation of the recommendations.” This includes DOD’s Instruction 5210.88, Security Standards for Safeguarding Biological Select Agents and Toxins, which established security standards for safeguarding BSAT materials and identified roles and responsibilities for BSAT biosecurity, including greater use of biometrics, although the biometrics mandates were not addressed in GAO’s audit report.
DOD and the military services have issued a number of policies and guidance aimed at ensuring safety and security for BSAT materials, and establishing standards for the handling of BSAT within DOD facilities.
The Instruction 5210.88 security standards include oversight responsibilities for the BSAT security program, which is led by the Assistant Secretary of Defense for Nuclear, Chemical, and Biological Defense Programs. Oversight responsibilities include establishing security standards for safeguarding BSAT, coordinating with the Federal Select Agent Program, and establishing and maintaining a secured database of all BSAT at DOD covered facilities.
GAO said, “Measuring the effectiveness of each implemented recommendation would help better determine if the actions taken are working, if there are unintended consequences, or if further action is necessary.”
“In response to DOD Instruction 5210.88, each of the military services has received waivers or issued separate policies for securing BSAT materials,” GAO said, noting that, “The Army has been granted a waiver to its existing policies that are inconsistent with DOD Instruction 5210.88 and, according to Army officials, is in the process of updating its policies to align with the DOD instruction. According to Navy officials, the Navy has been granted waivers while it is updating existing policies that [also] do not currently align with DOD Instruction 5210.88.”
The Air Force, however, has issued policies directing alignment with the DOD instruction.
According to the “execution of the DoD BSAT Security Program,” physical security systems for Tier 1 BSAT facilities are required to have, among the enhancements to the security plan, “Procedures for management of access controls (e.g., keys, card keys, common access card (CAC), access logs, biometrics, and other access control measures) for each of the security barriers in the security plan.”
Revised access control measures are to ensure only authorized individuals have access to BSAT, or to areas where BSAT is present.
An automated entry control system (AECS) to control access will authenticate the identification of an individual and verify the person’s authority to enter the area through two separate methods of identification that may include ID badges, cards, a personal identification number (PIN) entry device, or biometric device. An AECS ID badge or key card will use embedded sensors, integrated circuits, magnetic strips or other means of encoding data that identifies the entity and the individual to whom the card is issued.
Smart card technology will be implemented, and “all individuals approved for access to BSAT registered spaces and BSAT must wear visible ID badges in front, between the neck and waist that include, at a minimum, a photograph, the wearer’s name, and an expiration date. Visitors will be clearly identified as having escorted or unescorted access. Entity administrators will consider using easily recognizable marks on the ID badges to indicate access to sensitive and secure areas. Visible ID badges are not required when working in appropriate protective clothing or in BSL-3 or -4 containment suites.”
Under DOD’s revised 2016 Security Standards for Safeguarding Biological Select Agents and Toxins, for control of access for BSAT registered spaces, there must be:
• An information protection plan to ensure the appropriate security of information on BSAT and the research or mission being conducted;
• Initial and annual training of personnel in procedures for securing BSAT registered spaces, security and positive control of keys, changing access numbers or locks following staff changes, reporting and removing unauthorized individuals, access control and records requirements, inventory control, and other appropriate security measures;
• Procedures, reporting requirements, and administrative actions for lost or compromised keys, passwords, combinations, and security incidents and violations;
• Procedures for removal of suspicious or unauthorized persons and procedures for reporting of unauthorized or suspicious persons or activities and potential, attempted, or actual loss or theft of BSAT or alteration of inventory records; and
• Procedures for management control of closed circuit television recording or surveillance, if used by an entity to address a risk or vulnerability.
Required access control measures are to ensure only authorized individuals … have access to BSAT or to areas where BSAT is present. Access control systems “will include provisions for the safeguarding of animals and plants exposed to or infected with BSAT” in accordance with applicable laws and regulations.
In addition, each individual authorized access to BSAT will have a unique means of accessing the agent. BSAT entity personnel will review access logs (automated or manual) monthly, and these logs will reflect the name of the individual, date and time of entry, and name of escort, if appropriate, into a BSAT registered space. The entity will modify the access control system when an individual’s authorization for access changes.
Smart card technology will be implemented in accordance with DoD regulations, and all individuals approved for access to BSAT registered spaces and BSAT must wear visible identification badges in front, between the neck and waist that include, at a minimum, a photograph, the wearer’s name, and an expiration date. Visitors will be clearly identified as having escorted or unescorted access. Entity administrators will consider using easily recognizable marks on the ID badges to indicate access to sensitive and secure areas. Visible ID badges are not required when working in appropriate protective clothing or in BSL-3 or -4 containment suites.
“An automated entry control system (AECS) may be used to control access in lieu of visual control if it meets the criteria stated in” DOD’s revised 2016 Security Standards for Safeguarding Biological Select Agents and Toxins, “for control of access for BSAT registered spaces. The AECS will authenticate the identification of an individual and verify the person’s authority to enter the area through two separate methods of identification that may include ID badges, cards, a personal identification number (PIN) entry device, or biometric device. An AECS ID badge or key card will use embedded sensors, integrated circuits, magnetic strips or other means of encoding data that identifies the entity and the individual to whom the card is issued.”
Personal identity verification via biometric devices may be used to identify the individual requesting access by one or more unique personal characteristics. Personal characteristics may include fingerprints, hand geometry, handwriting, retina scans, or voice recognition.
GAO reported, “We found that BBPO’s approach to planning for and executing actions to implement the 2015 Army recommendations and other recommendations fulfills the monitoring element of the internal control standards,” but that, “BBPO has not, however, systematically carried out the evaluation element. Based on our review of DOD documentation, such as the quarterly information briefs on status of recommendations, and on subsequent interviews with BBPO officials, we found that BBPO has not developed an approach to assess the effectiveness of each implemented recommendation in achieving its intended purpose. According to DOD officials, BBPO has been focused on implementing not only the recommendations from the 2015 Army investigation report, but also its broader efforts for the DOD BSAT Biosafety and Biosecurity Program and has not yet formalized an approach to evaluating the effectiveness of actions taken to address the recommendations from the 2015 Army investigation report.”
The Secretary of the Army, as Executive Agent for DOD’s BSAT Biosafety and Biosecurity Program, is responsible for implementing the recommendations from the 2015 investigation report, and “has implemented a BSAT Biosafety and Biosecurity Program to improve management, coordination, safety, and quality assurance for the DOD BSAT enterprise, but, as GAO reported, DOD has not developed a strategy and implementation plan for managing the program.”