Inspection of the FBI's Security Risk Assessment Program
for Individuals Requesting Access to Biological Agents and Toxins
E&I Report No. I-2005-003
Office of the Inspector General
This report presents the results of an Office of the Inspector General (OIG) inspection of the Security Risk Assessment (SRA) program that the Federal Bureau of Investigation (FBI) established under the Public Health Security and Bioterrorism Preparedness and Response Act of 2002 (Bioterrorism Act), Pub. Law No. 107 188. The OIG initiated the inspection in response to concerns about a backlog at the FBI of pending SRA applications submitted by researchers seeking access to dangerous biological agents and toxins controlled under the Bioterrorism Act. The objectives of our inspection were to:
We initiated our review on September 20, 2004, and analyzed productivity data through January 10, 2005.
Congress drafted the Bioterrorism Act shortly after anthrax was released through the U.S. mail in the fall of 2001, killing 5 people, making 17 others ill, and widely disrupting business and government activities at an estimated cost of more than $5 billion.1 The President signed the Bioterroism Act in June 2002. Among other provisions, the Act controls access to select biological agents and toxins that can pose severe threats to the health of humans, animals, and plants – substances that include anthrax and the Ebola virus.2
In passing the Bioterrorism Act, Congress set three goals for the provisions pertaining to select agents and toxins:
Title II of the Act provides that these select biological agents and toxins may be accessed only by people who have demonstrated a legitimate need to handle these substances and who have been cleared based on an SRA. The SRAs are intended to keep individuals who have engaged in criminal or terrorist activities from gaining access to dangerous materials. Civil and criminal penalties also can be imposed on individuals and laboratory facilities for allowing anyone to possess, use, or transfer a select agent or toxin if that person has not registered and had their access approved by the government.3
Violations of the Bioterrorism Act can result in substantial fines or imprisonment for up to five years, or both. In addition, violations can result in a civil money penalty of up to $250,000 for individuals and $500,000 for a laboratory. As discussed below, the Bioterrorism Act and the USA Patriot Act (Pub. Law No. 107-56) provide specific criteria for determining who may possess and use select agents and toxins.
The SRA program is part of an interagency effort by the Departments of Health and Human Services (HHS), Agriculture (USDA), and Justice (Department) to regulate the possession and use of biological agents and toxins in the United States. Title II of the Bioterrorism Act provides for SRAs and states that a laboratory may not provide an individual with access to a select agent or toxin unless the individual has been approved by the Secretary of either HHS or USDA, based on an SRA conducted by the Attorney General, who has delegated that responsibility to the FBI.
Most of the responsibility for carrying out the Bioterrorism Act’s provisions rests with the HHS’s Centers for Disease Control and Prevention (CDC), the USDA’s Animal and Plant Health Inspection Service (APHIS), and the FBI’s Criminal Justice Information Services (CJIS) Division. CDC and APHIS are responsible for regulating the possession of biological agents and toxins that pose a severe threat to public health and safety and for enforcing safety standards and procedures for the possession, use, and transfer of these agents. They also have authority to grant or deny access to select agents and toxins based on the results of an SRA conducted by the FBI’s CJIS Division.
In December 2002, CDC and APHIS issued interim regulations that established requirements for possessing and using select agents and toxins, including requirements for obtaining an SRA. In general, the regulations apply "to academic institutions and biomedical centers; commercial manufacturing facilities (the pharmaceutical industry); federal, state, and local laboratories, including clinical and diagnostic laboratories; and research facilities."4 These laboratories use select agents and toxins in research critical for biodefense, public health, and the battle against infectious diseases. Laboratories affected by the regulations are required to identify a responsible official to ensure compliance with the Bioterrorism Act. For each laboratory, SRAs must be obtained by the laboratory owner, responsible official, alternate responsible official, and researchers who need access to select agents and toxins.5
Laboratories must ensure that they meet all work safety requirements for select agents and toxins, keep records of select agents and toxins transferred to and from their facilities, and ensure that only authorized personnel have access to select agents and toxins. According to federal regulations, CDC and APHIS certify laboratories before allowing them to use, possess, or transfer select agents and toxins. Certification is valid for three years.
On March 25, 2003, the FBI Director assigned responsibility for conducting SRAs to the CJIS Division. The CJIS Division receives applications submitted by individuals requesting access to specific agents or toxins, and uses electronic databases and other sources of information to conduct SRAs of those individuals. The CJIS Division carries out its responsibilities for conducting SRAs through its Bioterrorism Risk Assessment Group (BRAG), which was established in April 2003 at the CJIS Division facility in Clarksburg, West Virginia.
BRAG employees conduct SRAs on all persons applying for access to select agents and toxins. In conducting SRAs, BRAG employees search electronic databases and conduct fingerprint checks to determine whether an individual is eligible for access based on specific criteria described below. BRAG is responsible for reporting the results of its SRAs to CDC and APHIS. BRAG also maintains a database that includes the names and locations of persons granted access to select agents and toxins. BRAG employees refer to this database as the Bioterrorism Database.
To begin the SRA process, BRAG employees review application packages, which must include FBI Form FD-961 and two sets of legible fingerprint cards.6 An FBI Form FD-961 includes basic identifying information such as name, date and place of birth, Social Security number, address, and place of employment. It also includes applicants’ answers to questions concerning criminal indictments and convictions, fugitive status, controlled substance abuse, alien status, mental health history, and whether they have been dishonorably discharged from the U.S. Armed Services.
BRAG employees enter the applicants’ information into the Bioterrorism Database and check a series of other national databases that contain criminal, mental health, immigration, military, intelligence, counterterrorism, and fingerprint records. BRAG’s objectives are to determine whether applicants meet one or more criteria that would render them ineligible for access to select agents and toxins.
BRAG has limited discretion in determining eligibility because the criteria for possessing, using, or transferring select agents, which are outlined in the USA Patriot Act and the Bioterrorism Act, are specific. Along with the eight criteria found in the USA Patriot Act (listed in the box on this page), under the Bioterrorism Act BRAG must designate applicants as "restricted persons" if they are reasonably suspected by a federal law enforcement or intelligence agency of:
Although there are 11 specific criteria defined by law, BRAG combined the 2 criteria that deal with involvement with organizations engaging in or supporting domestic or international crimes of violence or terrorism in their procedural guidance. Consequently, BRAG’s concept of operations refers to only ten criteria.
Once BRAG determines an individual’s eligibility for access, it forwards a recommendation on access to CDC or APHIS, which makes the final decision on whether the individual will be allowed access to select agents and toxins. CDC or APHIS reports their access decision to the individual applicant. Unless CDC or APHIS terminates approval sooner, an SRA is valid for five years. However, BRAG re-runs fingerprint checks every three years. Chart 1 provides a diagram of BRAG’s SRA process.
Chart 1: BRAG's SRA Process
[ Image Not Available Electronically ]
Source: BRAF approved OIG modification of BRAG flow chart.
We initiated this inspection on September 20, 2004, in response to concerns expressed by the HHS OIG about a large number of pending SRAs in BRAG’s Bioterrorism Database. We concluded our data collection and analysis on January 10, 2005. During our review, we analyzed SRA-related legislation and regulations to determine program responsibilities and requirements, and we interviewed BRAG’s program managers and personnel security specialists to assess the SRA process and to identify any processing issues that might result in a large number of pending SRA applications. We also compared background checks done for SRA purposes with other types of background checks conducted by federal agencies. In addition, we talked with OIG officials at HHS and USDA and officials of the CDC and APHIS about BRAG’s SRA program.
We also assessed the consistency of data in the Bioterrorism Database by comparing monthly productivity reports from April 2003 to January 2005, and we analyzed BRAG’s work to reconcile discrepancies BRAG found in the CDC and APHIS applicant databases. By March 2004 BRAG had determined that the CDC and APHIS databases contained over 1,300 duplicate records when compared to the Bioterrorism database. CDC and APHIS created a new database record each time individuals who had already applied for access submitted additional SRA applications because of job or name changes. BRAG identified the duplications and significantly reconciled the CDC and APHIS databases with its Bioterrorism Database. We also reviewed all case files of appeals of SRA decisions.
Determining whether restricted persons appropriately were being denied access to select agents and toxins is the responsibility of HHS and USDA, and therefore we did not conduct that type of review. Rather, we reviewed BRAG’s role in conducting SRAs, which are intended to detect individuals who should not have access to select agents and toxins.