Unsettling lack of security at Level 4 Biosafety Labs

Published 17 October 2008

Biosafety labs (BSLs) handle the world’s most dangerous agents and diseases; only BSL-4 labs can work with agents for which no cure or treatment exists; there are five BSL-4 labs in the United States, and GAO conducted a study of these labs’ perimeter security; you are not going to like what the GAO found

This cannot be good news. Biosafety labs (BSLs) are dangerous places. They do research on the deadliest pathogens, and the accidental release of even a tiny amount of such pathogens could wreak havoc — death, illness — on humans and animals for miles. These labs operate under the U.S. Bioterrorism Act and are primarily regulated and must be registered with either the Centers for Disease Control and Prevention (CDC) or the U.S. Department of Agriculture (USDA) under the Select Agent Regulations.

Currently, all operational biosafety level (BSL) 4 labs are registered with the CDC and thus are regulated by the CDC, not USDA. BSL-4 labs, that is, the labs with highest security designation, handle the world’s most dangerous agents and diseases. Of the four BSL designations, only BSL-4 labs can work with agents for which no cure or treatment exists.

Now, the Government Accountability Office (GAO) was asked to perform a systematic security assessment of key perimeter security controls at the nation’s five operational BSL-4 labs. GAO performed a physical security assessment of the perimeter of each lab using a security survey it developed. GAO focused primarily on fifteen physical security controls, based on GAO expertise and research of commonly accepted physical security principles.

GAO says that Select Agent Regulations do not mandate specific perimeter security controls that need to be in place at each BSL-4 lab, resulting in significant differences in perimeter security among the U.S. five labs. While three labs had all or nearly all of the key security controls GAO assessed — features such as perimeter barriers, roving armed guard patrols, and magnetometers in use at lab entrances — two labs demonstrated a significant lack of these controls. Specifically, one lab had all 15 security controls in place, one had 14, and another had 13 of the key controls. The remaining two labs, however, had only 4 and 3 key security controls, respectively.

The government’s watchdog stressed that although the presence of the security controls GAO assessed does not automatically ensure a secure perimeter, having most controls provides increased assurance that a strong perimeter security system is in place and reduces the likelihood of unauthorized intrusion. For example, the two labs with fewer security controls lacked both visible deterrents and a means to respond to intrusion. One lab even had a window that looked directly into the room where BSL-4 agents were handled. In addition to creating the perception of vulnerability, the lack of key security controls at these labs means that security officials have fewer opportunities to stop an intruder or attacker. The two labs with fewer security controls were approved by the CDC to participate in the Select Agent Program despite their weaknesses. “During the course of our review, GAO noted that the three labs with all or nearly all of the key security controls GAO assessed were subject to additional federal security requirements imposed on them by agencies that owned or controlled the labs, not because of the Select Agent Regulations,” GAO says.

GAO does not identify the labs under discussion, but rather refers to them as “Lab A,” “Lab B,” etc.