9 CFR 121.14 – Incident response. 12
(a) An individual or entity required to register under this part must develop and implement a written incident response plan
(b) The incident response plan must fully describe the entity’s response procedures for the theft, loss, or release of a select agent or toxin; inventory discrepancies; security breaches (including information systems); severe weather and other natural disasters; workplace violence; bomb threats and suspicious packages; and emergencies such as fire, gas leak, explosion, power outage, and other natural and man-made events.
(c) The response procedures must account for hazards associated with the select agent or toxin and appropriate actions to contain such select agent or toxin, including any animals (including arthropods) or plants intentionally or accidentally exposed to or infected with a select agent.
(d) The incident response plan must also contain the following information:
(1) The name and contact information (e.g., home and work) for the individual or entity (e.g., responsible official, alternate responsible official(s), biosafety officer, etc.);
(2) The name and contact information for the building owner and/or manager, where applicable;
(3) The name and contact information for tenant offices, where applicable;
(4) The name and contact information for the physical security official for the building, where applicable;
(5) Personnel roles and lines of authority and communication;
(6) Planning and coordination with local emergency responders;
(7) Procedures to be followed by employees performing rescue or medical duties;
(8) Emergency medical treatment and first aid;
(9) A list of personal protective and emergency equipment, and their locations;
(10) Site security and control;
(11) Procedures for emergency evacuation, including type of evacuation, exit route assignments, safe distances, and places of refuge; and
(12) Decontamination procedures.
(e) Entities with Tier 1 select agents and toxins must have the following additional incident response policies or procedures:
(1) The incident response plan must fully describe the entity’s response procedures for failure of intrusion detection or alarm system; and
(2) The incident response plan must describe procedures for how the entity will notify the appropriate Federal, State, or local law enforcement agencies of suspicious activity that may be criminal in nature and related to the entity, its personnel, or its select agents or toxins.
(f) The plan must be reviewed annually and revised as necessary. Drills or exercises must be conducted at least annually to test and evaluate the effectiveness of the plan. The plan must be reviewed and revised, as necessary, after any drill or exercise and after any incident. Drills or exercises must be documented to include how the drill or exercise tested and evaluated the plan, any problems that were identified and corrective action(s) taken, and the names of registered entity personnel participants.