Food-Processing Security
Voluntary Efforts Are Under Way, but Federal Agencies Cannot Fully Assess Their Implementation
Gao ID: GAO-03-342 February 14, 2003
The events of September 11, 2001, have placed added emphasis on ensuring the security of the nation's food supply. GAO examined (1) whether FDA and USDA have sufficient authority under current statutes to require that food processors adopt security measures, (2) what security guidelines FDA and USDA have provided to industry, and (3) what security measures food processors have adopted.
Federal food safety statutes give the Food and Drug Administration (FDA) and the U.S. Department of Agriculture (USDA) broad authority to regulate the safety of the U.S. food supply but do not specifically authorize them to impose security requirements at food-processing facilities. However, these agencies' food safety statutes can be interpreted to provide authority to impose certain security measures. FDA believes that its statutes authorize it to regulate food security to the extent that food security and safety overlap but observes that there is little overlap between security and safety. USDA believes that it could require food processors to adopt certain security measures that are closely related to sanitary conditions inside the facility. USDA also believes that the statutes, however, cannot be interpreted to authorize the regulation of security measures that are not associated with the immediate food-processing environment, such as requiring fences, alarms, and outside lighting. Neither agency believes that it has the authority to regulate all aspects of security at food-processing facilities. Both FDA and USDA issued voluntary security guidelines to help food processors identify measures to prevent or mitigate the risk of deliberate contamination. Because these guidelines are voluntary, neither agency enforces, monitors, or documents their implementation. Both FDA and USDA have asked their inspectors to be vigilant and to discuss security with managers at food-processing facilities, but the agencies have stressed that inspectors should not enforce the implementation of security measures or document any observations because of the possible release of this information under the Freedom of Information Act and the potential for the misuse of this information. Since FDA and USDA do not monitor and document food processors' implementation of security guidelines, the extent of the industry's adoption of security measures is unknown. According to officials of trade associations and the five facilities we visited, however, food processors are implementing a range of security measures. In addition, the FDA and USDA field inspectors we surveyed indicated that most facilities have implemented some security measures, such as installing fences. However, the inspectors were less able to comment on security measures that were not as obvious, such as accounting for missing stock and implementing proper mail-handling practices. The inspectors also noted that while USDA has provided some of its field supervisory personnel with security training on the voluntary security guidelines it issued, it has not provided most of its inspectors with such training. FDA has not provided its staff with any training on the security guidelines. Without training on the security guidelines, inspectors are limited in their ability to conduct informed discussions regarding security with managers at food-processing facilities.
Recommendations
Our recommendations from this work are listed below with a Contact for more information. Status will change from "In process" to "Open," "Closed - implemented," or "Closed - not implemented" based on our follow up work.
Director:
Team:
Phone:
GAO-03-342, Food-Processing Security: Voluntary Efforts Are Under Way, but Federal Agencies Cannot Fully Assess Their Implementation
This is the accessible text file for GAO report number GAO-03-342
entitled 'Food-Processing Security: Voluntary Efforts Are Under Way,
but Federal Agencies Cannot Fully Assess Their Implementation' which
was released on March 18, 2003.
This text file was formatted by the U.S. General Accounting Office
(GAO) to be accessible to users with visual impairments, as part of a
longer term project to improve GAO products‘ accessibility. Every
attempt has been made to maintain the structural and data integrity of
the original printed product. Accessibility features, such as text
descriptions of tables, consecutively numbered footnotes placed at the
end of the file, and the text of agency comment letters, are provided
but may not exactly duplicate the presentation or format of the printed
version. The portable document format (PDF) file is an exact electronic
replica of the printed version. We welcome your feedback. Please E-mail
your comments regarding the contents or accessibility features of this
document to Webmaster@gao.gov.
Report to Congressional Requesters:
United States General Accounting Office:
GAO:
February 2003:
Food-Processing Security:
Voluntary Efforts Are Under Way, but Federal Agencies Cannot Fully
Assess Their Implementation:
GAO-03-342:
GAO Highlights:
Highlights of GAO-03-342, a report to Senators Richard J. Durbin and
Tom Harkin:
Why GAO Did This Study:
The events of September 11, 2001, have placed added emphasis on
ensuring the security of the nation‘s food supply. GAO
examined (1) whether FDA and USDA have sufficient authority
under current statutes to require that food processors adopt security
measures, (2) what security guidelines FDA and USDA have
provided to industry, and (3) what security measures food processors
have adopted.
What GAO Found:
Federal food safety statutes give the Food and Drug Administration
(FDA) and the U.S. Department of Agriculture (USDA) broad authority to
regulate the safety of the U.S. food supply but do not specifically
authorize them to impose security requirements at food-processing
facilities. However, these agencies‘ food safety statutes can be
interpreted to provide authority to impose certain security measures.
FDA believes that its statutes authorize it to regulate food security
to the extent that food security and safety overlap but observes that
there is little overlap between security and safety. USDA believes
that it could require food processors to adopt certain security
measures that are closely related to sanitary conditions inside the
facility. USDA also believes that the statutes, however, cannot be
interpreted to authorize the regulation of security measures tha are
not associated with the immediate food-processing environment, such
as requiring fences, alarms, and outside lighting. Neither agency
believes that it has the authority to regulate all aspects of
security at food-processing facilities.
Both FDA and USDA issued voluntary security guidelines to help food
processors identify measures to prevent or mitigate the risk of
deliberate contamination. Because these guidelines are voluntary,
neither agency enforces, monitors, or documents their implementation.
Both FDA and USDA have asked their inspectors to be vigilant and to
discuss security with managers at food-processing facilities, but the
agencies have stressed that inspectors should not enforce the
implementation of security measures or document any observations
because of the possible release of this information under the Freedom
of Information Act and the potential for the misuse of this
information.
Since FDA and USDA do not monitor and document food processors‘
implementation of security guidelines, the extent of the industry‘s
adoption of security measures is unknown. According to officials of
trade associations and the five facilities we visited, however, food
processors are implementing a range of security measures. In addition,
the FDA and USDA field inspectors we surveyed indicated that most
facilities have implemented some security measures, such as installing
fences. However, the inspectors were less able to comment on security
measures that were not as obvious, such as accounting for missing stock
and implementing proper mail-handling practices. The inspectors also
noted that while USDA has provided some of its field supervisory
personnel with security training on the voluntary security guidelines
it issued, it has not provided most of its inspectors with such
training. FDA has not provided its staff with any training on the
security guidelines. Without training on the security guidelines,
inspectors are limited in their ability to conduct informed discussions
regarding security with managers at food-processing facilities.
What GAO Recommends:
This report recommends that the Secretaries of the Departments of
Health and Human Services and Agriculture study their agencies‘
existing statutes to identify what additional authorities they may
need relating to security measures at food-processing facilities to
reduce the risk of deliberate contamination of the food supply.
On the basis of these studies‘ results, the agencies should seek
additional authority from the Congress, as needed.
GAO also recommends that the agencies provide training for all
food inspection personnel to enhance their awareness and
ability to discuss security measures with plant personnel.
USDA agreed with this report‘s recommendations. FDA agreed
with the recommendation to provide training for all food
inspection personnel but took no position on GAO‘s other
recommendation.
www.gao.gov/cgi-bin/getrpt?GAO-03-342.
To view the full report, including the scope and methodology, click
on the link above. For more information, contact Lawrence J.
Dyckman at (202) 512-3841 or dyckmanl@gao.gov.
Contents:
Letter:
Results in Brief:
Background:
Existing Food Safety Statutes Do Not Provide Sufficient Authority to
Regulate All Aspects of Security at Food-Processing Facilities:
FDA and FSIS Issued Voluntary Security Guidelines to Food Processors
but Do Not Track or Document the Extent to Which They Are Being
Implemented:
Food Processors Are Implementing a Range of Security Measures, but
Extent of Implementation Is Largely Unknown to FDA and FSIS:
Conclusions:
Recommendations for Executive Action:
Agency Comments and Our Evaluation:
Appendix I: Scope and Methodology:
Appendix II; FDA Survey Results:
Appendix III: FSIS Survey Results:
Appendix IV: Comments from the U.S. Department of Agriculture:
Appendix V: Comments from the Food and Drug Administration:
Appendix VI: GAO Contacts and Staff Acknowledgments:
Table:
Table 1: State Officials‘ Satisfaction with Federal, State, and
Industry Efforts to Safeguard Food Products from Deliberate
Contamination:
Figures:
Figure 1: Examples of Security Measures Contained in FDA and FSIS
Guidelines:
Figure 2: Percentage of Survey Responses Indicating Observation or
Knowledge of More Visible Security Measures:
Figure 3: Percentage of Survey Responses Indicating Observation or
Knowledge of Less Visible Security Measures:
Abbreviations:
CDC: Centers for Disease Control and Prevention:
EPA: Environmental Protection Agency:
FBI: Federal Bureau of Investigation:
FDA: Food and Drug Administration:
FSIS: Food Safety and Inspection Service:
GAO: General Accounting Office:
HACCP: Hazard Analysis and Critical Control Point:
ISAC: Information Sharing and Analysis Center:
USDA: U.S. Department of Agriculture:
This is a work of the U.S. Government and is not subject to copyright
protection in the United States. It may be reproduced and distributed
in its entirety without further permission from GAO. It may contain
copyrighted graphics, images or other materials. Permission from the
copyright holder may be necessary should you wish to reproduce
copyrighted materials separately from GAO‘s product.
February 14, 2003:
The Honorable Richard J. Durbin
Ranking Democratic Member
Subcommittee on Oversight of
Government Management,
the Federal Workforce,
and the District of Columbia
Committee on Governmental Affairs
United States Senate:
The Honorable Tom Harkin
Ranking Democratic Member
Committee on Agriculture, Nutrition
and Forestry
United States Senate:
Ensuring the safety of the nation‘s food supply--protecting the food
supply from unintentional contamination--is a key objective of the
Department of Health and Human Service‘s Food and Drug Administration
(FDA) and the Food Safety and Inspection Service (FSIS) of the U.S.
Department of Agriculture (USDA). Since the terrorist attacks of
September 11, 2001, however, ensuring food security--that is,
protecting the food supply from deliberate contamination--has also
become a heightened concern of these agencies. Bioterrorism experts,
government officials, and scientists at the Centers for Disease Control
and Prevention (CDC) and the National Academies warn that U.S. food-
processing facilities are vulnerable to terrorist attack and that the
deliberate introduction of biological and chemical agents into food
supplies could sicken large numbers of people and possibly cause many
deaths. Some experts note that terrorist groups could introduce
infectious disease agents and chemicals into the food supply to confuse
public health officials into believing that outbreaks were naturally
occurring, thus delaying detection and action. Recognizing this risk,
on October 8, 2001, the President added the agriculture and food
industries to the list of critical infrastructure sectors needing
protection from terrorist attack.
Although the U.S. food supply has been mostly secure from deliberate
contamination, a few such incidents have occurred. In 1984, for
example, a cult group poisoned salad bars in some Oregon restaurants
with Salmonella bacteria, and about 750 people became ill. Some large
naturally occurring outbreaks of foodborne illness that result from
accidental contamination illustrate how widespread and costly the
effects of deliberate contamination could be. In 1994, for example,
224,000 people nationwide were infected with Salmonella enteritidis
after eating a national brand of ice cream. This outbreak was estimated
to have cost about $18.1 million, including $6.9 million for medical
care and $11.2 million in time lost from work.
The intentional contamination of the food supply could have severe
consequences for the economy and the health of the American public.
Security measures that could minimize the risk of such an event at
food-processing facilities range from restricting visitor access,
securing hazardous chemicals, and restricting access to in-plant
laboratories to conducting employee background checks, building fences
around facilities, and designating a food security management
coordinator.
In this context, you asked us to determine (1) the extent to which
federal statutes can be effectively used to regulate food security at
food-processing facilities; (2) what actions FDA and USDA have taken to
help food processors prevent or reduce the risk of deliberate food
contamination and how these agencies determine the extent to which
food-processing facilities are implementing security measures; and
(3) the extent to which industry is implementing security measures to
better protect food products against deliberate contamination. While
experts acknowledge that a terrorist attack could be aimed also at
livestock and crops on farms or at foods at retail stores, this review
focused on the food-processing segment of the farm-to-table food
continuum--that is, from the farm gate to the retail level. Also, we
confined our review to domestic food processors, although we recognize
that both FDA and USDA have intensified their efforts to enhance the
oversight of imported foods at U.S. ports of entry.
In conducting our work, we sought the cooperation of industry
associations to survey a representative number of food-processing
facilities. We also sought permission to visit some food-processing
facilities to discuss the extent to which they are implementing
security measures, although we acknowledge that industry is not
obligated to respond to our inquiries. We were unsuccessful in our
attempts to survey a representative number of food-processing
facilities because companies were concerned about sharing information
on security measures; however, we were able to secure visits to five
companies. To obtain a broader overview of the security measures being
adopted, we also surveyed FDA and USDA food inspectors to obtain their
views on the extent of security they have observed at food-processing
facilities they inspect across the country. We also asked state audit
offices in all 50 states to interview a selected number of state food
safety regulatory officials concerning their food security activities,
if any. Eleven agreed to participate. Appendix I contains the details
of our scope and methodology. We conducted our review from February
through December 2002 in accordance with generally accepted government
auditing standards.
Results in Brief:
Federal food safety statutes provide FDA and USDA with broad authority
to regulate the safety of the U.S. food supply but do not specifically
authorize them to impose security requirements at food-processing
facilities. However, while these agencies‘ food safety statutes can be
interpreted to provide authority to impose certain security
requirements, as opposed to food safety requirements, neither agency
believes it has the authority to regulate all aspects of security. FDA
believes that its authorities under the Federal Food, Drug, and
Cosmetic Act and the Public Health Service Act would extend to the
regulation of facility security measures to prevent the intentional
contamination of food products to the extent that they overlap with
food safety. However, FDA observes that there is little overlap between
safety and security. USDA believes that the Federal Meat, Poultry
Products, and Egg Products Inspection Acts can be construed to
authorize it to require food processors to adopt certain security
measures that are closely related to sanitary conditions inside food-
processing plants. In addition, USDA believes that the statutes cannot
be interpreted to authorize the regulation of security measures that
are not associated with the immediate food-processing environment. As a
result, USDA does not believe it has the authority to require that food
processors adopt measures to ensure security outside the premises, such
as installing fences, or to require that food processors conduct
employee background checks.
Both FDA and USDA have issued voluntary guidelines to help food
processors identify measures they can implement to prevent or mitigate
the risk of deliberate contamination. Because these guidelines are
voluntary, neither agency monitors or documents their implementation.
Also, FDA and FSIS have instructed their food safety inspectors to be
familiar with the agencies‘ guidelines as they conduct regular food
safety inspections and to discuss, but not interpret, the security
guidelines with facility personnel. The agencies have told inspectors
not to document the existence or lack of security measures because of
the possible release of this information under the Freedom of
Information Act and the potential for the misuse of this information.
As a result, FDA and FSIS do not have information on the extent of
security at food-processing facilities or whether gaps in security may
exist in specific industry sectors.
FDA and USDA lack comprehensive information on the extent to which
food-processing companies are adopting security measures. However,
officials from the food trade associations that we contacted believe
that food processors are voluntarily implementing a range of security
measures, including those in the federal guidelines--from limiting
access to facilities to evaluating plant security. Although we found
this to be the case at the five food-processing facilities we visited,
we could not verify the extent to which industry has adopted security
measures nationwide--in part, because food-processing facilities
prefer not to share information about their security measures with
federal agencies. They are concerned that this sensitive information
could be released to the public under the Freedom of Information Act.
In particular, the industry is worried that if security gaps at food-
processing facilities were made public they could provide a road map
for terrorist groups. FDA and FSIS officials also cited this concern as
a factor that limits the amount of information they believe they can
collect. In addition, according to FDA and FSIS food inspectors we
surveyed, the food-processing facilities they regularly inspect are
voluntarily implementing a range of security measures and most
facilities have implemented measures to enhance perimeter fencing and
lighting. On the other hand, these inspectors were less able to comment
on less-visible security measures, such as accounting for missing stock
and implementing proper mail-handling practices. The inspectors also
indicated that larger food-processing facilities are implementing more
security measures than smaller ones. Finally, the FDA inspectors that
we surveyed stated that they had not received training on food security
even though the agency encourages them to discuss security matters with
plant personnel. FSIS has provided training to its supervisory field
inspection personnel, who reported that it would be beneficial if the
field inspectors--who are most directly involved with daily processing
activities at each plant--were also trained on security measures.
This report recommends that the Secretary of the Department of Health
and Human Services and the Secretary of Agriculture study what
additional authorities their agencies may need relating to security
measures at food-processing facilities to reduce the risk of deliberate
contamination of the food supply. On the basis of the results of these
studies, the agencies should seek additional authority from the
Congress, as needed. The report also recommends executive action aimed
at ensuring that the agencies‘ field personnel are provided with
training on food security measures.
We provided FDA and USDA with a draft of this report for their review
and comment and received written and oral comments from both agencies
on the report‘s contents and its recommendations. The agencies also
provided technical comments, which we incorporated into the report as
appropriate. USDA agreed with the two recommendations made in this
report. FDA agreed with our recommendation that it provide all food
inspection personnel with training on security measures. FDA did not
have an opinion on our recommendation that the agency study what
additional authorities it may need relating to security measures at
food-processing facilities. USDA‘s comments are contained in appendix
IV, and FDA‘s comments are provided in appendix V.
Background:
Under the Federal Meat Inspection Act, the Poultry Products Inspection
Act, and the Egg Products Inspection Act, USDA, through FSIS, is
responsible for ensuring the safety of meat, poultry, and certain egg
products. Under the Federal Food, Drug, and Cosmetic Act and the Public
Health Service Act, FDA is responsible for all other foods, including
fruits and vegetables; dairy products; seafood; and certain canned,
frozen, and packaged foods. The food-processing sector is generally
described as the middle segment of the farm-to-table continuum--it
extends from the time livestock and crops leave the farm for slaughter
and processing into food until it reaches retail establishments.
FDA and FSIS work to ensure the safety of food products processed in
the United States through a regulatory system of preventive controls
that identifies hazards early in the production process to minimize the
risk of contamination. Known as the Hazard Analysis and Critical
Control Point (HACCP) system, it makes food-processing facilities
responsible for developing a plan that identifies harmful
microbiological, chemical, and physical hazards that are reasonably
likely to occur and establishes critical control points to prevent or
reduce contamination.[Footnote 1] Through their inspection programs,
FDA and FSIS verify that food processors are implementing their HACCP
plans. FDA inspects over 57,000 food facilities every 5 years on
average, and USDA inspects over 6,000 meat and poultry slaughter and
processing facilities daily. Individual states also conduct yearly
inspections of about 300,000 food-processing facilities, including
small firms with fewer than 10 employees and large corporations with
thousands of employees and multiple processing plants located in many
states. Both FDA and FSIS have the authority to take enforcement
actions as necessary to ensure that facilities meet the agencies‘
safety and sanitation regulatory requirements. As we reported in 2001,
in fiscal year 1999, the latest year for which such information was
available, FDA, FSIS, and the states spent a total of about $1.3
billion on food safety activities.[Footnote 2]
Following the events of September 11, 2001, the federal government
intensified its efforts to address the potential for deliberate
contamination of agriculture and food products. On October 8, 2001, the
President issued an executive order establishing the Office of Homeland
Security, which added the agriculture and food industries to the list
of critical infrastructure systems needing protection from terrorist
attack. In addition, the Congress provided FDA and USDA with emergency
funding to prevent, prepare for, and respond to potential bioterrorist
attacks through the Department of Defense Appropriation Act of 2002:
$97 million for FDA and $15 million for FSIS. For the most part, FDA
has used the emergency funds to enhance the security of imported food
by hiring new inspectors and increasing inspections at U.S. ports of
entry. FSIS has used its emergency funds to support its food security
activities, which include, among other things, providing educational
and specialized training. FDA‘s fiscal year 2003 budget builds upon
funding received from the fiscal year 2002 appropriation plus the
fiscal year 2002 emergency supplemental funding of $97 million to
counter terrorism. FDA plans to seek additional funding in the future
for food safety activities and security activities related to
terrorism. FSIS is asking for an additional $28 million. The Congress
also enacted the Public Health Security and Bioterrorism Preparedness
and Response Act of 2002, which contains numerous provisions designed
to enhance the safety and security of the food, drug, and water
industries.[Footnote 3]
In addition, both FDA and USDA have taken many actions to better
protect the food supply against deliberate contamination. For example,
FDA has hired 655 new food safety investigators and laboratory
personnel in the field. In addition, it has participated in several
exercises at the federal and state levels to enhance emergency response
procedures. Furthermore, FDA is working with CDC to initiate and
implement a nationwide Laboratory Response Network for foods to
identify laboratory capacity for testing agents that could be used to
deliberately contaminate food. It has also provided additional
laboratory training for food safety personnel and sought stakeholders‘
input to develop regulations that are required by the new bioterrorism
legislation. Moreover, FDA worked with the Office of the Surgeon
General, U.S. Air Force, to adapt a version of the Operational Risk
Management approach to examine the relative risks of intentional
contamination during various stages of food production and
distribution.[Footnote 4] Within the Department of Health and Human
Services, both FDA and CDC have worked closely with federal, state, and
local agencies to enhance their surveillance of diseases caused by
foodborne pathogens. FDA‘s efforts to reduce food security risks also
include working with other federal agencies, trade associations, and
the Alliance for Food Security.
USDA has formed a Homeland Security Council to develop a Department-
wide plan to coordinate efforts between all USDA agencies and offices.
The Department has also established the FSIS Office of Food Security
and Emergency Preparedness to centralize the Department‘s work on
security matters. USDA has also coordinated with other government
agencies, such as the Office of Homeland Security, the Federal Bureau
of Investigation (FBI), and FDA, to develop prevention, detection, and
response procedures to better protect the nation‘s food
supply.[Footnote 5] USDA will be increasing the number of import
inspectors by 20. These inspectors will place special emphasis on food
security in addition to their traditional food safety role. In
addition, USDA has participated in several exercises at the federal and
state levels to enhance response procedures and has conducted risk
assessments for domestic and imported food. Since this review began,
USDA has conducted three simulation exercises at the Department and
agency level to test the Department‘s response to a terrorist attack
and is planning three additional simulations for the spring of 2003.
USDA has also conducted preparedness-training sessions for
veterinarians and circuit supervisors. (Circuit supervisors supervise
the work of in-plant inspection personnel and discuss the security
guidelines with them.):
Experts from government and academia generally agree that terrorists
could use food products as a vehicle for introducing harmful agents
into the food supply. Just recently, the National Academies reported
that terrorists could use toxic chemicals or infectious agents to
contaminate food production facilities and that, although much
attention has been paid to ensuring safety and purity throughout the
various stages of processing and distribution, protecting the food
supply from intentional contamination has not been a major focus of
federal agencies.[Footnote 6] Among other things, the report says that
FDA should act promptly to extend its HACCP methodology so that it
could be used to deal effectively with the deliberate contamination of
the food supply. In February 2002, CDC reported that although the food
and water systems in the United States are among the safest in the
world, the nationwide outbreaks due to unintentional food or water
contamination demonstrate the ongoing need for vigilance in protecting
food and water supplies.[Footnote 7] All of the bioterrorism experts
whom we consulted from academia agreed that the food supply is at risk.
Existing Food Safety Statutes Do Not Provide Sufficient Authority to
Regulate All Aspects of Security at Food-Processing Facilities:
The food safety statutes do not specifically authorize FDA or USDA to
require food processors to implement any type of security measures
designed to prevent the intentional contamination of the foods they
produce.[Footnote 8] While these agencies‘ food safety statutes can be
interpreted to provide authority to impose certain security
requirements, as opposed to food safety requirements, neither agency
believes it has the authority to regulate all aspects of security.
Counsel in the Department of Health and Human Service‘s Office of the
Assistant Secretary for Legislation advised that FDA‘s authorities
under the Federal Food, Drug, and Cosmetic Act and the Public Health
Service Act provide FDA with tools to adopt measures to control
insanitary preparation, packing, and holding conditions that could lead
to unsafe food; detect contamination of food; and control contaminated
food. However, Counsel also advised that FDA‘s food safety authorities
do not extend to the regulation of physical facility security measures.
FDA‘s counsel provided a similar assessment, telling us that, to the
extent that food safety and security overlap, FDA might be able to
require the industry to take precautionary steps to improve security
but observed that there is little overlap between safety and security.
One area where safety and security do overlap is in the handling of
hazardous materials. FDA‘s existing safety regulations specify that
hazardous chemicals should be stored so that they cannot contaminate
food products. This requirement overlaps with FDA‘s food security
guidelines advising that hazardous chemicals be stored in a secure area
and that access to them be limited.
USDA, on the other hand, has a somewhat more expansive view of the
extent to which its statutory authority allows it to require food
processors to adopt certain security measures. USDA‘s general counsel
concluded that to the extent that security precautions pertain to
activities closely related to sanitary conditions in the food
preparation process, FSIS has the authority to require food processors
to implement certain security measures.[Footnote 9] The general counsel
concluded that FSIS could require facilities to develop and maintain a
food security management plan concerning their response to an actual
threat involving product tampering, since this is directly related to
food adulteration. Such a plan could be added to a current HACCP plan
or it could be entirely separate. USDA also believes that FSIS has
authority to mandate its ’inside security“ guidelines, such as
controlling or restricting access to certain areas, monitoring the
operation of equipment to prevent tampering, and keeping accurate
inventories of restricted ingredients and hazardous chemicals.
Similarly, USDA believes that many of its security measures that
address shipping and receiving food products or protecting water and
ice used in processing products also could be made mandatory. These
measures include putting tamper-proof seals on incoming and outgoing
shipments and controlling access to water lines and ice storage.
On the other hand, USDA believes that the ’outside security“ measures
included in its guidelines, such as securing plant boundaries and
providing guards, alarms, and outside lighting, have little to do with
sanitation in the facility or the immediate food-processing environment
and, therefore, could not be made mandatory under existing authorities.
With respect to the guidelines‘ personnel security measures, USDA noted
that FSIS has limited authority over personnel matters at food-
processing facilities and could not require facilities to perform
personnel background checks before hiring.
FDA and FSIS Issued Voluntary Security Guidelines to Food Processors
but Do Not Track or Document the Extent to Which They Are Being
Implemented:
In response to the nation‘s growing concerns regarding the potential
for deliberate contamination of the food supply, FDA and USDA issued
guidelines to the food-processing industry suggesting measures to
enhance security at their facilities. Among other things, the
guidelines suggests conducting a risk assessment, developing a plan to
address security risks at plants, and adopting a wide range of security
measures inside and outside the premises. Food-processing facilities
are not required to adopt any of the security measures but are
encouraged to adopt those that they feel are best suited for their
operations. Although both agencies have alerted their field inspection
personnel to be vigilant about security issues, they have also told the
inspectors that they are not authorized to enforce these measures and
have instructed them not to document their observations regarding
security because of the possible release of this information under the
Freedom of Information Act and the potential for the misuse of this
information. As a result, FDA and USDA currently do not know the extent
to which food security measures are being implemented at food-
processing facilities. In contrast, the Congress directed medium-size
and large-size community water systems, which are privately or publicly
owned, to assess their vulnerability to terrorist attacks and to
develop an emergency response plan to prepare for such an event. The
act also authorized funding to be used for basic security enhancements,
such as the installation of fencing, gating, lighting, or security
cameras. This approach enables the Environmental Protection Agency
(EPA) to monitor the water industry‘s security efforts and could be a
possible model for the food safety agencies.
Industry‘s Compliance with Security Guidelines Is Voluntary:
In 2002, FDA and FSIS each issued voluntary security guidelines to the
food-processing industry to help federal-and state-inspected plants
identify ways to enhance their security.[Footnote 10] The agencies
encouraged food processors, among others, to review their current
operations and adopt those security measures suggested in the
guidelines that they believed would be best suited for their
facilities. Officials from both FDA and FSIS told us that there was
little or no coordination between the two agencies in developing these
guidelines. The FDA guidance contains over 100 recommended security
measures covering seven areas of plant operation, such as managing food
security, physical (outside) security, and computer security. FSIS‘s
guidelines contain 68 security measures and cover seven areas of plant
operation. Figure 1 summarizes key aspects of both agencies‘ voluntary
security guidelines for industry. FDA and FSIS have made the guidelines
available on the Internet.[Footnote 11] These guidelines are very
similar--one difference is that FSIS‘s contain security measures for
slaughter facilities.
Figure 1: Examples of Security Measures Contained in FDA and FSIS
Guidelines:
[See PDF for image]
[End of figure]
Some state governments have also acted to protect food products from
deliberate contamination. We learned from 11 state auditing offices
that food safety regulatory officials from most of these states are
providing industry or state inspectors with guidelines, either in the
form of the FDA and FSIS guidelines or guidelines developed by the
state officials themselves.[Footnote 12] In addition, three states have
enacted new legislation or regulations addressing the security of food
products.
FDA and FSIS Instruct Their Inspectors to Be Observant:
Although FDA and FSIS do not assess the extent to which food processors
are implementing security measures, the agencies have asked their field
inspection personnel to be on heightened alert and to discuss, but not
interpret, the security guidance with facility officials during their
routine food safety inspections.[Footnote 13] However, both FDA and
USDA have instructed their field inspection personnel to refrain from
enforcing any aspects of the security guidelines because the agencies
generally believe that they lack such authority. They have also
instructed their field personnel not to document plants‘ security
measures because they are concerned that such information would be
subject to Freedom of Information Act requests.
More specifically, FDA‘s instructions to its field personnel specify
that they should neither perform a comprehensive food security audit of
the establishment nor conduct extensive interviews to determine the
extent to which preventive measures suggested in the guidelines have
been adopted. The goals, according to FDA, are to heighten industry‘s
awareness of food security practices, facilitate an exchange of
information between FDA and industry on the subject of food security,
and encourage plant management to voluntarily implement those
preventive measures that they believe are most appropriate for their
operation. In short, FDA inspectors are encouraged to discuss food
security concerns with plant management and to provide them with copies
of the guidelines. Although the exact details of such discussions are
not to be recorded, inspectors are required to document in their
inspection reports that such discussions took place and that they gave
a copy of the guidelines to facility management.
Similarly, FSIS has informed its field inspectors that they have no
regulatory duties regarding the enforcement of the guidelines.
Initially, the agency instructed its inspectors to refer any questions
from facility managers to USDA‘s Technical Service Center in Omaha,
Nebraska.[Footnote 14] Recently the agency modified its position
regarding direct discussions of food security and now allows inspectors
to discuss, but not interpret, security with facility management.
Inspectors are still instructed not to document these conversations or
enforce the adoption of any security measure.
Officials from both agencies expressed concerns about gathering
security information from facilities because it could be subject to
public disclosure through Freedom of Information Act requests. If
terrorists gained access to this information, it could give them a road
map to target the most vulnerable areas in a food-processing plant.
Water Security Provisions in the 2002 Bioterrorism Act Are a Possible
Model for the Food Safety Agencies:
Recent congressional efforts to better protect the nation‘s drinking
water from terrorist acts may offer a model for FDA and USDA to help
monitor security measures adopted at food-processing facilities as well
as to identify any security gaps that may exist at these facilities.
Although there are differences in how the government regulates drinking
water and food, food and water are essential daily consumption
elements, and both are regulated to ensure their safety.
In June 2002, the Congress enacted the Public Health Security and
Bioterrorism Preparedness and Response Act of 2002, which, among other
things, amended the Safe Drinking Water Act. The Bioterrorism Act
requires medium-size and large-size community water systems (those
serving over 3,300 people), which are privately and publicly owned, to
certify to EPA that they have assessed their vulnerability to a
terrorist attack and developed emergency plans to prepare for and
respond to such an attack. These water systems serve 91 percent of the
United States‘ population. Each community‘s water system is required to
conduct a vulnerability assessment and submit a copy of the assessment
to EPA.[Footnote 15] The act specifies that the vulnerability
assessment is exempt from disclosure under the Freedom of Information
Act, except for the identity of the community water system and the date
on which it certifies compliance. Community water systems are also
required to prepare an emergency response plan that incorporates the
results of their vulnerability assessments. In addition, the act
authorizes funding for financial assistance to community water systems
to support the purchasing of security equipment, such as fencing,
gating, lighting, or security cameras.
Food Processors Are Implementing a Range of Security Measures, but
Extent of Implementation Is Largely Unknown to FDA and FSIS:
FDA and FSIS lack comprehensive information on the extent to which
food-processing companies are adopting security measures. However,
officials from the majority of the food trade associations that we
contacted believe that their members are implementing a range of
measures to enhance security at their facilities. We found that the
five food-processing facilities we visited in various geographic
regions around the country are also implementing an array of security
measures that range from developing risk assessment plans to hiring
security contractors.[Footnote 16] Furthermore, our survey of FDA and
FSIS inspectors indicates that, generally, food-processing facilities
are implementing a range of security measures. The survey responses
indicate, however, that the inspectors were more aware of those
security measures that were the most visible to them during the course
of their regular food safety inspections.[Footnote 17]
Trade Association Officials Indicate That Industry Is Implementing
Various Security Measures:
According to trade association officials, food processors are
voluntarily taking steps to prevent the deliberate contamination of
their products, including adopting many of the measures suggested by
FDA and FSIS, such as installing fences, requiring that employees wear
identification, and restricting access to certain plant areas.
Association officials told us that most large food-processing
facilities already have ample security plans that include many of the
recommendations made by FDA and FSIS. One trade association recently
conducted a survey of its members and asked for their opinions about
FSIS‘s Guidelines. Most of the respondents indicated that they were
aware of the guidelines; they believed the guidelines were for the most
part practical and workable; and they used them in their security
plans. However, these officials were unable to provide data on the
extent to which the food-processing industry is implementing security
measures to prevent or mitigate the potential deliberate contamination
of food products.[Footnote 18]
Trade association officials also said that they provided FDA and FSIS
with comments on the voluntary guidelines and, in some cases, have also
issued their own food security guidelines to their members. Although
the officials generally believe that the agencies‘ guidelines are
reasonable, they do not want the government to regulate food security.
They also feel that some companies, especially small facilities with
limited resources, are unable to implement all the measures in the
guidelines. Therefore, these officials believe it is important for the
guidelines to remain voluntary.
The industry is involved in improving food security in other ways as
well. For example, the food industry associations formed the Alliance
for Food Security to facilitate the exchange of information about food
security issues. The Alliance is composed of trade associations
representing the food chain, from commodity production through
processing, packaging, distribution, and retail sale, as well as
government agencies responsible for food and water safety, public
health, and law enforcement. Similarly, led by the Food Marketing
Institute, the food industry and FBI established the Information
Sharing and Analysis Center (ISAC), which serves as a contact point for
gathering, analyzing, and disseminating information among companies and
the multiagency National Infrastructure Protection Center based at FBI
headquarters. Through ISAC, FBI officials have notified food
manufacturers of warnings and threats that the Center deems to be
credible. ISAC also provides a voluntary mechanism for reporting
suspicious activity in a confidential manner and for developing
solutions.
Five Processing Facilities Provide Some Indication about Industry‘s
Efforts:
We visited five food-processing facilities, including a slaughter plant
and facilities that produce beverages and ready-to-eat products.
Although these facilities are not in any way representative of all
food-processing plants nationwide, they provide some information about
the types of security measures that some facilities are implementing.
All five facilities had conducted risk analyses and, on the basis of
the results, had implemented a number of security measures similar to
those suggested in the FDA and FSIS guidelines. For example, all five
facilities limited access to the facility through such means as
requiring visitors to enter through a guard shack and to provide
identification. In addition, employees at three of the facilities could
enter the facility only by using magnetic cards.
However, managers at the five facilities offered differing opinions
about personnel security. Although all of the facilities we visited
performed background checks on their employees that included
verification of social security numbers, only some verified prior work
experience, criminal history, and level of education. One company also
required that its contractors, such as construction companies working
in the facility, perform employment, education, and criminal checks of
their own employees. The facilities also used different protocols for
employee access to different areas within the plant. For example, at
four of the facilities, employees were limited to those areas of the
plant in which they worked.
While the managers at these facilities generally complimented FDA‘s and
USDA‘s security guidelines, they said that they do not want the
agencies to regulate security. Rather, they believe that the agencies
should develop a nonprescriptive framework or strategy for industry and
then leave them to decide how to meet their individual requirements.
One manager believes that food security responsibilities should be
moved to the Department of Homeland Security.
Finally, our discussions with trade association officials and food-
processing industry officials revealed that the industry is very
concerned about sharing security information with federal agencies
because of the possibility that it could provide a road map for
terrorist groups if it were released under the Freedom of Information
Act. Although the act exempts from public release certain national
security, trade secret, and commercial or financial information,
industry officials are generally skeptical about the government‘s
ability to prevent the release of sensitive security information at
food-processing facilities. FBI officials told us that they have cited
these exemptions when assuring ISAC members that security information
shared with them will be protected from public release. These officials
explained that the courts have generally ruled that the commercial
information exemption protects those who voluntarily provide the
government with information if the information is of a kind that the
provider would not ordinarily release to the public.[Footnote 19]
However, the FBI officials we interviewed believe that the government
should find some way of assuring industry that sensitive security
information is protected from public release.
FDA and FSIS Survey Respondents Indicate That Processing Facilities Are
Implementing a Range of Security Measures:
FDA and FSIS survey respondents observed a range of security measures
being implemented at food-processing facilities, although both FDA and
FSIS respondents were able to provide more information about those
security measures that were most visible during the course of their
normal inspection duties. Figure 2 shows selected categories of
security measures recommended in the FDA and FSIS security guidelines
that were most visible to inspectors.[Footnote 20] The majority of the
FDA survey respondents said they were able to observe security
measures, such as fencing around the plants‘ perimeter, limiting access
to restricted areas, securing hazardous materials, and providing
adequate interior and exterior lighting. Likewise, most of FSIS‘s
circuit supervisors were able to observe outside security measures
including alarmed emergency exits, plant perimeter protection, positive
employee identification, and the inspection of incoming and outgoing
vehicles.
Figure 2: Percentage of Survey Responses Indicating Observation or
Knowledge of More Visible Security Measures:
[See PDF for image]
[End of figure]
Note: GAO survey of FDA and FSIS inspectors.
Survey respondents provided fewer observations regarding other types of
security measures included in the FDA and FSIS guidelines--in some
instances because these measures were less visible to them. For
example, FDA respondents were less able to comment on whether they
noticed or knew of the presence of security measures designed to
account for missing stock or for other finished product irregularities.
(See fig. 3.) Similarly, FSIS respondents were less unable to comment
on the extent to which facilities were performing background checks on
new employees or implementing proper mail-handling practices.
Figure 3: Percentage of Survey Responses Indicating Observation or
Knowledge of Less Visible Security Measures:
[See PDF for image]
[End of figure]
Figure 4: Note: GAO survey of FDA and FSIS inspectors.
[See PDF for image]
[End of figure]
More than half of FSIS‘s survey respondents stated that large plants--
those with at least 500 employees--had implemented a range of security
measures, including the areas of outside security, storage, slaughter
and processing, and personnel security. Fewer of these respondents
observed these security measures at smaller plants. Some FDA and FSIS
respondents provided additional comments that the very small firms
typically lack the financial resources to implement many of the
security measures suggested in the government guidelines. Similarly,
some respondents commented that many of the security measures might not
be necessary at smaller establishments.
Additionally, most of the FDA respondents reported that they had not
received training on food security; while nearly all of the FSIS
respondents reported that they had recently received such training.
Some of the FSIS respondents further stated that although they had
received food security training, further training was greatly needed in
the field. Such training would be beneficial because field personnel
are encouraged to discuss security measures with managers at the
facilities they inspect.
Finally, responses to our survey showed that FDA and FSIS respondents
have different levels of ’satisfaction“ with or ’confidence“ in the
efforts of the processing facilities they inspect to ensure the
protection of food from acts of deliberate contamination.[Footnote 21]
While nearly half of the FSIS respondents said they were somewhat or
very confident of the efforts made by the food processors they inspect,
slightly over one-fourth of the FDA respondents were satisfied or very
satisfied with the efforts made by the food processors they inspect.
Regulatory Officials from 11 States Indicate Some Level of Satisfaction
with Security Efforts:
Thirty-seven food regulatory officials interviewed by state auditors in
11 states provided opinions on their overall level of satisfaction with
federal, state, and industry efforts to protect food from intentional
contamination. Table 1 shows that nearly half of the state regulatory
officials interviewed expressed satisfaction with the efforts made by
federal, state, and industry to safeguard food products--though these
results cannot be generalized to all state regulatory officials.
Table 1: State Officials‘ Satisfaction with Federal, State, and
Industry Efforts to Safeguard Food Products from Deliberate
Contamination:
Questions asked of 37 state food safety regulatory officials: (11
states): How satisfied are you with the federal government‘s efforts?;
Percentage of officials very satisfied or
satisfied: 43.3; Percentage of officials neither satisfied nor
dissatisfied: 32.4; Percentage of officials dissatisfied or very
dissatisfied: 24.3.
Questions asked of 37 state food safety regulatory officials: (11
states): How satisfied are you with the state government‘s efforts?;
Percentage of officials very satisfied or
satisfied: 56.8; Percentage of officials neither satisfied nor
dissatisfied: 29.7; Percentage of officials dissatisfied or very
dissatisfied: 13.5.
Questions asked of 37 state food safety regulatory officials: (11
states): How satisfied are you with industry‘s efforts?; Percentage of
officials very satisfied or
satisfied: 43.2; Percentage of officials neither satisfied nor
dissatisfied: 45.9; Percentage of officials dissatisfied or very
dissatisfied: 10.8.
[End of table]
Source: State audit offices.
Notes: Combined state survey of 37 state regulatory officials.
Percentages may not total 100 because of rounding.
Finally, most of the state officials interviewed by state auditors
believed it was either ’important“ or ’very important“ for states to
monitor whether companies have adopted security measures to prevent
acts of deliberate contamination; 3 of the 11 states are already
requiring their inspectors to do so.
Conclusions:
The vulnerability of the food supply to potential acts of deliberate
contamination is a national concern. The President addressed this
concern in the October 8, 2001, executive order establishing the Office
of Homeland Security and adding the agriculture and food industries to
the list of critical infrastructure systems needing protection from
terrorist attack. The National Academies have also concluded in a
recently released report that infectious agents and toxic chemicals
could be used by terrorists to contaminate food-processing facilities.
Among other things, the report says that FDA should act promptly to
extend its Hazard Analysis and Critical Control Point methodology so it
might be used to deal effectively with deliberate contamination of the
food supply. The Centers for Disease Control and Prevention also
reported recently on the need to better protect our nation‘s food and
water supplies.
These assessments underscore the need to enhance security at food-
processing facilities. Although FDA and FSIS recognize that need and
have taken action to encourage food processors to voluntarily adopt
security measures, these actions may be insufficient. Because the
agencies believe that they generally lack authority to mandate security
measures and are concerned that such information would be subject to
Freedom of Information Act requests, they do not collect information on
industry‘s voluntary implementation of security measures. The agencies
are, therefore, unable to determine the extent to which food processors
have voluntarily implemented such measures. Both FDA and USDA have
completed risk assessments. However, without the ability to require
food-processing facilities to provide information on their security
measures, these federal agencies cannot fully assess industry‘s efforts
to prevent or reduce the vulnerability of the nation‘s food supply to
deliberate contamination. Similarly, they cannot advise processors on
needed security enhancements. Furthermore, lacking baseline
information on the facilities‘ security condition, the agencies would
be unprepared to advise food-processing facilities on any additional
actions needed if the federal government were to go to a higher threat
alert.
Finally, the lack of security training for FDA food inspectors on the
voluntary security guidelines issued for food processors and the
limited number of FSIS inspectors that have so far received training on
the voluntary security guidelines hamper the inspectors‘ ability to
conduct informed discussions regarding security measures with facility
personnel as they are currently instructed to do.
Recommendations for Executive Action:
In order to reduce the risk of deliberate contamination of food
products, we are recommending that the Secretary of Health and Human
Services and the Secretary of Agriculture study their agencies‘
existing statutes and identify what additional authorities they may
need relating to security measures at food-processing facilities. On
the basis of the results of these studies, the agencies should seek
additional authority from the Congress, as needed.
To increase field inspectors‘ knowledge and understanding of food
security issues and facilitate their discussions about the voluntary
security guidelines with plant personnel, we are also recommending that
the Secretary of Health and Human Services and the Secretary of
Agriculture provide training for their agencies‘ field staff on the
security measures discussed in the voluntary guidelines.
Agency Comments and Our Evaluation:
We provided FDA and USDA with a draft of this report for their review
and comment. We received written and clarifying oral comments from each
agency. The agencies also provided technical comments, which we
incorporated into the report as appropriate. FDA agreed with our
recommendation that it provide all food inspection personnel with
training on security measures. Subsequently, FDA officials told us that
the agency did not have an opinion on our recommendation that it study
what additional authorities it may need relating to security measures
at food-processing facilities. In its written comments, FDA stated that
the report is factual and describes accurately the events and actions
that FDA has taken on food security. FDA also commented that one of the
goals of its voluntary guidance to industry is to heighten awareness of
food security practices and that the role of its investigators is first
and foremost food safety. FDA also said that it does not have
sufficient security expertise to provide industry with consultation in
this area. FDA further commented that although HACCP and other
preventive controls are appropriate measures to enhance food safety,
HACCP does not afford similar advantages for addressing deliberate
contamination, tampering, and/or terrorist actions related to the food
supply. Our report underscores that the role of FDA‘s investigators is
primarily one of food safety. Nevertheless, we believe that it is also
crucial for cognizant agencies to have information about industry‘s
security efforts so that they can assess the extent to which the risk
of deliberate contamination is being mitigated. We also believe that
possessing such information is important if it becomes necessary to
advise food processors on needed security enhancements. With regard to
HACCP, our report does not take a position on the feasibility of using
HACCP as a means to control deliberate contamination; instead, we
report on the opinion of the National Academies. FDA‘s comments are
presented in appendix V.
In its written comments, USDA agreed with the contents of our report.
Subsequently, USDA‘s food safety officials confirmed that the agency
also agrees with the report‘s recommendations. In its letter, USDA
commented that it has already conducted a comprehensive risk assessment
of the food supply without plant security information and that knowing
whether a plant employed one or several security measures was not
needed to assess the risk. Our report acknowledges that USDA has
conducted a comprehensive risk assessment, but we believe that it is
crucial for cognizant agencies to have information about industry‘s
security efforts so that they can assess the extent to which the risk
of deliberate contamination is being mitigated. USDA‘s comments are
presented in appendix IV.
As agreed with your offices, unless you publicly announce the contents
of this report earlier, we plan no further distribution until 30 days
from the report date. At that time, we will send copies to the
Secretaries of Agriculture and Health and Human Services; the Director
of the Federal Bureau of Investigation; the Director, Office of
Management and Budget; and other interested parties. We will also make
copies available to others upon request. In addition, the report will
be available at no charge on the GAO Web site at http://www.gao.gov.
If you have any questions about this report, please contact Maria
Cristina Gobin or me at (202) 512-3841. Key contributors to this report
are listed in appendix VI.
signed by Lawrence J. Dyckman:
Lawrence J. Dyckman
Director, Natural Resources
and Environment:
[End of section]
Appendix I: Scope and Methodology:
To determine the extent to which the current federal food safety
statutes can be effectively used to regulate security at food-
processing facilities, we analyzed the Food and Drug Administration‘s
(FDA) and the U.S. Department of Agriculture‘s (USDA) existing
statutory authorities. We discussed these authorities with FDA and USDA
counsel and requested a legal opinion to determine the extent to which
each agency believes its existing authorities allow it to regulate food
security. We then independently reviewed these authorities to draw our
own conclusions.
To describe the actions that FDA and USDA have taken to help food
processors prevent or reduce the risk of deliberate food contamination,
we met with staff from FDA and FSIS to review the voluntary guidelines
issued by each agency. To better understand the provisions of the
guidelines, we met with agency program staff responsible for issuing
the guidelines and for receiving industry comments on it. To learn how
the guidelines would be implemented, we met with FDA and USDA‘s Food
Safety and Inspection Service (FSIS) officials responsible for field
operations and with staff from field offices in Atlanta, Georgia, and
Beltsville, Maryland. Finally, to gather additional information about
the vulnerability of the food supply to acts of deliberate
contamination, we contacted nine experts from academia, including
experts in food safety and in bioterrorism.
To describe how the government is determining the extent to which food-
processing companies are implementing security procedures, we asked FDA
and FSIS program officials about the nature of the information they are
collecting about industry security measures. We also conducted surveys
of agency field personnel to obtain their observations about and
knowledge of food security measures taken at facilities they regularly
inspect for food safety. Our FDA survey, which was Web-based, was
administered to all 150 field investigators who recorded 465 or more
hours for domestic food inspection from June 1, 2001 to May 31, 2002.
Our survey of FSIS staff was a telephone survey of a randomly selected
stratified sample of 50 circuit supervisors. Our response rate for
these surveys was higher than 85 percent for FDA and 90 percent for
FSIS, and respondents included participants from all the agencies‘
geographic regions. Before administering the surveys, we discussed with
and obtained input from FDA and FSIS program officials. We also
pretested the surveys at field locations to ensure that our questions
were valid, clear, and precise and that responding to the survey did
not place an undue burden on the respondents. In addition, we contacted
state audit offices in all 50 states to collect information about state
government actions designed to prevent the deliberate contamination of
food products. Of the 50 state audit offices we contacted, only 11
agreed to help us collect this information: Arizona, Florida, Maryland,
Michigan, New York, North Carolina, Oklahoma, Oregon, Pennsylvania,
Tennessee, and Texas.
To determine the extent to which the food-processing industry is
implementing security measures to better protect its products against
deliberate contamination, we contacted officials from 13 trade
associations representing, among others, the meat and poultry, dairy,
egg, and fruits and vegetables industries and the food-processing
industry. We discussed the guidelines that their organizations have
issued, and they described what actions their constituents are taking
to protect their products. We also visited five food-processing
facilities in various geographic regions to ask corporate and plant
officials about the actions they have taken to protect their products
and facilities against intentional contamination. These facilities
included a slaughter plant as well as facilities that produce beverages
and ready-to-eat products. We recognize that the efforts of these five
facilities are not necessarily representative of the whole food-
processing industry. To identify the concerns that the industry has
about sharing sensitive information with federal agencies, we spoke
with industry representatives as well as officials from the Federal
Bureau of Investigation‘s National Infrastructure Protection Center.
We conducted our review from February through December 2002 in
accordance with generally accepted government auditing standards.
[End of section]
Appendix II: FDA Survey Results:
[End of section]
[See PDF for image]
[End of section]
Appendix III: FSIS Survey Results:
[End of section]
[See PDF for image]
[End of section]
Appendix IV: Comments from the U.S. Department of Agriculture:
Mr. Lawrence J. Dyckman:
Director, Natural Resources and Environment Team Food and Agriculture
Issues:
United States General Accounting Office 441 G Street, NW, Room 2T23
Washington, DC 20548:
Dear Mr. Dyckman:
Thank you for the opportunity to review and comment on the GAO Draft
Report (GAO-03-342), ’FOOD SECURITY: Voluntary Efforts Are Underway,
but Federal Agencies Cannot Fully Assess Their Implementation“ draft
report. We generally agree with the contents of this report. However,
please consider the following comment.
On page 22 GAO concluded that the ’...federal agencies cannot fully
assess the vulnerability of the nation‘s food supply, or advise
processors on needed security enhancements. Restate sentence to read:
’...federal agencies may have a difficult time assessing the
vulnerability of the nation‘s food supply...“:
FSIS, as acknowledged on page 7 of the report, has completed a risk
assessment of the food supply from farm to table. However, FSIS did not
require information on the plant security measures to conduct its risk
assessment. FSIS made the assumption that plant security measures could
be overcome by a determined terrorist and that certain commodities or
processes could be more at risk than others to an attack. Security
measures could lessen the risk, but the risk would still exist. The
risk assessment evaluated which agents could be used on the food
supply, which agents are easy to obtain or produce, and assessed
whether the food-processing product had any mitigation factors that
would prevent or lessen an intentional attack. These assumptions were
then used to develop a risk model. Knowing whether a plant employed one
or several security measures was not needed to assess the risk.
We have enclosed a few editorial comments for your consideration.
Sincerely,
Signed by Garry L. McKee:
Garry L. McKee, Ph.D., M.P.H. Administrator:
[End of section]
Appendix V: Comments from the Food and Drug Administration:
DEPARTMENT OF HEALTH & HUMAN SERVICES:
Food and Drug Administration Rockville MD 20857:
January 22, 2003:
Mr. Lawrence J. Dyckman:
Director, Natural Resources and Environment United States General
Accounting Office 441 G Street, NW:
Washington, DC 20548:
Dear Mr. Dyckman:
Please find the enclosed comments from the Food and Drug Administration
on the GAO draft report entitled, FOOD SECURITY: Voluntary Efforts Are
Underway, but Federal Agencies Cannot Fully Assess Their Implementation
(GAO-03-342). The Agency provided extensive technical comments directly
to your staff.
We appreciate the opportunity to review and comment on this draft
report before its publication as well as the opportunity to work with
your staff in developing this report.
Sincerely,
Signed by Mark B. McClellan:
Mark B. McClellan, M.D., Ph.D. Commissioner of Food and Drugs:
Enclosure:
General Comments by the Department of Health and Human Service‘s Food
and Drug Administration (FDA) on General Accounting Office‘s (GAO)
Draft Report FOOD SECURITY: Voluntary Efforts Are Underway, but Federal
Agencies Cannot Fully Assess Their Implementation GAO-03-342):
FDA appreciates the opportunity to comment on GAO‘s draft report. The
report is factual and describes accurately the events and actions taken
by FDA related to food security as well as the sensitive nature of the
information related to security measures taken by the food-processing
industry.
GAO also accurately acknowledges efforts taken by FDA and other
government agencies to enhance safety and security of regulated
products. These efforts, in conjunction with the Public Health Security
and Bioterrorism Preparedness and Response Act of 2002, are primarily
directed toward imported products.
The draft report discusses the different views between USDA and FDA on
its authorities to address security concerns. In point of fact, our
positions are very similar and any slight difference is more an issue
of semantics rather than of substance.
FDA would like to stress that the goal of its voluntary guidance to
industry on security is not only to facilitate an exchange of
information between FDA and industry on the subject of food security
but also to heighten awareness of their food security practices. FDA
does not possess sufficient resources in security expertise per se to
provide consultation to the industry in this area. However, if we
heighten awareness of security issues, the industry can consult with
security experts to review their facility and adopt appropriate
procedures. The role of the FDA investigator is first and foremost food
safety and, as an ancillary role, to observe food security measures as
they relate to the food safety investigation. FDA is only obliged to
observe and comment when certain measures are not easily visible and do
not link up and when they coincide with the primary purpose of the
investigation.
In addition, FDA agrees with GAO that Hazards Analysis Critical Control
Points (HACCP) and other preventive controls are appropriate measures
to reduce and or eliminate food safety contamination but do not believe
HACCP affords similar advantages to deliberate contamination, tampering
and or terrorist actions to the food supply. Accordingly, and in
cooperation with the U.S. Air Force, FDA employed the Operational Risk
Management approach to identify and minimize food security risks.
GAO‘s Recommendations for Executive Action:
1. In order to reduce the risk of deliberate contamination of food
products, we are recommending that the Secretary of Health and Human
Services and the Secretary of the Agriculture study their existing
statutes and identify what additional authorities they may need
relating to security measures at food-processing facilities. Based on
the results of the study, the agencies should seek additional authority
from the Congress, as needed.
FDA response:
FDA believes that its authorities under the Federal Food, Drug, and
Cosmetic Act and the Public Health Service Act would extend to the
regulation of facility security measures to prevent the intentional
contamination of food products to the extent they overlap with food
safety.
As we have previously reported, the General Counsel in the Department
of Health and Human Service‘s Offic e of the Assistant Secretary for
Legislation advised that FDA‘s authorities under the Federal Food,
Drug, and Cosmetic Act and the Public Health Service Act provide FDA
with tools to adopt measures to control insanitary preparation,
packing, and holding conditions that may lead to unsafe food, detect
contamination of food, and control contaminated food. However, HHS
counsel also advised that FDA‘s food safety authorities do not extend
to the regulation of physical facility security measures to prevent
intentional contamination of food products. FDA counsel believes that
to the extent that food safety and security overlap, FDA might be able
to require industry to take steps to improve security depending on the
particular measure at issue, but observed that there is likely to be
little overlap between safety and security in various areas, e.g.,
background checks of employees.
2. To increase field inspectors‘ knowledge and understanding of food
security issues and facilitate their discussions about the voluntary
security guidelines with plant personnel, we are also recommending that
the Secretary of the Department of Health and Human Services and the
Secretary of Agriculture provide training for the agency‘s field staff
on the security measures discussed in the voluntary guidelines.
FDA response:
FDA plans to conduct ’formal“ training on the guidance to industry on
food security in addition to the formal instructions previously
provided to FDA field staff on the guidance. We agree that the training
FDA delivers to field staff will:
*Discuss the content of the guidance and how food security activities
are integrated into a food safety inspection;
*Address food security as it relates to the guidance to industry as an
ancillary function of a food safety inspection and/or investigation;
*Encourage inspectors not to delve beyond those facility operations
that are directly a part of a food safety investigation; and:
*Not be considered to confer expert credentials for security upon FDA
investigators but simply improve their abilities to heighten awareness
of facility management on food security at the time of the food safety
investigation.
[End of section]
Appendix VI: GAO Contacts and Staff Acknowledgments:
GAO Contacts:
Lawrence J. Dyckman, (202) 512-3841
Maria Cristina Gobin, (202) 512-8418:
Acknowledgments:
In addition to those named above, John Johnson, John Nicholson, Jr.,
Stuart Ryba, and Margaret Skiba made key contributions to this report.
Nancy Crothers, Doreen S. Feldman, Oliver Easterwood, Evan Gilman, and
Ronald La Due Lake also made important contributions.
FOOTNOTES
[1] FDA‘s HACCP program applies only to seafood and juice, not to all
FDA-regulated food.
[2] See U.S. General Accounting Office, Food Safety: Overview of
Federal and State Expenditures, GAO-01-177 (Washington, D.C.: Feb. 20,
2001).
[3] This act contains provisions that provide FDA with new authority to
detain products that are believed to present a serious health threat.
It also authorizes FDA to debar importers who have been convicted of
certain food import violations, which results in the denial of delivery
of products to those importers.
[4] Operational Risk Management is an approach to risk assessment that
increases operational effectiveness by anticipating hazards and
reducing the potential for loss.
[5] On November 25, 2002, President Bush signed the Homeland Security
Act of 2002, which created the Department of Homeland Security. The
Department will replace the Office of Homeland Security.
[6] See National Research Council of the National Academies, Making the
Nation Safer: The Role of Science and Technology in Countering
Terrorism (Washington, D.C: June 2002).
[7] See Centers for Disease Control and Prevention, Public Health
Assessment of Potential Biological Terrorism Agents, Emerging
Infectious Diseases (Atlanta, Ga.: February 2002).
[8] FDA, under the Federal Food, Drug, and Cosmetic Act and the Public
Health Service Act, and USDA, under the Federal Meat Inspection Act,
Poultry Products Inspection Act, and the Egg Products Inspection Act,
have broad authority to regulate food safety. These laws require that
food products be processed under sanitary conditions, be unadulterated,
and be properly labeled.
[9] USDA‘s view on its authority to impose security requirements that
are closely related to sanitary conditions is derived from the food
safety laws‘ prohibitions against adulteration. Adulterated food is
virtually identically defined in the Federal Food, Drug, and Cosmetic
Act and the Federal Meat, Poultry Products, and Egg Products Inspection
Acts as food that has been ’prepared, packed, [’packaged“ in the egg
inspection act] or held under insanitary conditions whereby it may have
become contaminated with filth, or whereby it may have been rendered
injurious to health.“ See 21 U.S.C. 342(a)(4), 21 U.S.C. 601(m)(4), 21
U.S.C. 453(g)(4) and 21 U.S.C. 1033(a)(4).
[10] FDA was first to issue guidelines in January 2002; FSIS
subsequently issued its guidelines in May 2002.
[11] See www.cfsan.fda.gov/~dms/secguid.html for FDA and
www.fsis.usda.gov/oa/topics/securityguide.htm for FSIS.
[12] Eleven of the 50 state audit offices we contacted for assistance
in interviewing their food regulatory officials responded to our
request. The participating state auditing offices were Arizona,
Florida, Maryland, Michigan, New York, North Carolina, Oklahoma,
Oregon, Pennsylvania, Tennessee, and Texas. Because the state auditors
collected information from only 11 states, these observations cannot be
generalized.
[13] According to an FSIS memorandum to its field personnel,
’heightened alert“ is defined as identifying and reporting any
suspicious activities that could adversely affect our nation‘s
security.
[14] The Technical Service Center provides field inspection personnel
with technical assistance, advice, and guidance regarding the
implementation of national policies, programs, and procedures. The
center also serves as a central point for reporting and responding to
suspicious activities related to food security.
[15] The vulnerability assessment must include, among other things, a
review of pipes and constructed conveyances; physical barriers; and
water collection, pretreatment, treatment, storage, and distribution
facilities.
[16] The facilities vary in size from 100 to 800 employees.
[17] We surveyed 50 FSIS Circuit Supervisors (obtained responses from
45) who oversee the activities of the agency‘s field inspectors and 150
FDA investigators (obtained responses from 128) who perform the
inspections of food-processing facilities to ask about the security
measures they have observed at the plants they inspect. Our survey
included questions about outside security, visitor access, employee
screening, and shipping and handling, among others. The methods used
and results from these surveys are contained in appendixes II and III.
[18] The National Food Processors Association is in the process of
evaluating the results from its food security survey of its members,
but not all of the results were ready in time to be included in this
report.
[19] See, for example, Critical Mass Energy Project v. Nuclear
Regulatory Commission, 975 F. 2d 871 (D.C. Cir. 1992) (en banc) cert.
denied, 507 U.S. 984 (1993) (information in safety reports
voluntarily provided to the Nuclear Regulatory Commission by nuclear
safety groups was confidential and thus exempt from disclosure under
the Freedom of Information Act‘s exemption for financial or commercial
information).
[20] Security measures listed in FDA‘s and FSIS‘s food security
guidelines are somewhat different. The agencies developed their
guidelines in January and May 2002, respectively, and did not
coordinate their efforts.
[21] FDA preferred that we ask about the level of ’satisfaction,“ while
FSIS wanted us to ask about the level of ’confidence.“
GAO‘s Mission:
The General Accounting Office, the investigative arm of Congress,
exists to support Congress in meeting its constitutional
responsibilities and to help improve the performance and accountability
of the federal government for the American people. GAO examines the use
of public funds; evaluates federal programs and policies; and provides
analyses, recommendations, and other assistance to help Congress make
informed oversight, policy, and funding decisions. GAO‘s commitment to
good government is reflected in its core values of accountability,
integrity, and reliability.
Obtaining Copies of GAO Reports and Testimony:
The fastest and easiest way to obtain copies of GAO documents at no
cost is through the Internet. GAO‘s Web site ( www.gao.gov ) contains
abstracts and full-text files of current reports and testimony and an
expanding archive of older products. The Web site features a search
engine to help you locate documents using key words and phrases. You
can print these documents in their entirety, including charts and other
graphics.
Each day, GAO issues a list of newly released reports, testimony, and
correspondence. GAO posts this list, known as ’Today‘s Reports,“ on its
Web site daily. The list contains links to the full-text document
files. To have GAO e-mail this list to you every afternoon, go to
www.gao.gov and select ’Subscribe to daily E-mail alert for newly
released products“ under the GAO Reports heading.
Order by Mail or Phone:
The first copy of each printed report is free. Additional copies are $2
each. A check or money order should be made out to the Superintendent
of Documents. GAO also accepts VISA and Mastercard. Orders for 100 or
more copies mailed to a single address are discounted 25 percent.
Orders should be sent to:
U.S. General Accounting Office
441 G Street NW,
Room LM Washington,
D.C. 20548:
To order by Phone:
Voice: (202) 512-6000:
TDD: (202) 512-2537:
Fax: (202) 512-6061:
To Report Fraud, Waste, and Abuse in Federal Programs:
Contact:
Web site: www.gao.gov/fraudnet/fraudnet.htm E-mail: fraudnet@gao.gov
Automated answering system: (800) 424-5454 or (202) 512-7470:
Public Affairs:
Jeff Nelligan, managing director, NelliganJ@gao.gov (202) 512-4800 U.S.
General Accounting Office, 441 G Street NW, Room 7149 Washington, D.C.
20548: