[Federal Register Volume 81, Number 103 (Friday, May 27, 2016)]
[Rules and Regulations]
[Pages 34166-34223]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2016-12373]



Vol. 81, No. 103

Friday, May 27, 2016

Part IV

Department of Health and Human Services

Food and Drug Administration

21 CFR Parts 11 and 121

Mitigation Strategies To Protect Food Against Intentional Adulteration; 
Final Rule

-----------------------------------------------------------------------

DEPARTMENT OF HEALTH AND HUMAN SERVICES

Food and Drug Administration

21 CFR Parts 11 and 121

[Docket No. FDA-2013-N-1425]
RIN 0910-AG63


Mitigation Strategies To Protect Food Against Intentional 
Adulteration

AGENCY: Food and Drug Administration, HHS.

ACTION: Final rule.

-----------------------------------------------------------------------

SUMMARY: The Food and Drug Administration (FDA or we) is issuing this 
final rule to require domestic and foreign food facilities that are 
required to register under the Federal Food, Drug, and Cosmetic Act 
(the FD&C Act) to address hazards that may be introduced with the 
intention to cause wide scale public health harm. These food facilities 
are required to conduct a vulnerability assessment to identify 
significant vulnerabilities and actionable process steps and implement 
mitigation strategies to significantly minimize or prevent significant 
vulnerabilities identified at actionable process steps in a food 
operation. FDA is issuing these requirements as part of our 
implementation of the FDA Food Safety Modernization Act (FSMA).

DATES: This rule is effective July 26, 2016. See section VIII for 
compliance dates.

FOR FURTHER INFORMATION CONTACT: Ryan Newkirk, Center for Food Safety 
and Applied Nutrition (HFS-005), Food and Drug Administration, 5100 
Paint Branch Pkwy., College Park, MD 20740, 240-402-3712, email: 
[email protected].

SUPPLEMENTARY INFORMATION: 

Table of Contents

Executive Summary
    Purpose and Coverage of the Rule
    Summary of the Major Provisions of the Rule
    Costs and Benefits
I. Background
    A. FDA Food Safety Modernization Act
    B. Proposed Rule on Intentional Adulteration
    C. Appendix 4 to Draft Risk Assessment
    D. Public Comments
II. Legal Authority
    A. Section 103 of FSMA
    B. Section 106 of FSMA
    C. Intrastate Activities
III. General Comments on the Proposed Rule
    A. Comments on Overall Framework for the Regulatory Approach
    B. One Set of Requirements Under Sections 418 and 420 of the 
FD&C Act
    C. Require Measures Only in the Event of a Credible Threat
    D. General Comments on Implementation and Compliance
    E. Comments on Requests for Additional Exemptions
    F. Other General Comments
    G. Other Issues Discussed in the Proposed Rule
IV. Subpart A: Comments on Specific Provisions
    A. Revisions to Definitions Also Used in Section 415 
Registration Regulations (21 CFR Part 1, Subpart H) and Section 414 
Recordkeeping Regulations (21 CFR Part 1, Subpart J)
    B. Other Definitions That We Proposed To Establish in Part 121
    C. Additional Definitions to Clarify Terms Not Defined in the 
Proposed Rule
    D. Comments Asking FDA to Establish Additional Definitions or 
Otherwise Clarify Terms Not Defined in the Rule
    E. Proposed Sec.  121.5--Exemptions
V. Subpart C: Comments on Food Defense Measures
    A. Proposed Sec.  121.126--Requirement for a Food Defense Plan
    B. Proposed Sec.  121.130--Identification of Actionable Process 
Steps
    C. Proposed Sec.  121.135--Focused Mitigation Strategies for 
Actionable Process Steps
    D. Final Sec.  121.138--Mitigation Strategies Management 
Components
    E. Proposed Sec.  121.140--Monitoring
    F. Proposed Sec.  121.145--Corrective Actions
    G. Proposed Sec.  121.150--Verification
    H. Proposed Sec.  121.160--Training (Final Sec.  121.4)
VI. Subpart D: Comments on Requirements Applying to Records That 
Must Be Established and Maintained
    A. Proposed Sec.  121.301--Records Subject to the Requirements 
of This Subpart D
    B. Proposed Sec.  121.305--General Requirements Applying to 
Records
    C. Proposed Sec.  121.310--Additional Requirements Applying to 
the Food Defense Plan
    D. Proposed Sec.  121.315--Requirements for Record Retention
    E. Proposed Sec.  121.320--Requirements for Official Review
    F. Proposed Sec.  121.325--Public Disclosure
    G. Proposed Sec.  121.330--Use of Existing Records
VII. Subpart E: Comments on Compliance--Proposed Sec.  121.401
VIII. Effective and Compliance Dates
IX. Executive Order 13175
X. Final Regulatory Impact Analysis
XI. Paperwork Reduction Act of 1995
XII. Analysis of Environmental Impact
XIII. Federalism
XIV. References

Executive Summary

Purpose and Coverage of the Rule

    This regulation implements three provisions of the FD&C Act, as 
amended by FSMA, that relate to the intentional adulteration of food. 
Section 418 of the FD&C Act (21 U.S.C. 350g) addresses intentional 
adulteration in the context of facilities that manufacture, process, 
pack, or hold food and are required to register under section 415 of 
the FD&C Act (21 U.S.C. 350d). Section 419 of the FD&C Act (21 U.S.C. 
350h) addresses intentional adulteration in the context of fruits and 
vegetables that are raw agricultural commodities. Section 420 of the 
FD&C Act (21 U.S.C. 350i) addresses intentional adulteration in the 
context of high-risk foods and exempts farms except for farms that 
produce milk. FDA is implementing the intentional adulteration 
provisions in sections 418, 419, and 420 of the FD&C Act in this 
rulemaking.
    The purpose of this rule is to protect food from intentional acts 
of adulteration where there is an intent to cause wide scale public 
health harm. This rule applies to both domestic and foreign facilities 
that are required to register under section 415 of the FD&C Act. This 
rule establishes several exemptions as follows:
    • The rule does not apply to a very small business (i.e., a 
business, including any subsidiaries or affiliates, averaging less than 
$10,000,000, adjusted for inflation, per year, during the 3-year period 
preceding the applicable calendar year in both sales of human food plus 
the market value of human food manufactured, processed, packed, or held 
without sale, e.g., held for a fee), except that the facility is 
required to provide for official review, upon request, documentation 
sufficient to show that the facility qualifies for this exemption.
    • This rule does not apply to the holding of food, except 
the holding of food in liquid storage tanks.
    • This rule does not apply to the packing, re-packing, 
labeling, or re-labeling of food where the container that directly 
contacts the food remains intact.
    • This rule does not apply to activities of a farm that are 
subject to section 419 of the Federal Food, Drug, and Cosmetic Act 
(Standards for Produce Safety).
    • This rule does not apply with respect to alcoholic 
beverages at a facility that meets certain conditions.
    • This rule does not apply to the manufacturing, processing, 
packing, or holding of food for animals other than man.
    • This rule does not apply to on-farm manufacturing, 
processing, packing, or holding by a small or very small business of 
certain foods identified as having low-risk production practices if 
such activities are the only activities conducted by the business 
subject to section 418 of the FD&C Act.

Summary of the Major Provisions of the Final Rule

    This rule establishes various food defense measures that an owner, 
operator, or agent in charge of a facility is required to implement to 
protect against the intentional adulteration of food. Specifically:
    • Prepare and implement a written food defense plan that 
includes a vulnerability assessment to identify significant 
vulnerabilities and actionable process steps, mitigation strategies, 
and procedures for food defense monitoring, corrective actions, and 
verification (Sec.  121.126).
    • Identify any significant vulnerabilities and actionable 
process steps by conducting a vulnerability assessment for each type of 
food manufactured, processed, packed, or held at the facility using 
appropriate methods to evaluate each point, step, or procedure in a 
food operation (Sec.  121.130).
    • Identify and implement mitigation strategies at each 
actionable process step to provide assurances that the significant 
vulnerability at each step will be significantly minimized or prevented 
and the food manufactured, processed, packed, or held by the facility 
will not be adulterated. For each mitigation strategy implemented at 
each actionable process step, include a written explanation of how the 
mitigation strategy sufficiently minimizes or prevents the significant 
vulnerability associated with the actionable process step (Sec.  
121.135).
    • Establish and implement mitigation strategies management 
components, as appropriate to ensure the proper implementation of each 
such mitigation strategy, taking into account the nature of the 
mitigation strategy and its role in the facility's food defense system 
(Sec.  121.138).
    • Establish and implement food defense monitoring 
procedures, for monitoring the mitigation strategies, as appropriate to 
the nature of the mitigation strategy and its role in the facility's 
food defense system (Sec.  121.140).
    • Establish and implement food defense corrective action 
procedures that must be taken if mitigation strategies are not properly 
implemented, as appropriate to the nature of the actionable process 
step and the nature of the mitigation strategy (Sec.  121.145).
    • Establish and implement specified food defense 
verification activities, as appropriate to the nature of the mitigation 
strategy and its role in the facility's food defense system (Sec.  
121.150).
    • Conduct a reanalysis of the food defense plan (Sec.  
121.157).
    • Ensure that all individuals who perform required food 
defense activities are qualified to perform their assigned duties 
(Sec.  121.4).
    • Establish and maintain certain records, including the 
written food defense plan (vulnerability assessment, mitigation 
strategies and procedures for food defense monitoring, corrective 
actions, and verification) and documentation related to training of 
personnel. All records are subject to certain general recordkeeping and 
record retention requirements (Sec. Sec.  121.301 to 121.330).
    • The effective date is 60 days after this final rule is 
published. However, we are providing for a longer timeline for 
facilities to come into compliance. Facilities, other than small and 
very small businesses, have 3 years after the effective date to comply 
with part 121. Small businesses (i.e., those employing fewer than 500 
full-time equivalent employees) have 4 years after the effective date 
to comply with part 121. Very small businesses (i.e., businesses that 
have less than $10,000,000, adjusted for inflation, per year, during 
the 3-year period preceding the applicable calendar year in both sales 
of human food plus the market value of human food manufactured, 
processed, packed, or held without sale, e.g., held for a fee) have 5 
years after the effective date to comply with Sec.  121.5(a).
    As discussed in detail in later sections of the rule, we made 
several major revisions to the provisions of this rule, mainly in 
response to comments, to provide for greater flexibility and clarity. 
These major revisions to the regulatory text include the following:
    • We removed the key activity types (KATs); however, the use 
of the KATs is still permissible to conduct a vulnerability assessment 
and will be further discussed in guidance.
    • We specified three elements that must be evaluated when 
conducting a vulnerability assessment: (1) The potential public health 
impact (e.g., severity and scale) if a contaminant were added; (2) the 
degree of physical access to the product; and (3) the ability of an 
attacker to successfully contaminate the product.
    • We specified that the vulnerability assessment must 
consider the possibility of an inside attacker.
    • We removed the distinction between ``broad'' and 
``focused'' mitigation strategies.
    • We made the mitigation strategy management components 
(food defense monitoring, corrective actions, and verification) more 
flexible by providing that they are required ``as appropriate to ensure 
the proper implementation of the mitigation strategies, taking into 
account the nature of each such mitigation strategy and its role in the 
facility's food defense system.''
    • We revised the terminology used for the food defense 
management components such that monitoring, corrective actions, and 
verification are now food defense monitoring, food defense corrective 
actions, and food defense verification.
    • We made the requirement to document food defense 
monitoring more flexible by providing for use of exception records.
    • We made the food defense corrective actions requirement 
more flexible by providing that it is required ``as appropriate to the 
nature of the actionable process step and the nature of the mitigation 
strategy.''
    • We made the requirement for verifying proper 
implementation of mitigation strategies more flexible by providing for 
``other activities appropriate for verification of proper 
implementation of mitigation strategies.''
    • We exempted records required by this rule from the 
requirements of 21 Code of Federal Regulations, part 11.
    • We provided for the use of existing records if certain 
conditions are met.
    • We removed the term ``qualified facility'' and instead 
refer to ``very small business'' in the exemption under 121.5(a).
    • We established an exemption for certain on-farm 
manufacturing, processing, packing, or holding by small and very small 
businesses of certain foods identified as having low-risk production 
processes.
    • We added a new definition for ``qualified individual'' and 
included new requirements to ensure that all individuals who perform 
activities required under subpart C are qualified to perform their 
assigned activities.
    • We provided longer timelines for facilities to come into 
compliance with the rule.

Costs and Benefits

    The total cost of the rule, annualized over 10 years at a 7 percent 
discount rate, is between $280 and $490 million. With a 3 percent 
discount rate, the annualized cost is between $270 and $480 million. 
The first-year cost is between $680 and $930 million. Counting only 
domestic firms, the total annualized costs are between $90 and $150 
million, with initial costs of between $220 and $300 million. The 
average annualized cost per covered facility is between $9,000 and 
$16,000, and the average annualized cost per covered firm is between 
$27,000 and $47,000.
    The benefits of the actions required by the rule are a reduction in 
the possibility of illness and death resulting from intentional 
adulteration of food. We monetize the damage that various intentional 
adulteration scenarios might cause, and present a breakeven analysis 
showing the number of prevented attacks at which the benefits are 
larger than the costs. For attacks that are similar in impact to acts 
of intentional adulteration that have happened in the United States in 
the past, the breakeven threshold, counting only producer costs, is 28 
to 48 attacks prevented every year. For attacks causing similar 
casualties as major historical outbreaks of food-related illness, the 
breakeven threshold is one or two attacks every year. For catastrophic 
terrorist attacks causing thousands of fatalities, the breakeven 
threshold is one attack prevented every 270 to 460 years.
    The table shows the approximate, rounded, mean values for various 
cost components of the rule:

                  Annualized Cost and Benefit Overview
------------------------------------------------------------------------
  All Numbers are USD 2014 (millions),
        annualized over 10 years            3% Discount     7% Discount
------------------------------------------------------------------------
Costs:
    Learning about Rule.................              $3              $4
    Creating Food Defense Plans.........              10              11
    Mitigation Costs....................              26              28
    Monitoring, Corrective Action,                    62              62
     Verification.......................
    Employee Training...................               5               6
    Documentation.......................               9               9
    Subtotal (Domestic cost)............             115             119
    Cost to Foreign Firms...............             247             256
                                         -------------------------------
      Total.............................             362             375
Benefits:
                                         -------------------------------
    Lower Chance of Intentional
     Adulteration.......................           Unquantified
------------------------------------------------------------------------

I. Background

A. FDA Food Safety Modernization Act

    The FDA Food Safety Modernization Act (FSMA) (Pub. L. 111-353), 
signed into law by President Obama on January 4, 2011, is intended to 
allow FDA to better protect public health by helping to ensure the 
safety and security of the food supply. FSMA enables us to focus more 
on preventing food safety problems rather than relying primarily on 
reacting to problems after they occur. The law also provides new 
enforcement authorities to help achieve higher rates of compliance with 
risk-based, prevention-oriented safety standards and to better respond 
to and contain problems when they do occur. In addition, the law 
contains important new tools to better ensure the safety of imported 
foods and encourages partnerships with State, local, tribal, and 
territorial authorities. A top priority for FDA are those FSMA-required 
regulations that provide the framework for industry's implementation of 
preventive controls and enhance our ability to oversee their 
implementation for both domestic and imported food. To that end, we 
proposed the seven foundational rules listed in table 1 and requested 
comments on all aspects of these proposed rules.

    Table 1--Published Foundational Rules for Implementation of FSMA
------------------------------------------------------------------------
              Title                  Abbreviation         Publication
------------------------------------------------------------------------
Current Good Manufacturing        2013 proposed       78 FR 3646,
 Practice and Hazard Analysis      human preventive    January 16, 2013.
 and Risk-Based Preventive         controls rule.
 Controls for Human Food.
Standards for the Growing,        2013 proposed       78 FR 3504,
 Harvesting, Packing, and          produce safety      January 16, 2013.
 Holding of Produce for Human      rule.
 Consumption.
Current Good Manufacturing        2013 proposed       78 FR 64736,
 Practice and Hazard Analysis      animal preventive   October 29, 2013.
 and Risk-Based Preventive         controls rule.
 Controls for Food for Animals.
Foreign Supplier Verification     2013 proposed FSVP  78 FR 45730, July
 Programs (FSVP) for Importers     rule.               29, 2013.
 of Food for Humans and Animals.
Accreditation of Third-Party      2013 proposed       78 FR 45782, July
 Auditors/Certification Bodies     third-party         29, 2013.
 to Conduct Food Safety Audits     certification
 and to Issue Certifications.      rule.
Focused Mitigation Strategies To  2013 proposed       78 FR 78014,
 Protect Food Against              intentional         December 24,
 Intentional Adulteration.         adulteration rule.  2013.
Sanitary Transportation of Human  2014 proposed       79 FR 7006,
 and Animal Food.                  sanitary            February 5, 2014.
                                   transportation
                                   rule.
------------------------------------------------------------------------

    We also issued a supplemental notice of proposed rulemaking for the 
rules listed in table 2 and requested comments on specific issues 
identified in each supplemental notice of proposed rulemaking.

 Table 2--Published Supplemental Notices of Proposed Rulemaking for the
              Foundational Rules for Implementation of FSMA
------------------------------------------------------------------------
              Title                  Abbreviation         Publication
------------------------------------------------------------------------
Current Good Manufacturing        2014 supplemental   79 FR 58524,
 Practice and Hazard Analysis      human preventive    September 29,
 and Risk-Based Preventive         controls notice.    2014.
 Controls for Human Food.
Standards for the Growing,        2014 supplemental   79 FR 58434,
 Harvesting, Packing, and          produce safety      September 29,
 Holding of Produce for Human      notice.             2014.
 Consumption.
Current Good Manufacturing        2014 supplemental   79 FR 58476,
 Practice and Hazard Analysis      animal preventive   September 29,
 and Risk-Based Preventive         controls notice.    2014.
 Controls for Food for Animals.
Foreign Supplier Verification     2014 supplemental   79 FR 58574,
 Programs (FSVP) for Importers     FSVP notice.        September 29,
 of Food for Humans and Animals.                       2014.
------------------------------------------------------------------------

    We have finalized six of the foundational rulemakings, as listed in 
table 3.

 Table 3--Published Foundational Final Rules for Implementation of FSMA
------------------------------------------------------------------------
              Title                  Abbreviation         Publication
------------------------------------------------------------------------
Current Good Manufacturing        PCHF final rule...  80 FR 55908,
 Practice, Hazard Analysis and                         September 17,
 Risk-Based Preventive Controls                        2015.
 for Human Food.
Current Good Manufacturing        PCAF final rule...  80 FR 56170,
 Practice, Hazard Analysis and                         September 17,
 Risk-Based Preventive Controls                        2015.
 for Food for Animals.
Standards for the Growing,        Produce final rule  80 FR 74354,
 Harvesting, Packing, and                              November 27,
 Holding of Produce for Human                          2015.
 Consumption.
Foreign Supplier Verification     FSVP final rule...  80 FR 74226,
 Programs (FSVP) for Importers                         November 27,
 of Food for Humans and Animals.                       2015.
Accreditation of Third-Party      Third-party final   80 FR 74570,
 Certification Bodies to Conduct   rule.               November 27,
 Food Safety Audits and to Issue                       2015.
 Certifications.
Sanitary Transportation of Human  Transport final     81 FR 20092, April
 and Animal Food.                  rule.               6, 2016.
------------------------------------------------------------------------

    As FDA finalizes these seven foundational rulemakings, we are 
putting in place a framework for food safety that is modern and brings 
to bear the most recent science on provisions to enhance food safety 
and food defense, that is risk-based and focuses effort where the 
hazards are most significant, and that is flexible and practical given 
our current knowledge of food safety and food defense practices. To 
achieve this, FDA has engaged in a great deal of outreach to the 
stakeholder community to find the right balance in these regulations of 
flexibility and accountability.
    Since FSMA was enacted in 2011, we have been involved in 
approximately 600 engagements on FSMA and the proposed rules, including 
public meetings, Webinars, listening sessions, farm tours, and 
extensive presentations and meetings with various stakeholder groups 
(Ref. 1) (Ref. 2). As a result of this stakeholder dialogue, FDA 
decided to issue the four supplemental notices of proposed rulemaking 
to share our current thinking on key issues and get additional 
stakeholder input on those issues. As we move forward into the next 
phase of FSMA implementation, we intend to continue this dialogue and 
collaboration with our stakeholders, through guidance, education, 
training, and assistance, to ensure that stakeholders understand and 
engage in their roles in food safety and food defense. FDA believes 
these seven foundational final rules, when implemented, will fulfill 
the paradigm shift toward prevention that was envisioned in FSMA and be 
a major step forward for food safety and food defense that will protect 
consumers into the future.

B. Proposed Rule on Intentional Adulteration

    In the Federal Register of December 24, 2013 (78 FR 78014), we 
issued a proposed rule to implement the intentional adulteration 
provisions in sections 103, 105, and 106 of FSMA (proposed rule). We 
initially requested public comments on the proposed rule by March 31, 
2014. We extended the comment period for the proposed rule until June 
30, 2014, in response to several requests for an extension.
    The proposed rule proposed to require various food defense measures 
that an owner, operator, or agent in charge of a facility would be 
required to implement to protect against the intentional adulteration 
of food, and can be summarized as follows:
    • Prepare and implement a written food defense plan that 
includes actionable process steps, focused mitigation strategies, and 
procedures for monitoring, corrective actions, and verification 
(proposed Sec.  121.126).
    • Identify any actionable process steps, using one of two 
procedures. In the proposed rule, we explained that FDA has analyzed 
vulnerability assessments conducted using the CARVER+Shock methodology 
and identified four key activity types: Bulk liquid receiving and 
loading; Liquid storage and handling; Secondary ingredient handling; 
and Mixing and similar activities. We further explained that FDA has 
determined that the presence of one or more of these key activity types 
at a process step (e.g., manufacturing, processing, packing, or holding 
of food) indicates a significant vulnerability under section 418 of the 
FD&C Act and that the food is at high risk of intentional adulteration 
caused by acts of terrorism under section 420 of the FD&C Act. We 
proposed that facilities may identify actionable process steps using 
the FDA-identified key activity types as described in proposed Sec.  
121.130(a) or conduct their own facility-specific vulnerability 
assessments as provided in proposed Sec.  121.130(b).
    • Identify and implement focused mitigation strategies at 
each actionable process step to provide assurances that the significant 
vulnerability at each step will be significantly minimized or prevented 
and the food manufactured, processed, packed, or held by the facility 
will not be adulterated (proposed Sec.  121.135).
    • Establish and implement procedures, including the 
frequency with which they are to be performed, for monitoring the 
focused mitigation strategies (proposed Sec.  121.140).
    • Establish and implement corrective action procedures that 
must be taken if focused mitigation strategies are not properly 
implemented (proposed Sec.  121.145).
    • Verify that monitoring is being conducted and appropriate 
decisions about corrective actions are being made; verify that the 
focused mitigation strategies are consistently implemented and are 
effectively and significantly minimizing or preventing the significant 
vulnerabilities; and conduct a reanalysis of the food defense plan 
(proposed Sec.  121.150).
    • Ensure that personnel and supervisors assigned to 
actionable process steps receive appropriate training in food defense 
awareness and their respective responsibilities in implementing focused 
mitigation strategies (proposed Sec.  121.160).
    • Establish and maintain certain records, including the 
written food defense plan; written identification of actionable process 
steps and the assessment leading to that identification; written 
focused mitigation strategies; written procedures for monitoring, 
corrective actions, and verification; and documentation related to 
training of personnel. All such records are subject to certain 
recordkeeping requirements, record retention requirements, requirements 
for official review and public disclosure requirements (proposed 
Sec. Sec.  121.301 to 121.325).
    • Proposed the effective date as 60 days after this final 
rule is published. However, we proposed a longer timeline for 
facilities to come into compliance. Facilities, other than small and 
very small businesses, would have 1 year after the effective date to 
comply with part 121. Small businesses (i.e., those employing fewer 
than 500 persons) would have 2 years after the effective date to comply 
with part 121. Very small businesses (i.e., businesses that have less 
than $10,000,000 in total annual sales of food, adjusted for inflation) 
would be considered a qualified facility and have 3 years after the 
effective date to comply with Sec.  121.5(a).
    We requested comment on all aspects of the proposed requirements. 
In addition, we described our thinking and sought comment on other 
issues, including the framework of the rule; activities that occur on 
produce farms; transportation carriers; food for animals; acts of 
disgruntled employees, consumers, or competitors; economically 
motivated adulteration; low-risk activities at farm mixed-type 
facilities; activities that occur on dairy farms; and other ways to 
focus on foods with a high risk of intentional adulteration caused by 
terrorism.

C. Appendix 4 to Draft Risk Assessment

    We issued for public comment an ``Appendix 4 to Draft Qualitative 
Risk Assessment of Risk of Activity/Food Combinations for Activities 
(Outside the Farm Definition) Conducted in a Facility Co-Located on a 
Farm'' (the draft RA Appendix) (78 FR 78064, December 24, 2013). The 
purpose of the draft RA Appendix was to provide a science-based risk 
analysis of those foods whose production processes would be considered 
low risk with respect to the risk of intentional adulteration caused by 
acts of terrorism. We used the tentative conclusions of the section 
103(c)(1)(C) draft RA Appendix to seek comment in the proposed rule on 
possible exemptions or modified requirements for this final rule (78 FR 
78014 at 78029). We are including the final appendix to the risk 
assessment in the docket established for this document (Ref. 3).

D. Public Comments

    We received more than 200 public submissions on the proposed rule, 
each containing one or more comments. We received submissions from 
diverse members of the public, including food facilities (including 
facilities co-located on a farm); farms; cooperatives; coalitions; 
trade organizations; consulting firms; law firms; academia; public 
health organizations; public advocacy groups; consumers; consumer 
groups; Congress, Federal, State, local, and tribal Governments; and 
other organizations. Some submissions included signatures and 
statements from multiple individuals. Comments addressed virtually 
every provision of the proposed rule, including our requests for 
comment on including additional provisions that we did not include in 
the proposed regulatory text. In the remainder of this document, we 
describe these comments, respond to them, and explain any revisions we 
made to the proposed rule.
    Some comments address issues that are outside the scope of this 
rule. For example, some comments express concern about overregulation 
in general. Some comments believe the Department of Homeland Security 
is the Federal Agency that should protect the food supply. Some 
comments express concern about ``genetically modified organisms'', 
while other comments express concern about the amount of chemicals in 
food. Some comments express concern that extreme consolidation of our 
food system is the main reason that it could be a target for terrorism 
or other intentional acts aimed at causing widespread human casualties. 
These comments state that decentralization is the most resilient 
defense against those who wish to contaminate the food supply. We do 
not discuss such comments in this document.

II. Legal Authority

    The proposed rule contained an explanation of its legal basis under 
authorities in the FDA Food Safety Modernization Act and section 701 of 
the FD&C Act. After considering the comments received in response to 
the proposed rule, FDA made changes in the final rule. The legal 
authorities relied on in the final rule are the same as those in the 
proposed rule unless otherwise described in the sections that follow.

A. Section 103 of FSMA

    Section 103 of FSMA, Hazard Analysis and Risk-Based Preventive 
Controls, amends the FD&C Act to create a new section 418, which 
mandates rulemaking. Section 418(n)(1)(A) of the FD&C Act requires that 
the Secretary issue regulations ``to establish science-based minimum 
standards for conducting a hazard analysis, documenting hazards, 
implementing preventive controls, and documenting the implementation of 
the preventive controls. . . .'' Section 418(n)(1)(B) of the FD&C Act 
requires that the regulations define the terms ``small business'' and 
``very small business,'' taking into consideration the study of the 
food processing sector required by section 418(l)(5) of the FD&C Act. 
Further, section 103(e) of FSMA creates a new section 301(uu) in the 
FD&C Act (21 U.S.C. 331(uu)) to prohibit ``[t]he operation of a 
facility that manufactures, processes, packs, or holds food for sale in 
the United States if the owner, operator, or agent in charge of such 
facility is not in compliance with section 418 [of the FD&C Act].''
    In addition to rulemaking requirements, section 418 contains 
requirements applicable to the owner, operator, or agent in charge of a 
facility

[[Page 34171]]

required to register under section 415. Section 418(a) is a general 
provision that requires the owner, operator, or agent in charge of a 
facility to evaluate the hazards that could affect food manufactured, 
processed, packed, or held by the facility, identify and implement 
preventive controls, monitor the performance of those controls, and 
maintain records of the monitoring. In addition to the general 
requirements in section 418(a) of the FD&C Act, sections 418(b)-(i) 
contain more specific requirements applicable to facilities, including 
several provisions explicitly directed at intentional adulteration. For 
example, section 418(b)(2) of the FD&C Act specifies that the owner, 
operator, or agent in charge of a facility shall identify and evaluate 
hazards that may be intentionally introduced, including by acts of 
terrorism. Section 418(c)(2) of the FD&C Act specifies that the owner, 
operator, or agent in charge of a facility shall identify and implement 
preventive controls to provide assurances that any hazards that relate 
to intentional adulteration will be significantly minimized or 
prevented and addressed, consistent with section 420 of the FD&C Act.
    Sections 418(j)-(m) of the FD&C Act and sections 103(c)(1)(D) and 
(g) of FSMA provide authority for certain exemptions and modifications 
to the requirements of section 418 of the FD&C Act. These include 
provisions related to seafood and juice hazard analysis critical 
control point (HACCP), and low-acid canned food (section 418(j)); 
activities of facilities subject to section 419 of the FD&C Act 
(Standards for Produce Safety) (section 418(k)); qualified facilities 
(section 418(l)); facilities that are solely engaged in the production 
of food for animals other than man, the storage of raw agricultural 
commodities (other than fruits and vegetables) intended for further 
distribution or processing, or the storage of packaged foods that are 
not exposed to the environment (section 418(m)); facilities engaged 
only in certain low risk on-farm activities on certain foods conducted 
by small or very small businesses (section 103(c)(1)(D) of FSMA), and 
dietary supplements (section 103(g) of FSMA). We are issuing all of the 
provisions of the rule under section 418 of the FD&C Act, except with 
respect to facilities that are exempt from its coverage.

B. Section 106 of FSMA

    Section 106 of FSMA, Protection Against Intentional Adulteration, 
amends the FD&C Act to create a new section 420, which mandates 
rulemaking. Section 420 of the FD&C Act requires FDA to issue 
regulations to protect against the intentional adulteration of food. 
Section 420(b)(1) of the FD&C Act requires that such regulations are to 
specify how a person is to assess whether the person is required to 
implement mitigation strategies or measures intended to protect against 
the intentional adulteration of food. Section 420(b)(2) of the FD&C Act 
requires that the regulations specify appropriate science-based 
mitigation strategies or measures to prepare and protect the food 
supply chain at specific vulnerable points, as appropriate. Section 
420(c) of the FD&C Act provides that such regulations are to apply only 
to food for which there is a high risk of intentional adulteration and 
for which such intentional adulteration could cause serious adverse 
health consequences or death to humans or animals. Section 420(c)(1) 
provides that such foods are to include those for which FDA has 
identified clear vulnerabilities. Section 420(d) of the FD&C Act limits 
applicability on farms to farms that produce milk. Further, section 
106(d) of FSMA creates a new section 301(ww) in the FD&C Act to 
prohibit ``[t]he failure to comply with section 420 [of the FD&C 
Act].'' We are issuing all of the provisions of the rule under section 
420 of the FD&C Act.

C. Intrastate Activities

    FDA concludes that the rule should apply to activities that are 
intrastate in character. Facilities are required to register under 
section 415 of the FD&C Act regardless of whether the food from the 
facility enters interstate commerce (Sec.  1.225(b)). The plain 
language of section 418 of the FD&C Act applies to facilities that are 
required to register under section 415 of the FD&C Act (section 
418(o)(2)) and does not exclude a facility because food from such a 
facility is not in interstate commerce. Similarly, the plain language 
of section 420 of the FD&C Act requires FDA to issue regulations to 
protect against the intentional adulteration of food and does not 
include a limitation to interstate commerce. Further, the prohibited 
act provisions in sections 301(uu) and (ww) of the FD&C Act (21 U.S.C. 
331(uu) and (ww)) do not require an interstate commerce nexus. Notably, 
other subsections in section 301 of the FD&C Act, and section 304 of 
the FD&C Act (21 U.S.C. 334) demonstrate that Congress has included a 
specific interstate commerce nexus in the provisions of the FD&C Act 
when that is its intent. Accordingly, it is reasonable to interpret 
sections 418, 420, 301(uu), and 301(ww) of the FD&C Act as not limited 
to those facilities with a direct connection to interstate commerce.

III. General Comments on the Proposed Rule

A. Comments on Overall Framework for the Regulatory Approach

    We proposed a HACCP-type approach, like the one proposed for the 
systematic control of food safety hazards in the PCHF proposed rule, as 
the most effective means of ensuring that mitigation strategies are 
consistently applied once the significant vulnerabilities are 
identified and appropriate mitigation strategies are developed. We 
requested comment on the appropriateness of a HACCP-type system to 
ensure that mitigation strategies designed to significantly minimize or 
prevent intentional adulteration related to terrorism are effective and 
implemented as intended. We also requested comment about whether there 
are other approaches that would be more suitable to address intentional 
adulteration related to terrorism.
    In the following paragraphs, we discuss the comments that disagree 
with, or request changes to, the proposed approach. After considering 
these comments, we are continuing to require an approach based on an 
analysis of hazards/vulnerabilities and the implementation of measures 
to mitigate the identified hazards/vulnerabilities (a HACCP-type 
approach); however, we are providing for additional flexibility, as 
requested.
    (Comment 1) Some comments state food defense and food safety 
require different approaches because they are different disciplines. 
The comments explain that the science is different, that food safety 
deals with known and identifiable risks whereas food defense deals with 
unknown, often unidentifiable, and ever-changing threats, and that food 
safety risks can be prevented or reduced to an acceptable level but 
food defense threats only can be mitigated. The comments conclude that 
regulatory requirements addressing food defense must reflect these key 
differences between food defense and food safety and use different 
terminology. Some comments state that FSMA does not require a 
preventive controls approach for food defense, and a traditional HACCP 
approach is too rigorous and prescriptive for food defense. Conversely, 
other comments support regulatory requirements for food defense that 
are based on the proactive approach found in HACCP, specifically HACCP 
concepts related to

[[Page 34172]]

analyzing problems and devising appropriate solutions.
    (Response 1) We disagree that food safety and food defense require 
entirely different approaches to ensure that food is not adulterated. 
We agree that there are important, specific differences between food 
safety and food defense, and these differences require different 
requirements for particular components of the approaches. However, we 
believe that food safety and food defense are more similar than they 
are different. For both food safety and food defense, the framework for 
preventing adulteration, whether it is intentional or unintentional, is 
the same: (1) An analysis is needed to identify the hazards for which 
measures should be taken to mitigate the hazard; (2) appropriate 
measures must be identified and implemented; and (3) management 
components are needed to ensure systematically that the measures are 
functioning as intended. This is the foundation of the HACCP approach, 
and we continue to believe this approach is appropriate for food 
defense as well as food safety. In food defense terms, the three 
elements are as follows: (1) A vulnerability assessment is needed to 
identify significant vulnerabilities; (2) mitigation strategies must be 
identified and implemented; and (3) mitigation strategy management 
components are needed to ensure systematically that the mitigation 
strategies are functioning as intended. See the proposed rule (78 FR 
78014 at 78025) for a discussion of how the hazard analysis/preventive 
control model is consistent with a vulnerability assessment/mitigation 
strategy model.
    We agree that the nature of the hazards being analyzed for food 
safety and food defense purposes is different, but we disagree that 
this means they need a different analytical approach. As discussed more 
in the responses to Comment 71 and Comment 72, the vulnerabilities 
considered for food defense, while not as predictable as some food 
safety hazards, lend themselves to analytical assessment because they 
have commonalities that would make them attractive to an attacker, 
particularly an inside attacker. In this rule, we are focusing on 
preventing the actions of an inside attacker. Our interactions with the 
intelligence community, as well as the conclusions reached during 
vulnerability assessments conducted in collaboration with industry, 
have identified the inside attacker as the highest threat. Though FDA 
is not aware of any information that points to an imminent, credible 
threat to the food supply, achieving public health harm through an 
attack via food remains an advocated option for terrorist groups (Ref. 
4). Additionally, recent events have shown a general evolution in 
terrorist activity away from large, centrally planned attacks to 
attacks that are locally planned and implemented. These locally planned 
attacks may be conducted by assailants inspired by terrorist groups but 
who otherwise have no formal connection to, or regular contact with, a 
terrorist organization (Ref. 5, 6, 7). Moreover, recent attacks 
indicate that terrorist groups are adept at responding to protections 
put in place to harden certain targets and will evolve their thinking 
toward less-protected targets. Given the potential for wide scale 
public health harm from intentional adulteration of the food supply, we 
believe that a comprehensive, systematic approach, such as a HACCP-type 
approach, is the most appropriate one and is not too rigorous. Further, 
as an example of what can happen when someone intending harm has inside 
access, in December 2013 a contract employee at Aqlifoods (a subsidiary 
of Maruha Nichiro Holdings, Japan's largest seafood company), 
intentionally adulterated several frozen foods with the pesticide 
malathion. Japanese authorities believe the assailant brought malathion 
to the plant and injected it into frozen foods during the manufacturing 
process (Ref. 8). The employee exploited his access to the food prior 
to packaging to introduce the agent. The adulteration resulted in at 
least 2,843 mild foodborne illnesses and a recall of 6.4 million 
packages of frozen seafood (Ref. 9). Though this assailant was most 
likely trying to harm the company and not trying to cause massive 
public health harm, this example indicates the damage that can be done 
by an inside attacker.
    Section 103 of FSMA reflects a Congressional determination that the 
``hazard analysis and risk-based preventive controls'' approach is 
appropriate for food defense. Section 103 directs us to promulgate a 
framework for intentional adulteration that includes concepts that are 
similar to those in HACCP. Section 103 of FSMA contains requirements 
applicable to the owner, operator, or agent in charge of a facility 
required to register under section 415 of the FD&C Act. Section 103(a) 
of FSMA is a general provision that requires the owner, operator, or 
agent in charge of a facility to evaluate the hazards that could affect 
food manufactured, processed, packed, or held by the facility, identify 
and implement preventive controls, monitor the performance of those 
controls, and maintain records of the monitoring. Section 103(a) 
specifies that the purpose of the preventive controls is to ``prevent 
the occurrence of such hazards and provide assurances that such food is 
not adulterated under section 402 [of the FD&C Act] or misbranded under 
section 403(w) [of the FD&C Act]. . . .'' In addition to the general 
requirements in section 418(a) of the FD&C Act, sections 418(b)-(i) 
contain more specific requirements applicable to facilities. These 
include hazard analyses for both unintentionally and intentionally 
introduced hazards (section 418(b)(1)(2)), preventive controls for both 
unintentionally and intentionally introduced hazards (section 418(c) 
(1)(2)), monitoring (section 418(d)), corrective actions (section 
418(e)), verification (section 418(f)), recordkeeping (section 418(g)), 
a written plan and documentation (section 418(h)), and reanalysis of 
hazards (section 418(i)). Therefore, we believe that FSMA directs us to 
take a ``preventive controls approach'' for food defense, as well as 
food safety.
    We agree that, while the regulatory approaches for food defense and 
food safety fundamentally should be similar, there need to be 
differences in how the approach is implemented for food defense. We do 
not agree that a HACCP-type approach is too prescriptive in general for 
food defense, but additional flexibility is needed in the application 
of the approach for food defense given the difference in the nature of 
the potential adulteration and the implementation of mitigation 
strategies that are not likely to be process-oriented or readily lend 
themselves to validation. We also agree that differences in terminology 
are appropriate. (See responses to Comment 2, Comment 45, and Comment 
47.)
    (Comment 2) While some comments acknowledge that section 103 of 
FSMA directs us to promulgate a framework for intentional adulteration 
that includes concepts that are similar to those in HACCP, these 
comments also request that we provide more flexibility than a 
traditional HACCP framework, with specific requests for flexibility in 
the management components of monitoring, corrective actions, and 
verification.
    (Response 2) We agree that the intentional adulteration regulatory 
framework should provide more flexibility than that of a traditional 
HACCP approach. We believe there are key disciplinary differences 
between food safety and food defense that argue for additional 
flexibility in the intentional adulteration framework. Most 
significantly, improper implementation of preventive controls is more 
likely to result in adulterated

[[Page 34173]]

food than is improper implementation of mitigation strategies. 
Preventive controls are more likely to be process-oriented and lend 
themselves to being scientifically validated. Mitigation strategies are 
more likely to be implemented to reduce physical access to a point, 
step, or procedure, and/or reduce the opportunity for an attacker to 
successfully contaminate the food and, in most instances, do not lend 
themselves to scientific validation. These differences indicate a need 
to apply the concepts of the HACCP approach in a more flexible manner 
for food defense.
    Recognizing the differences in the likelihood of adulteration and 
the differences in mitigation strategies compared to the process-
oriented preventive controls, the intentional adulteration corrective 
actions requirements contain neither provisions for the evaluation of 
all affected food for safety in the event a corrective action is 
required nor provisions for unanticipated corrective actions (see Sec.  
121.145). Further, the intentional adulteration verification 
requirement does not contain provisions for validation, calibration, 
product testing, environmental monitoring, review of records for 
calibration, testing, or supplier verification (see Sec.  121.150). We 
believe this more flexible approach for food defense is appropriate and 
adds flexibility compared to the provisions of the PCHF final rule.
    We also have added flexibility to the identification of mitigation 
strategies similar to the flexibility added to the identification of 
preventive controls in the PCHF final rule (80 FR 55908 at 56020). 
Although each facility subject to this rule must prepare and implement 
a food defense plan, the mitigation strategies that the facility would 
establish and implement would depend on the facility, the food, and the 
outcome of the facility's vulnerability assessment to identify 
actionable process steps (Sec. Sec.  121.130 and 121.135). For examples 
of this added flexibility related to mitigation strategies, see the 
discussion in section V.C.
    As requested in comments, we also have changed regulatory text to 
reflect the inclusion of more flexibility in monitoring, corrective 
actions, and verification (see Sec. Sec.  121.138, 121.140, 121.145, 
and 121.150, which are discussed in more detail in the relevant sections later 
in this document). These changes are similar to those made in the 
regulatory text for preventive controls management components.
    As we have concluded that similar regulatory approaches are 
appropriate for both food safety and food defense, we have adopted the 
flexibility included in the PCHF final rule management components 
regulatory text, as appropriate for these intentional adulteration 
requirements. The intentional adulteration provisions for mitigation 
strategies management components make clear that mitigation strategies 
management components are required as appropriate to ensure the proper 
implementation of each such mitigation strategy, taking into account 
the nature of the mitigation strategy and its role in the facility's 
food defense system, and we have added Sec.  121.138 to reflect this 
change. Likewise, the provisions for each of the individual mitigation 
strategies management components (i.e., food defense monitoring, food 
defense corrective actions and food defense verification) individually 
provide flexibility, either by specifying that the provisions apply as 
appropriate to the nature of the mitigation strategy and its role in 
the facility's food defense system (i.e., for food defense monitoring 
and food defense verification) or as appropriate to both the nature of 
the mitigation strategy and the nature of the significant vulnerability 
(i.e., for food defense corrective actions) (see Sec. Sec.  121.140, 
121.145, and 121.150). For additional discussion of the flexibility 
added for the mitigation strategies management components, see sections 
V.E, V.F, and V.G and in particular the responses to Comment 88, 
Comment 89, Comment 90, Comment 92, Comment 93, and Comment 95.
    (Comment 3) Some comments state that the intentional adulteration 
proposed HACCP approach is ``one size fits all.''
    (Response 3) We disagree. The intentional adulteration requirements 
to conduct a vulnerability assessment to identify actionable process 
steps, identify and implement mitigation strategies, and use mitigation 
strategies management components provide significant flexibility, are 
tailored to the facility and its processes, and are therefore not 
``one-size-fits-all.'' Although each facility with significant 
vulnerabilities is required to identify and implement mitigation 
strategies, the mitigation strategies that the facility would establish 
and implement would depend on the facility, the food, and the outcome 
of the facility's vulnerability assessment (Sec. Sec.  121.130 and 
121.135). In addition, the mitigation strategies management components 
(i.e., food defense monitoring, food defense corrective actions, and 
food defense verification) that a facility would establish and 
implement for its mitigation strategies would be established as 
appropriate to ensure the proper implementation of the mitigation 
strategies, taking into account the nature of each such mitigation 
strategy and its role in the facility's food safety system (Sec.  
121.138).
    (Comment 4) Some comments state that management and oversight 
activities of mitigation strategies should occur if they are 
``appropriate'' (suitable for a particular purpose or capable of being 
applied) and ``necessary'' (taking into account the nature of both the 
significance of the vulnerability and the particular mitigation 
strategy) for food defense.
    (Response 4) We agree that mitigation strategies management 
components of the HACCP-type framework should occur if they are 
appropriate and necessary. As we have concluded that similar regulatory 
approaches are appropriate for food safety and food defense, we have 
adopted the flexibility included in the PCHF final rule management 
components regulatory text (Sec.  117.140(a)), as appropriate for these 
intentional adulteration requirements. The intentional adulteration 
provisions for mitigation strategies management components make clear 
that mitigation strategies management components are required as 
appropriate to ensure the proper implementation of the mitigation 
strategies, taking into account the nature of each such mitigation 
strategy and its role in the facility's food defense system, and we 
have revised proposed requirements for monitoring, corrective actions, 
and verification to reflect these changes (see Sec. Sec.  121.138, 
121.140, 121.145, and 121.150).
    (Comment 5) Some comments state that the requirement for the amount 
of paperwork associated with a HACCP-type approach, and the information 
contained therein, may be counterproductive to the goal of mitigating 
or preventing vulnerabilities because individuals or groups interested 
in conducting these types of attacks may try to access this 
information.
    (Response 5) We disagree. A written food defense plan and its 
required contents, which include the vulnerability assessment, the 
identification and implementation of mitigation strategies, and 
mitigation strategies management components, are essential to 
significantly minimizing or preventing significant vulnerabilities 
related to intentional adulteration of food, where the intent of the 
adulteration is to cause wide scale public health harm. The required 
documentation of the plan and implementation of the plan are necessary 
so that both the facility and FDA can ensure that the significant

[[Page 34174]]

vulnerabilities are being addressed properly. We encourage facilities 
covered by this rule to adequately protect food defense plans and 
associated information and records. For a more detailed discussion 
related to protecting food defense plan information, see section VI.F.
    (Comment 6) One comment disagrees with the HACCP framework, and 
requests we use a current good manufacturing practice (CGMP) approach. 
This comment states that such an approach provides facilities with 
sufficient flexibility to address intentional adulteration. Another 
comment supports using a HACCP approach in the context of allowing 
facilities to utilize prerequisite programs.
    (Response 6) We disagree that a CGMP approach is the most 
appropriate approach. We address the appropriateness and flexibility of 
the HACCP-type approach in responses to Comment 1 and Comment 2. We 
address the potential to consider pre-existing activities while 
conducting a vulnerability assessment and identifying and implementing 
mitigation strategies in Response 72 and Response 83.
    We are requiring a HACCP-type approach rather than a CGMP-type 
approach for several reasons. First, the management components in a 
HACCP-type approach are the most effective means, as discussed in the 
response to Comment 1, of ensuring that the mitigation strategies are 
consistently applied. Second, as with food safety, there are hazards 
(or in food defense terms, vulnerabilities) that warrant requirements 
that are more rigorous than general, non-targeted CGMP provisions. The 
vulnerabilities that warrant such requirements are those that we have 
concluded are the highest risk, namely intentional adulteration 
conducted at actionable process steps, including those vulnerabilities 
associated with an inside attacker, intended to cause wide scale public 
health harm. It is precisely these attacks at these points that require 
the most robust and rigorous system to ensure that vulnerabilities are 
assessed, significant vulnerabilities are identified, and mitigation 
strategies are properly implemented to reduce these significant 
vulnerabilities. General, non-targeted CGMP requirements (e.g., 
restricting access to outsiders) would not necessarily focus on the 
significant vulnerabilities or ensure that mitigation strategies are 
implemented to harden the potential targets. Finally, section 418 of 
the FD&C Act requires that hazards intentionally introduced be 
addressed in a HACCP-type framework.
    (Comment 7) One comment asserts that because we already have 
required food safety plans for facilities under a separate rulemaking, 
and because an act of intentional adulteration of food that would cause 
wide scale public health harm is not likely to occur, a separate food 
defense plan, and thus this rule, is not necessary.
    (Response 7) We disagree. Although it is true that most facilities 
covered by this rule will also have a food safety or HACCP plan, the 
focus of those plans is on preventing the contamination of food from 
hazards that are unintentionally introduced and, therefore, the control 
points and the measures implemented in those plans differ from those in 
a food defense plan. It is unlikely that a facility would choose 
preventive controls under the PCHF final rule that would be sufficient 
to address vulnerabilities to intentional adulteration. For example, it 
is unlikely that a facility conducting a hazard analysis would identify 
the step of holding a liquid, such as a syrup, in a tank in a facility 
as a hazard requiring a preventive control. In conducting a hazard 
analysis, the facility would likely be considering whether there are 
hazards associated with the incoming syrup or ingredients for the syrup 
or the syrup production process (inadequate heating), but would not 
likely identify the step of holding the syrup as requiring a preventive 
control. However, in a vulnerability assessment, the step of holding 
liquid syrup may be identified as a significant vulnerability if (1) 
there would be significant public health consequences if a contaminant 
were added, (2) there is access to the product while being held, and 
(3) an attacker would be able to successfully contaminate the product.
    With regard to the statement that an act of intentional 
adulteration is not likely to occur, we agree that the likelihood of an 
incident is low. However, given the potential for a successful 
intentional adulteration of food to cause wide scale public health 
harm, it is prudent for the largest facilities to take preventive 
measures, and it is required by sections 418 and 420 of the FD&C Act 
that they do so.

B. One Set of Requirements Under Sections 418 and 420 of the FD&C Act

    (Comment 8) One comment asserts that the proposed rule blends 
sections 103 and 106 of FSMA into one set of requirements and disagrees 
with that approach. The comment states that section 103 requires basic 
foundational food defense activities, including food defense plans at 
all registered food facilities. The comment contrasts this with section 
106, which it states provides FDA with the authority to designate 
certain foods as ``high risk,'' and to require certain escalated food 
defense activities for those foods. The comment asserts that FDA should 
designate foods as ``high risk'' based on real-time actionable 
intelligence of a credible threat. The comment acknowledges that 
section 103 of FSMA does not apply to facilities required to comply 
with the seafood HACCP program, the juice HACCP program, or the dietary 
supplement CGMPs, but because none of these regulations address food 
defense programs, the comment asserts the Agency can use other legal 
authority to require these food facilities to have food defense 
programs.
    (Response 8) The final rule requires ``basic foundation[al] food 
defense activities'' as well as providing for ``escalated food 
defensive activities'' where warranted. To provide for foundational 
food defense, the rule requires a food defense plan (i.e., a 
vulnerability assessment, mitigation strategies, and procedures for 
food defense monitoring, corrective actions, and verification) and 
associated actions. These requirements are the minimum measures 
necessary to provide assurances that hazards that relate to intentional 
adulteration intended to cause wide scale public health harm will be 
significantly minimized or prevented. Weakening these provisions, such 
as by eliminating the requirement to implement mitigation strategies to 
address significant vulnerabilities at each actionable process step, 
would result in food defense measures inadequate to address the threat 
of an inside attacker. As discussed in response to Comment 1, our 
interactions with the intelligence community, as well as the 
conclusions reached during vulnerability assessments conducted in 
collaboration with industry, have identified an inside attacker as the 
highest threat.
    Further, the suggested approach would place too much reliance on 
FDA having real-time actionable intelligence of a credible threat. As 
discussed in the responses to Comment 11 and Comment 12, there are a 
number of limitations to this approach. FDA may not receive specific, 
real-time, credible threat intelligence. Further, rapidly communicating 
even specific, actionable information to the food industry so that it 
is received by all of the relevant facilities would present challenges. 
Although some facilities may be able to identify some or all actionable 
process steps and implement mitigation strategies within a short

[[Page 34175]]

timeframe, many other facilities would not be able to identify and 
implement the necessary mitigation strategies and the mitigation 
strategies management components (e.g., food defense monitoring, 
corrective actions, verification) within the short time period that 
could be required in the event of a credible threat. In addition, 
taking action only in the event of a credible threat may not be 
sufficient to prevent wide scale public health harm. Measures taken 
after the threat is known may not be sufficient to prevent an attack if 
the intelligence does not provide enough specific information, such as 
the food product, contaminant, point of attack in a facility, and 
geographic location of an attack.
    Because the vulnerability assessment identifies the specific foods 
at specific process steps at greatest risk, it also serves to identify 
those foods that must be protected against intentional adulteration 
under section 420. Having one set of requirements for food defense 
measures helps ensure that the significant vulnerabilities will be 
significantly minimized or prevented and addressed consistently across 
sections 418 and 420 (see section 418(c)(2)). Further, as suggested by 
the comment, the rule provides for escalated food defense activities 
when necessary. Specifically, Sec.  121.157(b)(4) requires reanalysis 
of a food defense plan (which could lead to the identification of 
additional needed mitigation strategies) whenever FDA requires it to 
respond to new vulnerabilities or credible threats to the food supply.
    (Comment 9) One comment asserts that the proposed combination of 
provisions under sections 418 and 420 of the FD&C Act has created 
complexity that could be eliminated by removing acts intended to cause 
massive public health harm from section 418 and covering them solely 
under section 420. The comment further asserts that although section 
418 includes ``acts of terrorism'' within the hazard analysis, Congress 
did not intend to add this level of complexity to the rule and create 
new work that is inconsistent with materials previously created to 
address food defense. Further, the comment states that it appears these 
new requirements were included in the rule as a consequence of the 
statutory language rather than to reduce risk.
    The comment states that one key difference between sections 418 and 
420 is that section 418 requires the facility to identify hazards 
related to intentional adulteration while section 420 requires FDA to 
identify vulnerabilities that could result in serious adverse health 
consequences. The comment asserts that due to the confidentiality of 
information that serves as the basis for the FDA vulnerability 
assessments, it would be more appropriate for FDA to perform the 
assessment for acts that could cause massive public health harm and for 
the facility to perform a vulnerability assessment for other types of 
intentional adulteration that may be specific to a facility and are 
outside of the FDA's vulnerability assessment.
    (Response 9) FDA believes that a single unified set of requirements 
(i.e., this rule) is more clear and less complex than dividing the 
types of intentional adulteration covered by this rule into two 
categories with two sets of requirements, as suggested by the comment. 
It is not clear what would be covered under section 418 if it applied 
only to ``other types of intentional adulteration that may be specific 
to a facility,'' as suggested by the comment. Further, we do not 
believe the provisions of the rule are inconsistent with our current 
guidance; rather, they are more comprehensive and robust. FDA believes 
that these new requirements will reduce risk beyond what is contained 
in our current guidance documents. Our guidance documents mainly focus 
on assessing vulnerabilities and identifying mitigation strategies, but 
do not include recommendations for mitigation strategy management 
components. We believe the management components (part of a HACCP-type 
framework) are critical to ensuring that any hazards that relate to 
intentional adulteration intended to cause wide scale public health 
harm will be significantly minimized or prevented. Further, the 
confidentiality of vulnerability assessments that FDA conducted is not 
a barrier to a facility conducting a vulnerability assessment under 
this rule. The key activity types that FDA has identified were derived 
from FDA's vulnerability assessments and using key activity types to 
conduct a vulnerability assessment remains a permissible option under 
the final rule.
    In addition, as recognized by the comment, section 418 explicitly 
applies to ``acts of terrorism.'' Specifically, 418(b)(2) requires that 
a hazard analysis identify and evaluate hazards that may be 
intentionally introduced, including by acts of terrorism. Further, 
section 418(i) authorizes FDA to require a reanalysis to respond to new 
hazards including, as appropriate, results from terrorism risk 
assessments. Generally, acts of terrorism involving the food supply 
would be committed with the intention to cause wide scale public health 
harm. Therefore, they are clearly covered by section 418.
    (Comment 10) Some comments suggest that FDA require a hybrid 
approach where all facilities subject to section 103 are required to 
conduct a vulnerability assessment and develop and implement a basic 
food defense plan. Under the hybrid approach, if a credible threat is 
identified, then section 106 would serve as an escalation provision and 
allow FDA to designate specific food(s) associated with the credible 
threat as ``high risk.'' Comments suggest that FDA could then require 
facilities with these high risk foods to reassess their food defense 
plans and implement appropriate mitigation strategies that FDA may 
specify to address the threat. Comments argue that if all potential 
mitigation strategies need to be identified through the vulnerability 
assessment and are managed in the absence of actionable intelligence of 
a credible threat, then there is no ability to escalate the plan with 
respect to certain mitigation strategies when needed.
    (Response 10) FDA agrees with the comment in part. As discussed in 
response to Comment 8, this rule requires facilities to conduct a 
vulnerability assessment and develop and implement foundational food 
defense activities. Further, the rule provides a mechanism which serves 
a similar function to the ``escalation provision'' described in the 
comment. Specifically, under Sec.  121.157(b)(4), FDA can require 
facilities to reassess their food defense plans, which could trigger a 
requirement to implement additional mitigation strategies.
    FDA disagrees that the rule requires ``all potential mitigation 
strategies'' to be identified and managed. We believe we have 
appropriately balanced the need to provide assurances that hazards 
associated with intentional adulteration are being prevented with the 
low likelihood of a successful attack on the food supply. The rule does 
not mandate specific mitigation strategies be implemented at actionable 
process steps but rather allows strategies to be tailored to the 
facility and its procedures. We also disagree that there is ``no 
ability to escalate the plan with respect to certain mitigation 
strategies.'' In response to a credible threat involving a specific 
agent, a covered facility could reanalyze its food defense plan with 
specific focus on the relevant agent. The facility then could implement 
specific mitigation strategies to counter this threat (such as 
processing changes, product testing, or other appropriate measures) 
that are not currently required by the rule.

[[Page 34176]]

C. Require Measures Only in the Event of a Credible Threat

    In the proposed rule, we sought comment on whether it would be 
feasible to require measures to protect against intentional 
adulteration only in the event of a credible threat. We also sought 
comment on whether such an approach would be consistent with the 
intentional adulteration provisions of FSMA and how such requirements 
would be communicated to industry in a timely and actionable manner.
    Many comments agree with the requirements as proposed that measures 
to protect food against intentional adulteration be required even in 
the absence of a credible threat but some comments support requirements 
only in the event of a credible threat. Some comments assert that FDA 
has the tools available in the Registration of Food Facility database 
to establish a communications protocol to notify industry if there is a 
credible threat. A few comments express concern over the difficulty of 
developing and implementing food defense plans in a timely manner in 
the event of a credible threat.
    In the following paragraphs, we discuss these comments and our 
responses. After considering the comments, we have revised the 
regulatory text in Sec.  121.157(b)(4) to include specific language 
that provides for FDA to require facilities to conduct a reanalysis of 
their food defense plans to, among other things, respond to credible 
threats to the food supply.
    (Comment 11) Some comments state that this rule should only go into 
effect in the event of a credible threat. One of these comments argues 
that the oilseed processing industry that they represent has never been 
the target of attacks or threats and therefore they are unlikely 
targets for intentional adulteration and should be exempted from the 
rule unless there is a credible threat against a facility or industry 
as a whole.
    (Response 11) We disagree with these comments. The fact that the 
oilseed processing industry and other food industry sectors have not 
been attacked in the past does not mean that these industry sectors 
will never be attacked. Nor does it mean that preventive mitigation 
strategies are unnecessary. As discussed in response to Comment 8, 
taking action only in the event of a credible threat may not be 
sufficient to prevent wide scale public health harm.
    (Comment 12) Some comments encourage FDA to collaborate with the 
U.S. Department of Homeland Security (DHS), the Federal Bureau of 
Investigation (FBI), and other Federal and State Agencies to ensure 
that the relevant stakeholders of the food industry are notified in a 
timely manner upon discovery of a credible threat. These comments 
state that alerting the food industry to known credible threat 
information would be valuable because there may be additional 
mitigation strategies that could be put into place when there is a 
threat. The comments further explain that having such knowledge would 
allow for industry stakeholders with specific, technical knowledge of 
their products, equipment and plant security to better collaborate and 
support the efforts of law enforcement. Some comments recommend that we 
establish and formalize a mechanism and process to communicate credible 
threat information to relevant stakeholders in industry and that the 
Food Facility Registration database could help facilitate this. The 
comments also recommend that we conduct exercises to test this 
mechanism so that all stakeholders are aware of the established 
communications process and can make adjustments and improvements as 
necessary. Several comments recommended that we convene a panel of 
industry stakeholders annually to discuss threat intelligence at the 
``Secret'' level.
    (Response 12) We concur with the recommendation that we should 
collaborate with our Federal and State Agency partners on the discovery 
and communication of credible threats in a timely manner. Currently, 
FDA regularly meets and communicates with DHS, FBI, the U.S. Department 
of Agriculture (USDA), and State and local Agency partners through the 
Food and Agriculture Sector Government Coordinating Council (GCC) to 
discuss food defense issues and research activities and introduce new 
initiatives for mutual evaluation, implementation, and education. FDA's 
Office of Criminal Investigations (OCI) works closely with the FBI and 
other Agencies on a regular basis on threats against FDA-regulated 
products, including food. We also agree that notifying relevant 
stakeholders within industry of credible threats is essential to 
protecting the food supply. The Food and Agriculture Sector GCC and 
Sector Coordinating Council (consisting of private sector members) hold 
in-person joint meetings twice a year and, when needed, classified 
meetings at the ``Secret'' level are held to exchange information. As 
we move towards implementing this rule, we will continue to work with 
our partners--both in government and the private sector--to include 
them in discussions regarding communicating credible threat 
information.
    (Comment 13) One comment states that the term ``credible threat'' 
is not adequately defined in the proposed rule, nor is the relationship 
between a ``credible threat'' and a ``reasonably foreseeable hazard'' 
adequately described. The same comment also notes that because the term 
``credible threat'' is commonly used to discuss sensitive or classified 
information, the use of the term may place an unrealistic expectation 
for sharing of sensitive or classified threat information between 
government agencies and the private sector. The comment suggests either 
removing the term ``credible threat'' from the rule or including a 
definition with an explanation of the mechanism for sharing information 
about credible threats with the food industry.
    (Response 13) We disagree with this comment and decline the request 
to include a definition for credible threat. It is not possible to 
identify with precision what constitutes a credible threat. There are 
many factors to consider with regard to how, what, when, or why those 
who intend to cause harm may take action. As such, it is not possible 
to write a definition for credible threat that is neither so broad that 
it covers potentially any piece of intelligence, nor so narrow that it 
is unnecessarily limiting. FDA routinely works with other agencies to 
maintain situational awareness of potential threats to the food supply 
and will consider that information in determining whether intelligence 
rises to the level of a credible threat.
    Within the context of protecting food against intentional 
adulteration with the intent to cause wide scale public health harm, we 
see no direct relationship between a ``credible threat'' and a 
``reasonably foreseeable hazard.'' ``Known or reasonably foreseeable 
hazard'' is defined in the PCHF final rule to mean a biological, 
chemical (including radiological), or physical hazard that is known to 
be, or has the potential to be, associated with the facility or the 
food. We do not use the phrase ``reasonably foreseeable'' within the 
context of intentional adulteration because it does not apply.
    We acknowledge that there will be challenges to sharing sensitive 
or classified threat information between government agencies and the 
private sector. That is one of several reasons that we are not making 
the requirement for mitigation strategies dependent on a particular 
credible threat. In the event such information was to become known, FDA 
intends to work with its

[[Page 34177]]

government partners to determine the appropriate course of action.
    (Comment 14) Some comments recommend that in the event of a 
credible threat, a facility could conduct a reassessment or reanalysis 
of its food defense plan so that it could better tailor its mitigation 
strategies to the threat. Some comments recommend that FDA revise the 
regulatory text within proposed Sec.  121.150 for reanalysis to require 
facilities to reassess their food defense plans when the Agency has 
actionable intelligence of a credible threat of intentional 
adulteration.
    (Response 14) In the proposed rule, we describe that we may require 
a reanalysis of the food defense plan in the event of a credible 
threat. However, this was not specifically stated within the regulatory 
text. Therefore, we have revised Sec.  121.157(b)(4) to provide that 
reanalysis may be required by FDA to respond to credible threats to the 
food supply. We did not see the need to include ``actionable 
intelligence'' in the regulatory text because we believe that 
``credible threat to the food supply'' implies a threat that also 
requires actionable intelligence.

D. General Comments on Implementation and Compliance

    We received a substantial number of comments with regard to how the 
Agency will implement this rule. Many comments focused specifically on 
the need for inspectors to be provided food defense training to enable 
them to make informed decisions during inspections and compliance 
activities. Another issue raised by many comments is that the Agency 
should make available guidance resources, tools, training, and other 
information to help facilities comply with the final rule. In the 
section that follows, comments related to implementation and compliance 
are discussed.
    (Comment 15) Some comments state that existing regulatory 
inspections should include evaluation of the intentional adulteration 
rule requirements for the best use of time and resources.
    (Response 15) FDA is currently considering the best approach for 
structuring and conducting food defense inspections. We recognize that 
inspections require resources from facilities and recognize that some 
facilities may prefer that food defense inspections be conducted as 
part of an inspection for other regulatory programs, such as preventive 
controls for human food. We will consider this when developing our 
enforcement strategy.
    (Comment 16) Some comments express concern about the level of 
training that will be needed for inspectors. These comments state that 
the inspectors must be trained specifically on food defense and that 
FDA should be transparent about the training that we provide the 
inspectors. Comments emphasize the importance that FDA provide 
specialized training to ensure consistent compliance and enforcement 
activity by the Agency.
    (Response 16) FDA understands and agrees with comments that state 
that training for inspectors conducting food defense inspections is 
critical to a consistent and adequate inspection, compliance, and 
enforcement system. We agree with the comment that specialized training 
in food defense will be required for inspection and compliance staff to 
evaluate a facility's compliance with this rule. FDA has begun the 
process of assessing its training needs for inspectors on food defense. 
It is our intention that training provided to our inspection and 
compliance staff will be consistent with that training for industry 
that will be provided by the Intentional Adulteration subcommittee 
organized within the Food Safety Preventive Controls Alliance (see 
Comment 105) to facilitate consistent implementation of this rule. This 
strategy is consistent with the other FSMA food safety regulations and 
training strategies.
    (Comment 17) Some comments state that inspections should have a 
``big picture'' focus, and focus on the evaluation of the facility's 
vulnerability assessment. Additionally, comments state that this 
inspection should not compare the mitigation strategies used at other 
facilities to the facility being inspected.
    (Response 17) We agree. The rule is designed to provide flexibility 
such that facilities can select appropriate mitigation strategies that 
are best suited for their operations. FDA investigators will consider a 
facility's written explanations regarding identification of actionable 
process steps and selection of mitigation strategies when evaluating a 
food defense plan to understand a facility's rationale. In addition, we 
will work to educate industry before and while we regulate to assist 
industry to gain and maintain compliance with the rule.
    (Comment 18) Some comments request that FDA not cite food defense-
related items on FDA's Form 483 until the facilities and inspectors 
learn about compliance with the intentional adulteration rule. 
Additionally, some comments state concerns about FDA including 
potentially sensitive information from food defense plans when citing 
food defense-related items on Form 483.
    (Response 18) FDA is currently in the process of developing its 
inspection and compliance strategy for the intentional adulteration 
rule and an important part of this strategy development will include 
methods and processes for information exchange with regulated industry. 
We recognize that food defense inspections could include evaluation of 
sensitive information, including vulnerability assessments and 
mitigation strategies. For a more detailed discussion on how FDA will 
protect food defense-related information, see section VI.F, Public 
disclosure.
    (Comment 19) Some comments request that FDA include State 
departments of agriculture in the process to develop and implement 
inspection and compliance programs.
    (Response 19) As mentioned previously, FDA is currently in the 
process of developing its inspection and compliance strategy for the 
intentional adulteration rule. FDA's implementation working group for 
this rule includes representation from State partners, and State 
partners will continue to play an essential and collaborative role 
throughout the process.
    (Comment 20) Several comments state that an alliance would be 
beneficial for the implementation of the intentional adulteration rule.
    (Response 20) Training alliances have played an important role in 
facilitating industry compliance with many regulations in the past. We 
agree with the comment and are in the initial stages of organizing and 
establishing the Intentional Adulteration subcommittee within the Food 
Safety Preventive Controls Alliance operated out of the Institute for 
Food Safety and Health at the Illinois Institute of Technology. We 
anticipate the Intentional Adulteration training subcommittee will 
assist industry compliance with this final rule by supporting the 
development and dissemination of training resources. We further 
anticipate that the curriculum developed through the Intentional 
Adulteration subcommittee will form the basis of training for 
regulators as well.
    (Comment 21) Some comments state that equal enforcement of this 
rule across companies domestically and globally may require FDA to 
adopt different enforcement mechanisms.
    (Response 21) We intend to enforce this rule in a consistent manner 
with regard to imported and domestically produced foods. FDA is 
currently in the

[[Page 34178]]

process of developing its inspection and compliance strategy, including 
how facilities will be selected for inspections and how inspections 
will be conducted for both domestic and foreign facilities. Further, we 
intend to engage in significant outreach activities--both domestically 
and internationally--to facilitate industry compliance with this rule 
and to communicate the Agency's current thinking on inspection, 
compliance, and enforcement strategies. Additionally, we intend to 
develop fact sheets, FAQ documents, guidance documents, and other 
informational materials as needed to support domestic and foreign 
industry compliance with the rule.
    (Comment 22) Several comments recommend that food defense 
activities conducted under programs, such as the Department of Homeland 
Security's (DHS) Customs-Trade Partnership Against Terrorism (C-TPAT) 
and mutually recognized international programs, the Chemical Facility 
Anti-Terrorism Standards (CFATS), and the USDA Food Safety and Inspection 
Service (FSIS) food defense plan template, should be recognized as 
meeting the requirements of this rule. Several comments state that 
there are global food safety schemes that include food defense 
requirements which could be leveraged in inspections and 
implementation. Comments suggest that audits and private certifications 
done under these food safety schemes should be sufficient for meeting 
the requirements of this rule.
    (Response 22) We disagree. The programs identified by comments are 
not sufficient to substitute for compliance with this rule. For 
example, they do not require mitigation strategies at all actionable 
process steps and therefore are not sufficient to significantly 
minimize or prevent intentional adulteration intended to cause wide 
scale public health harm. Further, even if currently they were 
sufficient for compliance for this rule, they could change at any time.
    C-TPAT is a voluntary supply-chain security certification program 
led by U.S. Customs and Border Protection (CBP) that focuses on private 
companies (including food companies) implementing anti-terrorism 
measures to protect their supply chains. When companies join C-TPAT, 
they sign an agreement to work with CBP to identify supply chain 
security gaps and implement specific security measures and best 
practices. CBP has found that the security standards of some foreign 
industry partnership programs are similar to those of the C-TPAT 
program.
    CFATS is a DHS program which regulates high-risk chemical 
facilities to ensure they have anti-terrorism measures in place to 
reduce risks associated with the storage and use of these high-risk 
chemicals. Any facility that possesses ``chemicals of interest,'' as 
identified by DHS, in certain quantities is considered a covered 
facility that must meet some or all of the requirements under CFATS. 
Some agriculture and food facilities are subject to CFATS requirements. 
Covered chemical facilities are required to prepare Security 
Vulnerability Assessments that identify facility security 
vulnerabilities and to develop and implement Site Security Plans that 
identify measures that satisfy risk-based performance standards. These 
risk-based performance standards focus on physical security of the 
chemicals.
    Although both CFATS and C-TPAT programs address some of the 
security concerns related to some food facilities, neither program 
addresses the unique vulnerabilities associated with the food being 
manufactured, processed, packed or held at the facility. In general, 
voluntary security programs such as C-TPAT focus on global supply chain 
security measures involved in the transportation of goods from location 
to location. The CFATS program focuses on reducing risks related to 
chemicals, even in facilities that are mainly geared toward food 
production. In contrast, vulnerability assessments required by this 
rule require identification of significant vulnerabilities at discrete 
processing steps within a facility, where the intent of the attack is 
to cause wide scale public health harm by contaminating the food 
supply. Further, a vulnerability assessment must consider the threat 
stemming from an inside attacker. Once these significant 
vulnerabilities are identified, mitigation strategies are implemented 
at or near those most vulnerable processing steps. Given these 
differences, it is unlikely that facilities would be compliant with 
this rule were they to rely wholly on assessments and mitigation 
strategies conducted as part of other programs.
    The food defense plan template from USDA FSIS is voluntary for 
FSIS-regulated facilities, and is organized in four sections: (1) 
Outside Security Measures, (2) Inside Security Measures, (3) Personnel 
Security Measures, and (4) Incident Response Security Measures. The 
template focuses on a facility's physical security measures, which are 
analogous to recommended, but not required, facility wide security 
measures in this rule. FSIS-regulated facilities are encouraged to read 
and sign the template, adopt it as their food defense plan, and then 
implement, test, and maintain the plan.
    There are important similarities between the plan template and some 
requirements in this rule. For example, some security measures listed 
in the template are similar to some mitigation strategies included in 
the FDA Mitigation Strategies Database. The testing of the plan is 
somewhat similar to food defense monitoring. The plan template also 
suggests awareness training for employees, which is similar to a food 
defense awareness training requirement in this rule. The similarities 
reflect FDA and USDA collaboration on food defense activities for many 
years as discussed in the proposed rule (78 FR 78014 at 78021).
    However, food defense plans developed using the FSIS template would 
not meet all requirements of this final rule. Specifically, FSIS's food 
defense plan template does not include a vulnerability assessment of 
the points, steps, or procedures in a food process, nor does it include 
implementation of mitigation strategies specific to the vulnerable 
points. Additionally, the plan template does not include food defense 
monitoring, food defense corrective action, food defense verification, 
and some training required by this rule.
    In addition, we recognize that there are existing global food 
safety schemes that include food defense requirements and that many in 
the food industry have already adopted and implemented these 
requirements. For example, the Global Food Safety Initiative's (GFSI) 
Guidance Document Sixth Edition (Ref. 10) addresses food defense. 
Subsequently, many of the GFSI-recognized schemes include more specific 
food defense requirements. The Safe Quality Foods (SQF) Code, edition 
7.1 is a process and product certification standard that specifies 
various food defense elements, including that the methods, 
responsibility, and criteria for preventing food adulteration caused by 
a deliberate act of sabotage or terrorist-like incident shall be 
documented, implemented and maintained (Ref. 11). Another example of 
industry standards that incorporate food defense elements is the 
International Featured Standards (IFS) Food Version 6 Standard, which 
specifies that areas critical to security be identified, food defense 
hazard analysis and assessment of associated risks be conducted 
annually or upon changes that affect food integrity, and an appropriate 
alert system be defined and periodically tested for effectiveness (Ref. 
12). We recognize that some in the food industry have already 
voluntarily taken steps to incorporate and implement food

[[Page 34179]]

defense measures; however, they are not adequate to substitute for 
meeting the requirements of this rule.
    Although participation in global food safety schemes and other 
programs administered by our Federal partners is not a substitute for 
compliance with this rule, we believe that participation in programs 
such as C-TPAT, CFATS, the use of the FSIS food defense plan template, 
or international programs granted mutual recognition status as that of 
C-TPAT, for example, decreases a facility's vulnerability to 
intentional adulteration and can work in concert with the requirements 
of the final rule. Additionally, a facility's participation in such 
programs may be considered by FDA as we prioritize risk-based 
inspections of facilities subject to the final rule. Further, we note 
that a facility may use existing records (e.g., records that are kept 
as part of these other programs) to meet the requirements of this rule, 
if they contain all of the required information, and facilities may 
supplement existing records as necessary to include all of the 
information required by this rule (Sec.  121.330).
    (Comment 23) Some comments state that laws in the European Union 
currently require food facilities to take necessary measures to prevent 
intentional adulteration, and it is therefore not justified to request 
additional safety or security requirements for facilities subject to 
these laws.
    (Response 23) We disagree. This rule contains those measures FDA 
has determined are necessary to protect food against intentional 
adulteration. To the extent a facility is already taking actions that 
are required by this rule, a facility will have to make fewer changes 
to its operations. These security measures should be evaluated on a 
case-by-case basis to determine if they qualify as a mitigation 
strategy under this rule.
    (Comment 24) Some comments request that FDA focus on education over 
enforcement and use discretion during inspections.
    (Response 24) As FSMA as a whole is a substantial change in how FDA 
approaches regulating the food and agriculture sector, we recognize 
that significant outreach, education, and training will be required to 
facilitate industry compliance with all FSMA rules. As previously 
stated by the Agency, one of the guiding principles for implementing 
FSMA is that the Agency will educate before and while we regulate. This 
includes a focus on sector-specific guidance, education, outreach, and 
technical assistance for industry. The intentional adulteration rule 
implementation will include these efforts to ensure facilities gain 
understanding and awareness to comply with the rule. In addition, we 
are providing for a longer timeline for facilities to come into 
compliance, allowing for more outreach and dialogue with industry. 
Facilities, other than small and very small businesses, have 3 years 
after the effective date to comply with part 121. Small businesses 
(i.e., those employing fewer than 500 full-time equivalent employees) 
have 4 years after the effective date to comply with part 121. Very 
small businesses (i.e., businesses that have less than $10,000,000, 
adjusted for inflation, per year, during the 3-year period preceding 
the applicable calendar year in both sales of human food plus the 
market value of human food manufactured, processed, packed, or held 
without sale, e.g., held for a fee) have 5 years after the effective 
date to comply with Sec.  121.5(a).
    (Comment 25) Some comments recommend that FDA update the Food 
Defense Plan Builder software tool to capture the elements of a food 
defense plan required by the final rule, such as monitoring, corrective 
actions, and verification.
    (Response 25) FDA plans to update existing tools and resources, 
including the Food Defense Plan Builder software, to assist industry 
with meeting the requirements for the final rule.
    (Comment 26) Several comments request that FDA periodically update 
its online tools and resources for companies to have access to 
information about broad mitigation strategies, although they are not 
required under the rule.
    (Response 26) FDA intends to publish guidance to support industry 
compliance with the final rule. This guidance will include information 
relevant to the required provisions of the final rule and also will 
likely include helpful information on facility-wide security measures 
as well as other best practices and recommendations to assist 
facilities in their development of a comprehensive food defense 
program. In addition, FDA has a number of tools and resources currently 
available on our Web site (http://www.fda.gov/fooddefense) that were 
developed for our voluntary food defense program that can assist 
industry.

E. Comments on Requests for Additional Exemptions

    In the proposed rule we specifically requested comments on whether 
there are other ways in which the coverage of this regulation can be 
further focused on foods that present a high risk of intentional 
adulteration caused by acts of terrorism. In this document we discuss 
comments we received with specific recommendations on foods or 
activities to exempt from the rule.
    (Comment 27) Some comments assert that facilities engaged solely in 
cooling, holding, handling, packing, repacking, packaging and shipping 
of raw, intact fresh produce, similar to activities that may be 
performed on farms, are unlikely to be engaged in any of the key 
activity types and should be exempt from this rule. The comments 
describe activities conducted by these facilities, including 
application of fungicide, food grade wax coating, sorting and placing 
whole intact produce into boxes for shipping. The comments further 
state that whole intact produce would not be an attractive or feasible 
target for an act of intentional adulteration with the intent to cause 
wide scale public health harm, regardless of where the activities 
occur.
    (Response 27) We decline the requested exemption for facilities 
engaged solely in cooling, holding, handling, packing, repacking, 
packaging and shipping of raw, intact fresh produce. We recognize that 
some of these facilities may not have any significant vulnerabilities; 
however, some may. For example, packaging may be a significant 
vulnerability, depending on the degree of access to the food and the 
characteristics of the packaging area (e.g., in a minimally trafficked 
area where individuals are working alone for extended periods of time, 
or if the product is being sprayed with fumigant or fungicide 
applications that may serve to apply a contaminant onto the food). 
Therefore, to determine whether any mitigation strategies are needed, 
each facility must conduct a facility specific vulnerability assessment 
that considers, at a minimum: (1) The potential public health impact if 
a contaminant were added (e.g., severity and scale); (2) the degree of 
physical access to product; and (3) the ability of an attacker to 
successfully contaminate the product. Any of the activities described 
in the comments that are otherwise covered by existing exemptions do 
not need to be considered in the vulnerability assessment. For example, 
holding of foods other than in liquid storage tanks is exempt from the 
rule (Sec.  121.5(b)). Also, packing or re-packing of food where the 
container that directly contacts the food remains intact is exempt 
(Sec.  121.5(c)).
    If after conducting a vulnerability assessment, a facility 
appropriately concludes that it has no actionable process steps, the 
facility would not be required to implement mitigation strategies. The 
facility's food defense plan would include the vulnerability

[[Page 34180]]

assessment, the conclusion that no actionable process steps are 
present, and an explanation for this conclusion at each step. In 
contrast, facilities with actionable process steps are required to 
implement mitigation strategies and the appropriate mitigation 
strategies management components.
    (Comment 28) One comment suggests that we exempt food additives 
used in low dosages. The comment asserts that ``the dosage of food 
additives are approximately 0.01--1 percent of the total food, and the 
final amount of the food additive absorbed into the human body should 
be very small, roughly 1/100--1/10,000 of the total food consumed.'' 
The comment further asserts that if a contaminant is added to a food 
additive used in low dosages, the risk to public health is very small.
    (Response 28) We decline this request. Our vulnerability 
assessments considered a number of factors when evaluating a product's 
vulnerability to acts of intentional adulteration and the potential 
public health consequences of such an act, including a wide variety of 
threat agents. Our vulnerability assessments concluded that there were 
situations where an act of intentional adulteration could still result 
in wide scale public health harm even if the dose of the adulterant 
were at or below the levels highlighted in this comment. Moreover, the 
concentration of a food additive in the finished product may vary 
depending on the nature of the product (e.g., citric acid can be added 
to a food as a flavor enhancer in relatively low concentrations, or to 
other foods in higher concentrations as a color retention agent).
    (Comment 29) One comment recommends that we exempt production and 
packaging of food ingredients from the rule. The comment asserts that 
terrorist groups are more likely to attack finished food production 
than food ingredient production because they want the publicity 
associated with seeing the harm that their act causes. The comment 
further asserts that it may be months or years before a contaminated 
ingredient reaches consumers, and therefore it would not be a likely or 
attractive target for terrorists who want to make a more immediate 
impact. The comment also states that a contaminant can be degraded, 
inactivated, or destroyed in further processing or prolonged storage if 
it is added to an ingredient. The comment maintains that it is far 
easier to select an appropriate contaminant with some knowledge of what 
types of processing it will have to survive. The comment requests that, 
at a minimum, we exempt the production and packaging of food 
ingredients from requirements for focused mitigation strategies and 
make them subject only to requirements for broad mitigation strategies.
    (Response 29) We decline this request. As discussed in section 
IV.B.3, the rule now refers to ``mitigation strategy'' rather than 
``focused mitigation strategy.'' Further, our vulnerability assessments 
concluded that an act of intentional adulteration could still result in 
wide scale public health harm even if the adulteration occurred during 
the production of an ingredient. Ingredients have many different 
distribution paths. Many ingredients can be sold in bulk to 
manufacturing facilities for inclusion in processed finished foods or 
be sold in consumer sized packaging for home use. Some ingredients can 
be used in later processing as a primary ingredient or as a secondary 
ingredient added in much lower volumes. In either case, the ingredient 
manufacturer could be an effective point for an attacker to achieve 
wide scale public health harm.
    (Comment 30) One comment supports our proposed exemption Sec.  
121.5(c) applicable to packing, repacking, labeling, or re-labeling of 
food where the container that directly contacts the food remains 
intact. The comment would like us to further exempt the transportation 
and holding of foods in retail packaged form from coverage under this 
rule.
    (Response 30) The holding of food, except for holding of food in 
liquid storage tanks, is exempt under Sec.  121.5(b). Therefore, the 
holding of foods in retail packaged form is exempt from this rule. 
Furthermore, as explained in section III.G.1, transportation carriers 
are not included in the scope of this rule.
    (Comment 31) One comment requests that food gases be considered for 
an exemption for several reasons. The comment states that food gas 
containers are extremely difficult to breach. Further, the comment 
states that food gases may be stored in bulk storage tanks either 
during manufacture, or prior to containerization (i.e., pressurized 
cylinders) or transport (i.e., cryogenic tankers) but a person 
intentionally trying to contaminate the product during storage or 
transportation would require use and knowledge of specialized equipment 
that is not readily available. The comment argues therefore that food 
gases are not at high risk for intentional adulteration. In addition, 
the comment notes that there are several uses for food gases, such as 
processing aids (e.g., freezing, chilling, pressure transfer) that will 
have minimal contact with the food provided to consumers, and whether 
used as a food additive or an ingredient the gas comprises a very small 
percentage of the final food product.
    (Response 31) We decline the request. The comment identifies that 
food gases may be stored in bulk storage tanks either during 
manufacture, or prior to containerization or transport. We recognize that 
some facilities manufacturing food gas may not have any significant 
vulnerabilities; however, each covered facility must conduct a facility 
specific vulnerability assessment, and that assessment must consider, 
at a minimum: (1) The potential public health impact if a contaminant 
were added (e.g., severity and scale); (2) the degree of physical 
access to product; and (3) the ability of an aggressor to successfully 
contaminate the product. The comment mentions that breaching food gas 
containers would require use and knowledge of specialized equipment 
that is not readily available. However, the vulnerability assessment 
must include consideration of an inside attacker, so this information 
may be available to such an individual. The comment also mentions that 
gases can be stored or transported in liquid form. Based on our 
vulnerability assessments, liquids storage and handling has been 
identified as potentially significantly vulnerable. Therefore, 
facilities manufacturing food gas would need to evaluate their 
manufacturing process through a vulnerability assessment. If after 
conducting a vulnerability assessment, the facility appropriately 
concludes that there are no actionable process steps in the facility, 
the facility would not be required to implement mitigation strategies. 
The food defense plan at this facility would include the vulnerability 
assessment, the conclusion that no actionable process steps are 
present, and an explanation for this conclusion at each step.
    (Comment 32) Some comments request that FDA exempt research and 
development (R&D) and pilot plants from the rule. These comments argue 
that a vulnerability assessment conducted at such a facility would in 
all likelihood conclude that there are no significant vulnerabilities 
due to the low volume of product produced, because such products are 
not typically for retail sale, and because of the narrow scope of 
consuming individuals, if any.
    (Response 32) We decline the request. We note that if food at an 
R&D facility is not for consumption, the facility is not required to 
register and would not be subject to this rule. Food processed at R&D 
facilities may be consumed as samples, distributed at special events, 
or

[[Page 34181]]

may take other routes to public consumption. As with other facilities 
covered by the rule, it is possible, based on a facility specific 
vulnerability assessment, that an R&D facility may conclude that it 
does not contain any significant vulnerabilities. If, after conducting 
a vulnerability assessment, the facility appropriately concludes that 
it has no actionable process steps, the facility would not be required 
to implement mitigation strategies. The facility's food defense plan 
would include the vulnerability assessment, the conclusion that no 
actionable process steps are present, and an explanation for this 
determination at each step. In contrast, an R&D facility with 
actionable process steps is required to implement mitigation strategies 
and the appropriate mitigation strategies management components.

F. Other General Comments

    (Comment 33) Some comments ask us to publish a revised proposed 
rule or an interim rule before proceeding to a final rule because of 
anticipated, significant changes resulting from comments that we 
received in response to the proposed rule. Some comments state that 
food defense is a new and evolving area without existing regulatory 
requirements or a long history of broadly accepted practices and that 
further substantive dialogue with industry is needed. Some comments 
state that a reproposal would serve the same purpose as an Advance 
Notice of Proposed Rulemaking which was FDA's stated intent prior to 
the imposition of judicial deadlines. Some comments state that because 
FSMA rules are dependent on one another, some proposed FSMA rules 
should be issued concurrently so that a concurrent evaluation and 
comment period may be conducted. Some comments state that industry must 
first get used to the new food safety regulations and then concentrate 
on new food defense regulations and believe reproposing at a later date 
will give industry a chance to comply with all the new regulations.
    (Response 33) We decline these requests. These revisions in the 
final rule more closely align the rule with many current food defense 
best practices and increase flexibility for facilities to comply. With 
regard to the suggestion that we should issue the FSMA foundational 
proposed rules simultaneously for comment, this was not feasible given 
our judicial deadlines for the seven rules (Ref. 13). We believe that 
stakeholders were given adequate opportunity to comment on the proposed 
rules, and we extended many comment periods. With regard to the 
comments that suggest we repropose this rule to give industry more time 
to comply, we have addressed this issue by extending the compliance 
dates by an additional 2 years (see section VIII).
    (Comment 34) One comment disagrees with the exemption for holding 
non-liquid bulk food. The comment asserts that most bulk foods, 
irrespective of their physical form, are likely to be mixed or blended 
at some point after receipt by the end-user (i.e., the manufacturer or 
packager that will convert the bulk food into retail packaged food), 
and are likely to be processed into a much larger volume of finished 
food. Thus, the comment maintains that any contamination introduced 
into a bulk food during storage prior to its use in the preparation of 
a retail packaged food may affect a large volume of finished food and 
may thereby cause massive public health harm.
    (Response 34) As discussed in the proposed rule, based on an 
analysis of the vulnerability assessments that FDA has conducted using 
the CARVER+Shock methodology, we identified four key activity types 
(Bulk liquid receiving and loading; Liquid storage and handling; 
Secondary ingredient handling; and Mixing and similar activities) as 
production processes that require focused mitigation strategies. With 
the exception of the holding of food in liquid storage tanks, which is 
not included in the exemption, we are not aware of activities performed 
during the holding of food that fit within any of these four key 
activity types (see 78 FR 78014 at 78036). There is no likely way that 
a contaminant can be homogeneously mixed throughout a non-liquid bulk 
food during storage. We found in our vulnerability assessments that the 
potential for uniform distribution of a contaminant into the food is a 
major factor in elevating vulnerability. Since it is highly unlikely 
that an inside attacker would be able to evenly distribute a 
contaminant into a dry bulk ingredient during storage, the 
vulnerability associated with these steps did not rise to the level of 
the vulnerability associated with the key activity types.

G. Other Issues Discussed in the Proposed Rule

1. Transportation Carriers
    In the proposed rule, we tentatively determined that there is a 
significant vulnerability to intentional adulteration during bulk 
liquid receiving and loading, one of the four key activity types 
included in the proposal as an option to identify actionable process 
steps. We did not identify receiving and loading of other types of 
foods (e.g., non-bulk liquid, solid, gaseous) as key activity types 
because we determined through our vulnerability assessments that they 
do not present the same level of risk. Further, we tentatively 
concluded that requiring receivers and shippers of bulk liquids to 
implement mitigation strategies at actionable process steps involving 
loading and receiving of bulk liquid foods would significantly minimize 
or prevent the potential for intentional adulteration of these foods 
during transportation.
    Based on our vulnerability assessments, we proposed to require that 
mitigation strategies to ensure the integrity of food during transport 
would be implemented by facilities, rather than carriers. Where such 
measures are implemented by the shippers and receivers of bulk liquids, 
we tentatively concluded that the food would be sufficiently protected, 
and that no further actions by a carrier would be needed. For this 
reason, we did not propose to cover transportation carriers in the 
proposed rule. We requested comment on our analysis and tentative 
conclusion.
    Some comments agree with the tentative conclusion in the proposed 
rule to exclude transportation carriers. Some comments oppose this 
approach. In the following paragraphs, we discuss comments that 
disagree with the proposed approach. After considering the comments, we 
are finalizing the rule as proposed with regard to transportation 
carriers.
    (Comment 35) Some comments disagree with our conclusion that 
implementing mitigation strategies at the receiving and loading steps 
for bulk liquids will adequately protect food during transportation. 
Some comments argue that transport of food is one of the most 
vulnerable stages in a process, as food is not protected by a secure 
facility and may often be parked at a truck stop or other unsecure 
locations for extended periods of time which provides the opportunity 
for an attacker to gain access. One comment states that food shipments 
have consistently been documented as either the first or second most 
stolen truckloads on U.S. highways, and if terrorists were to use this 
mode of attack on the food supply, the result could be a major event 
for which we were not only unprepared, but for which we could have 
foreseen the risk.
    (Response 35) We disagree with these comments. Based on our 
vulnerability assessments, we determined that the most practical 
mitigation strategies to

[[Page 34182]]

ensure the integrity of food during transport would be implemented by 
facilities, rather than by carriers. For example, to significantly 
minimize or prevent the product from being intentionally adulterated 
during transport, a shipper may elect to use seals to secure access 
points, such as doors or hatches, on the transport conveyance. The 
shipper seals the load prior to departure from its facility by using 
seals with unique identification numbers. The shipper includes the seal 
numbers on shipping documentation and transmits the seal numbers to the 
receiving facility. Once the shipment arrives at the receiving 
facility, the receiver would verify the seals are in place and that the 
identification numbers match. This mitigation strategy ensures the food 
was not accessible during transport. To ensure that the driver cannot 
exploit his position to gain access and intentionally adulterate the 
food during transport, the carrier has no role in the seal mitigation 
strategy. If seals are missing or the identification numbers do not 
match the shipping documentation, the receiving facility would reject 
the load and notify the shipper.
    Facilities are required to implement mitigation strategies that 
significantly minimize or prevent significant vulnerabilities 
associated with actionable process steps. Therefore, if a food 
operation has a significant vulnerability associated with 
transportation, the facility must choose a mitigation strategy or 
combination of strategies to significantly reduce the vulnerability at 
the receiving or loading step. Mitigation strategies implemented at 
inbound receiving and outbound shipping would complement each other to 
protect the food during transport. For example, if the 
vulnerability assessment concludes that loading is an actionable 
process step because of a vulnerability during transportation, the 
facility would implement mitigation strategies to protect its outbound 
food from intentional adulteration (e.g., sealing the bulk liquid 
tanker truck access points). Likewise, if the facility receiving the 
food identifies receiving as an actionable process step because of a 
vulnerability during transportation, it would implement mitigation 
strategies to reduce the vulnerability of the food to intentional 
adulteration during shipping. The mitigations employed at the 
receiving/unloading step may include procedures to accept only 
scheduled shipments, verification of shipping documentation, procedures 
to investigate delayed or missing shipments, inspecting loads prior to 
receipt, and rejecting damaged or suspect items. These steps together 
will then work to significantly reduce the significant vulnerabilities 
associated with the transport of food. With respect to the prevalence 
of theft of food during transport, such theft is economically 
motivated; the scope of this rule is limited to acts of intentional 
adulteration where the intent is to cause wide scale public health 
harm.
    (Comment 36) One comment states that the use of seals or tamper-
evident containers is insufficient to protect bulk foods during 
transportation and/or holding because tamper-evident seals can be 
defeated and cannot be expected to prevent a determined attacker. The 
comment further states that tamper-evident containers or seals should 
be used in combination with other measures.
    (Response 36) Mitigation strategies are ``risk-based,'' 
``reasonably appropriate measures'' employed to ``significantly 
minimize or prevent'' significant vulnerabilities. They cannot always 
eliminate entirely any possibility of intentional adulteration. 
Furthermore, each facility has some degree of discretion in determining 
how, and whether, each mitigation strategy is properly implemented, as 
part of the facility's written explanation of how the mitigation 
strategy sufficiently minimizes or prevents the significant 
vulnerability associated with the actionable process step. Facilities 
are required to implement mitigation strategies that significantly 
minimize or prevent the significant vulnerability; therefore, if a 
significant vulnerability is identified, the mitigation strategy or 
combination of strategies chosen by the facility must be sufficient to 
reduce the vulnerability to an acceptable level at these steps.
    In many cases the use of tamper evident seals may be an appropriate 
mitigation strategy for limiting access to the product. Additionally, 
if a tamper evident seal had been circumvented by an attacker, a close 
inspection of the seal at receiving may reveal suspicious activity or 
tampering, which reduces the likelihood of a successful attack. However, 
if the facility concludes that tamper evident seals are not by 
themselves sufficient to significantly reduce the vulnerability, they 
should employ other or additional measures (such as directing carriers 
to travel directly to the end destination without stop-overs, or 
requiring teamed drivers to prevent the load from being unsupervised 
during transport).
    (Comment 37) One comment requests clarification of expectations in 
situations where only one of the entities involved is covered by the 
intentional adulteration rule (e.g., the shipper is covered, but the 
receiver is exempt due to size or vice versa) and states that FDA may 
need to take a closer look into exemption of carriers.
    (Response 37) A covered facility may ship food to or receive food 
from a facility that is not covered by the rule (e.g., it is a very 
small business). The covered facility is responsible for implementing 
mitigation strategies to address transportation if it has a significant 
vulnerability associated with transportation at the receiving or 
shipping steps. The mitigation strategies used by the covered facility 
must significantly minimize or eliminate the significant vulnerability 
at this step. Mitigation strategies are available to protect the food 
during transport regardless of whether the shipper or receiver is 
exempt from the rule. If the receiving facility is exempt, the shipping 
facility can address the vulnerability by implementing mitigation 
strategies such as those discussed in Response 36. If the shipping 
facility is exempt, the receiving facility can address the 
vulnerability by implementing mitigation strategies such as visually 
inspecting seals and cargo to identify any suspicious activity or 
tampering, verifying shipping documents are accurate, ensuring only 
scheduled deliveries are accepted, and investigating delayed or 
inaccurate shipments. Additionally, we do not believe a shipping and/or 
receiving facility that qualifies for the very small business exemption 
is an attractive target for attackers intending to cause wide scale 
public health harm, as detailed in section IV.B.11.
    (Comment 38) Some comments state that covering carriers under this 
rule may not be the best approach and this component of the food sector 
may be better addressed in guidance. Some comments ask us to continue 
to develop materials, guidelines and other tools to promote voluntary 
compliance of food defense measures by the transportation component of 
the food sector.
    (Response 38) We agree with these comments. As resources allow, we 
will continue to develop best practices for the transportation industry 
to assist with voluntary compliance with food defense measures.

[[Page 34183]]

2. Other Types of Intentional Adulteration: Disgruntled Employees, 
Consumers, and Competitors; and Economically Motivated Adulteration
a. Disgruntled Employees, Consumers, and Competitors
    In the proposed rule, we explained that when we considered the 
spectrum of risk associated with intentional adulteration of food, 
attacks conducted with the intent of causing massive casualties and, to 
a lesser extent, economic disruption, would be ranked as relatively 
high risk. (Note that to further clarify the rule's focus we have 
removed the reference to economic disruption from the definition of 
``food defense.'') We further explained that attacks by disgruntled 
employees, consumers, or competitors would be consistently ranked as 
relatively low risk mainly because their public health and economic 
impact would be generally quite small. We further stated that 
disgruntled employees are generally understood to be interested 
primarily in attacking the reputation of the company and otherwise have 
little interest in public health harm. Typically, acts of disgruntled 
employees, consumers, or competitors target food and the point(s) in 
its production that are convenient (i.e., a point at which they can 
easily access the food and contaminate it). To minimize or prevent this 
type of adulteration would require restricting access to nearly all 
points in the food system. Instead, we proposed to focus on those 
points in the food system where an attack would be expected to cause 
massive adverse public health impact.
    We received comments supporting the proposed approach; comments 
stating that measures should be required to protect against acts of 
terrorism and disgruntled employees; and a comment stating that 
disgruntled employees can be recruited by terrorist organizations. The 
final rule is focused on protecting food against intentional 
adulteration where the intent of the adulteration is to cause wide 
scale public health harm. In the circumstance described by the comment 
where a disgruntled employee is recruited by a terrorist organization, 
the motivation of the employee has changed from harming the reputation 
of the company to that of the terrorist organization intending to cause 
wide-scale public health harm. The rule is designed to reduce the 
likelihood that such an attack would be successful. Further, the 
protections required by the rule would be effective in minimizing the 
likelihood of success of a disgruntled employee, consumer, or 
competitor who attempts an act of intentional adulteration at an 
actionable process step--even if that act of intentional adulteration 
is not intended to cause wide-scale public health harm. We continue to 
believe that an approach that does not focus on preventing wide-scale 
public health harm, but rather attempts to address intentional acts 
regardless of their potential severity, would require restricting 
access to nearly all points in the food system because these types of 
attacks are typically conducted at areas of convenience and could occur 
at any point in the food system.
b. Economically Motivated Adulteration
    In the proposed rule, we stated that the goal of the perpetrator of 
economically motivated adulteration is for the adulteration to go 
undetected so the perpetrator can continue to obtain the desired 
economic benefit. Unlike with intentional adulteration, where the 
intent is to cause wide scale public health harm through instances such 
as acts of terrorism focused on the food supply, occurrences of 
economically motivated adulteration are expected to be long term, and 
would not be appropriately viewed as a rare occurrence, but rather as 
reasonably likely to occur. For these reasons, we concluded that 
the approaches in the PCHF and PCAF final rules are better suited to 
address economically motivated adulteration. We sought comment on our 
conclusions.
    We received numerous comments related to economically motivated 
adulteration, including comments suggesting economically motivated 
adulteration is best addressed in this rule, comments suggesting it is 
best addressed in the PCHF and PCAF final rules, comments recommending 
different hazard identification methodologies, comments related to 
terminology and definitions, and comments requesting postponement of 
any economically motivated adulteration-associated requirements.
    We continue to believe that the approaches in the PCHF and PCAF 
final rules are better suited to address economically motivated 
adulteration, and have finalized this rule with no requirements related 
to economically motivated adulteration for facilities covered by those 
rules. For further discussion see the PCHF final rule (80 FR 55908 at 
56028-56029) and the PCAF final rule (80 FR 56170 at 56243-56246).
    In the proposed rule, we also tentatively decided not to require 
produce farms subject to section 419 of the FD&C Act and farms that 
produce milk (also referred to in this document as ``dairy farms'') 
subject to section 420 of the FD&C Act to take measures to address 
economically motivated adulteration. With regard to produce farms, we 
tentatively concluded that there are not procedures, processes, or 
practices that are reasonably necessary to be implemented by these 
entities to prevent the introduction of known or reasonably foreseeable 
biological, chemical, or physical hazards that can cause serious 
adverse health consequences or death as a result of economically 
motivated adulteration. With regard to farms that produce milk, we 
tentatively concluded that there are not appropriate science-based 
strategies or measures intended to protect against economically 
motivated adulteration that can be applied at the farm. Those tentative 
conclusions were based on our assessment that preventive controls are 
suitable to address economically motivated adulteration when it is 
perpetrated by the entity's supplier, but not when it is perpetrated by 
the entity itself, and supplier controls are not warranted in this 
context because of the lack of inputs into the growing, harvesting, 
packing, or holding of produce or milk (i.e., activities within our 
farm definition) that could be subject to economically motivated 
adulteration that could cause serious adverse health consequences or 
death under sections 419 and 420 of the FD&C Act.
    We received one comment suggesting we include requirements related 
to economically motivated adulteration on produce farms and stating 
that economically motivated adulteration (e.g., illegal use of dyes and 
ripening agents) has occurred on foreign produce farms. We continue to 
believe that preventive controls are suitable to address economically 
motivated adulteration when it is perpetrated by an entity's supplier, 
but not by the entity itself. Preventive controls for economically 
motivated adulteration are not suitable to address the situation where 
the same farm that would be economically adulterating the food (which 
is already prohibited) would also be responsible for implementing 
preventive controls to prevent the adulteration. After considering this 
comment, we have finalized this rule with no requirements related to 
economically motivated adulteration on produce and dairy farms.
3. Dairy Farms
    In the proposed rule, we stated that FDA-led vulnerability 
assessments and associated data analyses identified certain categories 
of points, steps, or

[[Page 34184]]

procedures in the food system which scored high on vulnerability scales 
related to intentional adulteration of food, regardless of the food 
being assessed. Two of these key activity types, liquid storage and 
handling, and bulk liquid receiving and loading, are present on dairy 
farms in areas such as the bulk liquid storage tank. We requested 
comment on several questions, including whether and how access to the 
bulk milk storage tank and milk house could be limited; the presence 
and types of any mitigation strategies currently used on farms; and 
whether and what mitigation strategies would be appropriate and 
feasible given current dairy farming practices.
    Some comments acknowledge that limiting access to the bulk milk 
tank and milk house is an important objective; however, these comments 
describe significant challenges regarding limiting access to milk. 
These comments state that some State laws require unannounced access to 
the bulk tank and/or the milk house for food safety inspections. 
Additionally, comments state that locking only the bulk tank would be 
ineffective because this would still leave the milk accessible via the 
milk house. These comments also state that it is common for many dairy 
farms to leave the bulk tank and the milk house unlocked to facilitate 
normal day-to-day operations and that any regulation requiring strictly 
limiting access, such as locking the milk house, would be impractical 
due to the multiple entry points and the number of personnel needed for 
these measures to function effectively. Some comments suggest that FDA 
engage in substantial dialogue with industry to gain a better 
understanding of current practices and better ascertain the food 
defense measures that would be effective and appropriate before issuing 
regulations. Some comments state that FDA should utilize existing 
programs to identify potential activities to reduce the vulnerability 
to intentional adulteration on dairy farms because these programs have 
demonstrated efficacy and have the structures in place to successfully 
implement new food defense measures.
    Some comments state that FDA should not issue requirements for 
dairy farms because they are not at high risk for intentional 
adulteration. Some comments describe the willingness of stakeholders to 
adopt voluntary food defense measures, with specific examples including 
State-led education efforts and adoption of some elements of existing 
FDA guidance relating to food defense measures on dairy farms. Some 
comments state that any requirements should be limited to food defense 
awareness training while other comments state that such training may be 
beneficial and is provided on some farms, but more information is 
needed to identify effective training programs.
    Additionally, several comments address procedural matters, with 
many comments stating that FDA must either allow a full and separate 
comment period for any potential requirements for dairy farms because 
there were no requirements related to dairy farms in the proposed rule, 
or issue a fully separate proposal for dairy farms which will cover the 
requirements in their entirety independent of the intentional 
adulteration regulations for facilities that are not farms. Some 
comments also request that dairy processing facilities be exempt from 
the requirements of this rule.
    Although we believe requiring mitigation strategies that restrict 
access to milk on dairy farms is warranted based on risk, at this time 
there are not strategies that limit access to milk that are appropriate 
and practical to require for all farms. We believe it is important that 
any mitigation strategies we consider imposing include restricting 
access to milk while it is on farms. We agree with comments that state 
that potential mitigation strategies, such as locking the milk tank and 
milk house, are not currently workable given the realities of milking 
schedules and the access to the bulk tank needed for food safety 
inspections and milk collection. We need further dialogue with key 
stakeholders and collaborative research to develop and identify 
strategies that are protective and practical; we are aware of 
technology-mediated advancements that are under development, and are 
potentially promising for the future in this area. Given the current 
lack of mitigation strategies that would practically limit access to 
milk, we agree that working with the Federal-State collaborative 
program for milk safety, the National Conference on Interstate Milk 
Shipments (NCIMS), is the most appropriate way to address concerns 
regarding intentional adulteration on dairy farms in the near term as 
strategies that can limit access to milk while on farm are developed. 
We believe NCIMS offers an effective platform for FDA to advance the 
development and implementation of mitigation strategies for dairy farms 
because the cooperative program includes key partners, such as the U.S. 
Public Health Service/FDA, the States, and the dairy industry, and has 
a central role in helping to ensure the safety of milk and milk 
products.
    We are not exempting Pasteurized Milk Ordinance (PMO) facilities 
that are not farms (e.g., dairy processing facilities) from complying 
with this rule. Unlike farms, such facilities have identified effective 
mitigation strategies available to them. In addition, PMO requirements 
do not currently address intentional adulteration. Further, unlike 
farms, these facilities are not exempt from the PCHF rule. We note that 
the earliest compliance date for this rule (3 years) is the same as the 
extended compliance date in the PCHF rule, which was chosen to give the 
NCIMS time to modify the PMO to include the requirements of the PCHF 
rule.

IV. Subpart A: Comments on Specific Provisions

A. Revisions to Definitions Also Used in Section 415 Registration 
Regulations (21 CFR Part 1, Subpart H) and Section 414 Recordkeeping 
Regulations (21 CFR Part 1, Subpart J)

    As discussed in the proposed rule (78 FR 78014 at 78030), several 
terms we proposed have the same definitions as proposed in 21 CFR part 
117 (the PCHF proposed rule) and therefore we did not include an 
extensive discussion in the proposed rule of the following terms: 
facility, farm, holding, manufacturing/processing, mixed-type facility, 
and packing. We did not receive specific comments on any of our 
proposed definitions for these terms, except that many comments state 
that it is critical for FDA to cross-reference and be consistent with 
the same terms as finalized in the PCHF final rule. We agree and we 
have amended each of these terms to be consistent with the definitions 
as finalized in the PCHF final rule. See section IV. of the PCHF final 
rule for extensive discussion of the comments received and changes made 
to these definitions.
1. Facility
    We proposed to define the term ``facility'' to mean a domestic 
facility or a foreign facility that is required to register under 
section 415 of the FD&C Act (21 U.S.C. 350d), in accordance with the 
requirements of 21 CFR part 1, subpart H. We have finalized this term 
as proposed, except that we have made editorial changes by removing the 
U.S. Code citation and amended the Code of Federal Regulations 
citation.
2. Farm
    We proposed to define the term ``farm'' by reference to the 
definition of that term in Sec.  1.227 of this chapter. We have 
finalized this term as proposed. For a detailed discussion of the 
definition of ``farm,'' see sections IV.A and IV.B of the PCHF final 
rule.

[[Page 34185]]

3. Holding
    We proposed to define the term ``holding'' to mean storage of food. 
In addition, we proposed that holding facilities include warehouses, 
cold storage facilities, storage silos, grain elevators, and liquid 
storage tanks. Further, we proposed that for farms and farm mixed-type 
facilities, holding also includes activities traditionally performed by 
farms for the safe or effective storage of raw agricultural commodities 
grown or raised on the same farm or another farm under the same 
ownership, but does not include activities that transform a raw 
agricultural commodity (RAC), as defined in section 201(r) of the 
Federal Food, Drug, and Cosmetic Act (21 U.S.C. 321), into a processed 
food as defined in section 201(gg). In this final rule, consistent with 
the PCHF final rule, we have revised the definition for ``holding'' by 
removing the distinction for farms and farm mixed-type facilities, 
adding that holding also includes activities performed incidental to 
storage of a food, but does not include activities that transform a RAC 
into a processed food, and including additional examples of holding 
activities. For a detailed discussion of the definition of ``holding,'' 
see section IV.D of the PCHF final rule.
4. Manufacturing/Processing
    We proposed to define manufacturing/processing to mean making food 
from one or more ingredients, or synthesizing, preparing, treating, 
modifying or manipulating food, including food crops or ingredients. 
Further, the proposed definition provided that examples of 
manufacturing/processing activities are cutting, peeling, trimming, 
washing, waxing, eviscerating, rendering, cooking, baking, freezing, 
cooling, pasteurizing, homogenizing, mixing, formulating, bottling, 
milling, grinding, extracting juice, distilling, labeling, or 
packaging. In addition, the proposed definition provided that for farms 
and farm mixed-type facilities, manufacturing/processing does not 
include activities that are part of harvesting, packing, or holding. In 
this final rule, consistent with the PCHF final rule, we have revised the 
definition of ``manufacturing/processing'' by adding to the list of 
examples and we have reorganized the listed examples to present them in 
alphabetical order. For a detailed discussion of the definition of 
``manufacturing/processing,'' see section IV.E of the PCHF final rule.
5. Mixed-Type Facility
    We proposed to define mixed-type facility to mean an establishment 
that engages in both activities that are exempt from registration under 
section 415 of the FD&C Act and activities that require the 
establishment to be registered. The proposed definition also stated 
that an example of such a facility is a ``farm mixed-type facility,'' 
which is an establishment that grows and harvests crops or raises 
animals and may conduct other activities within the farm definition, 
but also conducts activities that require the establishment to be 
registered. In this final rule, consistent with the PCHF final rule and as 
a conforming change associated with the revisions to the ``farm'' 
definition, we have revised the example of a ``farm mixed-type 
facility'' to specify that it is an establishment that is a farm, but 
also conducts activities outside the farm definition that require the 
establishment to be registered. For a detailed discussion of the 
definition of ``mixed-type facility,'' see section IV.F of the PCHF 
final rule.
6. Packing
    We proposed to define packing to mean placing food into a container 
other than packaging the food. Further, the proposed rule provided that 
for farms and farm mixed-type facilities, packing also includes 
activities traditionally performed by farms to prepare RACs grown or 
raised on the same farm or another farm under the same ownership for 
storage and transport, but does not include activities that transform a 
RAC, as defined in section 201(r) of the FD&C Act, into a processed 
food as defined in section 201(gg). In this final rule, consistent with 
the PCHF final rule, we have revised the definition for ``packing'' by 
removing the distinction for farms and farm mixed-type facilities and 
adding that packing includes activities performed incidental to packing 
a food, but does not include activities that transform a RAC into a 
processed food. We have also revised the definition to clarify that 
packing includes ``re-packing.'' For a detailed discussion of the 
definition of ``packing,'' see section IV.G of the PCHF final rule.

B. Other Definitions That We Proposed To Establish in Part 121

    To establish the scope of facilities, activities and food covered 
by this regulation, we proposed to define key terms. We also proposed 
to establish that the definitions in section 201 of the FD&C Act apply 
when used in part 121. We received no comments regarding the use of 
statutory definitions in section 201 of the FD&C Act, and we are 
finalizing that provision without change. In this section, we discuss 
each definition as proposed, related comments, and our responses.
1. Actionable Process Step
    We proposed to define the term ``actionable process step'' to mean 
a point, step, or procedure in a food process at which food defense 
measures can be applied and are essential to prevent or eliminate a 
significant vulnerability or reduce such vulnerability to an acceptable 
level. Although we did not receive comments on the proposed definition 
for actionable process step, we have revised the definition to improve 
understanding of the regulatory requirements in Sec.  121.130 
(Vulnerability assessment to identify significant vulnerabilities and 
actionable process steps) and to be consistent with the definition of 
mitigation strategies. In this final rule, actionable process step is 
defined to mean a point, step, or procedure in a food process where a 
significant vulnerability exists and at which mitigation strategies can 
be applied and are essential to significantly minimize or prevent the 
significant vulnerability.
2. Contaminant
    We proposed to define the term ``contaminant'' to mean any 
biological, chemical, physical or radiological agent that may be 
intentionally added to food and that may cause illness, injury or 
death.
    (Comment 39) Some comments assert the proposed language defining 
``contaminant'' could be interpreted to include ingredients 
intentionally added to food that resulted in harm, even if 
unintentional, such as an unintended allergic or other adverse health 
response. The comments urge FDA to clarify the meaning to be an 
``intentional'' contaminant, for the purpose of this rule, by amending 
the proposed definition as follows: ``Contaminant means any biological, 
chemical, physical or radiological agent added to food to intentionally 
cause illness, injury or death.''
    (Response 39) We agree that the confusion pointed out by the 
comments is possible and have amended the proposed definition. The term 
``contaminant'' is used in the context of intentional acts of 
adulteration with intent to cause wide scale public health harm. We 
agree that amending the proposed definition for contaminant to make 
clear that the harm must be intended better reflects how the term is 
used in this rule.

[[Page 34186]]

    (Comment 40) One comment asserts the term ``contaminant,'' is used 
widely in the food and dietary supplement industries and that if FDA 
were to include a definition for this term, it must employ a definition 
that is consistent throughout all regulations pertaining to food and 
dietary supplements. Further, one comment notes that this term is 
defined differently in the proposed rule (i.e., a contaminant is any 
agent that may be added to food) than it is in the Codex Alimentarius 
guidelines (i.e., contaminants are substances that are ``not 
intentionally added to food or feed''). The comment suggests that FDA 
take note of this difference and consider revisions with the goal of 
promoting consistency and common understanding of terminology.
    (Response 40) As discussed in the proposed rule (78 FR 78014 at 
78031), we based the proposed definition, in part, on the definition of 
``contaminant'' used in Codex Alimentarius guidelines, but made 
modifications to reflect the narrower context in which the term is used 
within this rule. Further, as discussed in response to Comment 39, we 
are amending the definition of ``contaminant'' to better reflect its 
limited use in this rule.
3. Focused Mitigation Strategies
    We proposed to define the term ``focused mitigation strategies'' to 
mean those risk-based, reasonably appropriate measures that a person 
knowledgeable about food defense would employ to significantly minimize 
or prevent significant vulnerabilities identified at actionable process 
steps, and that are consistent with the current scientific 
understanding of food defense at the time of the analysis.
    We explained in the proposed rule that a ``mitigation strategy'' is 
a measure taken by a facility to reduce the potential for intentional 
adulteration of food. We further explained that FDA divides mitigation 
strategies into two types, ``broad mitigation strategies'' and 
``focused mitigation strategies.'' We explained that broad mitigation 
strategies are general facility-level measures that are intended to 
minimize a facility's vulnerability, as a whole, to potential acts of 
intentional adulteration. We provided some examples of broad mitigation 
strategies, such as (1) physical security, such as perimeter security 
fencing, locking exterior doors, penetration alarms; (2) personnel 
security, such as pre-hire background and reference checks, 
identification badges, and controlled visitor access; (3) securing 
hazardous materials, such as cleaning products, laboratory materials, 
and pesticides; (4) management practices, such as ingredient storage 
inventory procedures; key security procedures, PINs or passwords; 
procedures to restrict personal items from all food production areas; 
procedures requiring IDs and uniforms to be returned when a person's 
employment ends; and supplier verification or certification procedures; 
and (5) crisis management planning, such as maintenance of updated 
emergency contact information, procedures for responding to reported 
threats, and establishment of a designated food defense leadership 
team. We further explained that broad mitigation strategies, by nature, 
are generally applicable to a facility, regardless of the type of food 
being processed, and, as such, are not targeted to a specific 
processing step in a food operation.
    In contrast, focused mitigation strategies are specific to an 
actionable process step in a food operation where a significant 
vulnerability is identified. They represent reasonably appropriate 
measures that are necessary to reduce the likelihood of intentional 
adulteration intended to cause wide scale public health harm. Focused 
mitigation strategies are customized to the processing step at which 
they are applied, tailored to existing facility practices and 
procedures, and depend on an evaluation of the significant 
vulnerability associated with the actionable process step at which they 
are applied. In the proposal we tentatively concluded, based on our 
vulnerability assessments, that the implementation of focused 
mitigation strategies at actionable process steps in a food operation 
is necessary to minimize or prevent the significant vulnerabilities 
that are identified in a vulnerability assessment, regardless of the 
existence of broad mitigation strategies.
    We further explained that, in contrast to broad mitigation strategies, 
focused mitigation strategies are targeted to actionable process steps 
and, therefore, are more effective at countering an attacker who has 
legitimate access to the facility. Our conclusion was based upon our 
interactions with the intelligence community and the many vulnerability 
assessments we conducted with industry, which showed that an act of 
intentional adulteration by an insider presents significant risk for 
that adulteration to result in wide scale public health harm and that 
broad mitigation strategies are not specific enough, for example, to 
counter the actions of an attacker who has legitimate access to the 
facility (i.e., insider attack) or an attacker who circumvents 
perimeter protections (e.g., scaling a fence), with the goal of 
intentionally contaminating the food.
    Although the regulatory text now only refers to ``mitigation 
strategies,'' we continue to believe that facilities must protect 
vulnerable points in their operation from acts of intentional 
adulteration intended to cause wide scale public health harm and that a 
facility's vulnerability to acts of intentional adulteration by 
attackers who have achieved access to the facility must be 
significantly reduced or prevented to protect the food from intentional 
adulteration intended to cause wide scale public health harm. General, 
facility-level protections do not sufficiently address the significant 
vulnerabilities within a facility because they do not address an inside 
attacker who has obtained access to the facility.
    (Comment 41) Some comments state that the distinction between 
``broad'' and ``focused'' mitigation strategies is confusing, and 
request that the distinction be removed. One comment states the line 
between broad and focused mitigation strategies is often blurry. The 
comment asks how close ingredient handling needs to be to a gate for 
the gate to be considered a focused mitigation strategy and not a broad 
one. The comment further asserts that a mandate for focused mitigation 
strategies will result in endless debates between facility management 
and FDA investigators as to whether a particular mitigation strategy is 
broad or focused and that this potential for difference of opinion 
between facilities and FDA investigators is of significant concern for 
industry stakeholders.
    (Response 41) The question asked by the comment highlights the 
nuance and gradation that exists within mitigation strategies. After 
considering the comments, we agree that many mitigation strategies may 
not lend themselves to clear categorizations as either ``broad'' or 
``focused,'' and we agree that the delineation between broad and 
focused mitigation strategies, as described in the proposed rule, may 
be confusing because of the wide diversity of potential mitigations as 
well as variation as to how a facility chooses to implement a 
particular strategy. As a result, we have modified the regulatory text 
throughout the final rule to refer to ``mitigation strategy'' rather 
than ``focused mitigation strategy.'' For example, Sec.  121.135 now 
requires ``mitigation strategies for actionable process steps.'' Also, 
the title of the rule has been modified to reflect this change.

[[Page 34187]]

4. Food
    We proposed to define the term ``food'' to mean food as defined in 
section 201(f) of the FD&C Act and include raw materials and 
ingredients.
    (Comment 42) Some comments urged us to clarify that the definition 
of food does not include food contact substances as defined in section 
409(h)(6) of the FD&C Act (21 U.S.C. 348(h)(6)). One comment recommends 
FDA amend the definition of food to exempt EPA registered 
antimicrobials/pesticides and food contact substances which have no 
ongoing intended technical effect in the final finished food.
    (Response 42) This rule only applies to facilities required to 
register with FDA. The registration rule does not include food contact 
substances and pesticides (21 CFR 1.227(a)(4)(i)). No change to the 
definition of food in this rule is necessary.
5. Food Defense
    We proposed to define the term ``food defense'' to mean the effort 
to protect food from intentional acts of adulteration where there is an 
intent to cause public health harm and economic disruption.
    (Comment 43) One comment states that references to ``terrorism'' in 
the preamble to the proposed rule were unnecessarily limiting and 
confusing and recommends that instead of attempting to narrow the scope 
of intentional adulteration to ``terrorism,'' FDA should use the 
definition of ``food defense'' to explain and further clarify the focus 
of activities covered by the rule.
    (Response 43) We agree with this comment and have modified the 
definition of ``food defense'' in the final rule as follows: ``Food 
defense means, for purposes of this part, the effort to protect food 
from intentional acts of adulteration where there is intent to cause 
wide scale public health harm.'' As discussed in the preamble to the 
proposed rule, although we referred to the protection of the food 
supply from ``acts of terrorism'' throughout the proposed rule, we 
expect our approach would generally address acts intended to cause wide 
scale public health harm, whether committed by terrorists, terrorist 
organizations, individuals or groups of individuals. The purpose of 
this rule is to protect the food supply against individuals or 
organizations with the intent to cause wide scale public health harm. 
Further, although economic disruption is likely to occur in any such 
instance of wide scale public health harm, because the focus of the 
rule is not the protection against economic disruption we have removed 
that language from the definition of ``food defense'' for purposes of 
this rule. In addition, as discussed in section III.G.2, economically 
motivated adulteration is not addressed in this final rule.
    (Comment 44) One comment states that the proposed rule defines 
``food defense'' within the scope of the rule and requests that FDA 
establish a generalized definition of ``food defense'' that can be 
adopted for the purposes of all FDA activities and subsequently the 
scope of this rule can then be further elaborated. The comment proposes 
the following definition of food defense: ``Actions and activities 
related to prevention, protection, mitigation, response, and recovery 
of the food system from intentional acts of adulteration. This includes 
intentional adulteration from both terrorism and criminal activities. 
Criminal activities include economically motivated adulteration, as 
well as acts by disgruntled employees, consumers, or competitors 
intending to cause public health harm or business disruption.''
    (Response 44) We decline this request. The purpose of Sec.  121.3 
(Definitions) is to define terminology that is used within the 
regulatory text of the rule. Therefore, the definitions of terms need 
to be within the context and scope of the rule, rather than a 
definition to be used by FDA or industry activities not related to the 
rule in particular.
6. Monitor
    We proposed to define the term ``monitor'' to mean to conduct a 
planned sequence of observations or measurements to assess whether 
focused mitigation strategies are consistently applied and to produce 
an accurate record for use in verification.
    (Comment 45) Some comments assert that food safety and food defense 
require different terminology and suggest referring to the activities 
as ``checking'' instead of ``monitoring.'' These comments go on to 
suggest that the definition of checking should be ``to observe or 
otherwise assess whether mitigation strategies or measures are in place 
and fully implemented.'' The comments also state that ``a planned 
sequence of observations and measurements'' may not be appropriate for 
all or any mitigation strategies, and question what kind of 
measurements of a mitigation strategy a facility would take.
    (Response 45) We agree that using completely different terminology 
is appropriate when components of a food safety and food defense HACCP-
type system differ in important, specific ways. As noted in the 
Regulatory Approach discussion in section III.A, food safety uses the 
term ``hazard analysis'' to identify hazards, while food defense uses 
the term ``vulnerability assessment'' to identify significant 
vulnerabilities. These terms are completely different because they 
represent key disciplinary differences which require different 
methodological considerations related to whether the adulteration is 
intentional. A hazard analysis has very different considerations than a 
vulnerability assessment.
    However, we disagree that completely different terminology is 
appropriate for a term that describes the performance of similar 
activities for both food safety and food defense. Monitoring is 
conducted to perform a similar function and in similar ways in both a 
food defense and a food safety framework. In both contexts monitoring 
is conducted to assess whether control measures are operating as 
intended, and in accordance with the food safety or food defense plan. 
However, constant monitoring of some preventive controls is necessary 
(e.g., time-temperature monitoring for pasteurization), while periodic 
monitoring is likely to be more appropriate for many mitigation 
strategies (e.g., checking the lock on an access hatch to a liquid 
storage tank at the end of the tank cleaning cycle). Therefore, to 
recognize that the management components for food safety and food 
defense perform similar activities, but also include some differences, 
we are changing the term to ``food defense monitoring'' to make clear 
that the expectations for compliance are different. In additional 
recognition that the management components for food safety and food 
defense perform similar activities, we are finalizing the definition of 
food defense monitoring to mean to conduct a planned sequence of 
observations or measurements to assess whether mitigation strategies 
are operating as intended. This definition is similar to the definition 
of monitoring in the PCHF final rule.
    As we have concluded that, in some instances, similar terminology 
is appropriate for activities that are conducted to perform similar 
functions for food safety and food defense, incorporation of elements 
from definitions of internationally recognized standards (e.g., Codex) 
is appropriate for this rule. A ``planned sequence'' is included in the 
definition because it is important to thoughtfully and systematically 
assess whether mitigation

[[Page 34188]]

strategies are operating as intended, and the inclusion of ``a planned 
sequence'' in the definition conveys this importance. For example, a 
facility may establish and implement written monitoring procedures to 
include a planned sequence of observations to monitor a lock on an 
access hatch to occur at the end of every silo cleaning cycle, when 
there is potential to add a contaminant because the access hatch can be 
opened without the contents of the silo spilling out. Without planning 
the sequence of observations of this mitigation strategy, monitoring 
the strategy may occur in the middle of the cleaning cycle when the 
access hatch must be open to complete the cleaning process, and would 
therefore not be able to assess if the mitigation strategy was 
functioning as intended (i.e., properly locking the access hatch at the 
end of the cleaning cycle). Additionally, we include the term 
``measurements'' not only to align more closely with definitions from 
international standards, but also to reflect a facility's flexibility 
to choose the most appropriate mitigation strategy and how to monitor 
that strategy. In many cases, a facility will observe that a mitigation 
strategy is functioning as intended; however, there are some cases 
where a facility may measure whether a strategy is functioning as 
intended. For example, a facility may choose to implement a mitigation 
strategy that is a thermal-kill step. It would then be necessary for 
the facility to take measurements of the time and temperature to ensure 
the thermal-kill step is functioning as intended. Additionally, we have 
deleted ``consistently applied'' in the proposed definition and added 
``operating as intended'' as this more closely aligns with ISO 
22000:2005 and with a similar change made in the PCHF final rule. 
Finally, we have removed ``and to produce an accurate record for use in 
verification'' from the proposed definition because the requirement for 
documenting monitoring records is established by the requirement for 
monitoring, and not by the definition of monitor. As discussed in 
Response 89, we have made several revisions to the regulatory text, 
with associated editorial changes, to clarify that monitoring records 
may not always be necessary.
7. Significant Vulnerability
    We proposed to define the term ``significant vulnerability'' to 
mean a vulnerability for which a prudent person knowledgeable about 
food defense would employ food defense measures because of the 
potential for serious adverse health consequences or death and the 
degree of accessibility to that point in the food process.
    Although we did not receive comments on the proposed definition for 
significant vulnerability, we have revised the definition to improve 
understanding of the regulatory requirements in Sec.  121.130 
(Vulnerability assessment to identify significant vulnerabilities and 
actionable process steps). In this final rule, significant 
vulnerability is defined to mean a vulnerability that, if exploited, 
could reasonably be expected to cause wide scale public health harm. A 
significant vulnerability is identified by a vulnerability assessment, 
conducted by a qualified individual, that includes consideration of the 
following: (1) Potential public health impact (e.g., severity and 
scale) if a contaminant were added, (2) degree of physical access to 
the product, and (3) ability of an attacker to successfully contaminate 
the product. The assessment must consider the possibility of an inside 
attacker. For further discussion of the related changes made to the 
requirement in Sec.  121.130 for a vulnerability assessment to identify 
significant vulnerabilities and actionable process steps, see section 
V.B.
8. Significantly Minimize
    We proposed to define the term ``significantly minimize'' to mean 
to reduce to an acceptable level, including to eliminate.
    We did not receive comments on the proposed definition for 
significantly minimize and we are finalizing the definition as 
proposed.
9. Small Business
    We proposed to define the term ``small business'' to mean a 
business employing fewer than 500 persons. We proposed to establish the 
same definition for small businesses as that which has been established 
by the U.S. Small Business Administration under 13 CFR part 121 for 
most food manufacturers. We did not receive any comments on this 
definition. We are finalizing the definition as proposed, with several 
changes for clarity. We are using the term ``500 full-time equivalent 
employees'' rather than ``500 persons.'' In addition, we are adding a 
definition of ``full-time equivalent employee'' to the definition 
section (Sec.  121.3). We have made these changes because we will base 
the calculation on ``full-time equivalent employees'' and use the same 
approach to calculating full-time equivalent employees for the purpose 
of this rule as we used to calculate full-time equivalent employees in 
the section 414 recordkeeping regulations (see Sec.  1.328). Under this 
approach, the number of full-time equivalent employees is determined by 
dividing the total number of hours of salary or wages paid directly to 
employees of the business entity claiming the exemption and of all of 
its affiliates and subsidiaries by the number of hours of work in 1 
year, 2,080 hours (i.e., 40 hours x 52 weeks).
    In addition, we are adding ``including any subsidiaries and 
affiliates'' to the definition to provide clarity on how to calculate 
``500 full-time equivalent employees'' for purposes of this rule.
10. Verification
    We proposed to define the term ``verification'' to mean those 
activities, other than monitoring, that establish that the system is 
operating according to the food defense plan.
    (Comment 46) One comment suggests ``verification'' be defined as 
``the application of methods, procedures, tests and other evaluations, 
in addition to monitoring, to determine whether a focused mitigation 
strategy is or has been operating as intended.''
    (Response 46) We have revised the definition of food defense 
verification to more closely align with the Codex definition of 
verification. The term is now defined as the application of methods, 
procedures, and other evaluations, in addition to food defense 
monitoring, to determine whether a mitigation strategy or combination 
of mitigation strategies is or has been operating as intended according 
to the food defense plan. ``Methods, procedures, and other 
evaluations'' better describes the scope of verification than 
``activities'' used in the proposal. Although the Codex definition 
includes ``test'' as a form of verification, we have not included it 
because the rule does not require verification testing. We believe 
changing ``that establish the system is operating'' to ``to determine 
whether a mitigation strategy is or has been operating'' more 
accurately describes the purpose of food defense verification. We have 
added ``a combination of mitigation strategies'' to recognize that 
facilities may use more than one mitigation strategy to significantly 
minimize or prevent a significant vulnerability. The definition 
proposed by the comment limits verification to mitigation strategies; 
it does not require verification of the food defense plan. Verification 
of the food defense plan reflects the fact that verification is broader 
than just mitigation strategies; it includes, for example, verification 
of food defense monitoring and corrective actions.

[[Page 34189]]

    (Comment 47) Some comments suggest using the term ``evaluation'' 
instead of verification. These comments suggest that evaluation be 
defined as ``those activities, in addition to checking, that establish 
that the facility is implementing a food defense plan.''
    (Response 47) We deny this request. As discussed in response to 
Comment 46, we have revised the definition of food defense verification 
to include ``evaluation'' because evaluation is an appropriate 
verification activity. However, we disagree that completely different 
terminology (in this case, ``evaluation'' rather than ``verification'') 
is appropriate for a term that describes the performance of similar 
activities for both food safety and food defense (see Responses 45 and 
46). Verification is conducted to perform a similar function and in 
similar ways in both a food defense and a food safety framework. In 
both frameworks verification is conducted to determine whether control 
measures are operating as intended according to the food safety or food 
defense plan, and these verification activities are in addition to 
monitoring. At the same time, by using the term ``food defense 
verification,'' we make clear that verification as required by this 
rule is not identical to verification required in the preventive 
controls context.
11. Very Small Business
    We proposed to define the term ``very small business'' to mean a 
business that has less than $10,000,000 in total annual sales for food, 
adjusted for inflation. In the preamble of the proposed rule we 
explained our rationale for defining ``very small businesses'' at the 
$10,000,000 threshold because the purpose of this rule is to protect 
the food supply against individuals or organizations with the intent to 
cause wide scale public health harm. We tentatively conclude these 
individuals or groups would likely target the product of relatively 
large facilities, especially firms whose brand is nationally or 
internationally recognizable. Some comments agree with our proposed 
definition while others disagree. Among the comments that disagree with 
the definition, some state that the $10,000,000 amount is too high or 
too low, and several comments suggest alternatives to using dollar 
amount as the threshold. We further discuss these comments and our 
response to them in this document.
    Some comments submitted to the PCHF proposed rule request that we 
specify that the monetary threshold for the definition be based on 
average sales during a 3-year period on a rolling basis because 
otherwise firms may be subject to significant changes in status from 
year to year. Those comments also ask us to clarify that the sales are 
to be evaluated retrospectively, not prospectively. Although we did not 
receive similar comments to this rule, in an effort to be consistent 
with the PCHF final rule, we have revised the definition of very small 
business to specify that it is based on average sales during the 3-year 
period preceding the applicable calendar year. The applicable calendar 
year is the year after the 3 calendar years used to determine whether a 
facility is a very small business.
    We also revised the definition to include the market value of human 
food manufactured, processed, packed, or held without sale (e.g., held 
for a fee). When there are no sales of human food, market value of the 
human food manufactured, processed, packed, or held without sale is a 
reasonable approach to calculating the dollar threshold for a very 
small business.
    (Comment 48) One comment requests that FDA change the definition of 
``very small business'' to only apply to $10,000,000 in annual sales of 
food that is covered under the rule, and not to total annual food 
sales. The comment asserts that basing the threshold on the sale of 
food covered by the intentional adulteration rule, rather than all 
food, would be necessary to be consistent with the fact that covered 
produce is regulated under the produce rule. Specifically, the comment 
requests that we exclude the sale of animal foods from the calculation 
of annual food sales because this rule exempts the manufacturing, 
processing, packing, or holding of animal foods. The comment further 
argues that this approach is consistent with the statutory mandate that 
FDA regulations be flexible in scale and supply chain appropriate and 
provide special considerations for small and very small businesses.
    (Response 48) We have revised the definition of very small 
businesses to include only the sale of human food plus the market value 
of human food manufactured, processed, packed, or held without sale 
(e.g., held for a fee). Under this revised definition, firms that 
process both human and animal foods will not be required to include 
sale of animal food in their calculation to determine whether they fall 
under the $10,000,000 threshold.
    (Comment 49) Several comments expressed confusion with the varying 
business size thresholds across the seven FSMA rules and stated that it 
will be a significant challenge for the food industry to interpret and 
decide which rules under FSMA they are required to comply with if the 
definitions of the size of business are not consistent throughout all 
FSMA rules. Some comments encourage us to establish a tiered system 
that clearly outlines coverage under all FSMA rules by business size, 
while others request that we provide clear guidance to assist firms, 
especially small and very small businesses, to identify which of the 
seven FSMA rules are applicable to them.
    (Response 49) We recognize that the varying business size 
thresholds across the FSMA rules may be cause for confusion. However, 
each of the rules differs in scope and intent, which compels us to 
establish requirements and exemptions that are specific to and 
appropriate for each rule. To help small and very small businesses 
comply with each rule, we plan to issue Small Entity Compliance Guides.
    (Comment 50) One comment objected to exempting any facilities from 
the rule, arguing that this would give terrorists a ``road map'' to 
those facilities not covered and make them targets for intentional 
adulteration. The comment recommends that FDA remove the exemptions for 
very small businesses and qualified facilities completely.
    (Response 50) We disagree with this comment. Section 418(l)(2) of 
the FD&C Act specifies that qualified facilities, which include very 
small businesses, are not subject to the requirements in sections 
418(a) through (i) and (n). We note that section 418(l)(2) requires 
qualified facilities to submit one of two types of documentation to the 
Secretary. The PCHF and PCAF rules have requirements reflecting this 
provision but this rule does not. Section 418(l)(2)(B)(i)(I) requires 
documentation that demonstrates that the facility has identified 
potential hazards and is implementing and monitoring the preventive 
controls. We have concluded that very small businesses are at reduced 
risk and therefore do not have significant vulnerabilities that require 
mitigation strategies. Therefore, there is nothing for very small 
businesses to document under this option. In contrast, a human or 
animal food facility is not at lesser risk of a food safety problem 
solely because it is relatively small. Section 418(l)(i)(II) is 
similarly inapplicable for several reasons. That section requires 
documentation that a facility is in compliance with State, local, 
county, or other applicable non-Federal food safety law. First, food 
safety is traditionally viewed as separate from food defense. Second, 
no States currently require food defense

[[Page 34190]]

measures, and States are unlikely to impose measures different from 
those in this rule. Therefore, compliance with ``food safety law'' as 
described in the provision would be irrelevant. In contrast, all States 
have food safety laws. Further, regulations issued under section 420 of 
the FD&C Act are to apply to food for which there is a high risk of 
intentional contamination (section 420(c)). Individuals or groups 
intending to cause wide scale public health harm are more likely to 
target the product of relatively large facilities, especially for 
facilities whose brands are nationally or internationally recognizable, 
than to target very small businesses. Covering all facilities would be 
inconsistent with the statutory requirement to limit coverage to foods 
at high risk. The $10,000,000 threshold for very small businesses still 
covers 97-98 percent of the market share of manufactured packaged foods 
(Ref. 14). In addition, section 420(a)(1)(B) of the FD&C Act directs 
FDA to consider the risks, costs, and benefits associated with 
protecting food against intentional adulteration. Imposing the full 
requirements of the rule on all facilities, regardless of size, would 
almost triple the current cost of the rule while only covering an 
additional 2-3 percent of the market share of manufactured foods.
    (Comment 51) One comment recommends we apply the lower dollar 
amount used to define ``very small businesses'' in the PCHF proposed 
rule. Another comment recommends that the threshold be lowered to 
$3,000,000 because smaller companies are less likely to implement food 
defense measures unless mandated.
    (Response 51) The higher threshold for very small businesses in 
this rule as compared to the PCHF rule reflects the difference in the 
nature of risk of intentional adulteration as compared to unintentional 
adulteration (i.e., traditional food safety). This rule protects food 
against intentional adulteration caused by individuals or organizations 
whose goal is to maximize public health harm. An attacker would more 
likely target the product of relatively large facilities, especially 
firms whose brand is nationally or internationally recognizable. An 
attack on such a target would potentially provide the desired wide 
scale public health consequences and the significant public attention 
that would accompany an attack on a recognizable brand. Such facilities 
are likely to have larger batch sizes, potentially resulting in greater 
human morbidity and mortality. Further, an attack on a well-recognized, 
trusted brand is likely to result in greater loss of consumer 
confidence in the food supply and in the government's ability to ensure 
its safety and, consequently, cause greater economic disruption than a 
relatively unknown brand that is distributed regionally.
    (Comment 52) Several comments argue that the $10,000,000 threshold 
is too high, is arbitrary and not risk-based, and excludes many 
suppliers and co-manufacturers to large food companies. The comments 
state that suppliers who provide ingredients to larger firms would not 
be covered under the rule and therefore would pose a significant 
vulnerability to these large, nationally branded food manufacturers 
that have large consumer exposure. They argue that this high threshold 
creates a major hole in the industry that may be exploited, and they 
point out that we identified ``ingredient handling'' as a key activity 
type having significant vulnerabilities and therefore all ingredient 
manufacturers need to be covered.
    (Response 52) The full name of the key activity type referenced is 
``secondary ingredient handling.'' Secondary ingredient handling refers 
to activity occurring in the production facility where the ingredient 
is being added; it does not refer to a facility's ingredient supply 
chain. The potential for incoming ingredients to be intentionally 
adulterated is addressed by the rule's applicability to ingredient 
suppliers. As with finished food, not all ingredient suppliers are 
covered. The rule focuses on those foods at highest risk of intentional 
adulteration; it does not eliminate all risk.
    (Comment 53) Several comments argue that the $10,000,000 threshold 
is too low and recommend that we increase it to $50,000,000 or 
$1,000,000,000 in annual sales. One comment states that for an 
intentional adulteration event to happen, the brand or food must be one 
that a terrorist or a similarly ill-intentioned person is likely to 
target, which would encompass only the largest and most well-known food 
brands. The comment goes on to argue that, ``the top roughly 250 food 
brands in the Western world are owned by only a handful of companies 
having annual human food revenues from tens of billions of dollars to 
over 100 billion dollars,'' and therefore, if we are focusing the rule 
on those at ``high risk,'' as specified under section 420 of the FD&C 
Act, then there is little benefit to be gained by imposing the 
requirements of this rule on hundreds of thousands of companies whose 
products are not likely to be targeted. The comment points out that 
because we are ``unable to identify any previous act of intentional 
adulteration intended to cause public health harm that was perpetrated 
in a setting that would be covered by this rule (i.e., all such 
previous attacks have involved restaurant or donated food), it would 
appear that the risk of any such attack occurring is overall quite low, 
and that only the most attractive targets can conceivably be considered 
``high'' risk.''
    (Response 53) We decline this request. Although we agree that those 
intending to cause wide scale public health harm would more likely 
target the larger well known food brands, we disagree that there is 
little benefit to be gained by imposing the requirements of this rule 
on companies under a $50,000,000 or $1,000,000,000 threshold. To 
identify which facilities to cover under this rule, we assessed risk 
based on both the likelihood of being a target and the potential impact 
to public health. If we were to increase the threshold for a very small 
business to $50,000,000 or $1,000,000,000, a large number of facilities 
producing large quantities of food, including some well-known brands, 
would not be covered.
    (Comment 54) Several comments state that using annual sales is not 
indicative of risk and offer alternative ways to define which 
facilities are covered under the rule. The comments argue that annual 
sales do not determine the potential consumer exposure as it relates to 
preventing wide scale public health harm because more expensive 
products could have higher annual sales but lower consumer exposure. 
The comments point out that a manufacturer of a premium chocolate bar 
would sell fewer chocolate bars than a commodity chocolate manufacturer 
with sales of the same dollar amount. Some comments suggest 
alternatives to using annual sales, including units of a product sold 
(e.g., 100,000 retail units), number of servings, volume manufactured, 
and distribution patterns of the product. Other comments recommend 
using the shelf life of products or the shelf stableness of product as 
alternatives.
    (Response 54) We use sales and the market value of food 
manufactured, processed, packed, or held without sale as a proxy for 
volume. We are aware that dollar amounts can be skewed by product 
values and, thus, sales are an imperfect proxy for volume. However, we 
are not aware of a more practical way to identify a threshold based on 
volume or amount of product that could be applied across all product 
sectors, and the comments provide no suggestions for how their 
recommendations could be carried out.
    Shelf life and shelf stability are not necessarily good indicators 
of the speed at which a particular product moves

[[Page 34191]]

through the distribution system because many products are sold and 
consumed months, and even years, before their shelf life expires. The 
risk of a product for intentional adulteration does not increase based 
solely on a short shelf life. Similarly, a product that has a longer 
shelf life is not necessarily at lower risk for intentional 
adulteration; it could be an attractive target based on the potential 
to cause wide scale public health harm.
    (Comment 55) One comment suggests that we base the very small 
business definition on the number of full-time employees, similar to 
how we define ``small business.'' The comment recommends that we define 
``very small business'' at 50 full-time employees.
    (Response 55) We deny this request. The purpose of the definition 
of ``very small business'' is to exempt the smallest businesses from 
the requirements of the rule because they are less likely to be 
targeted by individuals or organizations intending to cause wide scale 
public health harm. The consideration of sales is consistent with the 
other option for being a qualified facility under section 418 of the 
FD&C Act, which also considers sales (section 418(l)(1)(C)). (As 
discussed in IV.E.1 of this rule, we have removed the term ``qualified 
facility'' from the exemption provided in Sec.  121.5(a) for simplicity 
because any facility that would be a ``qualified facility'' as proposed 
in Sec.  121.5(a) will also meet the definition for a ``very small 
business.'')
    In contrast, section 418(l) of the FD&C Act does not specify any 
particular criterion (whether sales or number of employees) for the 
definition of ``small business,'' other than directing us to consider 
the results of the Food Processing Sector Study. Basing the definition 
of ``small business'' on the number of employees is consistent with our 
approach to defining ``small business'' in many other regulations (see, 
e.g., the PCHF final rule, Produce final rule, HACCP regulation for 
juice (Sec.  120.1(b)(1)), the section 414 recordkeeping regulations 
(69 FR 71562, December 9, 2004), and our CGMP regulation for 
manufacturing, packaging, labeling, or holding operations for dietary 
supplements (72 FR 34752, June 25, 2007)).
    (Comment 56) Some comments request that we change the definition of 
``very small business'' to only include the total annual sales of food 
in the United States, adjusted for inflation, for foreign facilities 
that export food to the United States.
    (Response 56) A foreign business that sells more than the threshold 
dollar amount of food has more resources than the businesses being 
excluded, even if less than that threshold dollar amount reflects sales 
to the United States. Likewise, a domestic business that sells more 
than the threshold dollar amount of food has more resources than the 
businesses being excluded, even if that domestic business exports some 
of its food and, as a result, less than that threshold dollar amount 
reflects sales within the United States. Further, this is consistent 
with the PCHF final rule.
12. Vulnerability
    We proposed to define the term ``vulnerability'' to mean the 
susceptibility of a point, step, or procedure in a facility's food 
process to intentional adulteration.
    We did not receive comments on the proposed definition of 
vulnerability and we are finalizing the definition as proposed.

C. Additional Definitions To Clarify Terms Not Defined in the Proposed 
Rule

1. Adequate
    We have defined the term ``adequate'' to mean that which is needed 
to accomplish the intended purpose in keeping with good public health 
practices. See section V.E for a detailed discussion of the changes to 
the requirement for food defense monitoring in Sec.  121.140, including 
the requirement to monitor the mitigation strategies with ``adequate'' 
frequency to provide assurances that they are consistently performed.
2. Affiliate and Subsidiary
    We have defined the term ``affiliate'' to mean any facility that 
controls, is controlled by, or is under common control with another 
facility. We have defined the term ``subsidiary'' to mean any company 
which is owned or controlled directly or indirectly by another company. 
These definitions incorporate the definitions in sections 418(l)(4)(A) 
and (D) of the FD&C Act and would make the meanings of these terms 
clear when used in the definition of ``very small business.''
3. Full-Time Equivalent Employee
    We have established a definition for ``full-time equivalent 
employee'' as a term used to represent the number of employees of a 
business entity for the purpose of determining whether the business 
qualifies as a small business. The number of full-time equivalent 
employees is determined by dividing the total number of hours of salary 
or wages paid directly to employees of the business entity and of all 
of its affiliates by the number of hours of work in 1 year, 2,080 hours 
(i.e., 40 hours x 52 weeks). If the result is not a whole number, round 
down to the next lowest whole number. Because the calculation for the 
number of employees affects the small business definition and extended 
compliance dates, we are establishing the definition of ``full-time 
equivalent employees'' in the definitions for this rule and modifying 
the definition of ``small business'' to use the term ``500 full-time 
equivalent employees'' rather than ``500 persons.''
4. Qualified Individual
    In this final rule, we have defined the term ``qualified 
individual'' to mean a person who has the education, training, or 
experience (or a combination thereof) necessary to perform an activity 
required under subpart C, as appropriate to the individual's assigned 
duties. A qualified individual may be, but is not required to be, an 
employee of the establishment. See section V.H. for a detailed 
discussion of the new requirements in Sec.  121.4--Qualifications of 
Individuals Who Perform Activities Under Subpart C.
5. You
    In this final rule, we have defined the term ``you'' for purposes 
of this part, to mean the owner, operator, or agent in charge of a 
facility. We have made conforming changes throughout the regulatory 
text to replace ``owner, operator, or agent in charge'' with ``you'' 
for simplicity and consistency with the PCHF and PCAF regulations.

D. Comments Asking FDA To Establish Additional Definitions or Otherwise 
Clarify Terms Not Defined in the Rule

1. Correction
    (Comment 57) Some comments that request the addition of corrections 
to the requirement related to corrective actions request we define 
``correction'' to mean the action to eliminate a non-conformity.
    (Response 57) We decline this request. Because we are not providing 
for corrections and the term ``corrections'' is not in the regulatory 
text, there is no need to define the term.
2. Defensive Controls or Defensive Control Point
    (Comment 58) One comment requests that FDA consider adoption of 
food defense terminology that is complementary to food safety 
terminology used in the PCHF final rule, such as ``defensive controls'' 
or ``defense control point.''
    (Response 58) We decline the request to adopt the specific terms of 
``defense controls'' or ``defense control point.''

[[Page 34192]]

Although the comment did not further explain what terms ``defense 
controls'' or ``defense control point'' would replace, we believe 
``actionable process steps'' and ``mitigation strategies'' 
appropriately differentiate these terms, related to intentional 
adulteration, from analogous food safety terms used in the PCHF final 
rule.
3. Reasonably Foreseeable
    (Comment 59) Some comments state FDA should clearly define what 
constitutes a ``reasonably foreseeable'' threat as it relates to the 
risk of intentional adulteration.
    (Response 59) We decline this request. The term ``reasonably 
foreseeable'' is not used in the regulatory text of this rule.
4. Supply Chain
    (Comment 60) One comment requests that FDA define ``supply chain'' 
as it relates to food and provides a recommended definition to be 
included in the rule.
    (Response 60) We decline this request. The term ``supply chain'' is 
not used in the regulatory text of this rule.
5. Validation
    (Comment 61) One comment suggests we define ``validation'' as 
obtaining evidence that a control measure or combination of control 
measures, if properly implemented, is capable of controlling the hazard 
to a specified outcome.
    (Response 61) We decline this request. The term ``validation'' is 
not used in the regulatory text of this rule.
6. Miscellaneous
    (Comment 62) One comment requests that FDA define certain terms or 
phrases that are used in some definitions and that the comment suggests 
will have a wide range of interpretations. The comment cites 
``acceptable level'' (used in the definitions of ``actionable process 
step'' and ``significantly minimize''), ``reasonably appropriate 
measures'' and ``person knowledgeable about food defense'' (both used 
in the definition of ``focused mitigation strategies''), and ``prudent 
person knowledgeable about food defense'' (used in the definition of 
``significant vulnerability'').
    (Response 62) The terms ``acceptable level'' and ``reasonably 
appropriate measures'' are meant to be flexible standards. We do not 
need to define every term used in the definitions. By specifying that a 
point, step, or procedure in a food process at which food defense 
measures can be applied and are essential to prevent or eliminate a 
significant vulnerability or reduce such vulnerability to an acceptable 
level, the definition for actionable process step provides flexibility 
for a facility to determine what that level would be in a particular 
circumstance. We now use ``person knowledgeable about food defense'' 
without reference to ``prudent'' in the definitions of ``significant 
vulnerability'' and ``mitigation strategies.'' A person knowledgeable 
about food defense would meet the requirements of being a Qualified 
Individual (Sec.  121.4).

E. Proposed Sec.  121.5--Exemptions

    We proposed to establish a series of exemptions from the 
intentional adulteration requirements. We also sought comments on 
whether we should exempt on-farm manufacturing, processing, packing, or 
holding of the food identified as having low-risk production practices 
identified in Appendix 4 to the Draft Risk Assessment (further 
discussed in section I.C). We discuss these in the following sections.
1. Proposed Sec.  121.5(a)--Exemption Applicable to a Qualified 
Facility
    We proposed to exempt a qualified facility, except that qualified 
facilities must, upon request, provide for official review 
documentation that was relied upon to demonstrate that the facility 
meets this exemption. We also proposed that such documentation must be 
retained for 2 years. We proposed to define qualified facility, in 
part, as a facility that is (1) a very small business; or (2) a 
facility to which certain circumstances must apply.
    We have removed the exemption applicable to a qualified facility 
and replaced it with a very small business exemption. Revised Sec.  
121.5(a) provides that this part does not apply to a very small 
business, except that a very small business must, upon request, provide 
for official review documentation sufficient to show that the facility 
meets the exemption and that such documentation must be retained for 2 
years. We have removed the term ``qualified facility'' from the 
exemption provided in Sec.  121.5(a) to simplify the provision and 
provide clarity as to the applicability of the exemption. For purposes 
of this rule, any facility that would be a ``qualified facility'' as 
proposed in Sec.  121.5(a) will also meet the definition for a ``very 
small business.'' Further, section 418(l)(3) of the FD&C Act, which 
provides for withdrawal of an exemption from a ``qualified facility,'' 
is not relevant because we are also issuing these requirements under 
section 420 of the FD&C Act.
2. Proposed Sec.  121.5(b)--Exemption Applicable to Holding of Food
    We proposed to exempt holding of food, except the holding of food 
in liquid storage tanks. We received one comment that disagrees with 
the holding exemption, and have addressed the comment in Response 34. 
After considering this comment, we are finalizing the exemption as 
proposed.
3. Proposed Sec.  121.5(c)--Exemption Applicable To Packing, Re-
Packing, Labeling, or Re-Labeling of Food Where the Container That 
Directly Contacts the Food Remains Intact
    We proposed to exempt packing, re-packing, labeling, or re-labeling 
of food where the container that directly contacts the food remains 
intact. We did not receive comments on the proposed exemption and we 
are finalizing the exemption as proposed.
4. Proposed Sec.  121.5(d)--Exemption Applicable to Activities of a 
Facility That Are Subject to Section 419 of the FD&C Act
    We proposed to exempt activities of a facility that are subject to 
section 419 of the FD&C Act (Standards for Produce Safety). We did not 
receive comments on the proposed exemption and we are finalizing the 
exemption as proposed.
5. Proposed Sec.  121.5(e)--Exemption With Respect to Alcoholic 
Beverages
    Section 116 of FSMA (21 U.S.C. 2206) (Alcohol-Related Facilities) 
provides a rule of construction for certain facilities engaged in the 
manufacturing, processing, packing, or holding of alcoholic beverages 
and other food. In the proposed rule, we discussed our interpretation 
of section 116 of FSMA and requested comment on our interpretation. 
Based on our interpretation, we proposed that part 121 would not apply 
with respect to alcoholic beverages at facilities meeting two specified 
conditions (78 FR 78014 at 78037). We also proposed that part 121 would 
not apply with respect to food other than alcoholic beverages at 
facilities described in the exemption, provided such food is in 
prepackaged form that prevents direct human contact with the food and 
constitutes not more than 5 percent of the overall sales of the 
facility. No comments disagreed with the exemption of alcoholic 
beverages, but some comments requested changes or clarifications to the 
proposed activities covered in the exemption. After reviewing the 
comments, we are finalizing this exemption as proposed.
    (Comment 63) Two comments supported the exemption for alcoholic 
beverages and FDA's interpretation of

[[Page 34193]]

section 116 of FSMA, but one comment requests changing the language 
from just ``alcoholic beverages'' to ``manufacturing, processing, 
packing and holding of alcoholic beverages,'' stating that in reducing 
the words FDA may unintentionally limit the scope of the exemption to 
facilities holding finished beverage alcohol products.
    (Response 63) We agree with the comments that support the exemption 
as written. We do not believe it is necessary to list the activities in 
the codified as requested by one comment. Under section 415 of the FD&C 
Act a facility is required to register as a facility because it is 
engaged in manufacturing, processing, packing, or holding of one or 
more alcoholic beverages. Therefore, the language stating ``alcoholic 
beverages at a facility'' encompasses facilities engaged in the 
activities listed previously and the regulatory text in Sec.  121.5(e) 
clearly covers the intended exemption for the ``manufacturing, 
processing, packing and holding of alcoholic beverages.''
    (Comment 64) One comment supports the exemption for alcoholic 
beverages but requests that we further exempt craft breweries from 
drying and packaging requirements for disposal of spent grains as 
cattle feed to small farmers.
    (Response 64) The exemption established under the rule of 
construction in section 116 of FSMA applies to alcoholic beverages, not 
to any other food (see section 116(c) of FSMA (21 U.S.C. 2206(c))). The 
by-products described in this comment appear to be products that would 
be used in food for animals rather than in human food, and we exempt 
these foods in Sec.  121.5(f). Since this rule exempts both 
alcoholic beverages at a facility, provided certain conditions are met, 
and food for animals, we believe this comment misunderstands the 
exemptions.
6. Proposed Sec.  121.5(f)--Exemption Applicable To Manufacturing, 
Processing, Packing, or Holding of Food for Animals Other Than Man
    We proposed to exempt manufacturing, processing, packing, or 
holding of food for animals other than man. Section 418(m) of the FD&C 
Act authorizes FDA to exempt or modify the requirements for compliance 
with section 418 with regard to facilities that engage solely in the 
production of animal food. Further, section 420(c) of the FD&C Act 
requires that regulations that FDA issues under that section apply only 
to food for which there is a high risk of intentional contamination. 
FDA tentatively concluded in the proposed rule that animal food is not 
at a high risk for intentional contamination because our analysis shows 
that adulteration of animal food has minimal potential for human 
morbidity and mortality which would lead to wide scale public health 
harm. In considering whether to provide an exemption related to animal 
food, we evaluated three types of possible attack scenarios: (1) 
Incorporation of a contaminant into feed to be used for muscle meat-
producing animals; (2) incorporation of a contaminant into feed to be 
used for egg-producing or milk-producing animals; and (3) incorporation 
of a contaminant into pet food. With regard to the two former 
scenarios, we did not identify any contaminants that could be 
incorporated into feed at levels that would lead to human morbidity or 
mortality among consumers that subsequently eat the meat, eggs or milk 
without first showing noticeable clinical signs and/or mortality in the 
animals. While some contaminants can increase the risk of chronic 
disease, such as cancer, among consumers, such an outcome is not 
consistent with our understanding of the goals of terrorist 
organizations, which include a more immediate impact. Regarding the 
third attack scenario, adulterants could be incorporated into feed or 
pet food that result in significant animal morbidity and mortality as 
well as lead to secondary infections of humans through cross 
contamination, but this type of intentional adulteration of animal food 
poses a lower risk because secondary human illness or death is not the 
primary goal of an attacker with the intent to cause wide scale public 
health harm. As such, the proposed rule would not apply to the 
manufacturing, processing, packing, or holding of food for animals 
other than man. We requested comment on our tentative conclusions. Some 
comments agreed with our conclusions and support the exemption as 
proposed. One comment supported the exemption but requested a 
clarification of exempted activities. Some comments disagreed with our 
conclusions and assert that animal food is at high risk for intentional 
adulteration because it has been intentionally contaminated in the 
past. Some comments state that FDA should protect against intentional 
adulteration that leads to serious health consequences or death to 
humans or animals. After reviewing the comments, we are finalizing the 
exemption as proposed.
    (Comment 65) Some comments support our tentative conclusions and 
agree that animal food would not be at high risk for intentional 
contamination and lacks a significant potential for human morbidity and 
mortality. One comment supports the exemption but requests 
clarification that the exemption of animal feed includes the byproduct 
of manufactured human food regardless of the small business exemption.
    (Response 65) We conclude that animal food, regardless of whether 
it is produced at a facility solely engaged in the production of animal 
food or at a facility engaged in the production of both animal and 
human food, does not involve significant vulnerabilities that require 
mitigation strategies under section 418 of the FD&C Act, and is not 
high risk under section 420 of the FD&C Act. Therefore, we are not 
requiring a vulnerability assessment to determine that there are no 
actionable process steps present and no mitigation strategies needed. 
Regarding the requested clarification, the exemption applies to animal 
food regardless of whether a facility is part of a small business.
    (Comment 66) Some comments disagree with our conclusion that animal 
feed would not be at high risk for intentional contamination for 
several reasons. Some comments cite the 2007 incident of melamine in 
animal food that sickened and killed many animals as an example of 
previous intentional contamination suggesting that animal food is at 
high risk for intentional contamination. Some comments state that in 
section 420(c) of the FD&C Act the intent of Congress was for 
regulations to be issued that addressed hazards that would cause 
``serious health consequences or death to humans or animals.'' One 
comment asserts that pet food and human food supply chains are 
interconnected, and therefore should be covered by this rule. One 
comment believes that animal food comes into our homes as pet food and 
therefore can harm families via cross-contamination. One comment 
asserts that the risk of Foot and Mouth Disease has been the focus of 
many exercises and discussions with respect to intentional adulteration 
and asserts that terrorists have attacked livestock in the past.
    (Response 66) We disagree with these comments and continue to 
believe that animal food is not at high risk for intentional 
adulteration within the context of this rule. While we agree that some 
animal feed could be intentionally contaminated, our analysis shows 
only minimal potential for human morbidity and mortality as a result of 
an attack during, or associated with, animal food production. We 
analyzed both human and animal food using CARVER+Shock methodology. For 
human food, our analyses show the potential for

[[Page 34194]]

significant human morbidity and mortality should intentional 
adulteration occur at certain points in a food operation. In contrast, 
for animal food, our analysis shows only minimal potential for human 
morbidity or mortality as a result of attacks at points in an animal 
food operation.
    Significantly, our CARVER+Shock vulnerability assessments of animal 
food have had to focus entirely on economic consequences because of the 
lack of potential for human morbidity and mortality. As stated in the 
preamble to the proposed rule (78 FR 78014 at 78037), in considering 
whether to provide an exemption related to animal food, we evaluated 
three types of possible attack scenarios: (1) Incorporation of a 
contaminant into feed to be used for muscle meat-producing animals; (2) 
incorporation of a contaminant into feed to be used for egg-producing 
or milk-producing animals; and (3) incorporation of a contaminant into 
pet food. With regard to the two former scenarios, we are not aware of 
contaminants that could be incorporated into feed at levels that would 
not produce noticeable clinical signs and/or mortality in animals but 
would result in significant human morbidity or mortality among 
consumers that subsequently eat the meat, eggs or milk. While such 
contaminants can increase the long-term risk of chronic disease, such 
as cancer, among consumers, such an outcome is not consistent with our 
understanding of the more-immediate goals of individuals or groups 
intending to cause wide scale public health harm.
    Regarding the third attack scenario, incorporation of a contaminant 
into pet food, we are aware of contaminants that could be incorporated 
into feed or pet food that could result in significant animal 
(including pet) morbidity and mortality, including some which could 
result in secondary infectious spread of disease (because some 
infectious agents can be transmitted orally as well as through 
aerosol). Such attacks could be significant from an economic and 
societal standpoint. However, the risk that they pose with regard to 
targeting by individuals or groups intending to cause wide scale public 
health harm appears to be significantly lower than those involving 
human morbidity and mortality.
    Foot and mouth disease, mentioned in one comment, can lead to 
animal death and economic consequences, but does not affect human 
morbidity or mortality. Because foot and mouth disease would not cause 
wide scale public health harm, it does not change our conclusion that 
animal food is a less attractive target than human food, when the 
intent of the adulteration is to cause wide scale public health harm 
for humans. The event in 2007 involving contamination of wheat flour 
and wheat gluten with melamine that resulted in pet illnesses and 
deaths did not affect human health and was motivated by economic gain. 
That form of intentional adulteration (i.e., economically motivated 
adulteration) is addressed by the PCHF and PCAF final rules.
7. Exemption for Low-Risk Activities at Farm Mixed-Type Facilities
    As discussed in section I.D, we issued for public comment an 
``Appendix to Draft Qualitative Risk Assessment of Risk of Activity/
Food Combinations for Activities (Outside the Farm Definition) 
Conducted in a Facility Co-Located on a Farm'' (the draft RA Appendix) 
(78 FR 78064, December 24, 2013). The draft RA Appendix was conducted 
to provide a science-based risk analysis to determine which foods' 
production processes would be considered low risk with respect to the 
risk of intentional adulteration. Based on the tentative conclusions of 
the draft RA Appendix, we asked for comment in the proposed rule on 
possible exemptions or modified requirements for this final rule. In 
the draft RA Appendix we tentatively concluded that the production 
processes for the following finished foods are low-risk: Eggs (in-
shell); fruits and vegetables other than pods, seeds for direct 
consumption, and hesperidia (fresh, intact); game meats (whole or cut, 
not ground or shredded, without secondary ingredients); peanuts and 
tree nuts (raw, in-shell); and sugarcane and sugar beets (fresh, 
intact). We sought comment on whether we should exempt on-farm 
manufacturing, processing, packing, or holding of the foods identified 
as having low-risk production practices when conducted by a small or 
very small business if such activities are the only activities 
conducted by the business that are subject to section 418 of the FD&C 
Act.
    (Comment 67) Several comments agree with the conclusions of the 
draft RA Appendix and state we should provide exemptions in the 
regulatory text for those on-farm manufacturing, processing, packing, 
or holding activities identified as having low-risk production 
practices when conducted by a small or very small business if such 
activities are the only activities conducted by the business subject to 
section 418 of the FD&C Act.
    (Response 67) We agree with these comments. In addition, we have 
conducted a reanalysis of the risk assessment and have identified some 
foods included in the draft RA Appendix as being out of scope of the 
final appendix because of the changes to the definition of ``farm'' 
made by the PCHF rule, including some foods determined to have low risk 
production practices in the draft appendix. Finished foods that are 
produced using only activities that fall within the farm definition 
(e.g., RACs such as fruits and vegetables, grains, and unpasteurized 
milk) are out of scope for the purposes of this final appendix because 
this evaluation focuses on the production processes used to produce a 
finished food and applies only to activities outside the farm 
definition performed by facilities co-located on farms. Accordingly, we 
have provided a new exemption in the regulatory text in Sec.  121.5(g) 
that exempts on-farm manufacturing, processing, packing, or holding of 
eggs (in-shell, other than RACs, e.g., pasteurized), and game meats 
(whole or cut, not ground or shredded, without secondary ingredients) 
when conducted by a small or very small business if such activities are 
the only activities conducted by the business subject to section 418 of 
the FD&C Act. This exemption is also appropriate under section 420 of 
the FD&C Act because such activities are not high risk under that 
provision.
    The draft RA considered fruits and vegetables other than pods, 
seeds for direct consumption, and hesperidia, and determined them to be 
low risk. Because these foods are produced using only activities that 
fall within the modified farm definition, these finished foods are now 
out of scope of the RA. Additionally, peanuts, tree nuts (raw, in 
shell), sugarcane, and sugar beets were also considered and determined 
to be low risk in the draft RA. These foods similarly are out of scope 
of the evaluation of risk because these foods are produced using only 
activities that fall within the modified farm definition. The finished 
foods mentioned in this paragraph, when produced on farms, are exempt 
under Sec.  121.5(d).

V. Subpart C: Comments on Food Defense Measures

A. Proposed Sec.  121.126--Requirement for a Food Defense Plan

    We proposed that the owner, operator, or agent in charge of a 
facility must prepare, or have prepared, and implement a written food 
defense plan which must include: (1) Written identification of 
actionable process steps; (2) written focused mitigation strategies; 
(3) written procedures for monitoring; (4) written corrective action

[[Page 34195]]

procedures; and (5) written verification procedures.
    Some comments agree with the requirements for a food defense plan 
as proposed. In general, comments support the proposed requirement that 
facilities develop and maintain food defense plans to protect food 
against intentional adulteration. In the following paragraphs, we 
discuss comments that disagree with, or suggest one or more changes to, 
the proposed requirements. After considering these comments, we are 
finalizing the provisions as proposed, with editorial and conforming 
changes as discussed in the other applicable sections of this document.
    (Comment 68) Some comments state that facilities should be allowed 
to develop food defense plans that are tailored to and best meet the 
needs and unique characteristics of the establishment. Other comments 
state that the requirements should be adequately broad and provide 
flexibility so that companies can build on their plans over time based 
on emerging threats and new mitigation strategies.
    (Response 68) We agree with these comments and recognize that there 
needs to be flexibility within the requirements for a facility to 
develop a food defense plan that meets its needs and unique 
characteristics. In the final rule we have added flexibility for 
management components (see Comment 88, Comment 92, Comment 93, and 
Comment 95 for a detailed discussion). Additionally, we agree that food 
defense plans should change over time based on emerging threats and 
identification of new mitigation strategies. The rule (Sec.  121.157) 
requires a reanalysis of the food defense plan as a whole or of the 
applicable portion of the plan when any of the following circumstances 
occur: a significant change made in the activities conducted at the 
facility creates a reasonable potential for a new vulnerability or a 
significant increase in a previously identified vulnerability; a 
facility becomes aware of new information about potential 
vulnerabilities; a mitigation strategy, a combination of mitigation 
strategies, or the food defense plan as a whole is not properly 
implemented; or whenever FDA requires reanalysis to respond to new 
vulnerabilities, credible threats to the food supply, or developments 
in scientific understanding. See section V.G.2 for more detailed 
discussion of the reanalysis section.
    (Comment 69) Some comments state that many food facilities have 
already voluntarily developed and implemented food defense plans. The 
comments express concern that FDA would require companies to completely 
overhaul their existing food defense plans that are already in place 
and working properly. These comments argue that existing food defense 
plans should be adequate to meet the requirements of this rule so long 
as they were thoughtfully developed.
    (Response 69) We recognize that some facilities have already 
voluntarily developed and implemented food defense plans. These 
facilities likely have a head start on compliance with this rule. To 
the extent a food defense plan satisfies elements of this rule, a 
facility has less to do to meet these requirements. Further, in the 
final rule we have specified that existing records do not need to be 
duplicated if they contain all of the required information and satisfy 
the requirements of part 121, subpart D (Sec.  121.330).
    (Comment 70) Some comments express concern that it is too premature 
to require that all foreign facilities prepare and implement a food 
defense plan.
    (Response 70) Not all foreign facilities have to prepare and 
implement a food defense plan. For example, foreign facilities that are 
not required to register are not subject to this rule. This includes a 
foreign facility, if food from such a facility undergoes further 
manufacturing/processing (including packaging) by another facility 
outside the United States (21 CFR 1.226(a)). In addition, the rule 
contains exemptions applicable to domestic and foreign facilities 
(Sec.  121.5). For example, very small businesses are only required to 
keep records documenting their status.

B. Proposed Sec.  121.130--Identification of Actionable Process Steps

    We proposed to require that the owner, operator, or agent in charge 
of a facility identify any actionable process steps by either 
conducting a facility-specific vulnerability assessment or by using the 
four key activity types we identified. Recognizing that various 
methodologies may exist to conduct a facility-specific vulnerability 
assessment, and not wishing to preclude the benefits of future science 
in this area, we did not propose to require a specific methodology for 
the facility-specific vulnerability assessment. Further, we proposed 
that regardless of the method chosen, the identification of actionable 
process steps and the assessment leading to that identification must be 
written.
    Some comments agree with the requirements as proposed. In the 
following paragraphs, we discuss comments that suggest one or more 
changes to, and/or disagree with the proposed requirements. After 
considering the comments, we have revised this section as follows: (1) 
Removing from the regulatory text the option to identify actionable 
process steps by utilizing the four FDA-identified key activity types, 
(2) adding to the regulatory text the factors that must be considered 
when conducting a vulnerability assessment, (3) adding to the 
regulatory text a requirement to explain why each process step was or 
was not identified as an actionable process step, (4) adding to the 
regulatory text a requirement that the vulnerability assessment must 
consider the possibility of an inside attacker, and (5) changing the 
title of this section to ``Vulnerability Assessment to Identify 
Significant Vulnerabilities and Actionable Process Steps.''
    (Comment 71) Some comments recommend removing from the regulatory 
text the option for facilities to use the key activity types as a 
method for identifying actionable process steps, and instead, requiring 
all facilities to conduct facility-specific vulnerability assessments. 
Some comments recommend continuing to provide the option to use key 
activity types but not specifically providing for it in the regulatory 
text. Under this approach, key activity types would be considered an 
``appropriate method'' for identifying actionable process steps with 
the specific key activity types identified in guidance. These comments 
express concern that identifying a particular methodology (i.e., key 
activity types) in the codified indicates there is one ``right'' way to 
conduct vulnerability assessments. Furthermore, some comments express 
concern that the key activity types may become the de facto standard 
for the regulatory inspection of actionable process steps, even if 
facilities conduct facility-specific vulnerability assessments. Some 
comments express concerns that including key activity types in the 
codified would result in mitigation strategies being required at key 
activity types regardless of the outcome of a facility-specific 
vulnerability assessment.
    (Response 71) The key activity types are based upon the results of 
over 50 vulnerability assessments which reflect the activities and 
associated vulnerabilities present in a wide array of manufacturing 
settings. The vulnerability assessments included consideration of the 
three elements now required by Sec.  121.130 to be evaluated in any 
vulnerability assessment: (1) The potential public health impact if a 
contaminant were added (e.g., severity and scale); (2) the degree of 
physical access to product; and (3) the ability of

[[Page 34196]]

an attacker to successfully contaminate the food. The four identified 
key activity types are processes, steps, or procedures that 
consistently ranked as the most vulnerable, regardless of the commodity 
being assessed, and reflect significant vulnerabilities to intentional 
adulteration caused by acts intended to cause wide scale public health 
harm. Therefore, using the key activity types is an appropriate method 
to conduct a vulnerability assessment. In addition, using key activity 
types has the benefit of allowing facilities with less technical 
expertise in conducting food defense vulnerability assessments to 
leverage their expertise in food processing to identify actionable 
process steps.
    However, in response to comments, we are no longer singling out key 
activity types in the regulatory text. Importantly, using key activity 
types remains as one appropriate vulnerability assessment method. We 
intend to place the key activity types in guidance, which will provide 
us with greater flexibility to update them in the future, if necessary. 
The final rule provides firms the flexibility to choose a vulnerability 
assessment methodology appropriate to their operations, provided that 
methodology includes the three fundamental elements required by Sec.  
121.130(a). We expect that some firms will use key activity types, and 
some firms will use other methods.
    (Comment 72) Some comments recommend that vulnerability assessments 
should consider the contribution of existing practices, procedures, and 
programs that may already function to reduce vulnerability.
    (Response 72) When conducting facility-specific vulnerability 
assessments, the role of existing measures (e.g., security practices, 
procedures, or programs) should be determined on a case-by-case basis. 
In general, existing measures that are applied to the process (e.g., 
locks, area access controls, peer or supervisory monitoring) and are 
not inherent characteristics of a particular process step, should be 
considered after the vulnerability assessment is completed and 
actionable process steps have been identified, and should not be 
considered during the identification of significant vulnerabilities. 
For example, when evaluating the vulnerability of a mixing tank, a 
facility would not conclude the tank does not represent a significant 
vulnerability because the mixing tank lid and sampling ports are 
routinely locked. Instead, the vulnerability of the mixing tank would 
be evaluated as if the existing measure (in this case the locks) were 
not in place. If, in the absence of properly implemented locks, the 
mixing tank would be significantly vulnerable, then the facility would 
identify the mixing tank as an actionable process step. The facility 
may then decide that the existing locks could serve as a mitigation 
strategy that reduces the significant vulnerability of the mixing tank 
and evaluate if any other mitigation strategies are necessary. The food 
defense plan would then capture the mixing tank step as an actionable 
process step and the locks as the mitigation strategy. As a mitigation 
strategy, the locks would be subject to mitigation strategy management 
components (i.e., food defense monitoring, corrective actions, and 
verification).
    There are some instances where it is appropriate to consider 
existing food defense measures before the vulnerability assessment is 
completed. For example, the owner of the same facility may assess a 
second mixing tank that is part of an entirely closed system, with no 
direct access points into the system, such that an individual 
attempting to access this mixing tank likely would cause a major 
disruption to the line, foiling any attempted intentional adulteration. 
Because this second mixing tank has specific closed properties designed 
into the system that are inherent characteristics of the mixing tank, 
it would be appropriate for the facility to consider these inherent 
characteristics in the vulnerability assessment. Based on this 
assessment, the facility may conclude that the inherent characteristics 
of this mixing tank, in this case its enclosed nature, render the 
product inaccessible at this step and, therefore, would not identify an 
actionable process step associated with this mixing tank (in which 
case, there would also be no requirement to implement a mitigation 
strategy at this step).
    Permanent equipment changes may reduce a significant vulnerability 
to such an extent that a processing step would no longer be considered 
an actionable process step. For example, a facility might identify a 
rotating air dryer as an actionable process step and in the supporting 
rationale discuss the high degree of accessibility at the point where 
product is fed from a pneumatic conveyor into the top of the dryer. The 
facility later installs a permanent, clear plastic shield affixed to, 
and extending from, the discharge of the pneumatic conveyor to the 
opening of the dryer. The clear plastic shield enables workers to 
supervise the product flow into the dryer while serving as an effective 
barrier to an attacker wishing to introduce a contaminant into the 
product at the dryer. This engineering improvement would significantly 
minimize or eliminate access to product in the dryer and thereby 
significantly minimize or prevent a significant vulnerability at this 
process step. The implementation of this engineering improvement would 
be detailed in the facility's food defense plan and, upon reanalysis, 
the facility may determine that this processing step is no longer an 
actionable process step.
    (Comment 73) Some comments recommend that vulnerability assessments 
should consider downstream processing steps, the volume of product, 
shelf life, marketplace turnover, and consumption patterns and that 
additional details regarding vulnerability assessments should be in the 
regulatory text. The comments did not provide specifics or 
recommendations regarding what additional details about vulnerability 
assessments should be included.
    (Response 73) As previously stated, we are not prescribing a 
specific methodology that facilities must use to conduct vulnerability 
assessments to identify actionable process steps. In the preamble to 
the proposed rule, we listed a number of elements to consider when 
conducting vulnerability assessments (78 FR 78014 at 78042) and did not 
require particular elements in the regulatory text. However, in light 
of comments requesting further vulnerability assessment details in the 
regulatory text, and the removal of key activity types as a separately 
identified option, we are specifying that three elements must be 
considered in any vulnerability assessment. These three elements are 
based on our extensive experience conducting vulnerability assessments 
and collaborating with stakeholders to refine vulnerability assessment 
methodology and are critical elements of an acceptable vulnerability 
assessment methodology. Specifically, we have revised Sec.  121.130 to 
require that for each processing step under evaluation, the facility 
must consider, at a minimum: (1) The potential public health impact if 
a contaminant were added (e.g., severity and scale); (2) the degree of 
physical access to product; and (3) the ability of an attacker to 
successfully contaminate the product.
    a. Element 1: The potential public health impact if a contaminant 
were added (e.g., severity and scale). This factor includes, for each 
processing step, consideration of the volume of product impacted, the 
number of at risk servings generated, and the number of potential 
exposures. As appropriate, and with sufficient scientific rigor, the 
facility may also consider other factors such as food velocity (i.e., 
the speed at which a

[[Page 34197]]

particular product moves through the distribution system); potential 
agents of concern; the infectious or lethal dose of agents of concern; 
and the morbidity/mortality rate if the intentional adulteration were 
successful. This element is required in the vulnerability assessment 
because it enables facilities to focus resources on processing steps 
with the highest degree of public health impact if the intentional 
adulteration were successful.
    We recognize that some facilities may not have the scientific 
knowledge to critically identify and evaluate individual agents of 
concern across their production process. The potential public health 
impact can also be determined through the consideration of the volume 
of food at risk should an act of intentional adulteration be successful 
at each process step. This approach would serve to extrapolate the 
potential public health impact without the scientifically rigorous 
examination of specific agents (e.g., consideration of infectious or 
lethal dose). For example, using this approach, a facility considering 
the potential public health impact of the intentional adulteration of 
its primary ingredient storage tank would consider the volume of food 
in the tank and the servings generated from this volume. If the 
facility has a 50,000 gallon primary ingredient liquid storage tank 
that would generate 800,000 one cup servings (50,000*16), the facility 
would consider all of these 800,000 servings as being at risk. Note 
that potential servings at risk is not limited to the amount of food 
being processed at an actionable process step. This is illustrated by a 
process step that applies a minor ingredient, such as a vitamin mixture 
applied over toasted cereal as it passes underneath spray nozzles. The 
facility's metering tank for application to the cereal is 10 gallons. 
However, these 10 gallons will be sprayed over 100,000 servings of 
cereal. The facility would conclude that 100,000 servings are at risk 
if the intentional adulteration were successful at this point.
    A number of other factors may also go into the calculations a 
facility uses to determine the potential public health impact. For 
example, if a facility has conducted market research and concludes that 
each distribution unit of 20 servings is typically consumed by four 
persons, the potential public health impact of that distribution unit 
could be considered four persons rather than 20.
    b. Element 2: The degree of physical access to product. This 
element includes consideration of, at a minimum, the ability of an 
attacker to conduct the attack at the particular processing step under 
evaluation; and the openness of the processing step to intentional 
adulteration, based on the presence of physical barriers such as gates, 
railings, doors, lids, seals, shields, and other barriers. This element 
is required in the vulnerability assessment because it enables 
facilities to prioritize how easy or difficult it is to access product 
at each processing step, based on the inherent characteristics of the 
physical environment surrounding the step.
    c. Element 3: The ability of an attacker to successfully 
contaminate the product. This element includes, for each processing 
step, consideration of, at a minimum, the ease of introducing an agent 
to the product; the ability for an agent to be uniformly mixed or 
evenly applied; and the ability of an attacker to work unobserved and 
have sufficient time to introduce the agent. As appropriate, and with 
sufficient scientific rigor, the facility may also consider: The amount 
of specific agent required; whether downstream dilution or 
concentration steps would affect the volume of agent required; whether 
downstream processing would or would not neutralize the agent(s) under 
evaluation; and the ability of the attacker to successfully introduce a 
sufficient volume of agent to the food without being detected or 
interdicted. This element is required in the vulnerability assessment 
because it enables facilities to understand whether the amount of agent 
required at each processing step is feasible and if subsequent 
processing steps would successfully remove an agent if present.
    Taken together, these three required vulnerability assessment 
elements provide facilities appropriate tools to adequately identify 
which vulnerabilities should be identified as significant 
vulnerabilities (i.e., those vulnerabilities that, if attacked, could 
reasonably be expected to cause wide scale public health harm). If the 
step under evaluation has significant vulnerabilities associated with 
it and requires the application of mitigation strategies to prevent or 
eliminate a significant vulnerability or reduce such vulnerability to 
an acceptable level, the step would be categorized as an actionable 
process step.
    By utilizing these three required elements when conducting a 
vulnerability assessment, regardless of the vulnerability assessment 
methodology utilized, facilities are provided with a systematic 
approach that enables them to move in a logical, step-wise manner to 
identify actionable process steps. First, a facility would develop a 
list or flow diagram of each point, step, or procedure in the food 
process under evaluation, recognizing that each processing step has 
some associated vulnerability (i.e., the susceptibility of a point, 
step, or procedure in a facility's food process to intentional 
adulteration). Second, the facility would identify which 
vulnerabilities are significant vulnerabilities (by using the three 
required elements), and third, the facility would identify actionable 
process steps where significant vulnerabilities are present. We intend 
to provide further guidance on conducting vulnerability assessments to 
satisfy these requirements.
    As noted previously, some comments suggested that vulnerability 
assessments should consider downstream processing steps, the volume of 
product, shelf life, marketplace turnover, and consumption patterns. We 
have found that shelf life is not necessarily a good indicator of the 
speed at which a particular product moves through the distribution 
system (i.e., food velocity), because many products are sold and 
consumed months, if not years, before their shelf life expires. 
Marketplace turnover and consumption patterns are captured within the 
concept of food velocity, which may be considered in a vulnerability 
assessment as a component of Element 1, detailed previously in this 
document. Likewise, the potential effect of downstream processing can 
be considered as a component of Element 3, detailed previously in this 
document.
    (Comment 74) One comment suggests adding laboratory professionals 
to the list of possible vulnerability assessment team members.
    (Response 74) The list of potential members of the vulnerability 
assessment team discussed in the preamble to the proposed rule is not 
exhaustive (78 FR 78014 at 78042). The original list included 
``personnel working in the areas of security, food safety/quality 
assurance or control, human resources, operations, maintenance, and 
other individuals deemed necessary to facilitate the formation of the 
vulnerability assessment.'' We agree that laboratory professionals can 
provide important contributions to the vulnerability assessment and can 
be included as potential team members.
    (Comment 75) A few comments seek clarification on what type of 
justification would be required in the instance where no significant 
vulnerabilities are identified through a vulnerability assessment.
    (Response 75) It has been our experience that most facilities will 
identify one or more significant vulnerabilities. For a facility to

[[Page 34198]]

conclude that it has no significant vulnerabilities and therefore no 
actionable process steps, the facility would need to determine that 
none of its production steps present a significant vulnerability for 
wide scale public health harm from intentional adulteration. In 
conducting its vulnerability assessment, the facility would need to 
consider at each step of its process: (1) The potential public health 
impact if a contaminant were added (e.g., severity and scale); (2) the 
degree of physical access to the product; and (3) the ability of an 
attacker to successfully contaminate the product. The written 
vulnerability assessment, including the accompanying rationale 
supporting the decision not to identify any significant vulnerabilities, 
would be important for determining if such a facility had complied with 
Sec.  121.130.
    (Comment 76) One comment suggests the term ``vulnerability 
assessment'' should be clearly defined in the rule.
    (Response 76) We deny this request. As discussed in Response 73, 
Sec.  121.130 has been revised to provide required elements the 
facility would need to consider at each step of its process when 
conducting vulnerability assessments: (1) The potential public health 
impact if a contaminant were added (e.g., severity and scale); (2) the 
degree of physical access to the product; and (3) the ability of an 
attacker to successfully contaminate the product. Additionally, the 
definition for significant vulnerability has been revised to include 
these three required elements, which underscores the importance of the 
evaluation that leads to the identification of significant 
vulnerabilities, which in turn leads to the identification of 
actionable process steps.
    We believe the combination of required vulnerability assessment 
elements in Sec.  121.130 and a revised definition for significant 
vulnerability provides a high degree of specificity regarding what 
constitutes a vulnerability assessment and will provide direction to 
facilities as they select an appropriate vulnerability assessment 
methodology.
    (Comment 77) One comment suggests that the term ``secondary 
ingredient handling'' used in a key activity type is confusing because 
it is not obvious whether ``secondary'' describes ``ingredient'' or 
``handling,'' nor what is meant by ``secondary.''
    (Response 77) We are removing the key activity types from the 
regulatory text, although the key activity types are one appropriate 
method to conduct vulnerability assessments to identify actionable 
process steps. Consequently, we will consider these comments when 
developing guidance to support the use of key activity types as an 
appropriate method to conduct a vulnerability assessment.
    (Comment 78) One comment suggests that the definition for 
``holding'' used in two key activity types should be modified to 
account for activities that involve the safe and effective storage of 
raw agricultural commodities, other than fruits and vegetables, 
intended for further distribution or processing, but does not include 
activities that transform a raw agricultural commodity into a processed 
food. The specific example of mineral oil applied to raw grains and 
oilseeds for dust control was provided.
    (Response 78) In response to the comment, we have conducted an 
analysis of this activity and believe that the storage of mineral oil 
and its application onto raw, whole grains or oilseeds in accordance 
with 21 CFR 172.878 is not a significant vulnerability and facilities 
engaged in these specific practices are not required to evaluate these 
processing steps when conducting vulnerability assessments (Ref. 15). 
Facilities storing and using mineral oil on other food products, such 
as baked goods, condiments, spices, or confectionery products, are 
required to evaluate mineral oil storage and use when conducting 
vulnerability assessments.
    Additionally, we are removing the key activity types from the 
regulatory text, as discussed previously, although the key activity 
types are one appropriate method to conduct vulnerability assessments 
to identify actionable process steps. Further, we are revising the 
definition of ``holding'' in this final rule, as discussed in section 
IV.A.3, by removing the distinction for farms and farm mixed-type 
facilities and adding that holding also includes activities performed 
incidental to storage of a food, but does not include activities that 
transform a RAC into a processed food, and we include additional 
examples of holding activities. However, the holding of food in liquid 
storage tanks remains an activity subject to the rule under Sec.  
121.5(b).
    (Comment 79) Some comments state that when conducting vulnerability 
assessments, facilities should take different processing steps into 
consideration, but facilities should not be expected to conduct 
vulnerability assessments based on product type. Rather, they should be 
able to conduct a tailored vulnerability assessment based on the best 
methodology for each facility, either in its entirety or by any 
appropriate, locally determined methodological approach, such as 
grouping different production areas or processing steps.
    (Response 79) Facilities have the flexibility to choose a 
vulnerability assessment methodology appropriate to their operations, 
provided that methodology includes consideration of three fundamental 
elements (i.e., the evaluation of the potential public health impact if 
a contaminant were added (e.g., severity and scale), the degree of 
physical access to the product, and the ability of an attacker to 
successfully contaminate the product) and is performed by an individual 
qualified by training and/or experience to conduct vulnerability 
assessments. A facility must conduct written vulnerability assessments 
for all of the foods that it manufactures/processes, packs, or holds. 
We recognize there are instances where facilities are manufacturing 
very similar products using either the same equipment and/or very 
similar processes. In such instances, it is appropriate for the 
facility to conduct vulnerability assessments of like products by 
grouping these products into one or more processes and conducting 
vulnerability assessments on these process groupings. However, any 
product or process-specific differences must be carefully delineated 
and noted in the vulnerability assessment, and the facility must 
clearly identify the specific products included in each vulnerability 
assessment. In some facilities with limited types of products, the 
written vulnerability assessment may contain a single set of process 
steps that addresses all of the products produced. For example, a 
facility making fruit-flavored beverages may be able to conduct a 
single vulnerability assessment for all of its beverages using a single 
set of processing steps.
    In other facilities, there may not be a practical way to group all 
products into a single set of process steps, and vulnerability 
assessments may be needed for multiple groups of products. For example, 
a facility that makes both ready-to-eat (RTE) entrees and entrees that 
are not RTE may need to conduct a vulnerability assessment of the RTE 
entrees and conduct a separate vulnerability assessment for the entrees 
that are not RTE.
d. Qualified Individual
    (Comment 80) Several comments requested more information regarding 
the requirement that vulnerability assessments must be conducted by 
individual(s) qualified by experience and/or training using appropriate 
methods. Specifically, additional clarification was requested regarding

[[Page 34199]]

training such individuals must receive (particularly in the absence of 
FDA standardized curriculum); the process and criteria by which 
relevant work experience may supplement or substitute for training; and 
the criteria by which FDA will determine if the individual is 
adequately qualified to conduct vulnerability assessments. 
Additionally, several comments believe there is confusion with the use 
of qualified individuals in this rule compared to other rules and 
believe the term should be defined.
    (Response 80) We agree that further clarification is needed 
regarding a definition for a qualified individual in the context of 
this rule and in particular, how it relates to the qualifications 
necessary to conduct vulnerability assessments. Consequently, in Sec.  
121.3 we have defined a qualified individual to mean ``a person who has 
the education, training, or experience (or a combination thereof) 
necessary to perform an activity required under subpart C, as 
appropriate to the individual's assigned duties. A qualified individual 
may be, but is not required to be, an employee of the establishment.'' 
We have further clarified the qualifications necessary for the conduct 
of a vulnerability assessment by creating a new section (Sec.  121.4, 
Qualifications of Individuals Who Perform Activities Under Subpart C). 
In Sec.  121.4 we state ``each individual responsible for . . . 
conducting or overseeing a vulnerability assessment as required in 
Sec.  121.130'' must (1) have the appropriate education, training, or 
experience (or a combination thereof) necessary to properly perform the 
activities; and (2) have successfully completed training for the 
specific function at least equivalent to that received under a 
standardized curriculum recognized as adequate by FDA or be otherwise 
qualified through job experience to conduct the activities. Job 
experience may qualify an individual to perform these functions if such 
experience has provided an individual with knowledge at least 
equivalent to that provided through the standardized curriculum. This 
new definition and qualifications section has provided more information 
on what would qualify an individual to perform a vulnerability 
assessment. We believe that our definition of ``qualified individual'' 
as well as the qualifications required of those individuals have 
addressed this need and fulfill the request of the comments. This new 
approach is consistent with other FSMA rules, including the PCHF final 
rule, which we believe allows for easier understanding and 
implementation for the regulated industry.
    As stated in the preamble to the proposed rule, we recognize that 
the task of performing a vulnerability assessment requires an 
individual with a specific skill set to properly assess and prioritize 
the various points, steps, or procedures in a food process to 
characterize their susceptibility to intentional adulteration, to 
identify significant vulnerabilities and to identify actionable process 
steps where mitigation strategies are essential to significantly 
minimize or eliminate the significant vulnerabilities. We also believe 
that various activities required by this rule may require higher levels 
of training based on the difficulty and intensity of the task. We 
believe that a standardized curriculum will be required to ensure clear 
and consistent training is provided for this activity. The training 
developed for the purpose of conducting or overseeing a vulnerability 
assessment will require an in-depth analysis of the functional and 
thought processes required to properly characterize significant 
vulnerabilities associated with a facility's points, steps or 
procedures and the identification of actionable process steps. The 
process of conducting a vulnerability assessment may be new to much of 
the industry and the training must take this into consideration. The 
standardized curriculum for conducting a vulnerability assessment will 
need to be a comprehensive training that teaches an individual the 
required components of a vulnerability assessment and provides enough 
information for an individual to calibrate their decision making based 
on the scientific analysis required by a vulnerability assessment. We 
believe that the curriculum designed for this activity will require 
multiple days and may best be offered in person.
    (Comment 81) A few comments believe the key activity type option 
for identifying actionable process steps should include a requirement 
that the evaluation be performed by an individual(s) qualified by 
experience and/or training using appropriate methods.
    (Response 81) We agree with the comments and this is reflected in 
the revised requirements. As explained in Response 71, key activity 
types have been removed from the regulatory text, but are still 
considered an appropriate method to conduct a vulnerability assessment. 
The rule requires that a vulnerability assessment, no matter which 
methodology is used, must be conducted or overseen by a qualified 
individual. We note that the requirements to conduct or oversee a 
vulnerability assessment will differ depending on the type of 
vulnerability assessment conducted. Using key activity types requires 
less technical expertise and experience than other methodologies and 
this would be reflected in the necessary qualifications.

C. Proposed Sec.  121.135--Focused Mitigation Strategies for Actionable 
Process Steps

    We proposed that the owner, operator, or agent in charge of a 
facility must identify and implement focused mitigation strategies at 
each actionable process step to provide assurances that the significant 
vulnerability at each step will be significantly minimized or prevented 
and the food manufactured, processed, packed, or held by such facility 
will not be adulterated under section 402 of the FD&C Act (21 U.S.C. 
342). As discussed in section IV.B.3, in the final rule we use the term 
``mitigation strategies'' and no longer reference focused and broad 
mitigation strategies.
    In addition, we have modified this provision to provide that for 
each mitigation strategy or combination of strategies implemented at 
each actionable process step, the facility must include a written 
explanation of how the mitigation strategy(ies) sufficiently minimizes 
or prevents the significant vulnerability associated with the 
actionable process step. In the preamble to the proposed rule, we 
stated that a justification for how the strategy significantly reduces 
or eliminates the risk of intentional adulteration at that actionable 
process step(s) must be documented (see 78 FR 78014 at 78048); however, 
this was not explicitly included in the regulatory text. We believe 
that providing additional flexibility in the nature of the mitigation 
strategies facilities may employ makes it critical that facilities 
explain their rationale as to how the strategy(ies) are, in fact, 
protective of the actionable process step. This explanation will 
include a facility's rationale for selecting its mitigation strategies. 
This explanation can provide additional benefits to the facility by 
assisting them in the decision-making process for identifying 
mitigation strategies as well as identifying the most appropriate 
mitigation strategies management components for the mitigation 
strategy(ies).
    Based on our vulnerability assessments, we believe that adequate 
mitigation strategies are designed to minimize or eliminate the chances 
an attacker would be successful if an act of intentional adulteration 
were attempted at the actionable process step by either

[[Page 34200]]

(1) minimizing the accessibility of the product to an attacker (e.g., 
physically reducing access to the product by locking storage tanks) or 
(2) reducing the opportunity for an attacker to successfully 
contaminate the product (e.g., increasing observation of the area 
through supervision or use of the buddy system), or a combination of 
both. Mitigation strategies found within FDA's Mitigation Strategies 
Database, generally, are designed to address one or both of these 
concepts. The content of the Mitigation Strategies Database is derived 
from our experience conducting vulnerability assessments with industry 
and can serve as a resource for facilities to identify adequate and 
appropriate mitigation strategies. The explanation of how the 
mitigation strategy sufficiently minimizes or prevents the significant 
vulnerability associated with the actionable process step would, 
generally, address the mitigation strategy's impact on one or both of 
these outcomes.
    For example, a facility seeking to protect its liquid storage 
tank's access hatch with a lock may conclude that the lock 
significantly reduces access to the liquid food stored in the tank by 
rendering the hatch inaccessible and include this explanation in its 
food defense plan. As another example, a facility may elect to protect 
its liquid storage tank actionable process step with a policy to 
require two or more employees to be in the area at all times. The 
facility's explanation would include the rationale that this ``buddy 
system'' reduces the opportunity and ability of an attacker to bring a 
contaminant into the vulnerable production area and introduce the 
contaminant into the food without being detected by his or her co-
workers. These two examples show that the same actionable process step 
can be protected in a variety of ways. The explanation will clarify the 
facility's thinking and rationale as to how a mitigation strategy 
significantly minimizes or prevents a significant vulnerability.
    We believe that the explanation accompanying the mitigation 
strategy(ies) will be highly beneficial to the facility in gauging the 
proper implementation of the mitigation strategy during required 
verification activities. In identifying and implementing appropriate 
mitigation strategies, the facility will need to reason through how and 
why the mitigation strategy(ies) will be protective of the respective 
actionable process step in question. This explanation and the 
monitoring of the mitigation strategy play key roles in enabling the 
facility to determine if the mitigation strategy is achieving its 
intended aim and, therefore, is properly implemented.
    For example, for a facility that secures its liquid storage tank 
with a lock, a review of monitoring records may show that the lock is 
consistently in place and locked, therefore reducing accessibility and 
significantly reducing the vulnerability associated with the liquid 
storage tank. By being consistently implemented as intended, the lock 
is achieving the aim as explained in the food defense plan to reduce 
access to the liquid food held in the liquid storage tank. In this 
case, the facility can conclude that this mitigation strategy is 
properly implemented and is reducing a significant vulnerability.
    In contrast, consider a lock on a mixer that is not achieving its 
intended aim. In this example, the worker at the mixer must routinely 
open the mixer's lid to determine if the product is being sufficiently 
mixed. The worker finds the lock to be interfering with his or her 
responsibilities and frequently does not engage the lock after checking 
on the product, repeatedly leaving the mixer unsecured. This deviation 
is documented in monitoring records by the production supervisor. In 
this case, the facility's explanation as to how the mitigation strategy 
would be protective of the mixer included the rationale that the lock 
would reduce access to the product. A component of the facility's 
corrective action procedure for this mitigation strategy was to retrain 
the employee on the importance of locking the mixer, but the employee 
continues to repeatedly leave the mixer unlocked due to its 
interference with his or her responsibilities. Since the mitigation 
strategy, as determined through a review of monitoring and corrective 
action records, was not consistently implemented, it is not achieving 
the aim as specified in the mitigation strategy's explanation. 
Therefore, the mitigation strategy cannot be determined to be properly 
implemented and is not reducing significant vulnerabilities associated 
with the mixer. Since the facility has found that the mitigation 
strategy is not properly implemented, the facility must reanalyze this 
portion of the food defense plan under the requirements of Sec.  
121.157(b)(3) and then identify and implement a different mitigation 
strategy, or combination of strategies, for the mixer that would reduce 
the likelihood that an act of intentional adulteration would be 
successful.
    Additionally, we believe that the explanation for how the 
mitigation strategy(ies) are suitable and intended to reduce the 
significant vulnerability will also be highly beneficial in 
establishing common understanding and communication between the 
facility and inspectors during inspections.
    (Comment 82) Many comments support our proposed requirement that 
mitigation strategies be targeted at high vulnerability process steps 
instead of setting requirements for general facility-level protections. 
Further, some comments assert that significant vulnerabilities by 
nature present themselves at particular points in a process and that 
these individual points, steps, or procedures must be protected. These 
comments also state that broad mitigation strategies would be far 
reaching and require significantly more capital investment from 
industry, while not directly protecting the most vulnerable processes.
    (Response 82) We agree with comments supporting the direction of 
mitigation strategies to those areas where vulnerability is highest. As 
discussed previously, we now refer to mitigation strategies, rather 
than broad and focused mitigation strategies. However, we continue to 
believe that, to be sufficient and appropriate, mitigation strategies 
must be specifically tailored to the significant vulnerability and 
customized to the actionable process step where they are applied rather 
than applied to the entire facility (e.g., locking exterior doors, or 
ensuring employees and visitors have identification badges). We would 
not consider these two examples to be adequate to significantly reduce 
or prevent a significant vulnerability because they do not address an 
inside attacker.
    However, we believe that many policies or procedures that a 
facility currently has in place can be modified or altered to provide 
protection against acts of intentional adulteration without the 
facility incurring significant costs, or requiring additional capital 
investment. For example, consider a liquid food storage tank with an 
inward opening hatch. When the tank is full, the pressure of the liquid 
prevents the hatch from being opened, rendering the tank inaccessible. 
However, when the tank is empty, the hatch may be opened and a 
contaminant added. It may be part of normal facility practice for a 
supervisor to conduct a visual check of storage tanks after a cleaning 
cycle to ensure the cleaning has been conducted properly. Rather than 
incur the cost of installing a lock or other access control on the 
hatch, the facility may elect to implement a food defense mitigation 
strategy by altering its visual check procedure so that the visual 
check by the supervisor is conducted

[[Page 34201]]

immediately prior to food being added to the storage tank so that the 
tank is observed after the tank has been empty and accessible for an 
extended period of time. Alternatively, the facility could elect to 
secure the tank's hatch with a tamper-evident seal or tape after the 
visual inspection. This slight modification of an existing facility 
practice could be implemented with little, if any, cost to the facility 
and serve to protect the actionable process step--in this case the 
storage tank--from an attacker adding a contaminant to the tank while 
it is empty and accessible after it has been cleaned and visually 
inspected.
    (Comment 83) Some comments state that those strategies previously 
termed as broad mitigation strategies should be considered as being 
among appropriate mitigation strategies for compliance with the 
requirements, with the majority of those comments indicating that FDA 
should not distinguish between focused and broad mitigation strategies 
in the final rule. Some comments disagree with FDA's statement in the 
proposed rule that the implementation of focused mitigation strategies 
at actionable process steps in a food operation is necessary to 
minimize or prevent the significant vulnerabilities that are identified 
in a vulnerability assessment regardless of the existence of broad 
mitigation strategies. These comments contend that mitigation 
strategies (whether broad or focused) can work in concert with one 
another and play an important role in a facility's food defense 
approach. Additionally, some comments state that broad mitigation 
strategies can sometimes achieve the same results as focused mitigation 
strategies and some comments state that the differentiation between the 
two types of strategies is confusing and subjective.
    (Response 83) We believe this comment is largely addressed by 
changing the regulatory text to refer to only mitigation strategies in 
this final rule. We agree with comments that mitigation strategies 
exist across a spectrum from those that are very broad and facility-
wide in nature to those that are very specific and tailored to unique 
processing steps and areas. If implemented in a directed manner, a 
strategy that may tend to be thought of as ``broad'' can be effective 
at reducing vulnerability associated with a specific actionable process 
step and could sufficiently minimize the likelihood of a successful act 
of intentional adulteration at the actionable process step.
    Based on the results of our vulnerability assessments, we believe 
that mitigation strategies implemented at actionable process steps that 
are customized to the processing step at which they are applied, 
tailored to existing facility practices and procedures, and consider 
the actionable process step's vulnerability to an insider attack are 
sufficient to protect the actionable process step. An insider attack 
must be considered because an attacker who has achieved access to the 
facility will have already circumvented the facility's general 
facility-level protections. During the course of our vulnerability 
assessments, we determined that if an actionable process step was 
sufficiently protected against an attack perpetrated by an insider with 
legitimate access to the facility, it would be similarly protected 
against the actions of an outside attacker who has circumvented 
perimeter protections. Facility-wide security measures can support or 
complement the mitigation strategy(ies) the facility implements; 
however, the significant vulnerability associated with the actionable 
process step must be significantly reduced or prevented.
    For example, if a facility implements a strategy to restrict access 
at an actionable process step to only those authorized individuals who 
work in the area, and the facility leverages identification badges to 
enforce this strategy, then the strategy becomes much more targeted. In 
this case, the strategy is not simply about identifying personnel who 
work anywhere in the facility, but rather, restricting access to a 
specifically vulnerable area. In this case, the pre-existing badging 
process the facility had in place to positively identify employees and 
visitors serves as the foundation upon which the more tailored 
mitigation strategy is built. However, the badging process itself is 
not a mitigation strategy sufficient to significantly reduce or prevent 
a significant vulnerability at the actionable process step because the 
badging process alone does not restrict access to the actionable 
process step.
    Another example to illustrate how different practices can work in 
concert with each other to achieve protection is that of vetting 
employees. In the proposal we described a hypothetical scenario where a 
facility's secondary ingredient handling area was identified as 
significantly vulnerable and was, therefore, identified as an 
actionable process step. In the scenario, the facility elected to 
mitigate this vulnerability by (1) reducing the time ingredients were 
open and accessible, (2) entrusting the handling of secondary 
ingredients to one of the most trusted employees, and (3) increasing 
observation over the secondary ingredient handling area. To implement 
the second mitigation strategy (use of most trusted employees), the 
facility could utilize either senior and/or long-term employees who had 
earned their trust over time, or the facility could conduct a more 
detailed background check on specific employees.
    Much the same way the Federal government assigns more sensitive 
tasks to Federal workers based on a multi-layered classification and 
security clearance process, the facility could require basic level pre-
employment screening for most employees, but for those employees 
working at actionable process steps, a mitigation strategy could be to 
require a more detailed level of background check. The facility would 
also conduct periodic review of the background check, as appropriate. 
By applying a more targeted approach to establishing trust for the 
employee working in the secondary ingredient handling area, the facility 
leveraged what was previously described in the proposal as a ``broad'' 
mitigation strategy in a much more directed and targeted way such that 
it was specifically addressing the significant vulnerability associated 
with the secondary ingredient staging area. This example shows how what 
were ``broad'' and ``focused'' mitigation strategies can work together 
to protect an actionable process step.
    We caution against using background checks as the sole mitigation 
strategy to reduce significant vulnerabilities at an actionable process 
step because a background check may not identify all indicators of an 
insider threat. Additionally, information within a background check may 
be outdated or missing more recent key information that could be 
indicators of an insider threat. Background checks should be used in 
concert with other mitigation strategies to counter the risk of an 
insider attack. In this example, the facility also mitigated 
vulnerability at the secondary ingredient staging area by reducing the 
staging time of ingredients and increasing observation of the area.
    Similarly, some other mitigation strategies may not be adequate 
when used in isolation. For example, ensuring adequate lighting around 
an actionable process step would generally be a mitigation strategy 
that must be used in concert with other strategies to significantly 
reduce the likelihood of, or prevent, successful acts of intentional 
adulteration at an actionable process step. The increased lighting can 
support other mitigation strategies (i.e., increased supervision of an 
actionable process step) but, generally, increased

[[Page 34202]]

lighting would not by itself be sufficient to address the significant 
vulnerability associated with the actionable process step.
    (Comment 84) Some comments state that existing facility practices 
and facility-level measures should be considered when a facility is 
identifying appropriate mitigation strategies.
    (Response 84) We agree. As discussed previously, mitigation 
strategies should be tailored to existing facility practices and 
procedures, and take into account the nature of the actionable process 
step's significant vulnerability. Mitigation strategies can be 
complemented by or built on top of existing practices or facility-level 
measures. For example, a facility might prepare secondary ingredients 
in an area near the process step where they will be added to the 
product line. The facility weighs and measures ingredients the night 
before use so they are ready for introduction into the product line in 
the morning. To identify a suitable and appropriate mitigation 
strategy, the facility would consider its normal practice of staging 
ingredients the night before and any other relevant practices the 
facility engages in regarding its handling of secondary ingredients in 
this area. The facility might conclude that staging ingredients the 
night before is unnecessary and elect to implement the mitigation 
strategy that ingredients will only be handled immediately before their 
introduction into the product line to prevent them from being open and 
accessible for extended periods of time. Alternatively, if the facility 
concludes that their operating practices prevent this approach, it 
could implement the mitigation strategy to place the ingredients in 
tamper evident storage containers overnight to prevent an attacker from 
being able to introduce an agent without indications of tampering with 
the ingredients. The facility would implement the most appropriate 
mitigation strategy taking into consideration its existing practices 
and procedures.
    (Comment 85) One comment asserts broad mitigation strategies offer 
significant protections to the food supply and that focused mitigation 
strategies are of questionable or at least unproved efficacy. This 
comment goes on to request that FDA focus requirements only on broad 
mitigation strategies that limit access to bulk foods prior to and at 
process steps that may disperse contamination in a large volume of 
finished food.
    (Response 85) During the course of our vulnerability assessments, 
we found that appropriate mitigation strategies must be specifically 
tailored to the significant vulnerability they are addressing and 
customized to the actionable process step where they are applied, while 
taking into account existing facility practices and procedures. We 
disagree with the comment's assertion that strategies previously termed 
as ``focused mitigation strategies'' are questionable or of unproven 
efficacy. Indeed, we conclude as determined through our vulnerability 
assessments that mitigation strategies specifically designed to protect 
the most vulnerable points in a food operation are the most effective 
at reducing the likelihood that an act of intentional adulteration 
would be successful. General facility-level security measures have 
questionable value in protecting actionable processing steps from 
significant vulnerabilities, especially those significant 
vulnerabilities associated with attackers with legitimate access to the 
facility. However, this comment illustrates why we are changing the 
codified to refer to only ``mitigation strategies.'' We would consider 
the efforts described by this comment to be focused mitigation 
strategies as we used that term in the proposed rule. We agree that 
``bulk foods prior to and at process steps that may disperse 
contamination in a large volume of finished food'' would most likely be 
significantly vulnerable and thus require appropriate mitigation 
strategies.
    (Comment 86) Some comments state that some of the mitigation 
strategies identified in the preamble of the proposed rule may not be 
appropriate or suitable in certain circumstances. For example, some 
comments mention that one-way sample ports as a mitigation strategy may 
not be appropriate for products that require aseptic sampling. Some 
comments contend that making engineering enhancements to equipment or 
repositioning equipment to increase visual observation may be 
prohibitively costly.
    (Response 86) We agree that certain mitigation strategies may not 
be appropriate or suitable in some situations. Therefore, we are not 
requiring any specific mitigation strategies in this rule. A facility 
may identify the most appropriate and suitable mitigation strategies 
for its facility, the food being processed, the actionable process step 
being protected, and the nature of the significant vulnerability being 
mitigated.
    (Comment 87) Some comments urge FDA to permit requirements that are 
already in place by other government agencies to count as mitigation 
strategies, when appropriate based on a thoughtful vulnerability 
assessment. In particular, these comments suggest the C-TPAT program 
has proved successful in requiring that broad mitigation strategies be 
implemented, including physical security, personnel security, 
ingredient storage and inventory procedures, and crisis management 
planning.
    (Response 87) As discussed in section III.D, we believe that 
participation in other security programs, such as C-TPAT or CFATS for 
example, raises the overall security posture for a facility and can be 
beneficial along with the requirements of the final rule. In certain 
circumstances, security measures implemented under other security 
programs may also prove to be effective mitigation strategies once 
actionable process steps are identified. These security measures should 
be evaluated on a case-by-case basis to determine if they significantly 
reduce or prevent significant vulnerabilities at actionable process 
steps. If so, the facility may consider these protections as mitigation 
strategies under Sec.  121.135 and document them in the food defense 
plan. However, FDA will not consider a facility's participation with 
other security programs as de facto compliance with this rule.

D. Final Sec.  121.138--Mitigation Strategies Management Components

    We have added a new Sec.  121.138 (Mitigation Strategies Management 
Components) to establish that mitigation strategies required under 
Sec.  121.135 are subject to the following mitigation strategies 
management components as appropriate to ensure the proper 
implementation of the mitigation strategies, taking into account the 
nature of each such mitigation strategy and its role in the facility's 
food defense system: (1) Food defense monitoring in accordance with 
Sec.  121.140; (2) Food defense corrective actions in accordance with 
Sec.  121.145; and (3) Food defense verification in accordance with 
Sec.  121.150. We have created this new section to provide clarity and 
understanding regarding the application of the three management 
components to the mitigation strategies as required by Sec.  121.135.

E. Proposed Sec.  121.140--Monitoring

1. Proposed Sec.  121.140(a)-(b) Requirement for Written Procedures for 
and Frequency of Monitoring
    We proposed that you must establish and implement written 
procedures, including the frequency with which they are to be 
performed, for monitoring the mitigation strategies, and you must 
monitor the mitigation strategies with

[[Page 34203]]

sufficient frequency to provide assurance that they are consistently 
applied.
    Some comments support the proposed requirements. In the following 
paragraphs, we discuss comments that disagree with the proposed 
requirements, ask us to clarify the proposed requirements, or suggest 
one or more changes to the proposed requirements. Some comments request 
that we provide more flexibility than a traditional HACCP framework, 
with specific requests for flexibility in the management components, 
including monitoring.
    After considering these comments, we are making three revisions to 
the requirements for monitoring in Sec.  121.140. First, we are adding 
the qualification ``as appropriate to the nature of the mitigation 
strategy and its role in the facility's food defense system,'' to the 
beginning of the provision. Second, we are changing ``sufficient'' to 
``adequate'' in Sec.  121.140(b), which now states that ``you must 
monitor the mitigation strategies with adequate frequency to provide 
assurances that they are consistently performed.'' We are substituting 
the term ``adequate'' for the term ``sufficient'' to be consistent with 
the PCHF final rule definition for monitoring. We conclude that there 
is no meaningful difference between ``adequate'' and ``sufficient'' for 
the purposes of part 121. We have also added a definition for the term 
``adequate'' in the regulatory text to mean that which is needed to 
accomplish the intended purpose in keeping with good public health 
practice. We also conclude that the regulations will be clearer if we 
use the single term ``adequate'' throughout the regulations. Third, we 
are changing ``applied'' to ``performed'' to address comments that 
state the language was unclear. Section 121.140(b) now states that 
``you must monitor the mitigation strategies with adequate frequency to 
provide assurances that they are consistently performed.''
    (Comment 88) Some comments argue that the language of section 
418(d) of the FD&C Act is ambiguous, and state that monitoring in 
section 418(d) does not require that facilities conduct monitoring as 
described in the National Advisory Committee on Microbiological 
Criteria for Foods' HACCP Principles and Application Guidelines. These 
comments state that the statute sets a standard for facilities to 
``monitor the effectiveness of the preventive controls.'' The comments 
state that the statute does not indicate how facilities are to monitor 
the effectiveness of the mitigation strategies; it does not indicate 
that each mitigation strategy must be monitored, and it does not 
specify the frequency at which monitoring must occur. However, the 
comments agree that facilities should assess whether mitigation 
strategies are in place and are fully implemented. The comments agree 
that facilities should have written procedures regarding how, and the 
frequency at which, observations take place, but also indicate that 
these procedures and frequencies should be less rigorous than 
procedures and frequencies for preventive controls.
    (Response 88) We agree that facilities must assess whether 
mitigation strategies are in place. We also agree that facilities must 
provide written procedures regarding how, and the frequency at which, 
monitoring occurs. This rule implements section 103 of FSMA, and 
therefore includes components for monitoring (section 418(d) of the 
FD&C Act). We agree that monitoring in the intentional adulteration 
regulatory framework should be more flexible than monitoring as 
described in the National Advisory Committee on Microbiological 
Criteria for Foods' HACCP Principles and Application Guidelines. 
Therefore, we have modified the requirement for monitoring in the 
regulatory text to include ``as appropriate to ensure the proper 
implementation of the mitigation strategies, taking into account the 
nature of each such mitigation strategy and its role in the facility's 
food defense system'' (see Sec. Sec.  121.138, 121.140) and to provide 
for the use of exception records (see Sec.  121.140(c)(2)). These 
changes allow a facility to select the appropriate rigor and frequency 
of its monitoring based on its particular circumstances and are similar 
to those made in the PCHF final rule regulatory text for monitoring in 
the preventive controls management components.
    For example, a facility stages ingredients overnight so the first 
shift can immediately begin adding ingredients to a hopper. The 
facility identifies staged ingredient containers as an actionable 
process step because the overnight staging makes the ingredient 
containers significantly vulnerable. The facility then identifies a 
mitigation strategy of reducing ingredient staging time. The facility 
establishes and implements food defense monitoring procedures to 
include observations of the staging area to ensure the ingredients are 
staged immediately prior to addition into the hopper rather than 
overnight. This monitoring procedure is tailored to the facility's 
circumstances and is appropriate to the mitigation strategy (i.e., 
suitable for a particular purpose and capable of being applied) because 
it allows for the assessment or observation that the ingredient staging 
time is being reduced. When establishing the monitoring procedure, the 
facility considered the nature of the mitigation strategy (i.e., an 
observation would determine if reducing the staging time was being 
consistently performed) and its role in the facility's food defense 
system (i.e., the facility deemed it necessary to conduct the 
monitoring for the mitigation strategy because reducing the staging 
time significantly minimized the significant vulnerability associated 
with the ingredient containers). Additionally, the facility reasoned 
that monitoring the staging area immediately prior to the addition of 
the ingredients to the hopper met the requirement for monitoring to be 
conducted on an adequate frequency because this frequency meets the 
definition of adequate (i.e., that which is needed to accomplish the 
intended purpose in keeping with good public health practice) in that 
monitoring prior to ingredient addition to the hopper ensures that 
employees will properly implement the reduced staging time and reduce 
the significant vulnerability.
2. Proposed Sec.  121.140(c)--Requirement for Records
    We proposed that all monitoring of focused mitigation strategies in 
accordance with this section must be documented in records that are 
subject to verification in accordance with proposed Sec.  121.150(a) 
and records review in accordance with proposed Sec.  121.150(c).
    In the following paragraphs, we discuss comments that disagree with 
the proposed requirements, ask us to clarify the proposed requirements, 
or suggest one or more changes to the proposed requirements. After 
considering these comments, we have revised the regulatory text to 
provide that exception records may be adequate in some circumstances 
(see Sec.  121.140(c)(2)).
    (Comment 89) Some comments state that a facility will be much more 
likely to document a deviation from an established mitigation strategy 
(i.e., a light is broken or turned off) rather than a confirmation that 
the light was working properly each day. These comments seem to 
indicate that this could be a potential area where greater flexibility 
is needed regarding how monitoring is documented.
    (Response 89) New Sec.  121.140(c)(2) provides for exception 
records and states records may be affirmative records demonstrating the 
mitigation strategy is functioning as intended and

[[Page 34204]]

that exception records demonstrating the mitigation strategy is not 
functioning as intended may be adequate in some circumstances. This 
revision to the regulatory text was made to clarify that exception 
records, in certain circumstances, are acceptable. We understand 
exception reporting as a structure where automated systems are designed 
to alert operators and management on an exception basis--i.e., only 
when a deviation from food safety parameter limits is observed by the 
system.
    Exception reporting would be an acceptable monitoring system in 
some circumstances. A facility must be able to verify that food defense 
monitoring is being conducted (Sec.  121.150(a)(1)). This is 
straightforward with affirmative monitoring records but can be more 
difficult or impossible with exception records. The following example 
provides an instance where a facility may choose exception records when 
monitoring a mitigation strategy. A facility identifies an ingredient 
storage area as an actionable process step, and identifies and 
implements a restricted access system that uses electronic swipe/key 
cards to limit access to the area. The restricted access system is 
designed to allow authorized personnel to open a door to the area, 
while also alerting management when the door is left unlocked. While 
the system would not need to produce a record for every authorized 
access to the area, the system would produce a record for each instance 
that the door is left unlocked and alert operators to those instances. 
In this example, the facility would periodically verify that the 
restricted access system is working properly, in part, by leaving the 
door unlocked, and ensuring the system alerts the operator by 
generating a record that documents the door being unlocked. Exception 
records are not always appropriate. For example, it would not be 
appropriate to create a record that indicates adequate lighting is not 
functioning as intended, rather than documenting adequate lighting is 
functioning as intended, unless the facility devised an approach that 
would allow it to verify that food defense monitoring was being 
conducted as required.

F. Proposed Sec.  121.145--Corrective Actions

1. Proposed Sec.  121.145(a)(1)-(2) Requirement To Establish and 
Implement Corrective Action Procedures That Must Describe Steps To Be 
Taken
    We proposed that you must establish and implement written 
corrective action procedures that must be taken if the mitigation 
strategy is not properly implemented. The corrective action procedures 
must describe the steps to be taken to ensure that appropriate action 
is taken to identify and correct a problem with implementation of a 
mitigation strategy to reduce the likelihood that the problem will 
recur.
    Some comments support the proposed requirements. In the following 
paragraphs, we discuss comments that disagree with the proposed 
requirements, ask us to clarify the proposed requirements, or suggest 
one or more changes to the proposed requirements. Some comments request 
that the intentional adulteration requirements provide more flexibility 
than a traditional HACCP framework, with specific requests for 
flexibility in the management components, including corrective actions. 
After considering these comments, we are making several revisions to 
the proposed requirements for corrective actions. First, we are adding 
the qualification ``as appropriate to the nature of the actionable 
process step and the nature of the mitigation strategy'' to the 
beginning of the provision in Sec.  121.145(a). Second, we are 
separating the requirements to take appropriate action to identify and 
correct a problem that has occurred from the requirement to take 
appropriate action, when necessary, to reduce the likelihood that the 
problem will recur. The separated requirements are now included in the 
regulatory text as Sec.  121.145(a)(2)(i) and Sec.  121.145(a)(2)(ii), 
respectively. Similar changes were made to the PCHF final rule 
regulatory text for corrective actions, as comments related to that 
rule asserted the proposed corrective action regulatory text could have 
been misunderstood as a requirement to establish a new preventive 
control after implementing a corrective action procedure. These 
comments also asserted that it would be inappropriate to assume that 
corrective action procedures always correct a problem with the 
implementation of a new or additional preventive control. We have 
addressed these comments with respect to the requirement to identify 
and correct a problem by adding ``that has occurred'' after ``correct a 
problem'' in 
Sec.  121.145(a)(2)(i). We have also addressed these comments by 
qualifying the requirement that the corrective action procedures must 
describe the steps to be taken to ensure that appropriate action is 
taken to reduce the likelihood that the problem will recur by inserting 
``when necessary'' after ``appropriate action is taken'' in Sec.  
121.145(a)(2)(ii).
    (Comment 90) A few comments state that greater flexibility is 
needed to reflect the differences between mitigation strategies and 
preventive controls and that corrective actions is one potential area 
in which to increase flexibility. While comments agree that a facility 
should take action when a mitigation strategy is not properly or fully 
implemented, these comments further state that detailed, written 
corrective action procedures should not be required to address every 
possible deviation for each mitigation strategy. In addition, comments 
state that facility employees should make corrections, rather than take 
corrective actions, in some circumstances. These comments provide an 
example of corrections where a door is simply closed, and the action is 
not documented, in response to a single, isolated event where a door is 
propped open.
    (Response 90) As described previously, we have modified the 
provision to provide that corrective action procedures are established 
and implemented based on the nature of the actionable process step in 
addition to the nature of the mitigation strategy (see Sec.  
121.145(a)). The rule allows for a facility's corrective action 
procedures to reflect the extent of the deviation. For example, a 
facility's monitoring indicates that a peer monitoring mitigation 
strategy is not implemented as intended because one of the employees 
does not accompany the other employee at the actionable process step. A 
component of the facility's written corrective action is to retrain the 
employee on the importance of accompanying the other employee while at 
the actionable process step. We expect, in most cases, that food 
defense corrective action procedures will be simple and easy to 
undertake. Further, we agree that written corrective action procedures 
need not address every possible deviation, and the rule does not 
require this. Written corrective action procedures should address 
circumstances where deviations are likely to occur. The reason to have 
corrective action procedures is to consider the likely scenarios in 
advance, rather than react to these scenarios on an ad hoc basis.
    We do not agree that certain situations are more appropriate for 
corrections than for corrective actions. A ``correction'' does not 
include, among other things, actions to reduce the likelihood that the 
problem will recur. The comment describes a situation where a facility 
is locking the door to serve as the mitigation strategy, and the

[[Page 34205]]

monitoring of the mitigation strategy indicates the strategy is not 
performing as intended (i.e., the door is not locked, and it is propped 
open). Because monitoring has indicated the mitigation strategy is not 
properly implemented, a corrective action is required (Sec.  
121.145(a)(1)). While the example includes a corrective action that is 
quite simplistic and easy to undertake, it is important that a 
corrective action, and not a correction, be taken because the 
corrective action includes actions to reduce the likelihood that the 
problem will recur, while the correction does not. An unlocked door 
leaves the significant vulnerability unmitigated, and therefore, this 
seemingly isolated problem directly impacts product vulnerability.
    Furthermore, corrections, such as those discussed in the PCHF final 
rule (e.g., facility observes food residue on ``clean'' equipment prior 
to production of food, and then cleans the equipment), are appropriate 
for minor and isolated problems that do not directly impact product 
safety. An analogous situation does not exist in the context of 
intentional adulteration where requirements of this rule are designed 
to reduce significant vulnerabilities associated with an insider 
attack. Additionally, food defense corrective action requirements are 
less rigorous and resource-intensive than corrective actions for food 
safety purposes. Food defense corrective actions do not include 
requirements to evaluate all affected food for safety, prevent affected 
food from entering commerce, or include requirements for unanticipated 
problems.
2. Proposed Sec.  121.145(a)(3)--Documentation
    We proposed that all corrective actions taken in accordance with 
this section must be documented in records that are subject to 
verification in accordance with proposed Sec.  121.150(b) and records 
review in accordance with proposed Sec.  121.150(c).
    Some comments support the proposed requirements without change. One 
comment states that documentation would not be needed in a single, 
isolated event, such as where a door is propped open, and the 
corrective action would simply result in the door being closed. While 
the example includes a corrective action that is simple and easy to 
undertake, it is necessary that it be documented. Without such 
documentation, verification of proper implementation of the mitigation 
strategy, as required in Sec.  121.150(a)(3), may not be possible 
because there are no records to review which reflect failure to 
implement the mitigation strategy. Further, without documentation, it 
may not be known whether it was a one-time event or the door was 
propped open more regularly. Documentation of the corrective actions and 
review of the documentation to verify proper implementation of 
mitigation strategies is necessary to identify trends and patterns of 
implementation of mitigation strategies over time, and is also 
necessary to ensure appropriate decisions about corrective actions are 
being made. After considering the comment, we are finalizing these 
requirements as proposed.

G. Proposed Sec.  121.150--Verification

    We proposed to require verification of monitoring, verification of 
corrective actions, verification of implementation and effectiveness, 
reanalysis, and documentation of all verification activities. 
Specifically regarding verification of implementation and 
effectiveness (proposed Sec.  121.150(c)), we proposed that you must 
verify that the focused mitigation strategies are consistently 
implemented and are effectively and significantly minimizing or 
preventing the significant vulnerabilities. We proposed that this must 
include, as appropriate to the facility and the food, review of the 
monitoring and corrective actions records within appropriate timeframes 
to ensure that the records are complete, the activities reflected in 
the records occurred in accordance with the food defense plan, the 
focused mitigation strategies are effective, and appropriate decisions 
were made about corrective actions. We also requested comment on 
whether we should specify the verification activities that must be 
conducted for verification of monitoring and for verification of 
corrective actions and, if so, what verification activities should be 
required.
1. Verification of Monitoring, Corrective Actions and Implementation 
and Effectiveness
    Some comments support the proposed requirements. In the following 
paragraphs, we discuss comments that disagree with the proposed 
requirements, ask us to clarify the proposed requirements, or suggest 
one or more changes to the proposed requirements. Some comments request 
that the intentional adulteration requirements provide more flexibility 
than a traditional HACCP framework, with specific requests for 
flexibility in the management components, including verification. Most 
of the comments addressing verification activities request 
clarification specifically related to implementation and effectiveness. 
One comment requests that we provide for other activities appropriate 
for verification of implementation and effectiveness. After considering 
these comments, we are making several changes to the requirements for 
verification.
    First, we are adding text to Sec.  121.150(a) (Food defense 
verification) to reflect that verification procedures are established 
and implemented based on the nature of the mitigation strategy and its 
role in the facility's food defense system. Second, we made edits to 
reflect new Sec.  121.138. We have changed proposed Sec.  121.150(a) to 
final Sec.  121.150(a)(1), which now states ``Verification that food 
defense monitoring is being conducted as required by Sec.  121.138 (and 
in accordance with Sec.  121.140).'' We have changed proposed Sec.  
121.150(b) to final Sec.  121.150(a)(2), which now states 
``Verification that appropriate decisions about food defense corrective 
actions are being made as required by Sec.  121.138 (and in accordance 
with Sec.  121.145).'' We have changed proposed Sec.  121.150(c) to 
final Sec.  121.150(a)(3) which requires verification that mitigation 
strategies are properly implemented and significantly minimizing the 
significant vulnerabilities.
    Third, we have removed the requirement to verify that mitigation 
strategies are effectively significantly minimizing or preventing 
significant vulnerabilities in Sec.  121.150(c) because it is more 
appropriate to verify mitigation strategies are being properly 
implemented, in accordance with the food defense plan, rather than 
verifying these strategies are effective. In the food safety context, 
verification of effectiveness is mainly accomplished via validation and 
testing, which are not required in this final rule due to the nature of 
mitigation strategies. Fourth, we are adding a new section Sec.  
121.150(a)(3)(ii) to provide for ``other activities appropriate for 
verification of proper implementation'' to allow for increased 
flexibility in verifying mitigation strategies are properly implemented 
beyond what is included in Sec.  121.150(a)(3)(i). Fifth, we added a 
requirement (Sec.  121.150(b)) to establish and implement written 
procedures, including the frequency for which they are performed, for 
verification activities. This requirement was added because the 
flexibility, provided in Sec.  121.150(a)(3)(ii), is significant but 
not unbounded. Written procedures are essential to ensure these 
activities are occurring in accordance with the food defense plan. 
Sixth, we moved the more

[[Page 34206]]

extensive section for reanalysis (proposed Sec.  121.150(d)) to a new 
section (final Sec.  121.157) to improve readability and clarity. As a 
result, we created a new Sec.  121.150(a)(4) (``Verification of 
Reanalysis in accordance with Sec.  121.157'') to include in Sec.  
121.150 the requirement to verify that reanalysis has been conducted. 
Some of these changes are similar to those made in the PCHF final rule 
regulatory text for verification and preventive controls management 
components.
    (Comment 91) Some comments request clarification and elaboration 
for verification activities related to implementation and effectiveness 
of mitigation strategies (proposed Sec.  121.150(c)).
    (Response 91) As mentioned previously, we have removed the 
requirement to verify the effectiveness of mitigation strategies. As 
part of food defense verification, a facility must determine if each 
mitigation strategy is properly implemented and significantly 
minimizing or preventing significant vulnerabilities. To do this, a 
facility would determine whether the mitigation strategies are 
consistently implemented and functioning as intended. Part of this 
determination would be based on review of monitoring and corrective 
action records. In addition, as mentioned in section V.D, facilities 
may use, but are not limited to, two important factors to determine the 
proper implementation of mitigation strategies to significantly 
minimize or prevent significant vulnerabilities: (1) The degree of 
physical access to the product at the actionable process step and (2) 
the ability of an attacker to successfully contaminate the product at 
the actionable process step.
    For example, if a mitigation strategy is significantly minimizing 
the degree of physical access to the product at an actionable process 
step, and the strategy is consistently implemented as determined by 
record review, the strategy can be considered properly implemented. 
Likewise, if the mitigation strategy is significantly minimizing the 
ability of an attacker to successfully contaminate the product at the 
actionable process step, and the strategy is consistently implemented 
as determined by record review, the strategy can be considered properly 
implemented. These factors are the same as two of the factors required 
to be evaluated in a vulnerability assessment (Sec.  121.130(a)(2) and 
(3)).
    We are not including the third factor (the potential for public 
health impact (Sec.  121.130(a)(1)) because it has been our experience 
that mitigation strategies either directly reduce access to a point, 
step, or procedure, or directly reduce the ability of an attacker to 
contaminate the food at a point, step, or procedure, and in doing so, 
indirectly reduce the potential public health impact if a contaminant 
were added at a point, step, or procedure.
    As a facility reasons through its explanation of how the mitigation 
strategy significantly minimizes or prevents the significant 
vulnerability (Sec.  121.135(a)), the facility's explanation will most 
likely include the rationale for how the mitigation strategy reduces, 
to an acceptable level, either the degree of unauthorized access to the 
actionable process step or the ability of an attacker to successfully 
contaminate the product at the actionable process step. When the 
facility reviews the monitoring and corrective action records to ensure 
that activities reflected in the records occur as envisioned by the 
food defense plan (Sec.  121.135(a)) and are consistently implemented 
(Sec.  121.150(a)(3)), the facility can then determine whether the 
mitigation strategy is properly implemented and is significantly 
minimizing the significant vulnerability at the actionable process 
step.
    (Comment 92) One comment states that verification methods other 
than those required by proposed Sec.  121.150(c) may be appropriate, 
and provides suggestions of such methods, including direct observation 
of monitoring, such as a supervisor observing monitoring conducted by 
an employee, and review of monitoring and corrective actions activities 
during team meetings.
    (Response 92) We agree that the rule should provide flexibility for 
additional activities related to verification of properly implemented 
mitigation strategies, and have revised the specific requirements to 
provide for other activities appropriate for verification of proper 
implementation of mitigation strategies in Sec.  121.150(a)(3)(ii). 
Providing specific requirements for verification of implementation 
(Sec.  121.150(a)(3)(i)), but allowing for other activities appropriate 
for verification of implementation (Sec.  121.150(a)(3)(ii)), 
addresses, in part, comment requests that mitigation strategies 
management components need to provide more flexibility.
    (Comment 93) One comment disagrees with the requirement that, as 
part of verification, monitoring and corrective action records must be 
reviewed and further states that the proposed requirement is too 
prescriptive and not applicable to food defense.
    (Response 93) Review of monitoring and corrective action records is 
a key component of verification in a food defense system. Review of 
monitoring records is necessary to determine whether mitigation 
strategies are implemented as intended and are therefore significantly 
minimizing significant vulnerabilities. For example, review of 
monitoring records for a mitigation strategy of using a lock to secure 
an access hatch on top of a silo could indicate that the lock is 
functioning as intended because the securing mechanism is fully 
engaged, and the hatch cannot be accessed without a key to the lock. 
The significant vulnerability has been significantly minimized because 
the food in the silo is no longer accessible. The facility determines 
the mitigation strategy is properly implemented because it is 
functioning as intended and minimizes the significant vulnerability.
    Review of corrective action records is necessary to determine 
whether appropriate decisions are being made to identify and correct 
any problems with the implementation of a mitigation strategy and 
whether actions are being taken to reduce the likelihood that a problem 
would recur. To continue with the example, if the review of monitoring 
records indicated that the lock was not properly implemented due to 
employee error, the facility implements the corrective action, which 
consists of engaging the securing mechanism of the lock on the access 
hatch, and retraining the employee assigned to this step in how to 
properly use the securing mechanism. During the review of the 
corrective action records, the facility determines that appropriate 
decisions about corrective actions were made because the problem was 
identified that the lock was not properly implemented due to employee 
error, the problem was corrected because the facility engaged the 
securing mechanism of the lock to lock the access hatch, and actions 
were taken to reduce the likelihood the problem would recur by training 
the employee on how to successfully engage the securing mechanism of 
the lock in order to lock the access hatch.
    Further, FDA has provided a flexible time period for review, 
allowing review of monitoring and corrective action records to take 
place in an ``appropriate timeframe.'' For example, a facility chooses 
to use several mitigation strategies, including adequate lighting, at 
the bulk truck unloading bay to protect the actionable process step, 
and the lighting may be monitored each time a shipment is received or 
on a weekly basis depending on the facility's determination of the 
frequency of the monitoring procedures. The review of these monitoring 
records may occur on

[[Page 34207]]

a weekly or monthly basis, depending on the frequency of the monitoring 
procedures and the role this mitigation strategy plays in a facility's 
food defense system. We disagree that this requirement is too 
prescriptive.
    (Comment 94) Some comments assert that industry cannot be held to a 
standard of absolute prevention of intentional adulteration, and given 
this assertion, one of these comments further states that effectiveness 
of mitigation strategies should be interpreted reasonably by both FDA 
and industry. The comment agrees that facilities should be expected to 
take reasonably appropriate measures to mitigate vulnerabilities and 
also states that facilities should have discretion to determine how 
mitigation strategies are effective. This comment goes on to state that 
facilities should not be expected to employ a certain measure just 
because the measure is available, particularly when the added benefit 
might be minimal. Finally, the comment states that, in the context of 
interpreting effectiveness of mitigation strategies in a reasonable 
manner, FDA should be mindful of the extremely low likelihood of an 
intentional adulteration event that may cause massive public health 
harm or economic disruption.
    (Response 94) We acknowledged the low probability of an intentional 
adulteration event that may cause wide scale public health harm in the 
proposed rule (78 FR 78014 at 78024). The rule does not create a 
standard of absolute prevention at every identified actionable process 
step. Mitigation strategies are, among other things, ``risk-based'' and 
``reasonably appropriate measures.'' They are employed to 
``significantly minimize or prevent'' significant vulnerabilities.
    Furthermore, each facility has some degree of discretion in 
determining how, and whether, each mitigation strategy is properly 
implemented, as part of the facility's written explanation of how the 
mitigation strategy sufficiently minimizes or prevents the significant 
vulnerability associated with the actionable process step.
    Additionally, facilities are not required to employ measures just 
because they are available or convenient. Rather, facilities are 
required to identify and implement mitigation strategies that reflect 
the specific circumstances of the actionable process step and the 
facility. Because the facility considers these circumstances when 
identifying and implementing an appropriate mitigation strategy, and 
provides a written explanation of how the mitigation strategy 
sufficiently minimizes or prevents the significant vulnerability 
associated with an actionable process step, a facility may choose a 
mitigation strategy that it believes provides maximum benefit, 
regardless of availability or convenience, if it complies with the 
requirement to significantly minimize, or prevent, the significant 
vulnerability.
2. Proposed Sec.  121.150(d)--Reanalysis (Final Sec.  121.157)
    We proposed that you must conduct a reanalysis of the food defense 
plan (1) At least once every 3 years; (2) Whenever a significant change 
in the activities conducted at your facility creates a reasonable 
potential for a new vulnerability or a significant increase in a 
previously identified vulnerability; (3) Whenever you become aware of 
new information about potential vulnerabilities associated with the 
food operation or facility; (4) Whenever you find that a focused 
mitigation strategy is ineffective; and (5) Whenever FDA requires 
reanalysis to respond to new vulnerabilities and developments in 
scientific understanding including, as appropriate, results from the 
Department of Homeland Security biological, chemical, radiological, or 
other terrorism risk assessments. These requirements for reanalysis of 
the food defense plan were proposed within Sec.  121.150 Verification.
    Many comments responded to Sec.  121.150 (Verification) as a whole, 
without specifically referring to reanalysis as an area needing edits. 
However, some comments regarding verification potentially apply to 
reanalysis, and these are addressed in this section. Some comments 
support the proposed requirements without change and some support the 
proposed provisions but ask for more flexibility and suggest 
alternative regulatory text. After considering these comments, to 
improve clarity and readability and to be consistent with the PCHF 
final rule with respect to the regulatory text for reanalysis, we have 
removed reanalysis from Sec.  121.150 and created a new section Sec.  
121.157 devoted entirely to requirements for reanalysis. We have 
revised the regulatory text within this section to clarify which 
portions of the food defense plan will need reanalysis and how often 
(e.g., the whole plan needs reanalysis at least every 3 years, and the 
whole plan or the applicable portions of the plan need reanalysis for 
all other reasons required in the text), to expand the scope of 
situations that trigger a reanalysis (e.g., added a reanalysis 
requirement when required by FDA based on credible threats to the food 
supply), and we increased clarity for when the reanalysis requires a 
revision to the food defense plan (e.g., the proposed language stated a 
revision to the food defense plan is required when a significant change 
is made, and the text was edited to state that a revision to the food 
defense plan is required when a significant change in activities 
conducted at your facility creates a reasonable potential for a new 
significant vulnerability or a significant increase in a previously 
identified vulnerability). Also, the new reanalysis section provides 
more flexibility in the timeframe for when a reanalysis must be 
completed, and clarifies when a reanalysis requires a revision to the 
food defense plan.
    In the following paragraphs, we discuss comments that suggest one 
or more changes to the proposed requirements.
    (Comment 95) Some comments state that greater flexibility is needed 
to reflect the differences between mitigation strategies and preventive 
controls and that verification is one potential area in which to 
increase flexibility. These comments believe that the oversight burden 
and the records burden associated with verification could be lessened 
by adding more flexibility.
    (Response 95) We interpreted these comments to include reanalysis 
in the verification activities mentioned. We agree that the overall 
regulatory framework for this rule should provide more flexibility than 
that of a traditional HACCP approach and have described our general 
thinking in Comment 1 and Comment 2 of this document. To align with 
this thinking we have made specific changes to the reanalysis 
requirements. We removed reanalysis from Sec.  121.150 and created a 
new section Sec.  121.157 devoted entirely to requirements for 
reanalysis to help clarify activities for the purpose of verification 
versus activities specific to reanalysis. Within this section we 
provide for reanalysis of an applicable portion of the food defense 
plan (rather than the complete food defense plan) in specified 
circumstances. We have revised the regulatory text to state that when 
reanalysis is conducted for any reason other than Sec.  121.157(a) 
(every 3 years), the food defense plan as a whole may need to be 
reanalyzed, or just the applicable portion of the food defense plan 
that may be affected by the proposed change or the new information (see 
Sec.  121.157(a) and 121.157(b)). In the proposed rule, the portions of 
the plan that required reanalysis were not detailed, and the 
implication was that the entire plan must be reanalyzed in all cases. 
Our clarification of this language

[[Page 34208]]

allows flexibility for the facility to determine the extent of the 
required reanalysis based on the nature of the reanalysis trigger. In 
addition, we made associated editorial changes for the intentional 
adulteration reanalysis requirements to improve the readability of the 
requirement to conduct reanalysis ``whenever a mitigation strategy, a 
combination of mitigation strategies, or the food defense plan as a 
whole, is not properly implemented'' (see Sec.  121.157(b)(3)). In the 
proposed rule this requirement applied only to the ineffective nature 
of a mitigation strategy and did not take into account other areas of 
the food defense plan that may be contributing to an ineffective food 
defense plan. We also added new text to the reanalysis requirement to 
allow FDA to require a reanalysis ``when credible threats are made to 
the food supply'', as discussed more fully in section III.C.
    Further, additional flexibility has been provided with respect to 
timeframes associated with completing reanalysis. The proposed rule 
required that reanalysis be completed ``before the change in activities 
at the facility were operative'' or ``when necessary, during the first 
6 weeks of production.'' The new requirement states that the reanalysis 
must be complete ``before any changes in activities (including any 
change in mitigation strategy) at the facility is operative,'' or 
``when necessary, within 90 days of production'' or ``within a 
reasonable timeframe, providing a written justification is prepared for 
a timeframe that exceeds 90 days after production of the applicable 
food first begins.'' This flexibility in timeframes lessens the burden 
on the facility. We believe the 90-day timeframe is sufficient for 
completing the reanalysis but recognize that there may be instances 
where the 90-day timeframe is exceeded and this is allowed with 
sufficient written justification.
    We lessened the documentation burden by only requiring a revision 
to the food defense plan ``if a significant change in the activities 
conducted at your facility creates a reasonable potential for a new 
significant vulnerability or a significant increase in a previously 
identified vulnerability.'' The proposed rule required a revision to 
the food defense plan if ``a significant change was made.'' By stating 
specifically that revisions are only required if a change is made in 
activities that affect vulnerabilities, we eliminate the revision 
requirements for changes that are not directly related to the risk of 
intentional adulteration. Both the proposed and final rules provide for 
the option to conclude that a revision to the food defense plan is not 
needed as long as the basis for that conclusion has been documented.
    Many of the changes we made to the reanalysis provisions are 
similar to changes made in the PCHF final rule, and we believe this 
consistency will assist with overall understanding and implementation 
of these rules.
    (Comment 96) Some comments ask us to recognize other terminologies, 
suggesting reanalysis could be referred to as ``reassessment.''
    (Response 96) We decline this request. We have acknowledged that 
the terminology used in relation to the concept of ``reanalysis'' 
varies in current regulations and guidelines for systems such as HACCP 
(78 FR 3646 at 3759). A facility may choose to use a term such as 
``reassessment'' in its records--e.g., if it relies on existing records 
that use the term ``reassessment'' to satisfy some or all of the 
requirements of this rule for reanalysis. However, the rule will use a 
single term to minimize the potential for confusion about whether 
different terms have a different meaning for the purposes of the rule.

H. Proposed Sec.  121.160--Training (Final Sec.  121.4)

    We proposed in Sec.  121.160 to require that (1) Personnel and 
supervisors assigned to actionable process steps must receive 
appropriate training in food defense awareness and their respective 
responsibilities in implementing focused mitigation strategies and (2) 
All required training must be documented in records. We asked for 
comment on several questions related to training, including whether we 
should require that basic food defense awareness training be completed 
by all employees and whether we should require training to be repeated 
periodically. We also requested comment on the adequacy of FDA's Food 
Defense 101 training materials and whether additional FDA training 
materials are needed. Finally, we requested comment on the feasibility 
of the proposed training requirements, in light of the current state of 
food defense awareness in the industry and available training 
resources.
    No comments disagree with the need for training for facilities to 
be able to properly implement this rule, and many comments acknowledge 
that training is crucial to creating an effective food defense 
environment in a facility. Some comments agree with our proposed 
training approach, and other comments request changes. After 
considering the comments, we have changed the training requirements by 
creating a new section, Sec.  121.4 (Qualifications of Individuals Who 
Perform Activities Under Subpart C), which replaces Sec.  121.160, and by 
defining the term ``qualified individual'' in Sec.  121.3. In summary, 
the final rule requires all individuals who perform activities under 
Subpart C to be qualified through training or job experience or a 
combination thereof. Individuals and their supervisors at actionable 
process steps are required to take food defense awareness training and 
individuals who prepare the food defense plan, conduct a vulnerability 
assessment, identify and explain mitigation strategies and perform 
reanalysis must have successfully completed training for the specific 
activity at least equivalent to that received under a standardized 
curriculum recognized as adequate by FDA or be otherwise qualified 
through job experience to conduct the activities.
    Section 121.4 requires that individuals performing activities under 
Subpart C have certain qualifications that vary based on the activity 
performed. Section 121.4(a) requires that you ensure that each 
individual who performs activities required under Subpart C is a 
qualified individual. A qualified individual is ``a person who has the 
education, training, or experience (or a combination thereof) necessary 
to perform an activity required under Subpart C, as appropriate to the 
individual's assigned duties. A qualified individual may be, but is not 
required to be, an employee of the establishment'' (Sec.  121.3). See 
section IV.C.4 for further discussion of this definition. Section 
121.4(b) requires that each individual assigned to an actionable 
process step (including temporary and seasonal personnel) or in the 
supervision thereof must (1) be a qualified individual and (2) receive 
training in food defense awareness. Section 121.4(c) requires that each 
individual assigned to (1) the preparation of the food defense plan, 
(2) the conduct of a vulnerability assessment, (3) the identification 
and explanation of the mitigation strategies, or (4) the reanalysis of 
the food defense plan must be a qualified individual and have 
successfully completed training for the specific activity at least 
equivalent to that received under a standardized curriculum recognized 
as adequate by FDA or be otherwise qualified through job experience to 
conduct the activities. Job experience may qualify an individual to 
perform any of the activities listed previously if such experience has 
provided an individual with knowledge at least equivalent to that 
provided through the standardized
curriculum. Section 121.4(d) requires that responsibility for ensuring 
compliance by individuals with the requirements be clearly assigned to 
supervisory personnel with adequate qualifications to supervise the 
activities. Section 121.4(e) requires that the training required by 
Sec.  121.4(b) and (c) must be documented in records that include the 
date of the training, the type of training, and the person trained, and 
must be established and maintained in accordance with the requirements 
of subpart D.
    In the following paragraphs, we discuss comments that respond to 
our request for comment regarding the proposed training requirement and 
comments that request changes to the training requirement as proposed.
    (Comment 97) Some comments assert that FDA should require 
facilities to conduct food defense awareness training for all employees 
and not just for employees and supervisors who work at actionable 
process steps. Some comments indicate that, since food defense is a new 
area of regulation, training to increase general awareness by all 
employees would be a useful requirement in gaining familiarity with the 
risk and mitigation of intentional adulteration. Some comments state 
that food defense awareness training for all employees is fundamental 
for creating a food defense culture at a facility and may be the 
critical element for preventing a successful attack. Alternatively, 
some comments state that expanding the food defense awareness training 
requirement to all employees will not advance food defense and could 
create a generalized approach that may diminish the ability of the 
facility to effectively train personnel who have significant roles in 
implementing food defense requirements. Some comments state that the 
cost of requiring training of all employees would be overly burdensome.
    (Response 97) Although we agree that food defense awareness 
training would be useful for all employees, we believe that the best 
use of training resources for industry would be to focus the 
requirement for food defense awareness training on personnel who are 
assigned to an actionable process step. We do not believe it is 
necessary to require that facilities provide all employees with 
awareness training to significantly minimize or prevent significant 
vulnerabilities. Although we disagree that training all employees could 
diminish the ability of a facility to effectively train personnel, we 
agree that concentrating awareness training on certain individuals is 
less burdensome than a general training requirement. We believe it is 
the best use of resources to train individuals at actionable process 
steps in food defense awareness because that is where intentional 
adulteration, when intended to cause wide scale public health harm, is 
most likely to occur. Our food defense guidance includes options for 
increasing general awareness of food defense throughout a facility by 
incorporating the importance of food defense procedures into routine 
facility communications, such as brochures, staff meetings, or payroll 
stuffers. We recommend that facilities encourage all employees to 
report unusual or suspicious individuals or activities to management.
    In addition to requiring food defense awareness training for 
certain individuals, the rule requires that each individual who 
performs activities required by subpart C be a qualified individual as 
that term is defined in Sec.  121.3. In addition, the rule requires 
individuals performing certain activities, including the preparation of 
the food defense plan or the conduct of a vulnerability assessment, to 
have successfully completed training for the specific activity at least 
equivalent to that received under a standardized curriculum recognized 
as adequate by FDA or be otherwise qualified through job experience to 
conduct the activities.
    (Comment 98) Some comments express a need for advanced food defense 
training requirements for individuals conducting higher level food 
defense activities such as food defense coordinators, individuals who 
prepare, monitor, verify, or conduct corrective actions associated with 
food defense plans, managers or quality control personnel or personnel 
who would be responsible for identification of appropriate mitigation 
strategies. Some comments assert that these food defense activities 
require specialized knowledge that would not be covered in food safety 
training and that qualified individuals should perform these higher 
level functions.
    (Response 98) We agree with these comments and are requiring that 
each individual engaged in activities in subpart C must be a qualified 
individual with the appropriate education, training, or experience (or 
a combination thereof) to perform the activity. Further, the rule 
requires increased qualifications for individuals responsible for 
higher level activities, such as preparation of the food defense plan, 
conducting a vulnerability assessment, identifying and explaining 
mitigation strategies, and reanalysis (Sec.  121.4(c)). These 
individuals must have the appropriate education, training, or 
experience (or a combination thereof) necessary to properly perform 
their assigned activities and have successfully completed training at 
least equivalent to that received under a standardized curriculum 
recognized as adequate by FDA or be otherwise qualified through job 
experience to conduct the activities. Job experience may qualify an 
individual to perform these functions if such experience has provided 
an individual with knowledge at least equivalent to that provided 
through the standardized curriculum. We believe the activities listed 
previously require a higher level of expertise and training than 
other activities required under subpart C and, therefore, FDA is 
establishing a standardized curriculum for training which individuals 
performing these activities must successfully complete (or be otherwise 
qualified through job experience). This approach is consistent with the 
PCHF final rule, where additional food safety training is required for 
individuals who prepare or oversee preparation of the food safety plan, 
including conducting the hazard analysis (21 CFR 117.126(a)(2)).
    We anticipate that the standardized curriculum for activities other 
than the conduct of a vulnerability assessment will be an approximately 
4-hour training that will cover food defense awareness and food defense 
planning components such as preparing, implementing, and reanalysis of 
a food defense plan and selecting and explaining mitigation strategies. 
We plan for the training to be available online.
    The training for conducting or overseeing a vulnerability 
assessment will require in-depth analysis of the functional and thought 
processes required to properly characterize significant vulnerabilities 
associated with a facility's points, steps, or procedures and the 
identification of actionable process steps. The process of conducting a 
vulnerability assessment may be new to much of the industry and the 
training will take this into consideration. The standardized curriculum 
for conducting a vulnerability assessment will need to cover each 
required component of the vulnerability assessment and provide enough 
information for an individual to calibrate their decision making based 
on the scientific analysis required by a vulnerability assessment. We 
believe that the curriculum designed for this activity will require 
multiple days and may be best offered in person. Based on the 
vulnerability assessment method chosen, the length of the standardized 
curriculum may vary, for example if a
facility is using the key activity types the training could be shorter.
    Finally, with regard to comments that suggest that individuals who 
prepare, monitor, verify, or conduct corrective actions associated with 
food defense plans receive specialized training, we agree that 
individuals responsible for these activities should be qualified 
individuals and may need training to perform such activities. However, 
we are not standardizing a curriculum for such training and realize 
that individuals may be qualified through education or experience to do 
these activities because these concepts are not completely unique to 
food defense planning and analogous food safety concepts have been in 
routine practice in many food facilities for the purpose of food safety 
plans and/or HACCP approaches.
    (Comment 99) Some comments state that food defense awareness 
training should be recognized as a beneficial mitigation strategy 
within food defense plans to create heightened awareness and that this 
training can be used to address intentional contamination including 
insider threats. Other comments state that the only requirement for 
food defense should be training and that any requirements beyond this 
approach are not necessary.
    (Response 99) We agree that food defense awareness training for 
employees and supervisors assigned to actionable process steps would 
increase awareness and could assist with recognizing or thwarting an 
insider threat; however, the training alone will not protect the food 
at that actionable process step. It is the properly implemented 
mitigation strategies, which are designed to reduce the significant 
vulnerability at that step, which would protect the food against 
intentional adulteration.
    (Comment 100) Some comments recommend that FDA set a requirement 
for periodic retraining, and some comments suggest the training 
requirement should specify training intervals such as during an 
employee ``onboarding'' process and periodically thereafter or when 
significant changes are made to the food defense plan. One comment did 
not request a requirement for retraining but stated that it should be 
understood that education and training are not a one-time occurrence. 
One comment asked for flexibility for training and retraining 
frequencies so a facility can take into account facility size, 
environment, seasonality of employees, and other circumstances.
    (Response 100) We agree that training should not be a one-time 
occurrence and believe that by defining ``qualified individual'' in 
terms of an ability to perform assigned responsibilities we have 
provided the flexibility for firms to consider relevant factors in 
determining how often to perform training. Individuals conducting 
activities under subpart C must be qualified to successfully implement 
the food defense measures contained in the food defense plan. If the 
food defense plan changes, because of a production change resulting in 
a mitigation strategy change, for example, employees and supervisors 
may need retraining if their responsibilities under subpart C change. 
Also, retraining may be needed as a component of corrective action. For 
example, if during the course of monitoring a facility determines that 
certain mitigation strategies are not being implemented consistently 
or appropriately, a component of the corrective action may be to 
retrain the responsible staff and their supervisors. To ensure that 
employees remain qualified to perform their duties under subpart C, 
facilities will need to retrain employees when the food defense plan 
changes and when a problem has been identified that training would 
address.
    (Comment 101) Some comments commend FDA on the development of a 
broad range of free training materials that will be efficient and 
useful to meet training requirements. Some comments suggest updating 
and expanding these trainings to include options for free, 
downloadable, and customizable materials to reach a broad range of 
cultural and language groups, and to include information on how to 
protect food defense-related documents. One comment recommends that FDA 
update all of its food defense resources to reflect the requirements 
ultimately included in this final rule. One comment suggests that FDA 
develop a ``train-the-trainer'' course that could be effectively 
utilized by industry to equip management of food companies with the 
training materials needed to comply with the training requirements.
    (Response 101) We agree that many of our trainings and other 
resources will assist industry in complying with this rule. However, we 
recognize that many of our existing materials will need to be updated 
to reflect the provisions of the rule and new training materials will 
need to be developed. We intend to update our training materials to 
provide an option to comply with the food defense awareness training 
requirement, and we will be developing a standardized curriculum for 
training in accordance with the requirements of Sec.  121.4(c). We 
anticipate the standardized content of the training will be modular, 
with certain modules varying based on the difficulty and skill level of 
the activity being performed, with the vulnerability assessment 
training module being the most in-depth and lengthy (See Comment 80 and 
Comment 81).
    The training for individuals and supervisors assigned to actionable 
process steps may require facility-specific information for proper 
implementation of the mitigation strategy or strategies and, therefore, 
will need to be developed and administered on the job and will not be 
developed by FDA.
    We will continue to provide food defense training and other 
materials in as many formats as resources allow, such as online, DVD, 
and hard copy. FDA currently has some food defense materials in 
languages other than English, but will work as we are able towards 
translating more materials into other languages to reach a broader 
audience.
    In response to the development of a ``train the trainer'' course to 
assist management with meeting the training requirements of this rule, 
we interpret this comment to mean that we should offer materials so 
that companies can deliver their own food defense awareness training. 
Since the requirement for awareness training has inherent flexibility, 
facilities can deliver their own food defense awareness trainings. We 
believe the training tools and resources that we intend to update, 
based on the requirements of this rule, will assist facility management 
with gaining knowledge necessary for delivering food defense awareness 
training, and we intend to explore the development of a ``train the 
trainer'' course in consultation with the alliance to meet the needs of the 
standardized curriculum requirements.
    (Comment 102) Some comments request that FDA support the 
development and distribution of educational and training resources to 
assist very small facilities exempt from the rule with voluntary 
compliance. Some comments request that FDA clarify how it will work 
with retail stakeholders to strengthen education and training for 
retail facilities that want to take voluntary food defense risk 
reduction measures.
    (Response 102) FDA offers free tools and food defense awareness 
training, as well as guidance, that we intend to update based on the 
final requirements which should assist non-covered entities, such as 
those at the retail level, who wish to voluntarily comply with the 
final provisions of this rule.
    (Comment 103) Some comments support the food defense awareness
training requirement but ask that FDA keep the requirement flexible and 
make clear that online training or other non-FDA developed trainings 
are acceptable. One comment asked us to state whether the ``Food 
Defense 101'' training released in 2013 by FDA is the preferred 
resource for employee awareness training. Some comments state that it 
might not be possible to provide the same type of training to all staff 
at various levels, and that it should be up to the facility to 
determine which training to provide to which staff, based on their food 
defense responsibilities.
    (Response 103) We agree with the need to avoid rigid requirements 
with respect to training content for food defense awareness. We 
recognize that many food defense awareness trainings exist and may 
already be utilized at facilities, and mandating specific content in 
trainings may lead to redundancy and additional cost. We intend to 
update our ``Food Defense 101, Food Defense Awareness for the Front-
line Employee'' training such that it would satisfy the requirement for 
food defense awareness training; however, it is not the only acceptable 
training. In addition, we believe that there are several existing 
trainings that would be acceptable for other activities that may 
require training such as food defense monitoring, food defense 
corrective actions, and food defense verification.
    (Comment 104) Some comments recommend that, because food defense is 
a new and evolving area, and because this regulation will be the first 
of its kind worldwide, training and education need to occur at many 
levels to effectively implement this rule. These comments state that 
FDA must provide significant outreach and education to both industry 
and State regulatory Agencies with jurisdiction over the production of 
human food. These comments emphasize that FDA and State and local 
inspection personnel will need significant training in conducting food 
defense inspections and that training developed for FDA investigators 
should be extended to State and local governments as well as industry 
to help food facilities understand what is expected and how compliance 
will be determined.
    (Response 104) We appreciate these comments regarding consistency 
of training between industry and Federal, State, local and tribal 
regulators, and we agree that this is a novel area of regulation that 
could benefit from alignment of training between the regulated industry 
and its regulators. We have addressed the issue of training for the 
purposes of inspection and compliance in section III.D, but in general, 
FDA is still in the process of assessing its training needs for 
inspection and enforcement of this rule.
    (Comment 105) Some comments state that Alliances have been 
successfully used to support implementation of other national 
requirements, including other FSMA rules, using a partnership model. 
These comments recommend that FDA consider formation of an Alliance 
structure for the area of food defense as well. Comments state that 
Alliances, made up of State and local public health professionals, 
State and local public health associations, and industry can play an 
important role in information sharing and outreach and a formal 
Alliance for food defense is the best way to accomplish the development 
of standardized food defense training content and effective training 
tools and resources.
    (Response 105) We agree with these comments and have funded the 
establishment of an Intentional Adulteration Subcommittee under the 
existing Food Safety Preventive Controls Alliance. We intend to 
leverage the expertise of State and local public health professionals, 
State and local public health associations, and industry associations 
to develop the standardized curriculum needed to meet the training 
requirement.
    (Comment 106) Some comments suggest that FDA establish a technical 
assistance office based out of the Center for Food Safety and Applied 
Nutrition (CFSAN) that can answer queries, provide guidance, and 
release information consistently to both regulators and the covered 
industry to assist with educating industry and regulators.
    (Response 106) FDA has established a FSMA Technical Assistance 
Network (TAN) to provide technical assistance to industry, regulators, 
academia, consumers, and others regarding FSMA implementation. 
Inquiries are answered by FDA Information Specialists or Subject Matter 
Experts, based on the complexity of the question. To find out more 
about the FSMA TAN please visit http://www.fda.gov/food/guidanceregulation/fsma/ucm459719.htm.
    (Comment 107) Some comments request funding from FDA for the 
training of State, local, tribal, and territorial regulators.
    (Response 107) Funding associated with training State, local, 
tribal, and territorial regulators is outside the scope of this rule.
    (Comment 108) One comment asserts that training and compliance 
incentives must be available at the same time the final regulation is 
released to give facilities time to learn about, build, and deploy an 
effective implementation plan.
    (Response 108) It is unclear what is meant by training and 
compliance incentives, but we have established extended compliance 
dates to allow facilities the time necessary to comply with this 
training requirement. See section VIII for information on compliance 
dates.
    (Comment 109) One comment suggests that FDA should mandate training 
on a ``code of ethics'' to prevent economically motivated adulteration.
    (Response 109) Acts of intentional adulteration for the purpose of 
economic gain, i.e., economically motivated adulteration, are outside 
the scope of the rule and are addressed in the preventive controls for 
human food rule (80 FR 55907 at 56028-56029) and the preventive 
controls for animal food final rule (80 FR 56170 at 56244-56246).

VI. Subpart D: Comments on Requirements Applying to Records That Must 
Be Established and Maintained

    We proposed to establish in subpart D requirements that would apply 
to all records that would be required by the various provisions of 
proposed part 121, including general requirements related to the 
content and form of records, additional requirements specific to the 
food defense plan, requirements for record retention, requirements for 
official review of records by FDA, and public disclosure.
    Some comments generally support requiring records to demonstrate 
that a food defense plan has been created, is functioning, and is being 
monitored. However, many comments disagreed with some of the specific 
requirements that we proposed. In the following paragraphs, we discuss 
comments that ask us to clarify the proposed requirements, disagree 
with, or suggest one or more changes to the proposed requirements.

A. Proposed Sec.  121.301--Records Subject to the Requirements of This 
Subpart D

    We proposed that all records required by proposed subpart C (Food 
Defense Measures) are subject to all requirements of this subpart 
except that the requirements of Sec.  121.310 apply only to the written 
food defense plan. We received no comments on this section and are 
finalizing as proposed.

B. Proposed Sec.  121.305--General Requirements Applying to Records

    We proposed that the records must (1) be kept as original records, 
true copies, or electronic records (and that electronic records must be 
kept in accordance with
part 11 (21 CFR part 11)); (2) contain the actual values and 
observations obtained during monitoring; (3) be accurate, indelible, 
and legible; (4) be created concurrently with performance of the 
activity documented; (5) be as detailed as necessary to provide history 
of work performed; and (6) include the name and location of the plant 
or facility, the date and time of the activity documented, the 
signature or initials of the person performing the activity, and, where 
appropriate, the identity of the product and the production code, if 
any. In the following paragraphs, we discuss comments that ask us to 
clarify the proposed requirements or that disagree with, or suggest one 
or more changes to, the proposed requirements.
    (Comment 110) Several comments express concern over the proposed 
requirement that all electronic records be kept in accordance with part 
11 and request that FDA exempt electronic records under part 121 from 
compliance with part 11. Comments argue that while some of the larger 
companies may have the technologies in place to comply with part 11, 
many of the covered facilities do not. These comments assert that 
compliance with part 11 would create the need to redesign and recreate 
existing systems, thus leading to considerable cost, which was not 
taken into account in the cost analysis in the preliminary regulatory 
analysis for the proposed rule. The comments go on to point out that we 
do not impose these requirements for recordkeeping requirements imposed 
under section 414 of the FD&C Act, and that this requirement is an 
added burden and expense that does not have any added benefit to public 
health.
    (Response 110) The final rule does not require compliance with part 
11 (Sec.  121.305 (a)). Similar to the PCHF final rule, we are making a 
conforming change in part 11 to specify in new Sec.  11.1(o) that part 
11 does not apply to records required to be established or maintained 
under part 121, and that records that satisfy the requirements of part 
121, but that also are required under other applicable statutory 
provisions or regulations, remain subject to part 11. Although we are 
not specifying that part 11 applies, facilities should take appropriate 
measures to ensure that records are trustworthy, reliable, and 
generally equivalent to paper records and handwritten signatures 
executed on paper.
    (Comment 111) One comment asserts that while it is common for 
certain records to be created concurrently with performance of the 
activity, some records may require more time for writing, reviewing, 
editing, or approving. The comment requests that we provide for the 
creation of records ``in a timely manner following performance of the 
activity,'' rather than ``concurrently with performance of the 
activity.''
    (Response 111) We decline this request. The comment did not provide 
any specific examples of activities where concurrent record creation 
would prove difficult, and we are not aware of any such circumstance. 
For example, we are not aware of any difficulty complying with 
longstanding similar requirements associated with our HACCP regulations 
for seafood and juice (see Sec. Sec.  123.9(a)(4) and 120.12(b)(4), 
respectively).
    (Comment 112) Some comments assert that for certain production and 
associated activities documenting the time of activity is not 
necessary. Specific examples cited include equipment setup, 
verification of equipment setup, charging an ingredient into a blender, 
and weighing material for process yield and reconciliation purposes. 
These comments ask us to modify the proposed requirements so that the 
records would only be required to include the time of the activity 
where appropriate for food defense.
    (Response 112) The recordkeeping requirements in the rule only 
apply to records required by subpart C (Food defense measures). It is 
not clear that all of the activities specified by the comments relate 
to food defense measures and therefore are subject to the recordkeeping 
requirements in the rule. For records that are required, we agree that 
documenting the time of the activity is not always necessary. The rule 
requires that records must contain ``when appropriate, the time of the 
activity documented'' (Sec.  121.305(f)(2)). Monitoring records are an 
example of when documenting the time of the activity is appropriate 
because monitoring records are used to determine if a particular 
mitigation strategy is properly implemented. Without documenting the 
time the monitoring was conducted, a facility cannot identify patterns 
over time as to the mitigation strategy's implementation and whether 
appropriate corrective actions were being made. For mitigation 
strategies that are not time-dependent (e.g., permanent equipment 
changes to reduce access to the product, such as permanently affixing a 
shield to the rotating air dryer to prevent access to the food at the 
point where product is introduced into the dryer from the pneumatic 
conveyance), facilities are not required to document the time the 
activity was performed.
    (Comment 113) Some comments express concern that we will require 
records to be kept in English. These comments ask us to limit the 
documents that must be written in English to reduce translation and 
records duplication. These comments ask that records related to 
verification and monitoring should be allowed to be written in 
languages other than English.
    (Response 113) The rule does not require that any records be kept 
in English.
    (Comment 114) One comment seeks clarification on whether the use of 
checklist-type forms to document monitoring observations would satisfy 
the requirement in Sec.  121.305(b) that records contain actual values 
and observations obtained during monitoring. The comment argues that 
properly developed checklists will allow monitoring records to be 
accurate, indelible, and legible as required in Sec.  121.305(c) and 
will lessen the recordkeeping burden. For example, monitoring a 
mitigation strategy such as adequate lighting at the truck unloading 
bay could be recorded as a ``yes'' or ``no'' by checking the 
appropriate box on a checklist.
    (Response 114) Although monitoring records must contain the actual 
values and observations obtained during monitoring, facilities have 
flexibility to tailor the amount of detail to the nature of the record 
(Sec.  121.305(e)). Monitoring for adequate lighting at the truck 
unloading bay could be recorded as ``yes'' or ``no'' in either a 
narrative or checklist format. However, in the case of an improperly 
implemented mitigation strategy, we would recommend that the facility 
also document the extent to which the strategy was incorrectly applied, 
because this information would support the identification of previously 
written corrective actions that could be used to remedy the situation, 
as well as provide context as to why the mitigation strategy failed in 
this instance, which would be beneficial information for verification 
activities. For example, if lighting in the bulk unloading bay was 
insufficient, the monitoring document may record this instance as 
``no'' in a checklist and also may note that half of the lights were 
inoperative due to a circuit-breaker that failed. This information 
would be helpful to facility management to determine whether the 
mitigation strategy is consistently applied and appropriate to the 
actionable process step in question. In this case, a faulty circuit 
breaker would be replaced, thereby correcting the deviation in the 
mitigation strategy. The mitigation strategy could still be determined 
to be achieving its aim with 
this corrective action. Alternatively, if monitoring records document 
that the lighting was turned off by an employee, a different corrective 
action may be required, such as retraining of the employee on the 
importance of maintaining adequate lighting in the area. We note in 
Response 83 that ensuring adequate lighting around an actionable 
process step would generally be a mitigation strategy that must be used 
in concert with other strategies to significantly reduce the likelihood 
of, or prevent, successful acts of intentional adulteration at an 
actionable process step.

C. Proposed Sec.  121.310--Additional Requirements Applying to the Food 
Defense Plan

    We proposed that the food defense plan must be signed and dated by 
the owner, operator, or agent in charge of the facility upon initial 
completion and upon any modification. We did not receive any comments 
related to this section, and we are finalizing as proposed.

D. Proposed Sec.  121.315--Requirements for Record Retention

    We proposed that (1) All required records must be retained at the 
facility for at least 2 years after the date they were prepared; (2) 
The food defense plan must be retained at the facility for at least 2 
years after its use is discontinued; (3) Except for the food defense 
plan, offsite storage of records is permitted after 6 months following 
the date that the records were made if such records can be retrieved 
and provided onsite within 24 hours of request for official review; and 
(4) If the facility is closed for a prolonged period, the records may 
be transferred to some other reasonably accessible location but must be 
returned to the plant or facility within 24 hours for official review 
upon request.
    (Comment 115) One comment asserts that a 2-year retention period 
for monitoring, corrective actions, and verification records for a 
product with a short shelf life is unnecessary. The comment argues that 
industry has been following record retention requirements in the 
Seafood HACCP regulation which requires 1 year records retention for 
refrigerated products and 2 years records retention for frozen, 
preserved, or shelf-stable products and requests that we use the same 
requirements in this rule.
    (Response 115) We decline this request. The 2-year record retention 
period is explicitly provided for by section 418(g) of the FD&C Act. 
Further, shelf life is more relevant to record retention requirements 
for the purpose of tracking potentially contaminated food than to 
record retention requirements for the purpose of evaluating compliance 
with this rule. Finally, 2 years is the same retention period as 
required by the PCHF final rule.
    (Comment 116) Some comments ask us to exercise flexibility 
regarding the 2-year record retention requirement because the unique 
nature of food defense activities and the technologies used in 
protecting the food supply against intentional adulteration do not 
typically allow for record retention for such a long period of time. 
For example, several comments explain that records related to video 
surveillance cannot be kept for 2 years because it is impractical; 
industry practice is typically to keep video records for 30 days or 
less. Comments argue that requiring 2-year retention of video records 
would be very difficult and costly, and that FDA likely did not include 
calculations for those added costs in our preliminary regulatory impact 
analysis for the proposed rule.
    (Response 116) The assertion that it is impractical to keep food 
defense records for 2 years seems to reflect a 
misunderstanding of the rule. The rule does not require maintaining 
video surveillance footage for 2 years. Video surveillance used as part 
of a mitigation strategy is not a monitoring record. If the video is 
being sent to a security office for observation, the monitoring record 
could be a log affirming that a security officer reviewed the video and 
detected no abnormal activities. If the video is being watched by a 
security officer in real time, the monitoring record could be the 
timesheets of the security officer showing he was in the security 
office performing his duties in observing the video feed.
    (Comment 117) Some comments ask us to specify our expectations for 
record availability and allow companies the flexibility in using 
technology to meet those expectations. The comments explain that many 
companies keep important records such as food defense plans at their 
corporate headquarters or other central locations and not at individual 
facilities but that the facilities can easily access those records 
electronically if needed. The comments also assert that the 6-month onsite 
record retention requirement is arbitrary and that FDA should establish 
a workable requirement that provides for the efficient storage and 
retrieval of records in a timely manner. Some comments ask us to revise 
the requirement so that records that can be retrieved and provided 
onsite within 24 hours would be sufficient.
    (Response 117) We have revised the provisions to provide for 
offsite storage of all records (except the food defense plan), provided 
that the records can be retrieved and made available to us within 24 
hours of a request for official review. We expect that many records 
will be electronic records that are accessible from an onsite location 
and, thus, would be classified as being onsite (see Sec.  121.315(c)). 
As a companion change, we have revised the proposed provision directed 
to the special circumstance of storing records when a facility is 
closed for prolonged periods of time so that it only relates to the 
offsite storage of the food defense plan in such circumstances (see 
Sec.  121.315(d)). Further, we require records that a facility relies 
on during the 3-year period preceding the applicable calendar year to 
support its status as exempt as a very small business must be retained 
at the facility as long as necessary to support the status of a 
facility as a very small business during the applicable calendar year 
(see Sec.  121.315(a)(2)).
    (Comment 118) One comment states that records and documentation 
should not increase costs for farm-based operations, most of whom 
operate as small businesses. They argue that these businesses already 
maintain a variety of records but some do not have the technical or 
financial resources available to maintain an electronic system for 
records. The comment requests that FDA accept records in formats that 
are not electronic.
    (Response 118) To clarify, we did not propose to require that any 
records must be kept in electronic format. In addition, this rule does 
not apply to farms.

E. Proposed Sec.  121.320--Requirements for Official Review

    We proposed that all records required by this part must be made 
promptly available to a duly authorized representative of the Secretary 
of Health and Human Services upon oral or written request. In the 
following paragraphs, we discuss comments that ask us to clarify the 
proposed requirements or that disagree with, or suggest one or more 
changes to, the proposed requirements.
    (Comment 119) Some comments assert that FDA investigators should 
only review food defense plans on site and that we should not copy, 
photograph, transmit, or take possession of food defense plans. These 
comments assert that onsite review of records allows facility staff 
that is familiar with the documents and recordkeeping 
practices to answer any questions or provide clarification to the 
investigator. Some comments state that we should make it clear that any 
State investigators must follow the same policy and not copy, 
photograph, transmit, or take possession of food defense plans. Other 
comments assert that we should only take possession of food defense 
plans for compliance reasons or in the event of an emergency or a 
credible threat.
    (Response 119) Some of the issues raised by these comments are 
similar to issues raised by comments on the PCHF rule (see the 
discussion at 80 FR 55908 at 56091) and seafood HACCP rule (see the 
discussion at 60 FR 65096 at 65137-65140, December 18, 1995). During an 
inspection, we expect that FDA investigators will determine whether to 
copy records on a case-by-case basis as necessary and appropriate. It 
may be necessary to copy records when, for example, our investigators 
need assistance in reviewing a certain record from relevant experts in 
headquarters. If we are unable to copy records, we would have to rely 
solely on our investigators' notes and reports when drawing 
conclusions. In addition, copying records will facilitate follow-up 
regulatory actions. The public availability of any records that FDA 
would possess as a result of copying during an inspection would be 
governed by section 301(j) of the FD&C Act and by the Freedom of 
Information Act (FOIA) and regulations issued pursuant to it by the 
Department of Health and Human Services (DHHS) and FDA. Section 301(j) 
of the FD&C Act expressly prohibits FDA from disclosing trade secret 
information obtained during the course of an inspection. FDA's 
disclosure regulations also provide that FDA will not divulge either 
trade secret or confidential commercial information. See section VI.F. 
for a further discussion of protecting food defense records from 
disclosure.
    (Comment 120) Some comments assert that FDA investigators should 
not include details of food defense plans in the Establishment 
Inspection Reports (EIR) Form 483 and that food defense information 
should be kept separate from food safety information on FDA reports. 
The comments argue that if investigators include food defense-related 
noncompliance on an official report, that report could become public 
and could increase the risk to public health by disclosing weak points 
in a facility's food defense plan.
    (Response 120) As we do now, FDA would redact any protected 
information in an EIR or other document before publicly releasing the 
document. See section VI.F for further discussion of protecting food 
defense records from disclosure.
    (Comment 121) One comment asserts that section 106 of FSMA does not 
give FDA express access to review food defense plans and that FSMA 
indicates a Congressional intent to limit the distribution of certain 
materials related to food defense.
    (Response 121) The provisions in section 106 of FSMA concerning 
limited distribution relate to the ability of the Secretary of HHS (and 
by delegation, FDA) to limit the distribution of certain information 
already in the Agency's possession. Specifically, section 420(a)(2) of 
the FD&C Act authorizes FDA to determine the time, manner, and form in 
which a vulnerability assessment is made publicly available. Further, 
section 420(b)(3) provides for FDA to determine the time, manner, and 
form in which certain guidance documents are made public. The 
provisions do not limit FDA's authority to access information in a 
facility's possession, such as a food defense plan.
    Further, the ability of FDA to review food defense plans is 
necessary for the efficient enforcement of the FD&C Act. The rule 
requires a food defense plan consisting of a written vulnerability 
assessment, mitigation strategies, and procedures for food defense 
monitoring, corrective actions, and verification. Access to food 
defense plans is necessary for FDA to assess the adequacy of each of 
these documents and determine compliance with the rule. For example, to 
assess compliance with Sec.  121.130(a), FDA must review a facility's 
vulnerability assessment to determine whether it includes an evaluation 
of the potential public health impact if a contaminant were added, the 
degree of physical access to the product, and the ability of an 
attacker to successfully contaminate the product.
    In addition to section 420 (added to the FD&C Act by section 106 of 
FSMA), FDA is issuing this rule under the authority of section 418 of 
the FD&C Act. Section 418 explicitly provides authority for FDA access 
to certain documents. Under section 418, the required ``written plan, 
together with the documentation of [monitoring, instances of 
nonconformance, the results of testing and other appropriate means of 
verification, instances where corrective actions were implemented, and 
the efficacy of preventive controls and corrective actions] shall be 
made promptly available to [FDA] upon oral or written request.''
    (Comment 122) One comment asserts that neither section 103 nor 106 
of FSMA expressly provides FDA with the authority to copy food defense 
plans or records.
    (Response 122) As we described in the seafood HACCP rule (60 FR 
65096 at 65101, December 18, 1995), to effectuate the broad purposes of 
the FD&C Act, there may be some circumstances in which access to the 
records would be meaningless without the opportunity to copy them, and 
therefore copying records is necessary for the efficient enforcement of 
the FD&C Act. For further discussion of copying records, see response 
to Comment 121.

F. Proposed Sec.  121.325--Public Disclosure

    We proposed that records required by this part will be protected 
from public disclosure to the extent allowable under part 20 of this 
chapter. We received numerous comments expressing concern with 
protecting food defense plans and records from public disclosure, 
especially due to the sensitive nature of the content within a food 
defense plan. One comment fully supports our proposal and believes 
there is sufficient precedent and need to protect the sensitive 
documents from public disclosure. In the following paragraphs, we 
discuss comments that ask us to clarify the proposed requirements or 
that disagree with, or suggest one or more changes to, the proposed 
requirements.
    (Comment 123) Some comments assert that food defense plans include 
information that is commercial confidential or trade secret and, 
therefore, should be exempt from disclosure under FOIA. The comments 
argue that food defense plans may include information on a facility's 
food defense-related measures and that disclosure of one facility's 
food defense plan may adversely affect other facilities and companies 
that may process similar foods or have similar processing procedures.
    (Response 123) FDA protects records from disclosure under Exemption 
4 of FOIA to the extent they contain ``trade secrets'' or ``commercial 
or financial information obtained from a person and privileged or 
confidential.'' The questions raised in these comments are similar to 
some of the questions raised during the rulemaking to establish our 
HACCP regulation for seafood (see the discussion at 60 FR 65096 at 
65137-65140). Our experience in conducting CGMP inspections in 
processing plants, our experience with enforcing our HACCP regulations 
for seafood and juice, and our understanding from the Regulatory Impact 
Analysis for this rule make it clear that food defense plans 
will take each facility time and money to develop.
    There is value in a plan to a company that produces it for no other 
reason than that it took work to write. The equity in such a product is 
not readily given away to competitors. We expect that plant 
configurations will be unique to individual processors, or at least 
have unique features, as was the case in the seafood industry (Ref. 
16). While generic plans will have great utility in many circumstances, 
they will serve primarily as starting points for facilities to develop 
their own plans. Facilities will still need to expend time and money to 
tailor a generic food defense plan to their individual circumstances. 
Thus, we conclude that food defense plans generally will meet the 
definition of trade secret, including the court's definition in Public 
Citizen Health Research Group v. FDA, 704 F.2d 1280 (D.C. Cir. 1983).
    (Comment 124) Some comments ask us to provide assurances that food 
defense plans and related records will not be made public and assert 
that protecting these documents from disclosure to the extent allowable 
under part 20 may not be sufficient. They argue that food defense plans 
are more sensitive than food safety plans because food defense plans 
contain specifics on a facility's vulnerabilities and how they protect 
those vulnerabilities, and as such, could provide a ``road map'' for 
individuals intending to cause harm. These comments state that FDA 
should be more protective of food defense plans and argue that due to 
the sensitivity of information contained in food defense plans, it is 
too risky to rely on FOIA exemptions alone.
    (Response 124) We agree that food defense plans contain 
information that presents sensitivities not likely to be present in 
food safety plans. Exemption 7(F) of FOIA allows Agencies to withhold 
``records or information compiled for law enforcement purposes . . . to 
the extent that production of such law enforcement records or 
information . . . could reasonably be expected to endanger the life or 
physical safety of any individual.'' Food defense plans are likely to 
meet the criteria to withhold them from disclosure under exemption 
7(F). Food defense plans in FDA's possession would be compiled for law 
enforcement purposes because they would be collected as part of 
compliance efforts. Further, production of such records could 
reasonably be expected to endanger life or physical safety. 
Specifically, a food defense plan is likely to contain information that 
could be used to identify weaknesses in a facility's security, to 
choose targets, and to help plan and execute an attack involving 
intentional adulteration.
    (Comment 125) Some comments state that food defense plans could be 
classified under Executive Order 13526 because their unauthorized 
disclosure could reasonably be expected to cause identifiable or 
describable damage to national security and because food defense plans 
pertain to ``vulnerabilities or capabilities of systems, installations, 
infrastructures, projects, plans, or protection services relating to 
national security.'' These comments acknowledge that classifying food 
defense plans would be cumbersome and access to the classified 
documents would be extremely restricted and therefore, they recommend 
that FDA implement a policy that FDA investigators not copy, 
photograph, or transmit any food defense plan records or make detailed 
notes about the food defense plans in the Establishment Inspection 
Reports that could reveal sensitive information.
    (Response 125) See response to Comment 124 for a discussion of FDA 
handling of food defense plans. We note that FDA cannot classify food 
defense plans under Executive Order 13526. That executive order 
provides that information may be originally classified only if several 
conditions are met, including that the information is owned by, 
produced by or for, or is under the control of the U.S. Government. A 
food defense plan that is developed by industry for use by industry is 
not owned by, produced by or for, or under the control of, the U.S. 
Government.
    (Comment 126) One comment suggests that FDA only allow 
investigators who have the appropriate national security credentials 
(e.g., background checks, security clearances) to review the content of 
a food defense plan. The comment asserts that this will help prevent 
the risk of a sophisticated insider attack by a potential wrongdoer who 
has infiltrated the Agency.
    (Response 126) All FDA investigators and contracted State 
investigators are required to undergo background checks by the Federal 
government prior to employment and periodically thereafter. Food 
defense plans are not classified, and therefore FDA investigators would 
not need national security clearances.
    (Comment 127) Some comments state that FDA should, at a minimum, be 
aligned with and apply the same protection for food defense plans and 
records required under this part as HACCP seafood and juice regulations 
(see Sec. Sec.  123.9(d) and 120.12(f), respectively).
    (Response 127) We disagree that the proposed provisions governing 
public disclosure are not aligned with the public disclosure provisions 
of our HACCP regulations for seafood and juice. Our regulations in part 
20 regarding public information apply to all Agency records, regardless 
of whether a particular recordkeeping requirement says so. In the 
public disclosure provisions for our HACCP regulations for seafood and 
juice, we provided specific details about how particular provisions in 
part 20 (i.e., Sec.  20.61 (Trade secrets and commercial or financial 
information which is privileged or confidential) and Sec.  20.81 (Data 
and information previously disclosed to the public)) would apply to the 
applicable records, because we recognized that such details were of 
particular interest to the regulated industries and such recordkeeping 
requirements were relatively new. In this rule, we framed the 
provisions regarding public disclosure more broadly by referring to all 
the requirements of part 20, consistent with our more recent approach 
to public disclosure provisions in regulations (see e.g., 21 CFR 
112.167, 117.325).
    (Comment 128) Some comments assert that FDA should develop guidance 
and training for industry on how to protect food defense-related 
documents because industry is developing these documents to meet an FDA 
requirement and has a potential to increase the risk to public health.
    (Response 128) Our implementation of this rule will involve a 
broad, collaborative effort to foster awareness and compliance through 
guidance, education, and technical assistance. We agree that protection 
of food defense plans--by FDA and by industry--is important; we plan on 
including information within guidance for industry on best practices 
for how to protect food defense plans.

G. Proposed Sec.  121.330--Use of Existing Records

    We are adding new section Sec.  121.330 (Use of Existing Records) 
to the final rule to increase recordkeeping flexibility. Section 
121.330 specifies that existing records (e.g., records that are kept to 
comply with other Federal, State, or local regulations) do not need to 
be duplicated if they contain all of the required information and 
satisfy the requirements of subpart D. Section 121.330 also provides 
that existing records may be supplemented as necessary to include all 
of the required information. Further, Sec.  121.330 clarifies that the 
information required does not need to be kept in one set of records; if 
existing records contain some of the required information, any new 
information required may be kept either separately or combined with the 
existing records.

VII. Subpart E: Comments on Compliance--Proposed Sec.  121.401

1. Proposed Sec.  121.401(a)--Failure To Comply With Section 418 of the 
FD&C Act
    We proposed that the operation of a facility that manufactures, 
processes, packs, or holds food for sale in the United States if the 
owner, operator, or agent in charge of such facility is required to 
comply with, and is not in compliance with, section 418 of the FD&C Act 
or subparts C or D of this part is a prohibited act under section 
301(uu) of the FD&C Act.
    We did not receive any comments on this provision, and we are 
finalizing as proposed.
2. Proposed Sec.  121.401(b)--Failure To Comply With Section 420 of the 
FD&C Act
    We proposed that the failure to comply with section 420 of the FD&C 
Act or subparts C or D of this part is a prohibited act under section 
301(ww) of the FD&C Act.
    We did not receive any comments on this provision, and we are 
finalizing as proposed.

VIII. Effective and Compliance Dates

    We proposed the effective date would be 60 days after this final 
rule is published. However, we proposed a longer timeline for 
facilities to come into compliance. As proposed, facilities, other than 
small and very small businesses, would have 1 year after the effective 
date to comply with part 121. Small businesses (i.e., those employing 
fewer than 500 persons) would have 2 years after the effective date to 
comply with part 121. Very small businesses (i.e., businesses that have 
less than $10,000,000 in total annual sales of food, adjusted for 
inflation) would have 3 years after the effective date to comply with 
Sec.  121.5(a).
    Some comments express concern that facilities will not have the 
time or resources to implement requirements for the intentional 
adulteration rule at the same time they must comply with other FSMA 
rules. Some comments also state that more time is necessary to comply 
with this rule because food defense is different from current 
requirements for food safety. These comments request additional time 
for compliance.
    We agree with the comments and are providing more time for 
facilities to come into compliance. Facilities, other than small and 
very small businesses, have 3 years after the effective date to comply 
with part 121. Small businesses (i.e., those employing fewer than 500 
full-time equivalent employees) have 4 years after the effective date 
to comply with part 121. Very small businesses (i.e., businesses that 
have less than $10,000,000, adjusted for inflation, per year, during 
the 3-year period preceding the applicable calendar year in both sales 
of human food plus the market value of human food manufactured, 
processed, packed, or held without sale) have 5 years after the 
effective date to comply with Sec.  121.5(a).

IX. Executive Order 13175

    In accordance with Executive Order 13175, FDA has consulted with 
tribal government officials. A Tribal Summary Impact Statement has been 
prepared that includes a summary of Tribal officials' concerns and how 
FDA has addressed them (Ref. 17). Persons with access to the Internet 
may obtain the Tribal Summary Impact Statement at 
http://www.fda.gov/Food/GuidanceRegulation/FSMA/ucm378628 or at 
http://www.regulations.gov. Copies of the Tribal Summary Impact 
Statement also 
may be obtained by contacting the person listed under FOR FURTHER 
INFORMATION CONTACT.

X. Final Regulatory Impact Analysis

    We have examined the impacts of the final rule under Executive 
Order 12866, Executive Order 13563, the Regulatory Flexibility Act (5 
U.S.C. 601-612), and the Unfunded Mandates Reform Act of 1995 (Pub. L. 
104-4). Executive Orders 12866 and 13563 direct Agencies to assess all 
costs and benefits of available regulatory alternatives and, when 
regulation is necessary, to select regulatory approaches that maximize 
net benefits (including potential economic, environmental, public 
health and safety, and other advantages; distributive impacts; and 
equity). We have developed a comprehensive Economic Analysis of Impacts 
that assesses the impacts of the final rule. We believe that this final 
rule is a significant regulatory action under Executive Order 12866.
    The Regulatory Flexibility Act requires us to analyze regulatory 
options that would minimize any significant impact of a rule on small 
entities. The annualized costs per entity due to this rule are about 
$13,000 for a one-facility firm with 100 employees, and there are about 
4,100 small businesses that would be affected by the rule, so we 
tentatively conclude that the final rule could have a significant 
economic impact on a substantial number of small entities.
    The Small Business Regulatory Enforcement Fairness Act of 1996 
(Pub. L. 104-121) defines a major rule for the purpose of congressional 
review as having caused or being likely to cause one or more of the 
following: An annual effect on the economy of $100 million or more; a 
major increase in costs or prices; significant adverse effects on 
competition, employment, productivity, or innovation; or significant 
adverse effects on the ability of U.S.-based enterprises to compete 
with foreign-based enterprises in domestic or export markets. In 
accordance with the Small Business Regulatory Enforcement Fairness Act, 
the Office of Management and Budget (OMB) has determined that this rule 
is a major rule for the purpose of Congressional review.
    The Unfunded Mandates Reform Act of 1995 (section 202(a)) requires 
us to prepare a written statement, which includes an assessment of 
anticipated costs and benefits, before proposing ``any rule that 
includes any Federal mandate that may result in the expenditure by 
State, local, and tribal governments, in the aggregate, or by the 
private sector, of $100,000,000 or more (adjusted annually for 
inflation) in any one year.'' The current threshold after adjustment 
for inflation is $144 million, using the most current (2014) Implicit 
Price Deflator for the Gross Domestic Product. This final rule may 
result in a 1-year expenditure that would meet or exceed this amount.

XI. Paperwork Reduction Act of 1995

    This rule contains information collection requirements that are 
subject to review by the OMB under the Paperwork Reduction Act of 1995 
(PRA) (44 U.S.C. 3501-3521). A description of these provisions is given 
in this section with an estimate of the annual reporting and 
recordkeeping burden; there is no third-party disclosure burden 
associated with the information collection. Included in the estimate is 
the time for reviewing instructions, searching existing data sources, 
gathering and maintaining the data needed, and completing and reviewing 
each collection of information.
    Title: Mitigation Strategies to Protect Food Against Intentional 
Adulteration
    Description: The Food and Drug Administration (FDA or we) is 
requiring domestic and foreign food facilities that are required to 
register under the Federal Food, Drug, and Cosmetic Act to address 
hazards that may be introduced with the intention to cause wide scale 
public health harm. These food facilities are required to identify and 
implement mitigation strategies that significantly minimize or prevent 
significant
vulnerabilities identified at actionable process steps in a food 
operation. FDA is promulgating these requirements as part of our 
implementation of the FDA Food Safety Modernization Act (FSMA). We 
expect the rule to help protect food from acts of intentional 
adulteration intended to cause wide scale public health harm.
    Description of Respondents: Respondents to the collection are food 
production facilities with more than $10 million in annual sales. We 
estimate there are 9,759 such facilities owned by 3,247 firms. We 
estimate there are 18,080 facilities with less than $10 million in 
annual sales that will need to show documentation of their exemption 
status under the rule, upon request.
    In the Federal Register of December 24, 2013, FDA published a 
proposed rule including a PRA analysis of the information collection 
provisions found in the regulations. While FDA did not receive specific 
comments in response to the four information collection topics 
solicited, comments in response to the rule are addressed elsewhere in 
this document. Comments filed in response to the rulemaking are filed 
under Docket No. FDA-2013-N-1425.
    We estimate the burden for this information collection as follows:
    Reporting: The rule does not apply to very small businesses, except 
that ``a very small business'' is required to provide for official 
review, upon request, documentation that was relied upon to demonstrate 
that the facility meets this exemption. At this time we estimate there 
are 18,080 firms with less than $10 million in annual sales, exempting 
them from the rule. However, these facilities must show documentation 
upon request to verify their exempt status under the regulations (Sec.  
121.5(a)). We estimate preparing and updating relevant files will 
require an average of 30 minutes per respondent for a total annual 
burden of 9,040 hours (30 minutes x 18,080), as reflected in table 4.

                                                     Table 4--Estimated Annual Reporting Burden \1\
--------------------------------------------------------------------------------------------------------------------------------------------------------
                                                                                         Number of
                      21 CFR Section; activity                          Number of      responses per   Total annual    Average burden per    Total hours
                                                                       respondents       respondent      responses          response
--------------------------------------------------------------------------------------------------------------------------------------------------------
Sec.   121.5; Exemption for food from very small businesses........          18,080                1             1      0.50 (30 minutes)         9,040
--------------------------------------------------------------------------------------------------------------------------------------------------------
\1\ There are no capital costs, or operating and maintenance costs associated with this collection.

    Recordkeeping: Under the rule, the owner, operator, or agent in 
charge of a facility must prepare, or have prepared, and implement a 
written food defense plan, including a written vulnerability 
assessment; written mitigation strategies; written procedures for 
defense monitoring; written procedures for food defense corrective 
actions; and written procedures for food defense verification. Table 5 
shows the estimated recordkeeping burden associated with these 
activities, totaling 2,515,258 annual burden hours and 409,486 annual 
responses. This is a revision from our previous estimate, reflecting a 
slight decrease in burden hours as a result of finalizing regulatory 
requirements from the proposed rule and revising the number of 
estimated respondents.

                               Table 5--Estimated Annual Recordkeeping Burden \1\
----------------------------------------------------------------------------------------------------------------
                                                      Number of       Total
     21 CFR Section; activity         Number of      records per      annual    Average  burden per  Total hours
                                    recordkeepers   recordkeeper     records        recordkeeping
----------------------------------------------------------------------------------------------------------------
Food Defense Plan; Sec.   121.126           3,247               1        3,247  23 hrs.............       74,681
Vulnerability Assessment; Sec.              9,759               1        9,759  20 hrs.............      195,180
 121.130.
Mitigation Strategies; Sec.                 9,759               1        9,759  20 hrs.............      195,180
 121.135(b).
Monitoring, Corrective Actions,             9,759               1        9,759  175 hrs............    1,707,825
 Verification; Sec.   121.140(a),
 Sec.   121.145(a)(1), Sec.
 121.150(b).
Training; Sec.   121.4...........         367,203               1      367,203  0.67 hrs. (40            244,802
                                                                                 minutes).
Records; Sec.   121.305, Sec.               9,759               1        9,759  10 hrs.............       97,590
 121.310.
                                  ------------------------------------------------------------------------------
    Total........................  ..............  ..............      409,486  ...................    2,515,258
----------------------------------------------------------------------------------------------------------------
\1\ Costs of compliance are discussed in the Final Regulatory Impact Analysis to this final rule.

    We estimate 3,247 firms will need to create a food defense plan 
under Sec.  121.126, that a one-time burden of 50 hours will be needed 
to create such a plan, and that a burden of 10 hours will be required 
to update the plan. We annualize this estimate by dividing the total 
number of burden hours (70 hours) over a 3-year period, as reflected in 
table 5, row 1.
    Under Sec.  121.130, each of the estimated 9,759 food production 
facilities will identify and specify actionable process steps for its 
food defense plan. We estimate that an individual at the level of an 
operations manager will need 20 hours for this activity, as reflected 
in table 5, row 2. At the same time we note that this is a one-time 
burden we expect will have been realized upon implementation of the 
rule by the affected facilities. In our subsequent evaluation of the 
burden associated with this information collection provision, we will 
adjust our estimate accordingly.
    Under Sec.  121.135(b), each of the estimated 9,759 facilities must 
identify and implement mitigation strategies for each actionable 
process step to provide assurances that any significant vulnerability 
at each step is significantly minimized or prevented, ensuring that the 
food manufactured, processed, packed, or held by the facility will not 
be adulterated. The rule does not specify a specific number or set of 
mitigation strategies to be implemented. Some of the covered facilities 
are already implementing mitigation strategies. We estimate it will 
require an average of 20 hours per facility to satisfy the 
recordkeeping burden associated with these activities for a total of 
195,180 hours, as reflected in table 5, row 3.
    We estimate that the recordkeeping activities associated with 
monitoring,
documenting mitigation strategies, implementing necessary corrective 
actions, and verification activities will require first-line 
supervisors or others responsible for quality control an average of 175 
hours for each recordkeeper, and that these provisions apply to each of 
the 9,759 facilities. This results in a total of 1,707,825 annual 
burden hours, as reflected in table 5, row 4.
    We estimate that recordkeeping activities associated with training 
under Sec.  121.4 total 244,802 annual burden hours, as reflected in 
table 5, row 5. This figure assumes that there are an estimated 1.2 
million employees working at the regulated facilities and that 30 
percent of them (367,203) will require training. This figure also 
assumes that the average burden for the associated recordkeeping 
activity is approximately 40 minutes (or 0.67 hours) per record.
    Finally, we expect each of the estimated 9,759 firms will fulfill 
the recordkeeping requirements under Sec.  121.305 and Sec.  121.310, 
and that it will require the equivalent of an operations manager and a 
legal analyst an average of 5 hours each (10 hours) per record, as 
reflected in table 5, row 6.

XII. Analysis of Environmental Impact

    We previously considered the environmental effects of this rule, as 
stated in the proposed rule (78 FR 78014). We stated that we had 
determined under 21 CFR 25.30(h) and 21 CFR 25.30(j) that this action 
is of a type that does not individually or cumulatively have a 
significant effect on the human environment such that neither an 
environmental assessment nor an environmental impact statement is 
required. We have not received any new information or comments that 
would affect our previous determination (Ref. 18).

XIII. Federalism

    FDA has analyzed this final rule in accordance with the principles 
set forth in Executive Order 13132. FDA has determined that the rule 
does not contain policies that have substantial direct effects on the 
States, on the relationship between the National Government and the 
States, or on the distribution of power and responsibilities among the 
various levels of government. Accordingly, the Agency has concluded 
that the rule does not contain policies that have federalism 
implications as defined in the Executive order and, consequently, a 
federalism summary impact statement is not required.

XIV. References

    The following references are on display in the Division of Dockets 
Management (HFA-305), Food and Drug Administration, 5630 Fishers Lane, 
Rm. 1061, Rockville, MD 20852, and are available for viewing by 
interested persons between 9 a.m. and 4 p.m., Monday through Friday; 
they are also available electronically at http://www.regulations.gov. 
FDA has verified the Web site addresses, as of the date this document 
publishes in the Federal Register, but Web sites are subject to change 
over time.

1. FDA Memorandum. ``FDA Memorandum to Dockets on Records of 
Outreach. See Reference 7 to the 2014 supplemental human preventive 
controls notice,'' 2013.
2. FDA Memorandum. ``Memoranda of Outreach,'' 2015.
3. FDA. ``Appendix 3 to the Final Qualitative Risk Assessment: Risk 
of Activity/Food Combinations for Activities (Outside the Farm 
Definition) Conducted in a Facility Co-Located on a Farm,'' 2016.
4. Avel, D., ``ISIS Calls for Poisoning and Running Down 
Westerners.'' The Algemeiner (http://www.algemeiner.com/2014/11/28/isis-calls-for-poisoning-and-running-down-westerners/#), November 
28, 2014. Accessed December 15, 2015.
5. Norton, R.A., ``Food Defense in the Age of Domestic Terrorism.'' 
Food Safety Magazine (http://www.foodsafetymagazine.com/enewsletter/food-defense-in-the-age-of-domestic-terrorism/), December 15, 2015. 
Accessed December 15, 2015.
6. Valdmanis, R., ``Boston Bomb Suspect Influenced by Al Qaeda: 
Expert Witness.'' Reuters (http://www.reuters.com/article/us-boston-bombings-trial-idUSKBN0MJ0Z620150323), March 23, 2015. Accessed 
December 15, 2015.
7. Faiola, A., and S. Mekhennet, ``Paris Attacks Were Carried Out by 
Three Groups Tied to Islamic State, Official Says.'' The Washington 
Post (https://www.washingtonpost.com/world/string-of-paris-terrorist-attacks-leaves-over-120-dead/2015/11/14/066df55c-8a73-11e5-bd91-d385b244482f_story.html), November 15, 2015. Accessed 
December 15, 2015.
8. ``Toxins Tie Suspect to Poisonings.'' The Japan Times (http://www.japantimes.co.jp/news/2014/01/26/national/crime-legal/toxins-tie-suspect-to-poisonings/#.VvBCLnn2ZD9) January 26, 2014. Accessed 
December 14, 2015.
9. ``Toshiki Abe Arrested for Poisoning Frozen Food in Japan.'' 
news.com.au (http://www.news.com.au/world/toshiki-abe-arrested-for-poisoning-frozen-in-japan/story-fndir2ev-1226810502913) January 25, 
2014. Accessed December 15, 2015.
10. Global Food Safety Initiative. ``GFSI Guidance Document Version 
6.3.'' (http://www.mygfsi.com/images/mygfsi/gfsifiles/information-kit/GFSI_Guidance_Document.pdf), 2012.
11. Safe Quality Food Institute. ``SQF Code: A HACCP-Based Supplier 
Assurance Code for the Food Industry, Edition 7.1'' April 2013.
12. International Featured Standards. ``IFS Food: Standard for 
Auditing Quality and Food Safety of Food Products, Version 6.'' 
(http://www.ifscertification.com/images/ifs_standards/ifs6/IFS_Food_V6_en.pdf) January 2012. Accessed November 10, 2015.
13. Hamilton, P.J., ``Center for Food Safety, et al. v. Margaret A. 
Hamburg, M.D. Order Granting Injunctive Relief.'' United States 
District Court Northern District of California. http://www.centerforfoodsafety.org/files/fsma-remedy-order_52466.pdf, June 
21, 2013.
14. FDA. ``Mitigation Strategies to Protect Food Against Intentional 
Adulteration: Regulatory Impact Analysis, Regulatory Flexibility 
Analysis, and Unfunded Mandates Reform Act Analysis,'' 2016.
15. FDA Memorandum. ``Memo Detailing an Evaluation of the Potential 
For Wide-Scale Public Health Harm Resulting From Intentional 
Adulteration Of Mineral oil When Used as a Dust Control Agent During 
Storage and Handling Raw Grain,'' November 16, 2015.
16. FDA. ``CPG Sec. 555.300 Foods, Except Dairy Products--
Adulteration With Salmonella,'' March 1995.
17. FDA. ``Tribal Summary Impact Statement,'' 2016.
18. FDA. ``Memorandum to the File: Environmental Analysis Related to 
the Final Rule on Mitigation Strategies to Protect Food Against 
Intentional Adulteration.'' February 2016.

List of Subjects

21 CFR Part 11

    Administrative practice and procedure, Computer technology, 
Reporting and recordkeeping requirements.

21 CFR Part 121

    Food packaging, Foods.

    Therefore, under the Federal Food, Drug, and Cosmetic Act and under 
authority delegated to the Commissioner of Food and Drugs, 21 CFR 
Chapter 1 is amended as follows:

PART 11--ELECTRONIC RECORDS; ELECTRONIC SIGNATURES

1. The authority citation for part 11 continues to read as follows:

    Authority: 21 U.S.C. 321-393; 42 U.S.C. 262.


2. In Sec.  11.1, add paragraph (o) to read as follows:


Sec.  11.1  Scope.

* * * * *
    (o) This part does not apply to records required to be established 
or maintained
by part 121 of this chapter. Records that satisfy the requirements of 
part 121 of this chapter, but that also are required under other 
applicable statutory provisions or regulations, remain subject to this 
part.

3. Add part 121 to read as follows:

PART 121--MITIGATION STRATEGIES TO PROTECT FOOD AGAINST INTENTIONAL 
ADULTERATION

Sec.
Subpart A--General Provisions
121.1 Applicability.
121.3 Definitions.
121.4 Qualifications of individuals who perform activities under 
subpart C of this part.
121.5 Exemptions.
Subpart B--Reserved
Subpart C--Food Defense Measures
121.126 Food defense plan.
121.130 Vulnerability assessment to identify significant 
vulnerabilities and actionable process steps.
121.135 Mitigation strategies for actionable process steps.
121.138 Mitigation strategies management components.
121.140 Food defense monitoring.
121.145 Food defense corrective actions.
121.150 Food defense verification.
121.157 Reanalysis.
Subpart D--Requirements Applying to Records That Must Be Established 
and Maintained
121.301 Records subject to the requirements of this subpart.
121.305 General requirements applying to records.
121.310 Additional requirements applying to the food defense plan.
121.315 Requirements for record retention.
121.320 Requirements for official review.
121.325 Public disclosure.
121.330 Use of existing records.
Subpart E--Compliance
121.401 Compliance.

    Authority:  21 U.S.C. 331, 342, 350g, 350(i), 371, 374.

Subpart A--General Provisions


Sec.  121.1  Applicability.

    This part applies to the owner, operator or agent in charge of a 
domestic or foreign food facility that manufactures/processes, packs, 
or holds food for consumption in the United States and is required to 
register under section 415 of the Federal Food, Drug, and Cosmetic Act, 
unless one of the exemptions in Sec.  121.5 applies.


Sec.  121.3  Definitions.

    The definitions and interpretations of terms in section 201 of the 
Federal Food, Drug, and Cosmetic Act are applicable to such terms when 
used in this part. The following definitions also apply:
    Actionable process step means a point, step, or procedure in a food 
process where a significant vulnerability exists and at which 
mitigation strategies can be applied and are essential to significantly 
minimize or prevent the significant vulnerability.
    Adequate means that which is needed to accomplish the intended 
purpose in keeping with good public health practices.
    Affiliate means any facility that controls, is controlled by, or is 
under common control with another facility.
    Calendar day means every day as shown on the calendar.
    Contaminant means, for purposes of this part, any biological, 
chemical, physical, or radiological agent that may be added to food to 
intentionally cause illness, injury, or death.
    Facility means a domestic facility or a foreign facility that is 
required to register under section 415 of the Federal Food, Drug, and 
Cosmetic Act, in accordance with the requirements of part 1, subpart H 
of this chapter.
    Farm means farm as defined in Sec.  1.227 of this chapter.
    FDA means the Food and Drug Administration.
    Food means food as defined in section 201(f) of the Federal Food, 
Drug, and Cosmetic Act and includes raw materials and ingredients.
    Food defense means, for purposes of this part, the effort to 
protect food from intentional acts of adulteration where there is an 
intent to cause wide scale public health harm.
    Food defense monitoring means to conduct a planned sequence of 
observations or measurements to assess whether mitigation strategies 
are operating as intended.
    Food defense verification means the application of methods, 
procedures, and other evaluations, in addition to food defense 
monitoring, to determine whether a mitigation strategy or combination 
of mitigation strategies is or has been operating as intended according 
to the food defense plan.
    Full-time equivalent employee is a term used to represent the 
number of employees of a business entity for the purpose of determining 
whether the business qualifies as a small business. The number of full-
time equivalent employees is determined by dividing the total number of 
hours of salary or wages paid directly to employees of the business 
entity and of all of its affiliates and subsidiaries by the number of 
hours of work in 1 year, 2,080 hours (i.e., 40 hours x 52 weeks). If 
the result is not a whole number, round down to the next lowest whole 
number.
    Holding means storage of food and also includes activities 
performed incidental to storage of food (e.g., activities performed for 
the safe or effective storage of that food, such as fumigating food 
during storage, and drying/dehydrating raw agricultural commodities 
when the drying/dehydrating does not create a distinct commodity (such 
as drying/dehydrating hay or alfalfa)). Holding also includes 
activities performed as a practical necessity for the distribution of 
that food (such as blending of the same raw agricultural commodity and 
breaking down pallets), but does not include activities that transform 
a raw agricultural commodity into a processed food as defined in 
section 201(gg) of the Federal Food, Drug, and Cosmetic Act. Holding 
facilities could include warehouses, cold storage facilities, storage 
silos, grain elevators, and liquid storage tanks.
    Manufacturing/processing means making food from one or more 
ingredients, or synthesizing, preparing, treating, modifying or 
manipulating food, including food crops or ingredients. Examples of 
manufacturing/processing activities include: Baking, boiling, bottling, 
canning, cooking, cooling, cutting, distilling, drying/dehydrating raw 
agricultural commodities to create a distinct commodity (such as 
drying/dehydrating grapes to produce raisins), evaporating, 
eviscerating, extracting juice, formulating, freezing, grinding, 
homogenizing, irradiating, labeling, milling, mixing, packaging 
(including modified atmosphere packaging), pasteurizing, peeling, 
rendering, treating to manipulate ripening, trimming, washing, or 
waxing. For farms and farm mixed-type facilities, manufacturing/
processing does not include activities that are part of harvesting, 
packing, or holding.
    Mitigation strategies mean those risk-based, reasonably appropriate 
measures that a person knowledgeable about food defense would employ to 
significantly minimize or prevent significant vulnerabilities 
identified at actionable process steps, and that are consistent with 
the current scientific understanding of food defense at the time of the 
analysis.
    Mixed-type facility means an establishment that engages in both 
activities that are exempt from registration under section 415 of the 
Federal Food, Drug, and Cosmetic Act and activities that require the 
establishment to be registered. An example of such a facility is a 
``farm
mixed-type facility,'' which is an establishment that is a farm, but 
also conducts activities outside the farm definition that require the 
establishment to be registered.
    Packing means placing food into a container other than packaging 
the food and also includes re-packing and activities performed 
incidental to packing or re-packing a food (e.g., activities performed 
for the safe or effective packing or re-packing of that food (such as 
sorting, culling, grading, and weighing or conveying incidental to 
packing or re-packing)), but does not include activities that transform 
a raw agricultural commodity into a processed food as defined in 
section 201(gg) of the Federal Food, Drug, and Cosmetic Act.
    Qualified individual means a person who has the education, 
training, or experience (or a combination thereof) necessary to perform 
an activity required under subpart C of this part, as appropriate to 
the individual's assigned duties. A qualified individual may be, but is 
not required to be, an employee of the establishment.
    Significant vulnerability means a vulnerability that, if exploited, 
could reasonably be expected to cause wide scale public health harm. A 
significant vulnerability is identified by a vulnerability assessment 
conducted by a qualified individual, that includes consideration of the 
following: (1) Potential public health impact (e.g., severity and 
scale) if a contaminant were added, (2) degree of physical access to 
the product, and (3) ability of an attacker to successfully contaminate 
the product. The assessment must consider the possibility of an inside 
attacker.
    Significantly minimize means to reduce to an acceptable level, 
including to eliminate.
    Small business means, for purposes of this part, a business 
(including any subsidiaries and affiliates) employing fewer than 500 
full-time equivalent employees.
    Subsidiary means any company which is owned or controlled directly 
or indirectly by another company.
    Very small business means, for purposes of this part, a business 
(including any subsidiaries and affiliates) averaging less than 
$10,000,000, adjusted for inflation, per year, during the 3-year period 
preceding the applicable calendar year in sales of human food plus the 
market value of human food manufactured, processed, packed, or held 
without sale (e.g., held for a fee).
    Vulnerability means the susceptibility of a point, step, or 
procedure in a facility's food process to intentional adulteration.
    You means, for purposes of this part, the owner, operator, or agent 
in charge of a facility.


Sec.  121.4  Qualifications of individuals who perform activities under 
subpart C of this part.

    (a) Applicability. You must ensure that each individual who 
performs activities required under subpart C of this part is a 
qualified individual as that term is defined in Sec.  121.3.
    (b) Qualifications of individuals assigned to an actionable process 
step. Each individual assigned to an actionable process step (including 
temporary and seasonal personnel) or in the supervision thereof must:
    (1) Be a qualified individual as that term is defined in Sec.  
121.3--i.e., have the appropriate education, training, or experience 
(or a combination thereof) necessary to properly implement the 
mitigation strategy or combination of mitigation strategies at the 
actionable process step; and
    (2) Receive training in food defense awareness.
    (c) Qualifications of individuals for certain activities described 
in paragraph (c)(3) of this section. Each individual assigned to 
certain activities described in paragraph (c)(3) of this section must:
    (1) Be a qualified individual as that term is defined in Sec.  
121.3--i.e., have the appropriate education, training, or experience 
(or a combination thereof) necessary to properly perform the 
activities; and
    (2) Have successfully completed training for the specific function 
at least equivalent to that received under a standardized curriculum 
recognized as adequate by FDA or be otherwise qualified through job 
experience to conduct the activities. Job experience may qualify an 
individual to perform these functions if such experience has provided 
an individual with knowledge at least equivalent to that provided 
through the standardized curriculum. This individual may be, but is not 
required to be, an employee of the facility.
    (3) One or more qualified individuals must do or oversee:
    (i) The preparation of the food defense plan as required in Sec.  
121.126;
    (ii) The conduct of a vulnerability assessment as required in Sec.  
121.130;
    (iii) The identification and explanation of the mitigation 
strategies as required in Sec.  121.135; and
    (iv) Reanalysis as required in Sec.  121.157.
    (d) Additional qualifications of supervisory personnel. 
Responsibility for ensuring compliance by individuals with the 
requirements of this part must be clearly assigned to supervisory 
personnel with a combination of education, training, and experience 
necessary to supervise the activities under this subpart.
    (e) Records. Training required by paragraphs (b)(2) and (c)(2) of 
this section must be documented in records, and must:
    (1) Include the date of training, the type of training, and the 
persons trained; and
    (2) Be established and maintained in accordance with the 
requirements of subpart D of this part.


Sec.  121.5  Exemptions.

    (a) This part does not apply to a very small business, except that 
a very small business must, upon request, provide for official review 
documentation sufficient to show that the facility meets this 
exemption. Such documentation must be retained for 2 years.
    (b) This part does not apply to the holding of food, except the 
holding of food in liquid storage tanks.
    (c) This part does not apply to the packing, re-packing, labeling, 
or re-labeling of food where the container that directly contacts the 
food remains intact.
    (d) This part does not apply to activities of a farm that are 
subject to section 419 of the Federal Food, Drug, and Cosmetic Act 
(Standards for Produce Safety).
    (e)(1) This part does not apply with respect to alcoholic beverages 
at a facility that meets the following two conditions:
    (i) Under the Federal Alcohol Administration Act (27 U.S.C. 201 et 
seq.) or chapter 51 of subtitle E of the Internal Revenue Code of 1986 
(26 U.S.C. 5001 et seq.) the facility is required to obtain a permit 
from, register with, or obtain approval of a notice or application from 
the Secretary of the Treasury as a condition of doing business in the 
United States, or is a foreign facility of a type that would require 
such a permit, registration, or approval if it were a domestic 
facility; and
    (ii) Under section 415 of the Federal Food, Drug, and Cosmetic Act 
the facility is required to register as a facility because it is 
engaged in manufacturing, processing, packing, or holding one or more 
alcoholic beverages.
    (2) This part does not apply with respect to food that is not an 
alcoholic beverage at a facility described in paragraph (e)(1) of this 
section, provided such food:
    (i) Is in prepackaged form that prevents any direct human contact 
with such food; and
    (ii) Constitutes not more than 5 percent of the overall sales of 
the facility, as determined by the Secretary of the Treasury.
    (f) This part does not apply to the manufacturing, processing, 
packing, or holding of food for animals other than man.
    (g) This part does not apply to on-farm manufacturing, processing, 
packing, or holding of the following foods on a farm mixed-type 
facility, when conducted by a small or very small business if such 
activities are the only activities conducted by the business subject to 
section 418 of the Federal Food, Drug, and Cosmetic Act.
    (1) Eggs (in-shell, other than raw agricultural commodities, e.g., 
pasteurized); and
    (2) Game meats (whole or cut, not ground or shredded, without 
secondary ingredients).

Subpart B--Reserved

Subpart C--Food Defense Measures


Sec.  121.126  Food defense plan.

    (a) Requirement for a food defense plan. You must prepare, or have 
prepared, and implement a written food defense plan.
    (b) Contents of a food defense plan. The written food defense plan 
must include:
    (1) The written vulnerability assessment, including required 
explanations, to identify significant vulnerabilities and actionable 
process steps as required by Sec.  121.130(c);
    (2) The written mitigation strategies, including required 
explanations, as required by Sec.  121.135(b);
    (3) The written procedures for the food defense monitoring of the 
implementation of the mitigation strategies as required by Sec.  
121.140(a);
    (4) The written procedures for food defense corrective actions as 
required by Sec.  121.145(a)(1); and
    (5) The written procedures for food defense verification as 
required by Sec.  121.150(b).
    (c) Records. The food defense plan required by this section is a 
record that is subject to the requirements of subpart D of this part.


Sec.  121.130  Vulnerability assessment to identify significant 
vulnerabilities and actionable process steps.

    (a) Requirement for a vulnerability assessment. You must conduct or 
have conducted a vulnerability assessment for each type of food 
manufactured, processed, packed, or held at your facility using 
appropriate methods to evaluate each point, step, or procedure in your 
food operation to identify significant vulnerabilities and actionable 
process steps. Appropriate methods must include, at a minimum, an 
evaluation of:
    (1) The potential public health impact (e.g., severity and scale) 
if a contaminant were added;
    (2) The degree of physical access to the product; and
    (3) The ability of an attacker to successfully contaminate the 
product.
    (b) Inside attacker. The assessment must consider the possibility 
of an inside attacker.
    (c) Written vulnerability assessment. Regardless of the outcome, 
the vulnerability assessment must be written and must include an 
explanation as to why each point, step, or procedure either was or was 
not identified as an actionable process step.


Sec.  121.135  Mitigation strategies for actionable process steps.

    (a) You must identify and implement mitigation strategies at each 
actionable process step to provide assurances that the significant 
vulnerability at each step will be significantly minimized or prevented 
and the food manufactured, processed, packed, or held by your facility 
will not be adulterated under section 402 of the Federal Food, Drug, 
and Cosmetic Act. For each mitigation strategy implemented at each 
actionable process step, you must include a written explanation of how 
the mitigation strategy sufficiently minimizes or prevents the 
significant vulnerability associated with the actionable process step.
    (b) Mitigation strategies and accompanying explanations must be 
written.


Sec.  121.138  Mitigation strategies management components.

    Mitigation strategies required under Sec.  121.135 are subject to 
the following mitigation strategies management components as 
appropriate to ensure the proper implementation of the mitigation 
strategies, taking into account the nature of each such mitigation 
strategy and its role in the facility's food defense system:
    (a) Food defense monitoring in accordance with Sec.  121.140;
    (b) Food defense corrective actions in accordance with Sec.  
121.145; and
    (c) Food defense verification in accordance with Sec.  121.150.


Sec.  121.140  Food defense monitoring.

    As appropriate to the nature of the mitigation strategy and its 
role in the facility's food defense system:
    (a) Written procedures. You must establish and implement written 
procedures, including the frequency with which they are to be 
performed, for food defense monitoring of the mitigation strategies.
    (b) Food defense monitoring. You must monitor the mitigation 
strategies with adequate frequency to provide assurances that they are 
consistently performed.
    (c) Records--(1) Requirement to document food defense monitoring. 
You must document the monitoring of mitigation strategies in accordance 
with this section in records that are subject to verification in 
accordance with Sec.  121.150(a)(1) and records review in accordance 
with Sec.  121.150(a)(3)(i).
    (2) Exception records. Records may be affirmative records 
demonstrating the mitigation strategy is functioning as intended. 
Exception records demonstrating the mitigation strategy is not 
functioning as intended may be adequate in some circumstances.


Sec.  121.145  Food defense corrective actions.

    (a) Food defense corrective action procedures. As appropriate to 
the nature of the actionable process step and the nature of the 
mitigation strategy:
    (1) You must establish and implement written food defense 
corrective action procedures that must be taken if mitigation 
strategies are not properly implemented.
    (2) The food defense corrective action procedures must describe the 
steps to be taken to ensure that:
    (i) Appropriate action is taken to identify and correct a problem 
that has occurred with implementation of a mitigation strategy; and
    (ii) Appropriate action is taken, when necessary, to reduce the 
likelihood that the problem will recur.
    (b) Records. All food defense corrective actions taken in 
accordance with this section must be documented in records that are 
subject to food defense verification in accordance with Sec.  
121.150(a)(2) and records review in accordance with Sec.  
121.150(a)(3)(i).


Sec.  121.150  Food defense verification.

    (a) Food defense verification activities. Food defense verification 
activities must include, as appropriate to the nature of the mitigation 
strategy and its role in the facility's food defense system:
    (1) Verification that food defense monitoring is being conducted as 
required by Sec.  121.138 (and in accordance with Sec.  121.140);
    (2) Verification that appropriate decisions about food defense 
corrective actions are being made as required by Sec.  121.138 (and in 
accordance with Sec.  121.145);
    (3) Verification that mitigation strategies are properly 
implemented and are significantly minimizing or preventing the 
significant vulnerabilities. To do so, you must conduct activities that 
include the following, as appropriate to the facility, the food, and 
the nature of the mitigation strategy and its role in the facility's 
food defense system:
    (i) Review of the food defense monitoring and food defense 
corrective actions records within appropriate timeframes to ensure that 
the records are complete, the activities reflected in the records 
occurred in accordance with the food defense plan, the mitigation 
strategies are properly implemented, and appropriate decisions were 
made about food defense corrective actions; and
    (ii) Other activities appropriate for verification of proper 
implementation of mitigation strategies; and
    (4) Verification of reanalysis in accordance with Sec.  121.157.
    (b) Written procedures. You must establish and implement written 
procedures, including the frequency for which they are to be performed, 
for verification activities conducted according to Sec.  
121.150(a)(3)(ii).
    (c) Documentation. All verification activities conducted in 
accordance with this section must be documented in records.


Sec.  121.157  Reanalysis.

    (a) You must conduct a reanalysis of the food defense plan, as a 
whole at least once every 3 years;
    (b) You must conduct a reanalysis of the food defense plan as a 
whole, or the applicable portion of the food defense plan:
    (1) Whenever a significant change made in the activities conducted 
at your facility creates a reasonable potential for a new vulnerability 
or a significant increase in a previously identified vulnerability;
    (2) Whenever you become aware of new information about potential 
vulnerabilities associated with the food operation or facility;
    (3) Whenever you find that a mitigation strategy, a combination of 
mitigation strategies, or the food defense plan as a whole is not 
properly implemented; and
    (4) Whenever FDA requires reanalysis to respond to new 
vulnerabilities, credible threats to the food supply, and developments 
in scientific understanding including, as appropriate, results from the 
Department of Homeland Security biological, chemical, radiological, or 
other terrorism risk assessment.
    (c) You must complete such reanalysis required by paragraphs (a) 
and (b) of this section and implement any additional mitigation 
strategies needed to address the significant vulnerabilities 
identified, if any:
    (1) Before any change in activities (including any change in 
mitigation strategy) at the facility is operative;
    (2) When necessary within 90-calendar days after production; and
    (3) Within a reasonable timeframe, providing a written 
justification is prepared for a timeframe that exceeds 90 days after 
production of the applicable food first begins.
    (d) You must revise the written food defense plan if a significant 
change in the activities conducted at your facility creates a 
reasonable potential for a new vulnerability or a significant increase 
in a previously identified vulnerability or document the basis for the 
conclusion that no revisions are needed.

Subpart D--Requirements Applying to Records That Must Be 
Established and Maintained


Sec.  121.301  Records subject to the requirements of this subpart.

    (a) Except as provided by paragraph (b) of this section, all 
records required by subpart C of this part are subject to all 
requirements of this subpart.
    (b) The requirements of Sec.  121.310 apply only to the written 
food defense plan.


Sec.  121.305  General requirements applying to records.

    Records must:
    (a) Be kept as original records, true copies (such as photocopies, 
pictures, scanned copies, microfilm, microfiche, or other accurate 
reproductions of the original records), or electronic records;
    (b) Contain the actual values and observations obtained during food 
defense monitoring;
    (c) Be accurate, indelible, and legible;
    (d) Be created concurrently with performance of the activity 
documented;
    (e) Be as detailed as necessary to provide history of work 
performed; and
    (f) Include:
    (1) Information adequate to identify the facility (e.g., the name, 
and when necessary, the location of the facility);
    (2) The date and, when appropriate, the time of the activity 
documented;
    (3) The signature or initials of the person performing the 
activity; and
    (4) Where appropriate, the identity of the product and the lot 
code, if any.
    (g) Records that are established or maintained to satisfy the 
requirements of this part and that meet the definition of electronic 
records in Sec.  11.3(b)(6) of this chapter are exempt from the 
requirements of part 11 of this chapter. Records that satisfy the 
requirements of this part, but that also are required under other 
applicable statutory provisions or regulations, remain subject to part 
11 of this chapter.


Sec.  121.310  Additional requirements applying to the food defense 
plan.

    The owner, operator, or agent in charge of the facility must sign 
and date the food defense plan:
    (a) Upon initial completion; and
    (b) Upon any modification.


Sec.  121.315  Requirements for record retention.

    (a)(1) All records required by this part must be retained at the 
facility for at least 2 years after the date they were prepared.
    (2) Records that a facility relies on during the 3-year period 
preceding the applicable calendar year to support its status as exempt 
as a very small business must be retained at the facility as long as 
necessary to support the status of a facility as a very small business 
during the applicable calendar year.
    (b) The food defense plan must be retained for at least 2 years 
after its use is discontinued.
    (c) Except for the food defense plan, offsite storage of records is 
permitted if such records can be retrieved and provided onsite within 
24 hours of request for official review. The food defense plan must 
remain onsite. Electronic records are considered to be onsite if they 
are accessible from an onsite location.
    (d) If the facility is closed for a prolonged period, the food 
defense plan may be transferred to some other reasonably accessible 
location but must be returned to the facility within 24 hours for 
official review upon request.


Sec.  121.320  Requirements for official review.

    All records required by this part must be made promptly available 
to a duly authorized representative of the Secretary of Health and 
Human Services for official review and copying upon oral or written 
request.


Sec.  121.325  Public disclosure.

    Records required by this part will be protected from public 
disclosure to the extent allowable under part 20 of this chapter.


Sec.  121.330  Use of existing records.

    (a) Existing records (e.g., records that are kept to comply with 
other Federal, State, or local regulations, or for any other reason) do 
not need to be duplicated if they contain all of the required 
information and satisfy the requirements of this subpart. Existing 
records may be supplemented as necessary to include all of the required 
information and satisfy the requirements of this subpart.
    (b) The information required by this part does not need to be kept 
in one set of records. If existing records contain some of the required 
information, any new information required by this part may be kept 
either separately or combined with the existing records.

Subpart E--Compliance


Sec.  121.401  Compliance.

    (a) The operation of a facility that manufactures, processes, 
packs, or holds food for sale in the United States if the owner, 
operator, or agent in charge of such facility is required to comply 
with, and is not in compliance with, section 418 of the Federal Food, 
Drug, and Cosmetic Act or subparts C or D of this part is a prohibited 
act under section 301(uu) of the Federal Food, Drug, and Cosmetic Act.
    (b) The failure to comply with section 420 of the Federal Food, 
Drug, and Cosmetic Act or subparts C or D of this part is a prohibited 
act under section 301(ww) of the Federal Food, Drug, and Cosmetic Act.

    Dated: May 20, 2016.
Leslie Kux,
Associate Commissioner for Policy.
[FR Doc. 2016-12373 Filed 5-26-16; 8:45 am]