oversight

Food-Processing Security: Voluntary Efforts Are Under Way, but Federal Agencies Cannot Fully Assess Their Implementation

Published by the Government Accountability Office on 2003-02-14.

Below is a raw (and likely hideous) rendition of the original report. (PDF)

                United States General Accounting Office

GAO             Report to Congressional Requesters




February 2003
                FOOD-PROCESSING
                SECURITY
                Voluntary Efforts Are
                Under Way, but
                Federal Agencies
                Cannot Fully Assess
                Their Implementation




GAO-03-342
                                               February 2003


                                               FOOD-PROCESSING SECURITY

                                               Voluntary Efforts Are Under Way, but
Highlights of GAO-03-342, a report             Federal Agencies Cannot Fully Assess
to Senators Richard J. Durbin and
Tom Harkin                                     Their Implementation



The events of September 11, 2001,              Federal food safety statutes give the Food and Drug Administration (FDA)
have placed added emphasis on                  and the U.S. Department of Agriculture (USDA) broad authority to regulate
ensuring the security of the                   the safety of the U.S. food supply but do not specifically authorize them to
nation’s food supply. GAO                      impose security requirements at food-processing facilities. However, these
examined (1) whether FDA and                   agencies’ food safety statutes can be interpreted to provide authority to
USDA have sufficient authority
under current statutes to require
                                               impose certain security measures. FDA believes that its statutes authorize it
that food processors adopt security            to regulate food security to the extent that food security and safety overlap
measures, (2) what security                    but observes that there is little overlap between security and safety. USDA
guidelines FDA and USDA have                   believes that it could require food processors to adopt certain security
provided to industry, and (3) what             measures that are closely related to sanitary conditions inside the facility.
security measures food processors              USDA also believes that the statutes, however, cannot be interpreted to
have adopted.                                  authorize the regulation of security measures that are not associated with
                                               the immediate food-processing environment, such as requiring fences,
                                               alarms, and outside lighting. Neither agency believes that it has the authority
                                               to regulate all aspects of security at food-processing facilities.
This report recommends that the
Secretaries of the Departments of
                                               Both FDA and USDA issued voluntary security guidelines to help food
Health and Human Services and
Agriculture study their agencies’              processors identify measures to prevent or mitigate the risk of deliberate
existing statutes to identify what             contamination. Because these guidelines are voluntary, neither agency
additional authorities they may                enforces, monitors, or documents their implementation. Both FDA and
need relating to security measures             USDA have asked their inspectors to be vigilant and to discuss security with
at food-processing facilities to               managers at food-processing facilities, but the agencies have stressed that
reduce the risk of deliberate                  inspectors should not enforce the implementation of security measures or
contamination of the food supply.              document any observations because of the possible release of this
On the basis of these studies’                 information under the Freedom of Information Act and the potential for the
results, the agencies should seek              misuse of this information.
additional authority from the
Congress, as needed.
                                               Since FDA and USDA do not monitor and document food processors’
GAO also recommends that the                   implementation of security guidelines, the extent of the industry’s adoption
agencies provide training for all              of security measures is unknown. According to officials of trade
food inspection personnel to                   associations and the five facilities we visited, however, food processors are
enhance their awareness and                    implementing a range of security measures. In addition, the FDA and USDA
ability to discuss security measures           field inspectors we surveyed indicated that most facilities have implemented
with plant personnel.                          some security measures, such as installing fences. However, the inspectors
                                               were less able to comment on security measures that were not as obvious,
USDA agreed with this report’s                 such as accounting for missing stock and implementing proper mail-handling
recommendations. FDA agreed                    practices. The inspectors also noted that while USDA has provided some of
with the recommendation to                     its field supervisory personnel with security training on the voluntary
provide training for all food
                                               security guidelines it issued, it has not provided most of its inspectors with
inspection personnel but took no
position on GAO’s other                        such training. FDA has not provided its staff with any training on the
recommendation.                                security guidelines. Without training on the security guidelines, inspectors
                                               are limited in their ability to conduct informed discussions regarding
www.gao.gov/cgi-bin/getrpt?GAO-03-342.
                                               security with managers at food-processing facilities.
To view the full report, including the scope
and methodology, click on the link above.
For more information, contact Lawrence J.
Dyckman at (202) 512-3841 or
dyckmanl@gao.gov.
Contents


Letter                                                                                        1
               Results in Brief                                                               3
               Background                                                                     5
               Existing Food Safety Statutes Do Not Provide Sufficient Authority
                 to Regulate All Aspects of Security at Food-Processing Facilities            9
               FDA and FSIS Issued Voluntary Security Guidelines to Food
                 Processors but Do Not Track or Document the Extent to Which
                 They Are Being Implemented                                                 11
               Food Processors Are Implementing a Range of Security Measures,
                 but Extent of Implementation Is Largely Unknown to FDA and
                 FSIS                                                                       15
               Conclusions                                                                  22
               Recommendations for Executive Action                                         23
               Agency Comments and Our Evaluation                                           23

Appendix I     Scope and Methodology                                                        26



Appendix II    FDA Survey Results                                                           28



Appendix III   FSIS Survey Results                                                          33



Appendix IV    Comments from the U.S. Department of Agriculture                             43



Appendix V     Comments from the Food and Drug Administration                               44



Appendix VI    GAO Contacts and Staff Acknowledgments                                       47



Table
               Table 1: State Officials’ Satisfaction with Federal, State, and
                        Industry Efforts to Safeguard Food Products from
                        Deliberate Contamination                                            22



               Page i                                       GAO-03-342 Food-Processing Security
Figures
          Figure 1: Examples of Security Measures Contained in FDA and
                   FSIS Guidelines                                                                  12
          Figure 2: Percentage of Survey Responses Indicating Observation
                   or Knowledge of More Visible Security Measures                                   19
          Figure 3: Percentage of Survey Responses Indicating Observation
                   or Knowledge of Less Visible Security Measures                                   20




          Abbreviations

          CDC               Centers for Disease Control and Prevention
          EPA               Environmental Protection Agency
          FBI               Federal Bureau of Investigation
          FDA               Food and Drug Administration
          FSIS              Food Safety and Inspection Service
          GAO               General Accounting Office
          HACCP             Hazard Analysis and Critical Control Point
          ISAC              Information Sharing and Analysis Center
          USDA              U.S. Department of Agriculture

          This is a work of the U.S. Government and is not subject to copyright protection in the
          United States. It may be reproduced and distributed in its entirety without further
          permission from GAO. It may contain copyrighted graphics, images or other materials.
          Permission from the copyright holder may be necessary should you wish to reproduce
          copyrighted materials separately from GAO’s product.




          Page ii                                             GAO-03-342 Food-Processing Security
United States General Accounting Office
Washington, DC 20548




                                   February 14, 2003

                                   The Honorable Richard J. Durbin
                                   Ranking Democratic Member
                                   Subcommittee on Oversight of
                                    Government Management,
                                    the Federal Workforce,
                                    and the District of Columbia
                                   Committee on Governmental Affairs
                                   United States Senate

                                   The Honorable Tom Harkin
                                   Ranking Democratic Member
                                   Committee on Agriculture, Nutrition
                                    and Forestry
                                   United States Senate

                                   Ensuring the safety of the nation’s food supply—protecting the food
                                   supply from unintentional contamination—is a key objective of the
                                   Department of Health and Human Service’s Food and Drug Administration
                                   (FDA) and the Food Safety and Inspection Service (FSIS) of the U.S.
                                   Department of Agriculture (USDA). Since the terrorist attacks of
                                   September 11, 2001, however, ensuring food security—that is, protecting
                                   the food supply from deliberate contamination—has also become a
                                   heightened concern of these agencies. Bioterrorism experts, government
                                   officials, and scientists at the Centers for Disease Control and Prevention
                                   (CDC) and the National Academies warn that U.S. food-processing
                                   facilities are vulnerable to terrorist attack and that the deliberate
                                   introduction of biological and chemical agents into food supplies could
                                   sicken large numbers of people and possibly cause many deaths. Some
                                   experts note that terrorist groups could introduce infectious disease
                                   agents and chemicals into the food supply to confuse public health
                                   officials into believing that outbreaks were naturally occurring, thus
                                   delaying detection and action. Recognizing this risk, on October 8, 2001,
                                   the President added the agriculture and food industries to the list of
                                   critical infrastructure sectors needing protection from terrorist attack.

                                   Although the U.S. food supply has been mostly secure from deliberate
                                   contamination, a few such incidents have occurred. In 1984, for example, a
                                   cult group poisoned salad bars in some Oregon restaurants with
                                   Salmonella bacteria, and about 750 people became ill. Some large


                                   Page 1                                     GAO-03-342 Food-Processing Security
naturally occurring outbreaks of foodborne illness that result from
accidental contamination illustrate how widespread and costly the effects
of deliberate contamination could be. In 1994, for example, 224,000 people
nationwide were infected with Salmonella enteritidis after eating a
national brand of ice cream. This outbreak was estimated to have cost
about $18.1 million, including $6.9 million for medical care and $11.2
million in time lost from work.

The intentional contamination of the food supply could have severe
consequences for the economy and the health of the American public.
Security measures that could minimize the risk of such an event at food-
processing facilities range from restricting visitor access, securing
hazardous chemicals, and restricting access to in-plant laboratories to
conducting employee background checks, building fences around
facilities, and designating a food security management coordinator.

In this context, you asked us to determine (1) the extent to which federal
statutes can be effectively used to regulate food security at food-
processing facilities; (2) what actions FDA and USDA have taken to help
food processors prevent or reduce the risk of deliberate food
contamination and how these agencies determine the extent to which
food-processing facilities are implementing security measures; and
(3) the extent to which industry is implementing security measures to
better protect food products against deliberate contamination. While
experts acknowledge that a terrorist attack could be aimed also at
livestock and crops on farms or at foods at retail stores, this review
focused on the food-processing segment of the farm-to-table food
continuum—that is, from the farm gate to the retail level. Also, we
confined our review to domestic food processors, although we recognize
that both FDA and USDA have intensified their efforts to enhance the
oversight of imported foods at U.S. ports of entry.

In conducting our work, we sought the cooperation of industry
associations to survey a representative number of food-processing
facilities. We also sought permission to visit some food-processing
facilities to discuss the extent to which they are implementing security
measures, although we acknowledge that industry is not obligated to
respond to our inquiries. We were unsuccessful in our attempts to survey a
representative number of food-processing facilities because companies
were concerned about sharing information on security measures;
however, we were able to secure visits to five companies. To obtain a
broader overview of the security measures being adopted, we also
surveyed FDA and USDA food inspectors to obtain their views on the


Page 2                                     GAO-03-342 Food-Processing Security
                   extent of security they have observed at food-processing facilities they
                   inspect across the country. We also asked state audit offices in all 50 states
                   to interview a selected number of state food safety regulatory officials
                   concerning their food security activities, if any. Eleven agreed to
                   participate. Appendix I contains the details of our scope and methodology.
                   We conducted our review from February through December 2002 in
                   accordance with generally accepted government auditing standards.


                   Federal food safety statutes provide FDA and USDA with broad authority
Results in Brief   to regulate the safety of the U.S. food supply but do not specifically
                   authorize them to impose security requirements at food-processing
                   facilities. However, while these agencies’ food safety statutes can be
                   interpreted to provide authority to impose certain security requirements,
                   as opposed to food safety requirements, neither agency believes it has the
                   authority to regulate all aspects of security. FDA believes that its
                   authorities under the Federal Food, Drug, and Cosmetic Act and the Public
                   Health Service Act would extend to the regulation of facility security
                   measures to prevent the intentional contamination of food products to the
                   extent that they overlap with food safety. However, FDA observes that
                   there is little overlap between safety and security. USDA believes that the
                   Federal Meat, Poultry Products, and Egg Products Inspection Acts can be
                   construed to authorize it to require food processors to adopt certain
                   security measures that are closely related to sanitary conditions inside
                   food-processing plants. In addition, USDA believes that the statutes cannot
                   be interpreted to authorize the regulation of security measures that are not
                   associated with the immediate food-processing environment. As a result,
                   USDA does not believe it has the authority to require that food processors
                   adopt measures to ensure security outside the premises, such as installing
                   fences, or to require that food processors conduct employee background
                   checks.

                   Both FDA and USDA have issued voluntary guidelines to help food
                   processors identify measures they can implement to prevent or mitigate
                   the risk of deliberate contamination. Because these guidelines are
                   voluntary, neither agency monitors or documents their implementation.
                   Also, FDA and FSIS have instructed their food safety inspectors to be
                   familiar with the agencies’ guidelines as they conduct regular food safety
                   inspections and to discuss, but not interpret, the security guidelines with
                   facility personnel. The agencies have told inspectors not to document the
                   existence or lack of security measures because of the possible release of
                   this information under the Freedom of Information Act and the potential
                   for the misuse of this information. As a result, FDA and FSIS do not have


                   Page 3                                      GAO-03-342 Food-Processing Security
information on the extent of security at food-processing facilities or
whether gaps in security may exist in specific industry sectors.

FDA and USDA lack comprehensive information on the extent to which
food-processing companies are adopting security measures. However,
officials from the food trade associations that we contacted believe that
food processors are voluntarily implementing a range of security
measures, including those in the federal guidelines—from limiting access
to facilities to evaluating plant security. Although we found this to be the
case at the five food-processing facilities we visited, we could not verify
the extent to which industry has adopted security measures nationwide—
in part, because food-processing facilities prefer not to share information
about their security measures with federal agencies. They are concerned
that this sensitive information could be released to the public under the
Freedom of Information Act. In particular, the industry is worried that if
security gaps at food-processing facilities were made public they could
provide a road map for terrorist groups. FDA and FSIS officials also cited
this concern as a factor that limits the amount of information they believe
they can collect. In addition, according to FDA and FSIS food inspectors
we surveyed, the food-processing facilities they regularly inspect are
voluntarily implementing a range of security measures and most facilities
have implemented measures to enhance perimeter fencing and lighting. On
the other hand, these inspectors were less able to comment on less-visible
security measures, such as accounting for missing stock and implementing
proper mail-handling practices. The inspectors also indicated that larger
food-processing facilities are implementing more security measures than
smaller ones. Finally, the FDA inspectors that we surveyed stated that they
had not received training on food security even though the agency
encourages them to discuss security matters with plant personnel. FSIS
has provided training to its supervisory field inspection personnel, who
reported that it would be beneficial if the field inspectors—who are most
directly involved with daily processing activities at each plant—were also
trained on security measures.

This report recommends that the Secretary of the Department of Health
and Human Services and the Secretary of Agriculture study what
additional authorities their agencies may need relating to security
measures at food-processing facilities to reduce the risk of deliberate
contamination of the food supply. On the basis of the results of these
studies, the agencies should seek additional authority from the Congress,
as needed. The report also recommends executive action aimed at
ensuring that the agencies’ field personnel are provided with training on
food security measures.


Page 4                                      GAO-03-342 Food-Processing Security
             We provided FDA and USDA with a draft of this report for their review
             and comment and received written and oral comments from both agencies
             on the report’s contents and its recommendations. The agencies also
             provided technical comments, which we incorporated into the report as
             appropriate. USDA agreed with the two recommendations made in this
             report. FDA agreed with our recommendation that it provide all food
             inspection personnel with training on security measures. FDA did not have
             an opinion on our recommendation that the agency study what additional
             authorities it may need relating to security measures at food-processing
             facilities. USDA’s comments are contained in appendix IV, and FDA’s
             comments are provided in appendix V.


             Under the Federal Meat Inspection Act, the Poultry Products Inspection
Background   Act, and the Egg Products Inspection Act, USDA, through FSIS, is
             responsible for ensuring the safety of meat, poultry, and certain egg
             products. Under the Federal Food, Drug, and Cosmetic Act and the Public
             Health Service Act, FDA is responsible for all other foods, including fruits
             and vegetables; dairy products; seafood; and certain canned, frozen, and
             packaged foods. The food-processing sector is generally described as the
             middle segment of the farm-to-table continuum—it extends from the time
             livestock and crops leave the farm for slaughter and processing into food
             until it reaches retail establishments.

             FDA and FSIS work to ensure the safety of food products processed in the
             United States through a regulatory system of preventive controls that
             identifies hazards early in the production process to minimize the risk of
             contamination. Known as the Hazard Analysis and Critical Control Point
             (HACCP) system, it makes food-processing facilities responsible for
             developing a plan that identifies harmful microbiological, chemical, and
             physical hazards that are reasonably likely to occur and establishes critical
             control points to prevent or reduce contamination.1 Through their
             inspection programs, FDA and FSIS verify that food processors are
             implementing their HACCP plans. FDA inspects over 57,000 food facilities
             every 5 years on average, and USDA inspects over 6,000 meat and poultry
             slaughter and processing facilities daily. Individual states also conduct
             yearly inspections of about 300,000 food-processing facilities, including
             small firms with fewer than 10 employees and large corporations with
             thousands of employees and multiple processing plants located in many


             1
             FDA’s HACCP program applies only to seafood and juice, not to all FDA-regulated food.




             Page 5                                            GAO-03-342 Food-Processing Security
states. Both FDA and FSIS have the authority to take enforcement actions
as necessary to ensure that facilities meet the agencies’ safety and
sanitation regulatory requirements. As we reported in 2001, in fiscal year
1999, the latest year for which such information was available, FDA, FSIS,
and the states spent a total of about $1.3 billion on food safety activities.2

Following the events of September 11, 2001, the federal government
intensified its efforts to address the potential for deliberate contamination
of agriculture and food products. On October 8, 2001, the President issued
an executive order establishing the Office of Homeland Security, which
added the agriculture and food industries to the list of critical
infrastructure systems needing protection from terrorist attack. In
addition, the Congress provided FDA and USDA with emergency funding
to prevent, prepare for, and respond to potential bioterrorist attacks
through the Department of Defense Appropriation Act of 2002: $97 million
for FDA and $15 million for FSIS. For the most part, FDA has used the
emergency funds to enhance the security of imported food by hiring new
inspectors and increasing inspections at U.S. ports of entry. FSIS has used
its emergency funds to support its food security activities, which include,
among other things, providing educational and specialized training. FDA’s
fiscal year 2003 budget builds upon funding received from the fiscal year
2002 appropriation plus the fiscal year 2002 emergency supplemental
funding of $97 million to counter terrorism. FDA plans to seek additional
funding in the future for food safety activities and security activities
related to terrorism. FSIS is asking for an additional $28 million. The
Congress also enacted the Public Health Security and Bioterrorism
Preparedness and Response Act of 2002, which contains numerous
provisions designed to enhance the safety and security of the food, drug,
and water industries.3

In addition, both FDA and USDA have taken many actions to better
protect the food supply against deliberate contamination. For example,
FDA has hired 655 new food safety investigators and laboratory personnel
in the field. In addition, it has participated in several exercises at the



2
See U.S. General Accounting Office, Food Safety: Overview of Federal and State
Expenditures, GAO-01-177 (Washington, D.C.: Feb. 20, 2001).
3
 This act contains provisions that provide FDA with new authority to detain products that
are believed to present a serious health threat. It also authorizes FDA to debar importers
who have been convicted of certain food import violations, which results in the denial of
delivery of products to those importers.




Page 6                                              GAO-03-342 Food-Processing Security
federal and state levels to enhance emergency response procedures.
Furthermore, FDA is working with CDC to initiate and implement a
nationwide Laboratory Response Network for foods to identify laboratory
capacity for testing agents that could be used to deliberately contaminate
food. It has also provided additional laboratory training for food safety
personnel and sought stakeholders’ input to develop regulations that are
required by the new bioterrorism legislation. Moreover, FDA worked with
the Office of the Surgeon General, U.S. Air Force, to adapt a version of the
Operational Risk Management approach to examine the relative risks of
intentional contamination during various stages of food production and
distribution.4 Within the Department of Health and Human Services, both
FDA and CDC have worked closely with federal, state, and local agencies
to enhance their surveillance of diseases caused by foodborne pathogens.
FDA’s efforts to reduce food security risks also include working with other
federal agencies, trade associations, and the Alliance for Food Security.

USDA has formed a Homeland Security Council to develop a Department-
wide plan to coordinate efforts between all USDA agencies and offices.
The Department has also established the FSIS Office of Food Security and
Emergency Preparedness to centralize the Department’s work on security
matters. USDA has also coordinated with other government agencies, such
as the Office of Homeland Security, the Federal Bureau of Investigation
(FBI), and FDA, to develop prevention, detection, and response
procedures to better protect the nation’s food supply.5 USDA will be
increasing the number of import inspectors by 20. These inspectors will
place special emphasis on food security in addition to their traditional
food safety role. In addition, USDA has participated in several exercises at
the federal and state levels to enhance response procedures and has
conducted risk assessments for domestic and imported food. Since this
review began, USDA has conducted three simulation exercises at the
Department and agency level to test the Department’s response to a
terrorist attack and is planning three additional simulations for the spring
of 2003. USDA has also conducted preparedness-training sessions for
veterinarians and circuit supervisors. (Circuit supervisors supervise the




4
 Operational Risk Management is an approach to risk assessment that increases
operational effectiveness by anticipating hazards and reducing the potential for loss.
5
 On November 25, 2002, President Bush signed the Homeland Security Act of 2002, which
created the Department of Homeland Security. The Department will replace the Office of
Homeland Security.




Page 7                                               GAO-03-342 Food-Processing Security
work of in-plant inspection personnel and discuss the security guidelines
with them.)

Experts from government and academia generally agree that terrorists
could use food products as a vehicle for introducing harmful agents into
the food supply. Just recently, the National Academies reported that
terrorists could use toxic chemicals or infectious agents to contaminate
food production facilities and that, although much attention has been paid
to ensuring safety and purity throughout the various stages of processing
and distribution, protecting the food supply from intentional
contamination has not been a major focus of federal agencies.6 Among
other things, the report says that FDA should act promptly to extend its
HACCP methodology so that it could be used to deal effectively with the
deliberate contamination of the food supply. In February 2002, CDC
reported that although the food and water systems in the United States are
among the safest in the world, the nationwide outbreaks due to
unintentional food or water contamination demonstrate the ongoing need
for vigilance in protecting food and water supplies.7 All of the bioterrorism
experts whom we consulted from academia agreed that the food supply is
at risk.




6
 See National Research Council of the National Academies, Making the Nation Safer: The
Role of Science and Technology in Countering Terrorism (Washington, D.C: June 2002).
7
See Centers for Disease Control and Prevention, Public Health Assessment of Potential
Biological Terrorism Agents, Emerging Infectious Diseases (Atlanta, Ga.: February 2002).




Page 8                                            GAO-03-342 Food-Processing Security
                        The food safety statutes do not specifically authorize FDA or USDA to
Existing Food Safety    require food processors to implement any type of security measures
Statutes Do Not         designed to prevent the intentional contamination of the foods they
                        produce.8 While these agencies’ food safety statutes can be interpreted to
Provide Sufficient      provide authority to impose certain security requirements, as opposed to
Authority to Regulate   food safety requirements, neither agency believes it has the authority to
                        regulate all aspects of security.
All Aspects of
Security at Food-       Counsel in the Department of Health and Human Service’s Office of the
Processing Facilities   Assistant Secretary for Legislation advised that FDA’s authorities under
                        the Federal Food, Drug, and Cosmetic Act and the Public Health Service
                        Act provide FDA with tools to adopt measures to control insanitary
                        preparation, packing, and holding conditions that could lead to unsafe
                        food; detect contamination of food; and control contaminated food.
                        However, Counsel also advised that FDA’s food safety authorities do not
                        extend to the regulation of physical facility security measures. FDA’s
                        counsel provided a similar assessment, telling us that, to the extent that
                        food safety and security overlap, FDA might be able to require the industry
                        to take precautionary steps to improve security but observed that there is
                        little overlap between safety and security. One area where safety and
                        security do overlap is in the handling of hazardous materials. FDA’s
                        existing safety regulations specify that hazardous chemicals should be
                        stored so that they cannot contaminate food products. This requirement
                        overlaps with FDA’s food security guidelines advising that hazardous
                        chemicals be stored in a secure area and that access to them be limited.

                        USDA, on the other hand, has a somewhat more expansive view of the
                        extent to which its statutory authority allows it to require food processors
                        to adopt certain security measures. USDA’s general counsel concluded
                        that to the extent that security precautions pertain to activities closely
                        related to sanitary conditions in the food preparation process, FSIS has
                        the authority to require food processors to implement certain security




                        8
                         FDA, under the Federal Food, Drug, and Cosmetic Act and the Public Health Service Act,
                        and USDA, under the Federal Meat Inspection Act, Poultry Products Inspection Act, and
                        the Egg Products Inspection Act, have broad authority to regulate food safety. These laws
                        require that food products be processed under sanitary conditions, be unadulterated, and
                        be properly labeled.




                        Page 9                                             GAO-03-342 Food-Processing Security
measures.9 The general counsel concluded that FSIS could require
facilities to develop and maintain a food security management plan
concerning their response to an actual threat involving product tampering,
since this is directly related to food adulteration. Such a plan could be
added to a current HACCP plan or it could be entirely separate. USDA also
believes that FSIS has authority to mandate its “inside security” guidelines,
such as controlling or restricting access to certain areas, monitoring the
operation of equipment to prevent tampering, and keeping accurate
inventories of restricted ingredients and hazardous chemicals. Similarly,
USDA believes that many of its security measures that address shipping
and receiving food products or protecting water and ice used in processing
products also could be made mandatory. These measures include putting
tamper-proof seals on incoming and outgoing shipments and controlling
access to water lines and ice storage.

On the other hand, USDA believes that the “outside security” measures
included in its guidelines, such as securing plant boundaries and providing
guards, alarms, and outside lighting, have little to do with sanitation in the
facility or the immediate food-processing environment and, therefore,
could not be made mandatory under existing authorities. With respect to
the guidelines’ personnel security measures, USDA noted that FSIS has
limited authority over personnel matters at food-processing facilities and
could not require facilities to perform personnel background checks
before hiring.




9
 USDA’s view on its authority to impose security requirements that are closely related to
sanitary conditions is derived from the food safety laws’ prohibitions against adulteration.
Adulterated food is virtually identically defined in the Federal Food, Drug, and Cosmetic
Act and the Federal Meat, Poultry Products, and Egg Products Inspection Acts as food that
has been “prepared, packed, [“packaged” in the egg inspection act] or held under insanitary
conditions whereby it may have become contaminated with filth, or whereby it may have
been rendered injurious to health.” See 21 U.S.C. 342(a)(4), 21 U.S.C. 601(m)(4), 21 U.S.C.
453(g)(4) and 21 U.S.C. 1033(a)(4).




Page 10                                             GAO-03-342 Food-Processing Security
                              In response to the nation’s growing concerns regarding the potential for
FDA and FSIS Issued           deliberate contamination of the food supply, FDA and USDA issued
Voluntary Security            guidelines to the food-processing industry suggesting measures to enhance
                              security at their facilities. Among other things, the guidelines suggests
Guidelines to Food            conducting a risk assessment, developing a plan to address security risks
Processors but Do             at plants, and adopting a wide range of security measures inside and
                              outside the premises. Food-processing facilities are not required to adopt
Not Track or                  any of the security measures but are encouraged to adopt those that they
Document the Extent           feel are best suited for their operations. Although both agencies have
to Which They Are             alerted their field inspection personnel to be vigilant about security issues,
                              they have also told the inspectors that they are not authorized to enforce
Being Implemented             these measures and have instructed them not to document their
                              observations regarding security because of the possible release of this
                              information under the Freedom of Information Act and the potential for
                              the misuse of this information. As a result, FDA and USDA currently do
                              not know the extent to which food security measures are being
                              implemented at food-processing facilities. In contrast, the Congress
                              directed medium-size and large-size community water systems, which are
                              privately or publicly owned, to assess their vulnerability to terrorist
                              attacks and to develop an emergency response plan to prepare for such an
                              event. The act also authorized funding to be used for basic security
                              enhancements, such as the installation of fencing, gating, lighting, or
                              security cameras. This approach enables the Environmental Protection
                              Agency (EPA) to monitor the water industry’s security efforts and could
                              be a possible model for the food safety agencies.


Industry’s Compliance         In 2002, FDA and FSIS each issued voluntary security guidelines to the
with Security Guidelines Is   food-processing industry to help federal- and state-inspected plants
Voluntary                     identify ways to enhance their security.10 The agencies encouraged food
                              processors, among others, to review their current operations and adopt
                              those security measures suggested in the guidelines that they believed
                              would be best suited for their facilities. Officials from both FDA and FSIS
                              told us that there was little or no coordination between the two agencies
                              in developing these guidelines. The FDA guidance contains over 100
                              recommended security measures covering seven areas of plant operation,
                              such as managing food security, physical (outside) security, and computer
                              security. FSIS’s guidelines contain 68 security measures and cover seven



                              10
                                FDA was first to issue guidelines in January 2002; FSIS subsequently issued its guidelines
                              in May 2002.




                              Page 11                                              GAO-03-342 Food-Processing Security
areas of plant operation. Figure 1 summarizes key aspects of both
agencies’ voluntary security guidelines for industry. FDA and FSIS have
made the guidelines available on the Internet.11 These guidelines are very
similar—one difference is that FSIS’s contain security measures for
slaughter facilities.

Figure 1: Examples of Security Measures Contained in FDA and FSIS Guidelines




Some state governments have also acted to protect food products from
deliberate contamination. We learned from 11 state auditing offices that
food safety regulatory officials from most of these states are providing
industry or state inspectors with guidelines, either in the form of the FDA
and FSIS guidelines or guidelines developed by the state officials




11
 See www.cfsan.fda.gov/~dms/secguid.html for FDA and
www.fsis.usda.gov/oa/topics/securityguide.htm for FSIS.




Page 12                                           GAO-03-342 Food-Processing Security
                         themselves.12 In addition, three states have enacted new legislation or
                         regulations addressing the security of food products.


FDA and FSIS Instruct    Although FDA and FSIS do not assess the extent to which food processors
Their Inspectors to Be   are implementing security measures, the agencies have asked their field
Observant                inspection personnel to be on heightened alert and to discuss, but not
                         interpret, the security guidance with facility officials during their routine
                         food safety inspections.13 However, both FDA and USDA have instructed
                         their field inspection personnel to refrain from enforcing any aspects of
                         the security guidelines because the agencies generally believe that they
                         lack such authority. They have also instructed their field personnel not to
                         document plants’ security measures because they are concerned that such
                         information would be subject to Freedom of Information Act requests.

                         More specifically, FDA’s instructions to its field personnel specify that
                         they should neither perform a comprehensive food security audit of the
                         establishment nor conduct extensive interviews to determine the extent to
                         which preventive measures suggested in the guidelines have been adopted.
                         The goals, according to FDA, are to heighten industry’s awareness of food
                         security practices, facilitate an exchange of information between FDA and
                         industry on the subject of food security, and encourage plant management
                         to voluntarily implement those preventive measures that they believe are
                         most appropriate for their operation. In short, FDA inspectors are
                         encouraged to discuss food security concerns with plant management and
                         to provide them with copies of the guidelines. Although the exact details
                         of such discussions are not to be recorded, inspectors are required to
                         document in their inspection reports that such discussions took place and
                         that they gave a copy of the guidelines to facility management.

                         Similarly, FSIS has informed its field inspectors that they have no
                         regulatory duties regarding the enforcement of the guidelines. Initially, the
                         agency instructed its inspectors to refer any questions from facility


                         12
                          Eleven of the 50 state audit offices we contacted for assistance in interviewing their food
                         regulatory officials responded to our request. The participating state auditing offices were
                         Arizona, Florida, Maryland, Michigan, New York, North Carolina, Oklahoma, Oregon,
                         Pennsylvania, Tennessee, and Texas. Because the state auditors collected information from
                         only 11 states, these observations cannot be generalized.
                         13
                           According to an FSIS memorandum to its field personnel, “heightened alert” is defined as
                         identifying and reporting any suspicious activities that could adversely affect our nation’s
                         security.




                         Page 13                                              GAO-03-342 Food-Processing Security
                            managers to USDA’s Technical Service Center in Omaha, Nebraska.14
                            Recently the agency modified its position regarding direct discussions of
                            food security and now allows inspectors to discuss, but not interpret,
                            security with facility management. Inspectors are still instructed not to
                            document these conversations or enforce the adoption of any security
                            measure.

                            Officials from both agencies expressed concerns about gathering security
                            information from facilities because it could be subject to public disclosure
                            through Freedom of Information Act requests. If terrorists gained access
                            to this information, it could give them a road map to target the most
                            vulnerable areas in a food-processing plant.


Water Security Provisions   Recent congressional efforts to better protect the nation’s drinking water
in the 2002 Bioterrorism    from terrorist acts may offer a model for FDA and USDA to help monitor
Act Are a Possible Model    security measures adopted at food-processing facilities as well as to
                            identify any security gaps that may exist at these facilities. Although there
for the Food Safety         are differences in how the government regulates drinking water and food,
Agencies                    food and water are essential daily consumption elements, and both are
                            regulated to ensure their safety.

                            In June 2002, the Congress enacted the Public Health Security and
                            Bioterrorism Preparedness and Response Act of 2002, which, among other
                            things, amended the Safe Drinking Water Act. The Bioterrorism Act
                            requires medium-size and large-size community water systems (those
                            serving over 3,300 people), which are privately and publicly owned, to
                            certify to EPA that they have assessed their vulnerability to a terrorist
                            attack and developed emergency plans to prepare for and respond to such
                            an attack. These water systems serve 91 percent of the United States’
                            population. Each community’s water system is required to conduct a
                            vulnerability assessment and submit a copy of the assessment to EPA.15
                            The act specifies that the vulnerability assessment is exempt from
                            disclosure under the Freedom of Information Act, except for the identity


                            14
                             The Technical Service Center provides field inspection personnel with technical
                            assistance, advice, and guidance regarding the implementation of national policies,
                            programs, and procedures. The center also serves as a central point for reporting and
                            responding to suspicious activities related to food security.
                            15
                              The vulnerability assessment must include, among other things, a review of pipes and
                            constructed conveyances; physical barriers; and water collection, pretreatment, treatment,
                            storage, and distribution facilities.




                            Page 14                                             GAO-03-342 Food-Processing Security
                              of the community water system and the date on which it certifies
                              compliance. Community water systems are also required to prepare an
                              emergency response plan that incorporates the results of their
                              vulnerability assessments. In addition, the act authorizes funding for
                              financial assistance to community water systems to support the
                              purchasing of security equipment, such as fencing, gating, lighting, or
                              security cameras.


                              FDA and FSIS lack comprehensive information on the extent to which
Food Processors Are           food-processing companies are adopting security measures. However,
Implementing a Range          officials from the majority of the food trade associations that we contacted
                              believe that their members are implementing a range of measures to
of Security Measures,         enhance security at their facilities. We found that the five food-processing
but Extent of                 facilities we visited in various geographic regions around the country are
                              also implementing an array of security measures that range from
Implementation Is             developing risk assessment plans to hiring security contractors.16
Largely Unknown to            Furthermore, our survey of FDA and FSIS inspectors indicates that,
FDA and FSIS                  generally, food-processing facilities are implementing a range of security
                              measures. The survey responses indicate, however, that the inspectors
                              were more aware of those security measures that were the most visible to
                              them during the course of their regular food safety inspections.17


Trade Association Officials   According to trade association officials, food processors are voluntarily
Indicate That Industry Is     taking steps to prevent the deliberate contamination of their products,
Implementing Various          including adopting many of the measures suggested by FDA and FSIS,
                              such as installing fences, requiring that employees wear identification, and
Security Measures             restricting access to certain plant areas. Association officials told us that
                              most large food-processing facilities already have ample security plans
                              that include many of the recommendations made by FDA and FSIS. One
                              trade association recently conducted a survey of its members and asked
                              for their opinions about FSIS’s Guidelines. Most of the respondents


                              16
                               The facilities vary in size from 100 to 800 employees.
                              17
                                We surveyed 50 FSIS Circuit Supervisors (obtained responses from 45) who oversee the
                              activities of the agency’s field inspectors and 150 FDA investigators (obtained responses
                              from 128) who perform the inspections of food-processing facilities to ask about the
                              security measures they have observed at the plants they inspect. Our survey included
                              questions about outside security, visitor access, employee screening, and shipping and
                              handling, among others. The methods used and results from these surveys are contained in
                              appendixes II and III.




                              Page 15                                              GAO-03-342 Food-Processing Security
                             indicated that they were aware of the guidelines; they believed the
                             guidelines were for the most part practical and workable; and they used
                             them in their security plans. However, these officials were unable to
                             provide data on the extent to which the food-processing industry is
                             implementing security measures to prevent or mitigate the potential
                             deliberate contamination of food products.18

                             Trade association officials also said that they provided FDA and FSIS with
                             comments on the voluntary guidelines and, in some cases, have also issued
                             their own food security guidelines to their members. Although the officials
                             generally believe that the agencies’ guidelines are reasonable, they do not
                             want the government to regulate food security. They also feel that some
                             companies, especially small facilities with limited resources, are unable to
                             implement all the measures in the guidelines. Therefore, these officials
                             believe it is important for the guidelines to remain voluntary.

                             The industry is involved in improving food security in other ways as well.
                             For example, the food industry associations formed the Alliance for Food
                             Security to facilitate the exchange of information about food security
                             issues. The Alliance is composed of trade associations representing the
                             food chain, from commodity production through processing, packaging,
                             distribution, and retail sale, as well as government agencies responsible
                             for food and water safety, public health, and law enforcement. Similarly,
                             led by the Food Marketing Institute, the food industry and FBI established
                             the Information Sharing and Analysis Center (ISAC), which serves as a
                             contact point for gathering, analyzing, and disseminating information
                             among companies and the multiagency National Infrastructure Protection
                             Center based at FBI headquarters. Through ISAC, FBI officials have
                             notified food manufacturers of warnings and threats that the Center deems
                             to be credible. ISAC also provides a voluntary mechanism for reporting
                             suspicious activity in a confidential manner and for developing solutions.


Five Processing Facilities   We visited five food-processing facilities, including a slaughter plant and
Provide Some Indication      facilities that produce beverages and ready-to-eat products. Although
about Industry’s Efforts     these facilities are not in any way representative of all food-processing
                             plants nationwide, they provide some information about the types of



                             18
                               The National Food Processors Association is in the process of evaluating the results from
                             its food security survey of its members, but not all of the results were ready in time to be
                             included in this report.




                             Page 16                                              GAO-03-342 Food-Processing Security
security measures that some facilities are implementing. All five facilities
had conducted risk analyses and, on the basis of the results, had
implemented a number of security measures similar to those suggested in
the FDA and FSIS guidelines. For example, all five facilities limited access
to the facility through such means as requiring visitors to enter through a
guard shack and to provide identification. In addition, employees at three
of the facilities could enter the facility only by using magnetic cards.

However, managers at the five facilities offered differing opinions about
personnel security. Although all of the facilities we visited performed
background checks on their employees that included verification of social
security numbers, only some verified prior work experience, criminal
history, and level of education. One company also required that its
contractors, such as construction companies working in the facility,
perform employment, education, and criminal checks of their own
employees. The facilities also used different protocols for employee access
to different areas within the plant. For example, at four of the facilities,
employees were limited to those areas of the plant in which they worked.

While the managers at these facilities generally complimented FDA’s and
USDA’s security guidelines, they said that they do not want the agencies to
regulate security. Rather, they believe that the agencies should develop a
nonprescriptive framework or strategy for industry and then leave them to
decide how to meet their individual requirements. One manager believes
that food security responsibilities should be moved to the Department of
Homeland Security.

Finally, our discussions with trade association officials and food-
processing industry officials revealed that the industry is very concerned
about sharing security information with federal agencies because of the
possibility that it could provide a road map for terrorist groups if it were
released under the Freedom of Information Act. Although the act exempts
from public release certain national security, trade secret, and commercial
or financial information, industry officials are generally skeptical about
the government’s ability to prevent the release of sensitive security
information at food-processing facilities. FBI officials told us that they
have cited these exemptions when assuring ISAC members that security
information shared with them will be protected from public release. These
officials explained that the courts have generally ruled that the
commercial information exemption protects those who voluntarily provide




Page 17                                    GAO-03-342 Food-Processing Security
                            the government with information if the information is of a kind that the
                            provider would not ordinarily release to the public.19 However, the FBI
                            officials we interviewed believe that the government should find some way
                            of assuring industry that sensitive security information is protected from
                            public release.



FDA and FSIS Survey         FDA and FSIS survey respondents observed a range of security measures
Respondents Indicate That   being implemented at food-processing facilities, although both FDA and
Processing Facilities Are   FSIS respondents were able to provide more information about those
                            security measures that were most visible during the course of their normal
Implementing a Range of     inspection duties. Figure 2 shows selected categories of security measures
Security Measures           recommended in the FDA and FSIS security guidelines that were most
                            visible to inspectors.20 The majority of the FDA survey respondents said
                            they were able to observe security measures, such as fencing around the
                            plants’ perimeter, limiting access to restricted areas, securing hazardous
                            materials, and providing adequate interior and exterior lighting. Likewise,
                            most of FSIS’s circuit supervisors were able to observe outside security
                            measures including alarmed emergency exits, plant perimeter protection,
                            positive employee identification, and the inspection of incoming and
                            outgoing vehicles.




                            19
                              See, for example, Critical Mass Energy Project v. Nuclear Regulatory Commission, 975
                            F. 2d 871 (D.C. Cir. 1992) (en banc) cert. denied, 507 U.S. 984 (1993) (information in safety
                            reports voluntarily provided to the Nuclear Regulatory Commission by nuclear safety
                            groups was confidential and thus exempt from disclosure under the Freedom of
                            Information Act’s exemption for financial or commercial information).
                            20
                             Security measures listed in FDA’s and FSIS’s food security guidelines are somewhat
                            different. The agencies developed their guidelines in January and May 2002, respectively,
                            and did not coordinate their efforts.




                            Page 18                                              GAO-03-342 Food-Processing Security
Figure 2: Percentage of Survey Responses Indicating Observation or Knowledge of
More Visible Security Measures




Note: GAO survey of FDA and FSIS inspectors.


Survey respondents provided fewer observations regarding other types of
security measures included in the FDA and FSIS guidelines—in some
instances because these measures were less visible to them. For example,
FDA respondents were less able to comment on whether they noticed or
knew of the presence of security measures designed to account for
missing stock or for other finished product irregularities. (See fig. 3.)
Similarly, FSIS respondents were less unable to comment on the extent to
which facilities were performing background checks on new employees or
implementing proper mail-handling practices.




Page 19                                        GAO-03-342 Food-Processing Security
Figure 3: Percentage of Survey Responses Indicating Observation or Knowledge of
Less Visible Security Measures




Note: GAO survey of FDA and FSIS inspectors.



More than half of FSIS’s survey respondents stated that large plants—
those with at least 500 employees—had implemented a range of security
measures, including the areas of outside security, storage, slaughter and
processing, and personnel security. Fewer of these respondents observed
these security measures at smaller plants. Some FDA and FSIS
respondents provided additional comments that the very small firms
typically lack the financial resources to implement many of the security
measures suggested in the government guidelines. Similarly, some
respondents commented that many of the security measures might not be
necessary at smaller establishments.

Additionally, most of the FDA respondents reported that they had not
received training on food security; while nearly all of the FSIS respondents
reported that they had recently received such training. Some of the FSIS
respondents further stated that although they had received food security


Page 20                                        GAO-03-342 Food-Processing Security
                             training, further training was greatly needed in the field. Such training
                             would be beneficial because field personnel are encouraged to discuss
                             security measures with managers at the facilities they inspect.

                             Finally, responses to our survey showed that FDA and FSIS respondents
                             have different levels of “satisfaction” with or “confidence” in the efforts of
                             the processing facilities they inspect to ensure the protection of food from
                             acts of deliberate contamination.21 While nearly half of the FSIS
                             respondents said they were somewhat or very confident of the efforts
                             made by the food processors they inspect, slightly over one-fourth of the
                             FDA respondents were satisfied or very satisfied with the efforts made by
                             the food processors they inspect.


Regulatory Officials from    Thirty-seven food regulatory officials interviewed by state auditors in 11
11 States Indicate Some      states provided opinions on their overall level of satisfaction with federal,
Level of Satisfaction with   state, and industry efforts to protect food from intentional contamination.
                             Table 1 shows that nearly half of the state regulatory officials interviewed
Security Efforts             expressed satisfaction with the efforts made by federal, state, and industry
                             to safeguard food products—though these results cannot be generalized to
                             all state regulatory officials.




                             21
                              FDA preferred that we ask about the level of “satisfaction,” while FSIS wanted us to ask
                             about the level of “confidence.”




                             Page 21                                             GAO-03-342 Food-Processing Security
Table 1: State Officials’ Satisfaction with Federal, State, and Industry Efforts to Safeguard Food Products from Deliberate
Contamination

 Questions asked of 37 state food safety                Percentage of officials        Percentage of officials        Percentage of officials
 regulatory officials                                        very satisfied or           neither satisfied nor           dissatisfied or very
 (11 states)                                                         satisfied                    dissatisfied                   dissatisfied
 How satisfied are you with the federal                                    43.3                           32.4                           24.3
 government’s efforts?
 How satisfied are you with the state                                          56.8                            29.7                     13.5
 government’s efforts?
 How satisfied are you with industry’s efforts?                                43.2                            45.9                     10.8
Source: State audit offices.

                                              Notes: Combined state survey of 37 state regulatory officials.

                                              Percentages may not total 100 because of rounding.


                                              Finally, most of the state officials interviewed by state auditors believed it
                                              was either “important” or “very important” for states to monitor whether
                                              companies have adopted security measures to prevent acts of deliberate
                                              contamination; 3 of the 11 states are already requiring their inspectors to
                                              do so.


                                              The vulnerability of the food supply to potential acts of deliberate
Conclusions                                   contamination is a national concern. The President addressed this concern
                                              in the October 8, 2001, executive order establishing the Office of
                                              Homeland Security and adding the agriculture and food industries to the
                                              list of critical infrastructure systems needing protection from terrorist
                                              attack. The National Academies have also concluded in a recently released
                                              report that infectious agents and toxic chemicals could be used by
                                              terrorists to contaminate food-processing facilities. Among other things,
                                              the report says that FDA should act promptly to extend its Hazard Analysis
                                              and Critical Control Point methodology so it might be used to deal
                                              effectively with deliberate contamination of the food supply. The Centers
                                              for Disease Control and Prevention also reported recently on the need to
                                              better protect our nation’s food and water supplies.

                                              These assessments underscore the need to enhance security at food-
                                              processing facilities. Although FDA and FSIS recognize that need and have
                                              taken action to encourage food processors to voluntarily adopt security
                                              measures, these actions may be insufficient. Because the agencies believe
                                              that they generally lack authority to mandate security measures and are
                                              concerned that such information would be subject to Freedom of
                                              Information Act requests, they do not collect information on industry’s



                                              Page 22                                                    GAO-03-342 Food-Processing Security
                      voluntary implementation of security measures. The agencies are,
                      therefore, unable to determine the extent to which food processors have
                      voluntarily implemented such measures. Both FDA and USDA have
                      completed risk assessments. However, without the ability to require food-
                      processing facilities to provide information on their security measures,
                      these federal agencies cannot fully assess industry’s efforts to prevent or
                      reduce the vulnerability of the nation’s food supply to deliberate
                      contamination. Similarly, they cannot advise processors on needed
                      security enhancements. Furthermore, lacking baseline information on the
                      facilities’ security condition, the agencies would be unprepared to advise
                      food-processing facilities on any additional actions needed if the federal
                      government were to go to a higher threat alert.

                      Finally, the lack of security training for FDA food inspectors on the
                      voluntary security guidelines issued for food processors and the limited
                      number of FSIS inspectors that have so far received training on the
                      voluntary security guidelines hamper the inspectors’ ability to conduct
                      informed discussions regarding security measures with facility personnel
                      as they are currently instructed to do.


                      In order to reduce the risk of deliberate contamination of food products,
Recommendations for   we are recommending that the Secretary of Health and Human Services
Executive Action      and the Secretary of Agriculture study their agencies’ existing statutes and
                      identify what additional authorities they may need relating to security
                      measures at food-processing facilities. On the basis of the results of these
                      studies, the agencies should seek additional authority from the Congress,
                      as needed.

                      To increase field inspectors’ knowledge and understanding of food
                      security issues and facilitate their discussions about the voluntary security
                      guidelines with plant personnel, we are also recommending that the
                      Secretary of Health and Human Services and the Secretary of Agriculture
                      provide training for their agencies’ field staff on the security measures
                      discussed in the voluntary guidelines.


                      We provided FDA and USDA with a draft of this report for their review
Agency Comments       and comment. We received written and clarifying oral comments from
and Our Evaluation    each agency. The agencies also provided technical comments, which we
                      incorporated into the report as appropriate. FDA agreed with our
                      recommendation that it provide all food inspection personnel with training
                      on security measures. Subsequently, FDA officials told us that the agency


                      Page 23                                     GAO-03-342 Food-Processing Security
did not have an opinion on our recommendation that it study what
additional authorities it may need relating to security measures at food-
processing facilities. In its written comments, FDA stated that the report is
factual and describes accurately the events and actions that FDA has
taken on food security. FDA also commented that one of the goals of its
voluntary guidance to industry is to heighten awareness of food security
practices and that the role of its investigators is first and foremost food
safety. FDA also said that it does not have sufficient security expertise to
provide industry with consultation in this area. FDA further commented
that although HACCP and other preventive controls are appropriate
measures to enhance food safety, HACCP does not afford similar
advantages for addressing deliberate contamination, tampering, and/or
terrorist actions related to the food supply. Our report underscores that
the role of FDA’s investigators is primarily one of food safety.
Nevertheless, we believe that it is also crucial for cognizant agencies to
have information about industry’s security efforts so that they can assess
the extent to which the risk of deliberate contamination is being mitigated.
We also believe that possessing such information is important if it
becomes necessary to advise food processors on needed security
enhancements. With regard to HACCP, our report does not take a position
on the feasibility of using HACCP as a means to control deliberate
contamination; instead, we report on the opinion of the National
Academies. FDA’s comments are presented in appendix V.

In its written comments, USDA agreed with the contents of our report.
Subsequently, USDA’s food safety officials confirmed that the agency also
agrees with the report’s recommendations. In its letter, USDA commented
that it has already conducted a comprehensive risk assessment of the food
supply without plant security information and that knowing whether a
plant employed one or several security measures was not needed to assess
the risk. Our report acknowledges that USDA has conducted a
comprehensive risk assessment, but we believe that it is crucial for
cognizant agencies to have information about industry’s security efforts so
that they can assess the extent to which the risk of deliberate
contamination is being mitigated. USDA’s comments are presented in
appendix IV.


As agreed with your offices, unless you publicly announce the contents of
this report earlier, we plan no further distribution until 30 days from the
report date. At that time, we will send copies to the Secretaries of
Agriculture and Health and Human Services; the Director of the Federal
Bureau of Investigation; the Director, Office of Management and Budget;


Page 24                                     GAO-03-342 Food-Processing Security
and other interested parties. We will also make copies available to others
upon request. In addition, the report will be available at no charge on the
GAO Web site at http://www.gao.gov.

If you have any questions about this report, please contact Maria Cristina
Gobin or me at (202) 512-3841. Key contributors to this report are listed in
appendix VI.




Lawrence J. Dyckman
Director, Natural Resources
 and Environment




Page 25                                     GAO-03-342 Food-Processing Security
             Appendix I: Scope and Methodology
Appendix I: Scope and Methodology


             To determine the extent to which the current federal food safety statutes
             can be effectively used to regulate security at food-processing facilities,
             we analyzed the Food and Drug Administration’s (FDA) and the U.S.
             Department of Agriculture’s (USDA) existing statutory authorities. We
             discussed these authorities with FDA and USDA counsel and requested a
             legal opinion to determine the extent to which each agency believes its
             existing authorities allow it to regulate food security. We then
             independently reviewed these authorities to draw our own conclusions.

             To describe the actions that FDA and USDA have taken to help food
             processors prevent or reduce the risk of deliberate food contamination,
             we met with staff from FDA and FSIS to review the voluntary guidelines
             issued by each agency. To better understand the provisions of the
             guidelines, we met with agency program staff responsible for issuing the
             guidelines and for receiving industry comments on it. To learn how the
             guidelines would be implemented, we met with FDA and USDA’s Food
             Safety and Inspection Service (FSIS) officials responsible for field
             operations and with staff from field offices in Atlanta, Georgia, and
             Beltsville, Maryland. Finally, to gather additional information about the
             vulnerability of the food supply to acts of deliberate contamination, we
             contacted nine experts from academia, including experts in food safety
             and in bioterrorism.

             To describe how the government is determining the extent to which food-
             processing companies are implementing security procedures, we asked
             FDA and FSIS program officials about the nature of the information they
             are collecting about industry security measures. We also conducted
             surveys of agency field personnel to obtain their observations about and
             knowledge of food security measures taken at facilities they regularly
             inspect for food safety. Our FDA survey, which was Web-based, was
             administered to all 150 field investigators who recorded 465 or more hours
             for domestic food inspection from June 1, 2001 to May 31, 2002. Our
             survey of FSIS staff was a telephone survey of a randomly selected
             stratified sample of 50 circuit supervisors. Our response rate for these
             surveys was higher than 85 percent for FDA and 90 percent for FSIS, and
             respondents included participants from all the agencies’ geographic
             regions. Before administering the surveys, we discussed with and obtained
             input from FDA and FSIS program officials. We also pretested the surveys
             at field locations to ensure that our questions were valid, clear, and
             precise and that responding to the survey did not place an undue burden
             on the respondents. In addition, we contacted state audit offices in all 50
             states to collect information about state government actions designed to
             prevent the deliberate contamination of food products. Of the 50 state


             Page 26                                     GAO-03-342 Food-Processing Security
Appendix I: Scope and Methodology




audit offices we contacted, only 11 agreed to help us collect this
information: Arizona, Florida, Maryland, Michigan, New York, North
Carolina, Oklahoma, Oregon, Pennsylvania, Tennessee, and Texas.

To determine the extent to which the food-processing industry is
implementing security measures to better protect its products against
deliberate contamination, we contacted officials from 13 trade
associations representing, among others, the meat and poultry, dairy, egg,
and fruits and vegetables industries and the food-processing industry. We
discussed the guidelines that their organizations have issued, and they
described what actions their constituents are taking to protect their
products. We also visited five food-processing facilities in various
geographic regions to ask corporate and plant officials about the actions
they have taken to protect their products and facilities against intentional
contamination. These facilities included a slaughter plant as well as
facilities that produce beverages and ready-to-eat products. We recognize
that the efforts of these five facilities are not necessarily representative of
the whole food-processing industry. To identify the concerns that the
industry has about sharing sensitive information with federal agencies, we
spoke with industry representatives as well as officials from the Federal
Bureau of Investigation’s National Infrastructure Protection Center.

We conducted our review from February through December 2002 in
accordance with generally accepted government auditing standards.




Page 27                                      GAO-03-342 Food-Processing Security
              Appendix II: FDA Survey Results
Appendix II: FDA Survey Results




              Page 28                           GAO-03-342 Food-Processing Security
Appendix II: FDA Survey Results




Page 29                           GAO-03-342 Food-Processing Security
Appendix II: FDA Survey Results




Page 30                           GAO-03-342 Food-Processing Security
Appendix II: FDA Survey Results




Page 31                           GAO-03-342 Food-Processing Security
Appendix II: FDA Survey Results




Page 32                           GAO-03-342 Food-Processing Security
              Appendix III: FSIS Survey Results
Appendix III: FSIS Survey Results




              Page 33                             GAO-03-342 Food-Processing Security
Appendix III: FSIS Survey Results




Page 34                             GAO-03-342 Food-Processing Security
Appendix III: FSIS Survey Results




Page 35                             GAO-03-342 Food-Processing Security
Appendix III: FSIS Survey Results




Page 36                             GAO-03-342 Food-Processing Security
Appendix III: FSIS Survey Results




Page 37                             GAO-03-342 Food-Processing Security
Appendix III: FSIS Survey Results




Page 38                             GAO-03-342 Food-Processing Security
Appendix III: FSIS Survey Results




Page 39                             GAO-03-342 Food-Processing Security
Appendix III: FSIS Survey Results




Page 40                             GAO-03-342 Food-Processing Security
Appendix III: FSIS Survey Results




Page 41                             GAO-03-342 Food-Processing Security
Appendix III: FSIS Survey Results




Page 42                             GAO-03-342 Food-Processing Security
         Appendix IV: Comments from the U.S. Department of
Appendix IV: Comments from the
         Agriculture



U.S. Department of Agriculture




                     Page 43                                 GAO-03-342 Food-Processing Security
         Appendix V: Comments from the Food and Drug
Appendix V: Comments from the Food and
         Administration



Drug Administration




                     Page 44                           GAO-03-342 Food-Processing Security
Appendix V: Comments from the Food and Drug
Administration




            Page 45                           GAO-03-342 Food-Processing Security
Appendix V: Comments from the Food and Drug
Administration




            Page 46                           GAO-03-342 Food-Processing Security
                  Appendix VI: GAO Contacts and Staff
Appendix VI: GAO Contacts and Staff
                  Acknowledgments



Acknowledgments

                  Lawrence J. Dyckman, (202) 512-3841
GAO Contacts      Maria Cristina Gobin, (202) 512-8418


                  In addition to those named above, John Johnson, John Nicholson, Jr.,
Acknowledgments   Stuart Ryba, and Margaret Skiba made key contributions to this report.
                  Nancy Crothers, Doreen S. Feldman, Oliver Easterwood, Evan Gilman, and
                  Ronald La Due Lake also made important contributions.




(360177)
                              Page 47                     GAO-03-342 Food-Processing Security
                         The General Accounting Office, the audit, evaluation and investigative arm of
GAO’s Mission            Congress, exists to support Congress in meeting its constitutional responsibilities
                         and to help improve the performance and accountability of the federal
                         government for the American people. GAO examines the use of public funds;
                         evaluates federal programs and policies; and provides analyses,
                         recommendations, and other assistance to help Congress make informed
                         oversight, policy, and funding decisions. GAO’s commitment to good government
                         is reflected in its core values of accountability, integrity, and reliability.


                         The fastest and easiest way to obtain copies of GAO documents at no cost is
Obtaining Copies of      through the Internet. GAO’s Web site (www.gao.gov) contains abstracts and full-
GAO Reports and          text files of current reports and testimony and an expanding archive of older
                         products. The Web site features a search engine to help you locate documents
Testimony                using key words and phrases. You can print these documents in their entirety,
                         including charts and other graphics.
                         Each day, GAO issues a list of newly released reports, testimony, and
                         correspondence. GAO posts this list, known as “Today’s Reports,” on its Web site
                         daily. The list contains links to the full-text document files. To have GAO e-mail
                         this list to you every afternoon, go to www.gao.gov and select “Subscribe to daily
                         E-mail alert for newly released products” under the GAO Reports heading.


Order by Mail or Phone   The first copy of each printed report is free. Additional copies are $2 each. A
                         check or money order should be made out to the Superintendent of Documents.
                         GAO also accepts VISA and Mastercard. Orders for 100 or more copies mailed to a
                         single address are discounted 25 percent. Orders should be sent to:
                         U.S. General Accounting Office
                         441 G Street NW, Room LM
                         Washington, D.C. 20548
                         To order by Phone:     Voice:    (202) 512-6000
                                                TDD:      (202) 512-2537
                                                Fax:      (202) 512-6061


                         Contact:
To Report Fraud,
                         Web site: www.gao.gov/fraudnet/fraudnet.htm
Waste, and Abuse in      E-mail: fraudnet@gao.gov
Federal Programs         Automated answering system: (800) 424-5454 or (202) 512-7470


                         Jeff Nelligan, managing director, NelliganJ@gao.gov (202) 512-4800
Public Affairs           U.S. General Accounting Office, 441 G Street NW, Room 7149
                         Washington, D.C. 20548