Mitigation Strategies To Protect Food Against Intentional Adulteration

Federal Register, Volume 81 Issue 103 (Friday, May 27, 2016)


Rules and Regulations

Pages 34165-34223

From the Federal Register Online via the Government Publishing Office www.gpo.gov

FR Doc No: 2016-12373


Part IV

Department of Health and Human Services

-----------------------------------------------------------------------

Food and Drug Administration

-----------------------------------------------------------------------

21 CFR Parts 11 and 121

Mitigation Strategies To Protect Food Against Intentional Adulteration; Final Rule


-----------------------------------------------------------------------


Docket No. FDA-2013-N-1425

RIN 0910-AG63

Mitigation Strategies To Protect Food Against Intentional Adulteration

AGENCY: Food and Drug Administration, HHS.

ACTION: Final rule.

-----------------------------------------------------------------------

SUMMARY: The Food and Drug Administration (FDA or we) is issuing this final rule to require domestic and foreign food facilities that are required to register under the Federal Food, Drug, and Cosmetic Act (the FD&C Act) to address hazards that may be introduced with the intention to cause wide scale public health harm. These food facilities are required to conduct a vulnerability assessment to identify significant vulnerabilities and actionable process steps and implement mitigation strategies to significantly minimize or prevent significant vulnerabilities identified at actionable process steps in a food operation. FDA is issuing these requirements as part of our implementation of the FDA Food Safety Modernization Act (FSMA).

DATES: This rule is effective July 26, 2016. See section VIII for compliance dates.

FOR FURTHER INFORMATION CONTACT: Ryan Newkirk, Center for Food Safety and Applied Nutrition (HFS-005), Food and Drug Administration, 5100 Paint Branch Pkwy., College Park, MD 20740, 240-402-3712, email: Ryan.Newkirk@fda.hhs.gov.

SUPPLEMENTARY INFORMATION:

Table of Contents

Executive Summary

Purpose and Coverage of the Rule

Summary of the Major Provisions of the Rule

Costs and Benefits

  1. Background

    1. FDA Food Safety Modernization Act

    2. Proposed Rule on Intentional Adulteration

    3. Appendix 4 to Draft Risk Assessment

    4. Public Comments

  2. Legal Authority

    1. Section 103 of FSMA

    2. Section 106 of FSMA

    3. Intrastate Activities

  3. General Comments on the Proposed Rule

    1. Comments on Overall Framework for the Regulatory Approach

    2. One Set of Requirements Under Sections 418 and 420 of the FD&C Act

    3. Require Measures Only in the Event of a Credible Threat

    4. General Comments on Implementation and Compliance

    5. Comments on Requests for Additional Exemptions

    6. Other General Comments

    7. Other Issues Discussed in the Proposed Rule

  4. Subpart A: Comments on Specific Provisions

    1. Revisions to Definitions Also Used in Section 415 Registration Regulations (21 CFR Part 1, Subpart H) and Section 414 Recordkeeping Regulations (21 CFR Part 1, Subpart J)

    2. Other Definitions That We Proposed To Establish in Part 121

    3. Additional Definitions to Clarify Terms Not Defined in the Proposed Rule

    4. Comments Asking FDA to Establish Additional Definitions or Otherwise Clarify Terms Not Defined in the Rule

    5. Proposed Sec. 121.5--Exemptions

  5. Subpart C: Comments on Food Defense Measures

    1. Proposed Sec. 121.126--Requirement for a Food Defense Plan

    2. Proposed Sec. 121.130--Identification of Actionable Process Steps

    3. Proposed Sec. 121.135--Focused Mitigation Strategies for Actionable Process Steps

    4. Final Sec. 121.138--Mitigation Strategies Management Components

    5. Proposed Sec. 121.140--Monitoring

    6. Proposed Sec. 121.145--Corrective Actions

    7. Proposed Sec. 121.150--Verification

    8. Proposed Sec. 121.160--Training (Final Sec. 121.4)

  6. Subpart D: Comments on Requirements Applying to Records That Must Be Established and Maintained

    1. Proposed Sec. 121.301--Records Subject to the Requirements of This Subpart D

    2. Proposed Sec. 121.305--General Requirements Applying to Records

    3. Proposed Sec. 121.310--Additional Requirements Applying to the Food Defense Plan

    4. Proposed Sec. 121.315--Requirements for Record Retention

    5. Proposed Sec. 121.320--Requirements for Official Review

    6. Proposed Sec. 121.325--Public Disclosure

    7. Proposed Sec. 121.330--Use of Existing Records

  7. Subpart E: Comments on Compliance--Proposed Sec. 121.401

  8. Effective and Compliance Dates

  9. Executive Order 13175

  10. Final Regulatory Impact Analysis

  11. Paperwork Reduction Act of 1995

  12. Analysis of Environmental Impact

  13. Federalism

  14. References

    Executive Summary

    Purpose and Coverage of the Rule

    This regulation implements three provisions of the FD&C Act, as amended by FSMA, that relate to the intentional adulteration of food. Section 418 of the FD&C Act (21 U.S.C. 350g) addresses intentional adulteration in the context of facilities that manufacture, process, pack, or hold food and are required to register under section 415 of the FD&C Act (21 U.S.C. 350d). Section 419 of the FD&C Act (21 U.S.C. 350h) addresses intentional adulteration in the context of fruits and vegetables that are raw agricultural commodities. Section 420 of the FD&C Act (21 U.S.C. 350i) addresses intentional adulteration in the context of high-risk foods and exempts farms except for farms that produce milk. FDA is implementing the intentional adulteration provisions in sections 418, 419, and 420 of the FD&C Act in this rulemaking.

    The purpose of this rule is to protect food from intentional acts of adulteration where there is an intent to cause wide scale public health harm. This rule applies to both domestic and foreign facilities that are required to register under section 415 of the FD&C Act. This rule establishes several exemptions as follows:

    The rule does not apply to a very small business (i.e., a business, including any subsidiaries or affiliates, averaging less than $10,000,000, adjusted for inflation, per year, during the 3-year period preceding the applicable calendar year in both sales of human food plus the market value of human food manufactured, processed, packed, or held without sale, e.g., held for a fee), except that the facility is required to provide for official review, upon request, documentation sufficient to show that the facility qualifies for this exemption.

    This rule does not apply to the holding of food, except the holding of food in liquid storage tanks.

    This rule does not apply to the packing, re-packing, labeling, or re-labeling of food where the container that directly contacts the food remains intact.

    This rule does not apply to activities of a farm that are subject to section 419 of the Federal Food, Drug, and Cosmetic Act (Standards for Produce Safety).

    This rule does not apply with respect to alcoholic beverages at a facility that meets certain conditions.

    This rule does not apply to the manufacturing, processing, packing, or holding of food for animals other than man.

    This rule does not apply to on-farm manufacturing, processing, packing, or holding by a small or very small business of certain foods identified as having low-risk production practices if such activities are the only activities conducted by the business subject to section 418 of the FD&C Act.


    Summary of the Major Provisions of the Final Rule

    This rule establishes various food defense measures that an owner, operator, or agent in charge of a facility is required to implement to protect against the intentional adulteration of food. Specifically:

    Prepare and implement a written food defense plan that includes a vulnerability assessment to identify significant vulnerabilities and actionable process steps, mitigation strategies, and procedures for food defense monitoring, corrective actions, and verification (Sec. 121.126).

    Identify any significant vulnerabilities and actionable process steps by conducting a vulnerability assessment for each type of food manufactured, processed, packed, or held at the facility using appropriate methods to evaluate each point, step, or procedure in a food operation (Sec. 121.130).

    Identify and implement mitigation strategies at each actionable process step to provide assurances that the significant vulnerability at each step will be significantly minimized or prevented and the food manufactured, processed, packed, or held by the facility will not be adulterated. For each mitigation strategy implemented at each actionable process step, include a written explanation of how the mitigation strategy sufficiently minimizes or prevents the significant vulnerability associated with the actionable process step (Sec. 121.135).

    Establish and implement mitigation strategies management components, as appropriate to ensure the proper implementation of each such mitigation strategy, taking into account the nature of the mitigation strategy and its role in the facility's food defense system (Sec. 121.138).

    Establish and implement food defense monitoring procedures, for monitoring the mitigation strategies, as appropriate to the nature of the mitigation strategy and its role in the facility's food defense system (Sec. 121.140).

    Establish and implement food defense corrective action procedures that must be taken if mitigation strategies are not properly implemented, as appropriate to the nature of the actionable process step and the nature of the mitigation strategy (Sec. 121.145).

    Establish and implement specified food defense verification activities, as appropriate to the nature of the mitigation strategy and its role in the facility's food defense system (Sec. 121.150).

    Conduct a reanalysis of the food defense plan (Sec. 121.157).

    Ensure that all individuals who perform required food defense activities are qualified to perform their assigned duties (Sec. 121.4).

    Establish and maintain certain records, including the written food defense plan (vulnerability assessment, mitigation strategies and procedures for food defense monitoring, corrective actions, and verification) and documentation related to training of personnel. All records are subject to certain general recordkeeping and record retention requirements (Sec. Sec. 121.301 to 121.330).

    The effective date is 60 days after this final rule is published. However, we are providing for a longer timeline for facilities to come into compliance. Facilities, other than small and very small businesses, have 3 years after the effective date to comply with part 121. Small businesses (i.e., those employing fewer than 500 full-time equivalent employees) have 4 years after the effective date to comply with part 121. Very small businesses (i.e., businesses that have less than $10,000,000, adjusted for inflation, per year, during the 3-year period preceding the applicable calendar year in both sales of human food plus the market value of human food manufactured, processed, packed, or held without sale, e.g., held for a fee) have 5 years after the effective date to comply with Sec. 121.5(a).

    As discussed in detail in later sections of the rule, we made several major revisions to the provisions of this rule, mainly in response to comments, to provide for greater flexibility and clarity. These major revisions to the regulatory text include the following:

    We removed the key activity types (KATs); however, the use of the KATs is still permissible to conduct a vulnerability assessment and will be further discussed in guidance.

    We specified three elements that must be evaluated when conducting a vulnerability assessment: (1) The potential public health impact (e.g., severity and scale) if a contaminant were added; (2) the degree of physical access to the product; and (3) the ability of an attacker to successfully contaminate the product.

    We specified that the vulnerability assessment must consider the possibility of an inside attacker.

    We removed the distinction between ``broad'' and ``focused'' mitigation strategies.

    We made the mitigation strategy management components (food defense monitoring, corrective actions, and verification) more flexible by providing that they are required ``as appropriate to ensure the proper implementation of the mitigation strategies, taking into account the nature of each such mitigation strategy and its role in the facility's food defense system.''

    We revised the terminology used for the food defense management components such that monitoring, corrective actions, and verification are now food defense monitoring, food defense corrective actions, and food defense verification.

    We made the requirement to document food defense monitoring more flexible by providing for use of exception records.

    We made the food defense corrective actions requirement more flexible by providing that it is required ``as appropriate to the nature of the actionable process step and the nature of the mitigation strategy.''

    We made the requirement for verifying proper implementation of mitigation strategies more flexible by providing for ``other activities appropriate for verification of proper implementation of mitigation strategies.''

    We exempted records required by this rule from the requirements of 21 Code of Federal Regulations, part 11.

    We provided for the use of existing records if certain conditions are met.

    We removed the term ``qualified facility'' and instead refer to ``very small business'' in the exemption under 121.5(a).

    We established an exemption for certain on-farm manufacturing, processing, packing, or holding by small and very small businesses of certain foods identified as having low-risk production processes.

    We added a new definition for ``qualified individual'' and included new requirements to ensure that all individuals who perform activities required under subpart C are qualified to perform their assigned activities.

    We provided longer timelines for facilities to come into compliance with the rule.

    Costs and Benefits

    The total cost of the rule, annualized over 10 years at a 7 percent discount rate, is between $280 and $490 million. With a 3 percent discount rate, the annualized cost is between $270 and $480 million. The first-year cost is between $680 and $930 million. Counting only domestic firms, the total annualized costs are between $90 and $150 million, with initial costs of between $220 and $300 million. The average annualized cost per covered facility is between $9,000 and $16,000, and the average annualized cost per covered firm is between $27,000 and $47,000.

    The benefits of the actions required by the rule are a reduction in the possibility of illness and death resulting from intentional adulteration of food. We monetize the damage that various intentional adulteration scenarios might cause, and present a breakeven analysis showing the number of prevented attacks at which the benefits are larger than the costs. For attacks that are similar in impact to acts of intentional adulteration that have happened in the United States in the past, the breakeven threshold, counting only producer costs, is 28 to 48 attacks prevented every year. For attacks causing similar casualties as major historical outbreaks of food-related illness, the breakeven threshold is one or two attacks every year. For catastrophic terrorist attacks causing thousands of fatalities, the breakeven threshold is one attack prevented every 270 to 460 years.

    The table shows the approximate, rounded, mean values for various cost components of the rule:

    Annualized Cost and Benefit Overview

    | All Numbers are USD 2014 (millions), annualized over 10 years | 3% Discount | 7% Discount |
    |---|---|---|
    | Costs: | | |
    | Learning about Rule | $3 | $4 |
    | Creating Food Defense Plans | 10 | 11 |
    | Mitigation Costs | 26 | 28 |
    | Monitoring, Corrective Action, Verification | 62 | 62 |
    | Employee Training | 5 | 6 |
    | Documentation | 9 | 9 |
    | Subtotal (Domestic cost) | 115 | 119 |
    | Cost to Foreign Firms | 247 | 256 |
    | Total | 362 | 375 |
    | Benefits: | | |
    | Lower Chance of Intentional Adulteration | Unquantified | Unquantified |

  1. Background

    1. FDA Food Safety Modernization Act

      The FDA Food Safety Modernization Act (FSMA) (Pub. L. 111-353), signed into law by President Obama on January 4, 2011, is intended to allow FDA to better protect public health by helping to ensure the safety and security of the food supply. FSMA enables us to focus more on preventing food safety problems rather than relying primarily on reacting to problems after they occur. The law also provides new enforcement authorities to help achieve higher rates of compliance with risk-based, prevention-oriented safety standards and to better respond to and contain problems when they do occur. In addition, the law contains important new tools to better ensure the safety of imported foods and encourages partnerships with State, local, tribal, and territorial authorities. A top priority for FDA are those FSMA-required regulations that provide the framework for industry's implementation of preventive controls and enhance our ability to oversee their implementation for both domestic and imported food. To that end, we proposed the seven foundational rules listed in table 1 and requested comments on all aspects of these proposed rules.

      Table 1--Published Foundational Rules for Implementation of FSMA

      | Title | Abbreviation | Publication |
      |---|---|---|
      | Current Good Manufacturing Practice and Hazard Analysis and Risk-Based Preventive Controls for Human Food. | 2013 proposed human preventive controls rule. | 78 FR 3646, January 16, 2013. |
      | Standards for the Growing, Harvesting, Packing, and Holding of Produce for Human Consumption. | 2013 proposed produce safety rule. | 78 FR 3504, January 16, 2013. |
      | Current Good Manufacturing Practice and Hazard Analysis and Risk-Based Preventive Controls for Food for Animals. | 2013 proposed animal preventive controls rule. | 78 FR 64736, October 29, 2013. |
      | Foreign Supplier Verification Programs (FSVP) for Importers of Food for Humans and Animals. | 2013 proposed FSVP rule. | 78 FR 45730, July 29, 2013. |
      | Accreditation of Third-Party Auditors/Certification Bodies to Conduct Food Safety Audits and to Issue Certifications. | 2013 proposed third-party certification rule. | 78 FR 45782, July 29, 2013. |
      | Focused Mitigation Strategies To Protect Food Against Intentional Adulteration. | 2013 proposed intentional adulteration rule. | 78 FR 78014, December 24, 2013. |
      | Sanitary Transportation of Human and Animal Food. | 2014 proposed sanitary transportation rule. | 79 FR 7006, February 5, 2014. |

      We also issued a supplemental notice of proposed rulemaking for the rules listed in table 2 and requested comments on specific issues identified in each supplemental notice of proposed rulemaking.


      Table 2--Published Supplemental Notices of Proposed Rulemaking for the Foundational Rules for Implementation of FSMA

      | Title | Abbreviation | Publication |
      |---|---|---|
      | Current Good Manufacturing Practice and Hazard Analysis and Risk-Based Preventive Controls for Human Food. | 2014 supplemental human preventive controls notice. | 79 FR 58524, September 29, 2014. |
      | Standards for the Growing, Harvesting, Packing, and Holding of Produce for Human Consumption. | 2014 supplemental produce safety notice. | 79 FR 58434, September 29, 2014. |
      | Current Good Manufacturing Practice and Hazard Analysis and Risk-Based Preventive Controls for Food for Animals. | 2014 supplemental animal preventive controls notice. | 79 FR 58476, September 29, 2014. |
      | Foreign Supplier Verification Programs (FSVP) for Importers of Food for Humans and Animals. | 2014 supplemental FSVP notice. | 79 FR 58574, September 29, 2014. |

      We have finalized six of the foundational rulemakings, as listed in table 3.

      Table 3--Published Foundational Final Rules for Implementation of FSMA

      | Title | Abbreviation | Publication |
      |---|---|---|
      | Current Good Manufacturing Practice, Hazard Analysis and Risk-Based Preventive Controls for Human Food. | PCHF final rule | 80 FR 55908, September 17, 2015. |
      | Current Good Manufacturing Practice, Hazard Analysis and Risk-Based Preventive Controls for Food for Animals. | PCAF final rule | 80 FR 56170, September 17, 2015. |
      | Standards for the Growing, Harvesting, Packing, and Holding of Produce for Human Consumption. | Produce final rule | 80 FR 74354, November 27, 2015. |
      | Foreign Supplier Verification Programs (FSVP) for Importers of Food for Humans and Animals. | FSVP final rule | 80 FR 74226, November 27, 2015. |
      | Accreditation of Third-Party Certification Bodies to Conduct Food Safety Audits and to Issue Certifications. | Third-party final rule. | 80 FR 74570, November 27, 2015. |
      | Sanitary Transportation of Human and Animal Food. | Transport final rule. | 81 FR 20092, April 6, 2016. |

      As FDA finalizes these seven foundational rulemakings, we are putting in place a framework for food safety that is modern and brings to bear the most recent science on provisions to enhance food safety and food defense, that is risk-based and focuses effort where the hazards are most significant, and that is flexible and practical given our current knowledge of food safety and food defense practices. To achieve this, FDA has engaged in a great deal of outreach to the stakeholder community to find the right balance in these regulations of flexibility and accountability.

      Since FSMA was enacted in 2011, we have been involved in approximately 600 engagements on FSMA and the proposed rules, including public meetings, Webinars, listening sessions, farm tours, and extensive presentations and meetings with various stakeholder groups (Ref. 1) (Ref. 2). As a result of this stakeholder dialogue, FDA decided to issue the four supplemental notices of proposed rulemaking to share our current thinking on key issues and get additional stakeholder input on those issues. As we move forward into the next phase of FSMA implementation, we intend to continue this dialogue and collaboration with our stakeholders, through guidance, education, training, and assistance, to ensure that stakeholders understand and engage in their roles in food safety and food defense. FDA believes these seven foundational final rules, when implemented, will fulfill the paradigm shift toward prevention that was envisioned in FSMA and be a major step forward for food safety and food defense that will protect consumers into the future.

    2. Proposed Rule on Intentional Adulteration

      In the Federal Register of December 24, 2013 (78 FR 78014), we issued a proposed rule to implement the intentional adulteration provisions in sections 103, 105, and 106 of FSMA (proposed rule). We initially requested public comments on the proposed rule by March 31, 2014. We extended the comment period for the proposed rule until June 30, 2014, in response to several requests for an extension.

      The proposed rule proposed to require various food defense measures that an owner, operator, or agent in charge of a facility would be required to implement to protect against the intentional adulteration of food, and can be summarized as follows:

      Prepare and implement a written food defense plan that includes actionable process steps, focused mitigation strategies, and procedures for monitoring, corrective actions, and verification (proposed Sec. 121.126).

      Identify any actionable process steps, using one of two procedures. In the proposed rule, we explained that FDA has analyzed vulnerability assessments conducted using the CARVER+Shock methodology and identified four key activity types: Bulk liquid receiving and loading; Liquid storage and handling; Secondary ingredient handling; and Mixing and similar activities. We further explained that FDA has determined that the presence of one or more of these key activity types at a process step (e.g., manufacturing, processing, packing, or holding of food) indicates a significant vulnerability under section 418 of the FD&C Act and that the food is at high risk of intentional adulteration caused by acts of terrorism under section 420 of the FD&C Act. We proposed that facilities may identify actionable process steps using the FDA-identified key activity types as described in proposed Sec. 121.130(a) or conduct their own facility-specific vulnerability assessments as provided in proposed Sec. 121.130(b).

      Identify and implement focused mitigation strategies at each actionable process step to provide assurances that the significant vulnerability at each step will be significantly minimized or prevented and the food manufactured, processed, packed, or held by the facility will not be adulterated (proposed Sec. 121.135).

      Establish and implement procedures, including the frequency with which they are to be performed, for monitoring the focused mitigation strategies (proposed Sec. 121.140).

      Establish and implement corrective action procedures that must be taken if focused mitigation strategies are not properly implemented (proposed Sec. 121.145).

      Verify that monitoring is being conducted and appropriate decisions about corrective actions are being made; verify that the focused mitigation strategies are consistently implemented and are effectively and significantly minimizing or preventing the significant vulnerabilities; and conduct a reanalysis of the food defense plan (proposed Sec. 121.150).

      Ensure that personnel and supervisors assigned to actionable process steps receive appropriate training in food defense awareness and their respective responsibilities in implementing focused mitigation strategies (proposed Sec. 121.160).

      Establish and maintain certain records, including the written food defense plan; written identification of actionable process steps and the assessment leading to that identification; written focused mitigation strategies; written procedures for monitoring, corrective actions, and verification; and documentation related to training of personnel. All such records are subject to certain recordkeeping requirements, record retention requirements, requirements for official review and public disclosure requirements (proposed Sec. Sec. 121.301 to 121.325).

      Proposed the effective date as 60 days after this final rule is published. However, we proposed for a longer timeline for facilities to come into compliance. Facilities, other than small and very small businesses, would have 1 year after the effective date to comply with part 121. Small businesses (i.e., those employing fewer than 500 persons) would have 2 years after the effective date to comply with part 121. Very small businesses (i.e., businesses that have less than $10,000,000 in total annual sales of food, adjusted for inflation) would be considered a qualified facility and have 3 years after the effective date to comply with Sec. 121.5(a).

      We requested comment on all aspects of the proposed requirements. In addition, we described our thinking and sought comment on other issues, including the framework of the rule; activities that occur on produce farms; transportation carriers; food for animals; acts of disgruntled employees, consumers, or competitors; economically motivated adulteration; low-risk activities at farm mixed-type facilities; activities that occur on dairy farms; and other ways to focus on foods with a high risk of intentional adulteration caused by terrorism.

    3. Appendix 4 to Draft Risk Assessment

      We issued for public comment an ``Appendix 4 to Draft Qualitative Risk Assessment of Risk of Activity/Food Combinations for Activities (Outside the Farm Definition) Conducted in a Facility Co-Located on a Farm'' (the draft RA Appendix) (78 FR 78064, December 24, 2013). The purpose of the draft RA Appendix was to provide a science-based risk analysis of those foods whose production processes would be considered low risk with respect to the risk of intentional adulteration caused by acts of terrorism. We used the tentative conclusions of the section 103(c)(1)(C) draft RA Appendix to seek comment in the proposed rule on possible exemptions or modified requirements for this final rule (78 FR 78014 at 78029). We are including the final appendix to the risk assessment in the docket established for this document (Ref. 3).

    4. Public Comments

      We received more than 200 public submissions on the proposed rule, each containing one or more comments. We received submissions from diverse members of the public, including food facilities (including facilities co-located on a farm); farms; cooperatives; coalitions; trade organizations; consulting firms; law firms; academia; public health organizations; public advocacy groups; consumers; consumer groups; Congress, Federal, State, local, and tribal Governments; and other organizations. Some submissions included signatures and statements from multiple individuals. Comments addressed virtually every provision of the proposed rule, including our requests for comment on including additional provisions that we did not include in the proposed regulatory text. In the remainder of this document, we describe these comments, respond to them, and explain any revisions we made to the proposed rule.

      Some comments address issues that are outside the scope of this rule. For example, some comments express concern about overregulation in general. Some comments believe the Department of Homeland Security is the Federal Agency that should protect the food supply. Some comments express concern about ``genetically modified organisms'', while other comments express concern about the amount of chemicals in food. Some comments express concern that extreme consolidation of our food system is the main reason that it could be a target for terrorism or other intentional acts aimed at causing widespread human casualties. These comments state that decentralization is the most resilient defense against those who wish to contaminate the food supply. We do not discuss such comments in this document.

  16. Legal Authority

    The proposed rule contained an explanation of its legal basis under authorities in the FDA Food Safety Modernization Act and section 701 of the FD&C Act. After considering the comments received in response to the proposed rule, FDA made changes in the final rule. The legal authorities relied on in the final rule are the same as those in the proposed rule unless otherwise described in the sections that follow.

    1. Section 103 of FSMA

      Section 103 of FSMA, Hazard Analysis and Risk-Based Preventive Controls, amends the FD&C Act to create a new section 418, which mandates rulemaking. Section 418(n)(1)(A) of the FD&C Act requires that the Secretary issue regulations ``to establish science-based minimum standards for conducting a hazard analysis, documenting hazards, implementing preventive controls, and documenting the implementation of the preventive controls. . . .'' Section 418(n)(1)(B) of the FD&C Act requires that the regulations define the terms ``small business'' and ``very small business,'' taking into consideration the study of the food processing sector required by section 418(l)(5) of the FD&C Act. Further, section 103(e) of FSMA creates a new section 301(uu) in the FD&C Act (21 U.S.C. 331(uu)) to prohibit ``the operation of a facility that manufactures, processes, packs, or holds food for sale in the United States if the owner, operator, or agent in charge of such facility is not in compliance with section 418 of the FD&C Act.''

      In addition to rulemaking requirements, section 418 contains requirements applicable to the owner, operator, or agent in charge of a facility required to register under section 415. Section 418(a) is a general provision that requires the owner, operator, or agent in charge of a facility to evaluate the hazards that could affect food manufactured, processed, packed, or held by the facility, identify and implement preventive controls, monitor the performance of those controls, and maintain records of the monitoring. In addition to the general requirements in section 418(a) of the FD&C Act, sections 418(b)-(i) contain more specific requirements applicable to facilities, including several provisions explicitly directed at intentional adulteration. For example, section 418(b)(2) of the FD&C Act specifies that the owner, operator, or agent in charge of a facility shall identify and evaluate hazards that may be intentionally introduced, including by acts of terrorism. Section 418(c)(2) of the FD&C Act specifies that the owner, operator, or agent in charge of a facility shall identify and implement preventive controls to provide assurances that any hazards that relate to intentional adulteration will be significantly minimized or prevented and addressed, consistent with section 420 of the FD&C Act.

      Sections 418(j)-(m) of the FD&C Act and sections 103(c)(1)(D) and (g) of FSMA provide authority for certain exemptions and modifications to the requirements of section 418 of the FD&C Act. These include provisions related to seafood and juice hazard analysis critical control point (HACCP), and low-acid canned food (section 418(j)); activities of facilities subject to section 419 of the FD&C Act (Standards for Produce Safety) (section 418(k)); qualified facilities (section 418(l)); facilities that are solely engaged in the production of food for animals other than man, the storage of raw agricultural commodities (other than fruits and vegetables) intended for further distribution or processing, or the storage of packaged foods that are not exposed to the environment (section 418(m)); facilities engaged only in certain low risk on-farm activities on certain foods conducted by small or very small businesses (section 103(c)(1)(D) of FSMA), and dietary supplements (section 103(g) of FSMA). We are issuing all of the provisions of the rule under section 418 of the FD&C Act, except with respect to facilities that are exempt from its coverage.

    2. Section 106 of FSMA

      Section 106 of FSMA, Protection Against Intentional Adulteration, amends the FD&C Act to create a new section 420, which mandates rulemaking. Section 420 of the FD&C Act requires FDA to issue regulations to protect against the intentional adulteration of food. Section 420(b)(1) of the FD&C Act requires that such regulations are to specify how a person is to assess whether the person is required to implement mitigation strategies or measures intended to protect against the intentional adulteration of food. Section 420(b)(2) of the FD&C Act requires that the regulations specify appropriate science-based mitigation strategies or measures to prepare and protect the food supply chain at specific vulnerable points, as appropriate. Section 420(c) of the FD&C Act provides that such regulations are to apply only to food for which there is a high risk of intentional adulteration and for which such intentional adulteration could cause serious adverse health consequences or death to humans or animals. Section 420(c)(1) provides that such foods are to include those for which FDA has identified clear vulnerabilities. Section 420(d) of the FD&C Act limits applicability on farms to farms that produce milk. Further, section 106(d) of FSMA creates a new section 301(ww) in the FD&C Act to prohibit ``the failure to comply with section 420 of the FD&C Act.'' We are issuing all of the provisions of the rule under section 420 of the FD&C Act.

    3. Intrastate Activities

      FDA concludes that the rule should apply to activities that are intrastate in character. Facilities are required to register under section 415 of the FD&C Act regardless of whether the food from the facility enters interstate commerce (Sec. 1.225(b)). The plain language of section 418 of the FD&C Act applies to facilities that are required to register under section 415 of the FD&C Act (section 418(o)(2)) and does not exclude a facility because food from such a facility is not in interstate commerce. Similarly, the plain language of section 420 of the FD&C Act requires FDA to issue regulations to protect against the intentional adulteration of food and does not include a limitation to interstate commerce. Further, the prohibited act provisions in sections 301(uu) and (ww) of the FD&C Act (21 U.S.C. 331(uu) and (ww)) do not require an interstate commerce nexus. Notably, other subsections in section 301 of the FD&C Act, and section 304 of the FD&C Act (21 U.S.C. 334) demonstrate that Congress has included a specific interstate commerce nexus in the provisions of the FD&C Act when that is its intent. Accordingly, it is reasonable to interpret sections 418, 420, 301(uu), and 301(ww) of the FD&C Act as not limited to those facilities with a direct connection to interstate commerce.

  17. General Comments on the Proposed Rule

    1. Comments on Overall Framework for the Regulatory Approach

      We proposed a HACCP-type approach, like the one proposed for the systematic control of food safety hazards in the PCHF proposed rule, as the most effective means of ensuring that mitigation strategies are consistently applied once the significant vulnerabilities are identified and appropriate mitigation strategies are developed. We requested comment on the appropriateness of a HACCP-type system to ensure that mitigation strategies designed to significantly minimize or prevent intentional adulteration related to terrorism are effective and implemented as intended. We also requested comment about whether there are other approaches that would be more suitable to address intentional adulteration related to terrorism.

      In the following paragraphs, we discuss the comments that disagree with, or request changes to, the proposed approach. After considering these comments, we are continuing to require an approach based on an analysis of hazards/vulnerabilities and the implementation of measures to mitigate the identified hazards/vulnerabilities (a HACCP-type approach); however, we are providing for additional flexibility, as requested.

      (Comment 1) Some comments state food defense and food safety require different approaches because they are different disciplines. The comments explain that the science is different, that food safety deals with known and identifiable risks whereas food defense deals with unknown, often unidentifiable, and ever changing threats and that food safety risks can be prevented or reduced to an acceptable level but food defense threats only can be mitigated. The comments conclude that regulatory requirements addressing food defense must reflect these key differences between food defense and food safety and use different terminology. Some comments state that FSMA does not require a preventive controls approach for food defense, and a traditional HACCP approach is too rigorous and prescriptive for food defense. Conversely, other comments support regulatory requirements for food defense that are based on the proactive approach found in HACCP, specifically HACCP concepts related to analyzing problems and devising appropriate solutions.

      (Response 1) We disagree that food safety and food defense require entirely different approaches to ensure that food is not adulterated. We agree that there are important, specific differences between food safety and food defense, and these differences require different requirements for particular components of the approaches. However, we believe that food safety and food defense are more similar than they are different. For both food safety and food defense, the framework for preventing adulteration, whether it is intentional or unintentional, is the same: (1) An analysis is needed to identify the hazards for which measures should be taken to mitigate the hazard; (2) appropriate measures must be identified and implemented; and (3) management components are needed to ensure systematically that the measures are functioning as intended. This is the foundation of the HACCP approach, and we continue to believe this approach is appropriate for food defense as well as food safety. In food defense terms, the three elements are as follows: (1) A vulnerability assessment is needed to identify significant vulnerabilities; (2) mitigation strategies must be identified and implemented; and (3) mitigation strategy management components are needed to ensure systematically that the mitigation strategies are functioning as intended. See the proposed rule (78 FR 78014 at 78025) for a discussion of how the hazard analysis/preventive control model is consistent with a vulnerability assessment/mitigation strategy model.

      We agree that the nature of the hazards being analyzed for food safety and food defense purposes are different, but we disagree that this means they need a different analytical approach. As discussed more in the responses to Comment 71 and Comment 72, the vulnerabilities considered for food defense, while not as predictable as some food safety hazards, lend themselves to analytical assessment because they have commonalities that would make them attractive to an attacker, particularly an inside attacker. In this rule, we are focusing on preventing the actions of an inside attacker. Our interactions with the intelligence community, as well as the conclusions reached during vulnerability assessments conducted in collaboration with industry, have identified the inside attacker as the highest threat. Though FDA is not aware of any information that points to an imminent, credible threat to the food supply, achieving public health harm through an attack via food remains an advocated option for terrorist groups (Ref. 4). Additionally, recent events have shown a general evolution in terrorist activity away from large, centrally planned attacks to attacks that are locally planned and implemented. These locally planned attacks may be conducted by assailants inspired by terrorist groups but who otherwise have no formal connection to, or regular contact with, a terrorist organization (Ref. 5, 6, 7). Moreover, recent attacks indicate that terrorist groups are adept at responding to protections put in place to harden certain targets and will evolve their thinking toward less-protected targets. Given the potential for wide scale public health harm from intentional adulteration of the food supply, we believe that a comprehensive, systematic approach, such as a HACCP-type approach, is the most appropriate one and is not too rigorous. Further, as an example of what can happen when someone intending harm has inside access, in December 2013 a contract employee at Aqlifoods (a subsidiary of Maruha Nichiro Holdings, Japan's largest seafood company), intentionally adulterated several frozen foods with the pesticide malathion. Japanese authorities believe the assailant brought malathion to the plant and injected it into frozen foods during the manufacturing process (Ref. 8). The employee exploited his access to the food prior to packaging to introduce the agent. The adulteration resulted in at least 2,843 mild foodborne illnesses and a recall of 6.4 million packages of frozen seafood (Ref. 9). Though this assailant was most likely trying to harm the company and not trying to cause massive public health harm, this example indicates the damage that can be done by an inside attacker.

      Section 103 of FSMA reflects a Congressional determination that the ``hazard analysis and risk-based preventive controls'' approach is appropriate for food defense. Section 103 directs us to promulgate a framework for intentional adulteration that includes concepts that are similar to those in HACCP. Section 103 of FSMA contains requirements applicable to the owner, operator, or agent in charge of a facility required to register under section 415 of the FD&C Act. Section 103(a) of FSMA is a general provision that requires the owner, operator, or agent in charge of a facility to evaluate the hazards that could affect food manufactured, processed, packed, or held by the facility, identify and implement preventive controls, monitor the performance of those controls, and maintain records of the monitoring. Section 103(a) specifies that the purpose of the preventive controls is to ``prevent the occurrence of such hazards and provide assurances that such food is not adulterated under section 402 of the FD&C Act or misbranded under section 403(w) of the FD&C Act. . . .'' In addition to the general requirements in section 418(a) of the FD&C Act, sections 418(b)-(i) contain more specific requirements applicable to facilities. These include hazard analyses for both unintentionally and intentionally introduced hazards (section 418(b)(1)(2)), preventive controls for both unintentionally and intentionally introduced hazards (section 418(c)(1)(2)), monitoring (section 418(d)), corrective actions (section 418(e)), verification (section 418(f)), recordkeeping (section 418(g)), a written plan and documentation (section 418(h)), and reanalysis of hazards (section 418(i)). Therefore, we believe that FSMA directs us to take a ``preventive controls approach'' for food defense, as well as food safety.

      We agree that, while the regulatory approaches for food defense and food safety fundamentally should be similar, there need to be differences in how the approach is implemented for food defense. We do not agree that a HACCP-type approach is too prescriptive in general for food defense, but additional flexibility is needed in the application of the approach for food defense given the difference in the nature of the potential adulteration and the implementation of mitigation strategies that are not likely to be process-oriented or readily lend themselves to validation. We also agree that differences in terminology are appropriate. (See responses to Comment 2, Comment 45, and Comment 47.)

      (Comment 2) While some comments acknowledge that section 103 of FSMA directs us to promulgate a framework for intentional adulteration that includes concepts that are similar to those in HACCP, these comments also request that we provide more flexibility than a traditional HACCP framework, with specific requests for flexibility in the management components of monitoring, corrective actions, and verification.

      (Response 2) We agree that the intentional adulteration regulatory framework should provide more flexibility than that of a traditional HACCP approach. We believe there are key disciplinary differences between food safety and food defense that argue for additional flexibility in the intentional adulteration framework. Most significantly, improper implementation of preventive controls is more likely to result in adulterated food than is improper implementation of mitigation strategies. Preventive controls are more likely to be process-oriented and lend themselves to being scientifically validated. Mitigation strategies are more likely to be implemented to reduce physical access to a point, step, or procedure, and/or reduce the opportunity for an attacker to successfully contaminate the food and, in most instances, do not lend themselves to scientific validation. These differences indicate a need to apply the concepts of the HACCP approach in a more flexible manner for food defense.

      Recognizing the differences in the likelihood of adulteration and the differences in mitigation strategies compared to the process-oriented preventive controls, the intentional adulteration corrective actions requirements contain neither provisions for the evaluation of all affected food for safety in the event a corrective action is required nor provisions for unanticipated corrective actions (see Sec. 121.145). Further, the intentional adulteration verification requirement does not contain provisions for validation, calibration, product testing, environmental monitoring, review of records for calibration, testing, or supplier verification (see Sec. 121.150). We believe this more flexible approach for food defense is appropriate and adds flexibility compared to the provisions of the PCHF final rule.

      We also have added flexibility to the identification of mitigation strategies similar to the flexibility added to the identification of preventive controls in the PCHF final rule (80 FR 55908 at 56020). Although each facility subject to this rule must prepare and implement a food defense plan, the mitigation strategies that the facility would establish and implement would depend on the facility, the food, and the outcome of the facility's vulnerability assessment to identify actionable process steps (Sec. Sec. 121.130 and 121.135). For examples of this added flexibility related to mitigation strategies, see the discussion in section V.C.

      As requested in comments, we also have changed regulatory text to reflect the inclusion of more flexibility in monitoring, corrective actions, and verification (see Sec. Sec. 121.138, 121.140, 121.145, and 121.150 and discussed in more detail in the relevant sections later in this document). These changes are similar to those made in the regulatory text for preventive controls management components.

      As we have concluded that similar regulatory approaches are appropriate for both food safety and food defense, we have adopted the flexibility included in the PCHF final rule management components regulatory text, as appropriate for these intentional adulteration requirements. The intentional adulteration provisions for mitigation strategies management components make clear that mitigation strategies management components are required as appropriate to ensure the proper implementation of each such mitigation strategy, taking into account the nature of the mitigation strategy and its role in the facility's food defense system, and we have added Sec. 121.138 to reflect this change. Likewise, the provisions for each of the individual mitigation strategies management components (i.e., food defense monitoring, food defense corrective actions and food defense verification) individually provide flexibility, either by specifying that the provisions apply as appropriate to the nature of the mitigation strategy and its role in the facility's food defense system (i.e., for food defense monitoring and food defense verification) or as appropriate to both the nature of the mitigation strategy and the nature of the significant vulnerability (i.e., for food defense corrective actions) (see Sec. Sec. 121.140, 121.145, and 121.150). For additional discussion of the flexibility added for the mitigation strategies management components, see sections V.E, V.F, and V.G and in particular the responses to Comment 88, Comment 89, Comment 90, Comment 92, Comment 93, and Comment 95.

      (Comment 3) Some comments state that the intentional adulteration proposed HACCP approach is ``one size fits all.''

      (Response 3) We disagree. The intentional adulteration requirements to conduct a vulnerability assessment to identify actionable process steps, identify and implement mitigation strategies, and use mitigation strategies management components provide significant flexibility, are tailored to the facility and its processes, and are therefore not ``one-size-fits-all.'' Although each facility with significant vulnerabilities is required to identify and implement mitigation strategies, the mitigation strategies that the facility would establish and implement would depend on the facility, the food, and the outcome of the facility's vulnerability assessment (Sec. Sec. 121.130 and 121.135). In addition, the mitigation strategies management components (i.e., food defense monitoring, food defense corrective actions, and food defense verification) that a facility would establish and implement for its mitigation strategies would be established as appropriate to ensure the proper implementation of the mitigation strategies, taking into account the nature of each such mitigation strategy and its role in the facility's food safety system (Sec. 121.138).

      (Comment 4) Some comments state that management and oversight activities of mitigation strategies should occur if they are ``appropriate'' (suitable for a particular purpose or capable of being applied) and ``necessary'' (taking into account the nature of both the significance of the vulnerability and the particular mitigation strategy) for food defense.

      (Response 4) We agree that mitigation strategies management components of the HACCP-type framework should occur if they are appropriate and necessary. As we have concluded that similar regulatory approaches are appropriate for food safety and food defense, we have adopted the flexibility included in the PCHF final rule management components regulatory text (Sec. 117.140(a)), as appropriate for these intentional adulteration requirements. The intentional adulteration provisions for mitigation strategies management components make clear that mitigation strategies management components are required as appropriate to ensure the proper implementation of the mitigation strategies, taking into account the nature of each such mitigation strategy and its role in the facility's food defense system, and we have revised proposed requirements for monitoring, corrective actions, and verification to reflect these changes (see Sec. Sec. 121.138, 121.140, 121.145, and 121.150).

      (Comment 5) Some comments state that the requirement for the amount of paperwork associated with a HACCP-type approach, and the information contained therein, may be counterproductive to the goal of mitigating or preventing vulnerabilities because individuals or groups interested in conducting these types of attacks may try to access this information.

      (Response 5) We disagree. A written food defense plan and its required contents, which include the vulnerability assessment, the identification and implementation of mitigation strategies, and mitigation strategies management components, are essential to significantly minimizing or preventing significant vulnerabilities related to intentional adulteration of food, where the intent of the adulteration is to cause wide scale public health harm. The required documentation of the plan and implementation of the plan are necessary so that both the facility and FDA can ensure that the significant vulnerabilities are being addressed properly. We encourage facilities covered by this rule to adequately protect food defense plans and associated information and records. For a more detailed discussion related to protecting food defense plan information, see section VI.F.

      (Comment 6) One comment disagrees with the HACCP framework, and requests we use a current good manufacturing practice (CGMP) approach. This comment states that such an approach provides facilities with sufficient flexibility to address intentional adulteration. Another comment supports using a HACCP approach in the context of allowing facilities to utilize prerequisite programs.

      (Response 6) We disagree that a CGMP approach is the most appropriate approach. We address the appropriateness and flexibility of the HACCP-type approach in responses to Comment 1 and Comment 2. We address the potential to consider pre-existing activities while conducting a vulnerability assessment and identifying and implementing mitigation strategies in Response 72 and Response 83.

      We are requiring a HACCP-type approach rather than a CGMP-type approach for several reasons. First, the management components in a HACCP-type approach are the most effective means, as discussed in the response to Comment 1, of ensuring that the mitigation strategies are consistently applied. Second, as with food safety, there are hazards (or in food defense terms, vulnerabilities) that warrant requirements that are more rigorous than general, non-targeted CGMP provisions. The vulnerabilities that warrant such requirements are those that we have concluded are the highest risk, namely intentional adulteration conducted at actionable process steps, including those vulnerabilities associated with an inside attacker, intended to cause wide scale public health harm. It is precisely these attacks at these points that require the most robust and rigorous system to ensure that vulnerabilities are assessed, significant vulnerabilities are identified, and mitigation strategies are properly implemented to reduce these significant vulnerabilities. General, non-targeted CGMP requirements (e.g., restricting access to outsiders) would not necessarily focus on the significant vulnerabilities or ensure that mitigation strategies are implemented to harden the potential targets. Finally, section 418 of the FD&C Act requires that hazards intentionally introduced be addressed in a HACCP-type framework.

      (Comment 7) One comment asserts that because we already have required food safety plans for facilities under a separate rulemaking, and because an act of intentional adulteration of food that would cause wide scale public health harm is not likely to occur, a separate food defense plan, and thus this rule, is not necessary.

      (Response 7) We disagree. Although it is true that most facilities covered by this rule will also have a food safety or HACCP plan, the focus of those plans is on preventing the contamination of food from hazards that are unintentionally introduced and, therefore, the control points and the measures implemented in those plans differ from those in a food defense plan. It is unlikely that a facility would choose preventive controls under the PCHF final rule that would be sufficient to address vulnerabilities to intentional adulteration. For example, it is unlikely that a facility conducting a hazard analysis would identify the step of holding a liquid, such as a syrup, in a tank in a facility as a hazard requiring a preventive control. In conducting a hazard analysis, the facility would likely be considering whether there are hazards associated with the incoming syrup or ingredients for the syrup or the syrup production process (inadequate heating), but would not likely identify the step of holding the syrup as requiring a preventive control. However, in a vulnerability assessment, the step of holding liquid syrup may be identified as a significant vulnerability if (1) there would be significant public health consequences if a contaminant were added, (2) there is access to the product while being held, and (3) an attacker would be able to successfully contaminate the product.

      With regard to the statement that an act of intentional adulteration is not likely to occur, we agree that the likelihood of an incident is low. However, given the potential for a successful intentional adulteration of food to cause wide scale public health harm, it is prudent for the largest facilities to take preventive measures, and it is required by sections 418 and 420 of the FD&C Act that they do so.

    2. One Set of Requirements Under Sections 418 and 420 of the FD&C Act

      (Comment 8) One comment asserts that the proposed rule blends sections 103 and 106 of FSMA into one set of requirements and disagrees with that approach. The comment states that section 103 requires basic foundational food defense activities, including food defense plans at all registered food facilities. The comment contrasts this with section 106, which it states provides FDA with the authority to designate certain foods as ``high risk,'' and to require certain escalated food defense activities for those foods. The comment asserts that FDA should designate foods as ``high risk'' based on real-time actionable intelligence of a credible threat. The comment acknowledges that section 103 of FSMA does not apply to facilities required to comply with the seafood HACCP program, the juice HACCP program, or the dietary supplement CGMPs, but because none of these regulations address food defense programs, the comment asserts the Agency can use other legal authority to require these food facilities to have food defense programs.

      (Response 8) The final rule requires ``basic foundational food defense activities'' as well as providing for ``escalated food defensive activities'' where warranted. To provide for foundational food defense, the rule requires a food defense plan (i.e., a vulnerability assessment, mitigation strategies, and procedures for food defense monitoring, corrective actions, and verification) and associated actions. These requirements are the minimum measures necessary to provide assurances that hazards that relate to intentional adulteration intended to cause wide scale public health harm will be significantly minimized or prevented. Weakening these provisions, such as by eliminating the requirement to implement mitigation strategies to address significant vulnerabilities at each actionable process step, would result in food defense measures inadequate to address the threat of an inside attacker. As discussed in response to Comment 1, our interactions with the intelligence community, as well as the conclusions reached during vulnerability assessments conducted in collaboration with industry, have identified an inside attacker as the highest threat.

      Further, the suggested approach would place too much reliance on FDA having real-time actionable intelligence of a credible threat. As discussed in the responses to Comment 11 and Comment 12, there are a number of limitations to this approach. FDA may not receive specific, real-time, credible threat intelligence. Further, rapidly communicating even specific, actionable information to the food industry so that it is received by all of the relevant facilities would present challenges. Although some facilities may be able to identify some or all actionable process steps and implement mitigation strategies within a short timeframe, many other facilities would not be able to identify and implement the necessary mitigation strategies and the mitigation strategies management components (e.g., food defense monitoring, corrective actions, verification) within the short time period that could be required in the event of a credible threat. In addition, taking action only in the event of a credible threat may not be sufficient to prevent wide scale public health harm. Measures taken after the threat is known may not be sufficient to prevent an attack if the intelligence does not provide enough specific information, such as the food product, contaminant, point of attack in a facility, and geographic location of an attack.

      Because the vulnerability assessment identifies the specific foods at specific process steps at greatest risk, it also serves to identify those foods that must be protected against intentional adulteration under section 420. Having one set of requirements for food defense measures helps ensure that the significant vulnerabilities will be significantly minimized or prevented and addressed consistently across sections 418 and 420 (see section 418(c)(2)). Further, as suggested by the comment, the rule provides for escalated food defense activities when necessary. Specifically, Sec. 121.157(b)(4) requires reanalysis of a food defense plan (which could lead to the identification of additional needed mitigation strategies) whenever FDA requires it to respond to new vulnerabilities or credible threats to the food supply.

      (Comment 9) One comment asserts that the proposed combination of provisions under sections 418 and 420 of the FD&C Act has created complexity that could be eliminated by removing acts intended to cause massive public health harm from section 418 and covering them solely under section 420. The comment further asserts that although section 418 includes ``acts of terrorism'' within the hazard analysis, Congress did not intend to add this level of complexity to the rule and create new work that is inconsistent with materials previously created to address food defense. Further, the comment states that it appears these new requirements were included in the rule as a consequence of the statutory language rather than to reduce risk.

      The comment states that one key difference between sections 418 and 420 is that section 418 requires the facility to identify hazards related to intentional adulteration while section 420 requires FDA to identify vulnerabilities that could result in serious adverse health consequences. The comment asserts that due to the confidentiality of information that serves as the basis for the FDA vulnerability assessments, it would be more appropriate for FDA to perform the assessment for acts that could cause massive public health harm and for the facility to perform a vulnerability assessment for other types of intentional adulteration that may be specific to a facility and are outside of the FDA's vulnerability assessment.

      (Response 9) FDA believes that a single unified set of requirements (i.e., this rule) is more clear and less complex than dividing the types of intentional adulteration covered by this rule into two categories with two sets of requirements, as suggested by the comment. It is not clear what would be covered under section 418 if it applied only to ``other types of intentional adulteration that may be specific to a facility,'' as suggested by the comment. Further, we do not believe the provisions of the rule are inconsistent with our current guidance; rather, they are more comprehensive and robust. FDA believes that these new requirements will reduce risk beyond what is contained in our current guidance documents. Our guidance documents mainly focus on assessing vulnerabilities and identifying mitigation strategies, but do not include recommendations for mitigation strategy management components. We believe the management components (part of a HACCP-type framework) are critical to ensuring that any hazards that relate to intentional adulteration intended to cause wide scale public health harm will be significantly minimized or prevented. Further, the confidentiality of vulnerability assessments that FDA conducted is not a barrier to a facility conducting a vulnerability assessment under this rule. The key activity types that FDA has identified were derived from FDA's vulnerability assessments and using key activity types to conduct a vulnerability assessment remains a permissible option under the final rule.

      In addition, as recognized by the comment, section 418 explicitly applies to ``acts of terrorism.'' Specifically, 418(b)(2) requires that a hazard analysis identify and evaluate hazards that may be intentionally introduced, including by acts of terrorism. Further, section 418(i) authorizes FDA to require a reanalysis to respond to new hazards including, as appropriate, results from terrorism risk assessments. Generally, acts of terrorism involving the food supply would be committed with the intention to cause wide scale public health harm. Therefore, they are clearly covered by section 418.

      (Comment 10) Some comments suggest that FDA require a hybrid approach where all facilities subject to section 103 are required to conduct a vulnerability assessment and develop and implement a basic food defense plan. Under the hybrid approach, if a credible threat is identified, then section 106 would serve as an escalation provision and allow FDA to designate specific food(s) associated with the credible threat as ``high risk.'' Comments suggest that FDA could then require facilities with these high risk foods to reassess their food defense plans and implement appropriate mitigation strategies that FDA may specify to address the threat. Comments argue that if all potential mitigation strategies need to be identified through the vulnerability assessment and are managed in the absence of actionable intelligence of a credible threat, then there is no ability to escalate the plan with respect to certain mitigation strategies when needed.

      (Response 10) FDA agrees with the comment in part. As discussed in response to Comment 8, this rule requires facilities to conduct a vulnerability assessment and develop and implement foundational food defense activities. Further, the rule provides a mechanism which serves a similar function to the ``escalation provision'' described in the comment. Specifically, under Sec. 121.157(b)(4), FDA can require facilities to reassess their food defense plans, which could trigger a requirement to implement additional mitigation strategies.

      FDA disagrees that the rule requires ``all potential mitigation strategies'' to be identified and managed. We believe we have appropriately balanced the need to provide assurances that hazards associated with intentional adulteration are being prevented with the low likelihood of a successful attack on the food supply. The rule does not mandate specific mitigation strategies be implemented at actionable process steps but rather allows strategies to be tailored to the facility and its procedures. We also disagree that there is ``no ability to escalate the plan with respect to certain mitigation strategies.'' In response to a credible threat involving a specific agent, a covered facility could reanalyze its food defense plan with specific focus on the relevant agent. The facility then could implement specific mitigation strategies to counter this threat (such as processing changes, product testing, or other appropriate measures) that are not currently required by the rule.

    3. Require Measures Only in the Event of a Credible Threat

      In the proposed rule, we sought comment on whether it would be feasible to require measures to protect against intentional adulteration only in the event of a credible threat. We also sought comment on whether such an approach would be consistent with the intentional adulteration provisions of FSMA and how such requirements would be communicated to industry in a timely and actionable manner.

      Many comments agree with the requirements as proposed that measures to protect food against intentional adulteration be required even in the absence of a credible threat but some comments support requirements only in the event of a credible threat. Some comments assert that FDA has the tools available in the Registration of Food Facility database to establish a communications protocol to notify industry if there is a credible threat. A few comments express concern over the difficulty of developing and implementing food defense plans in a timely manner in the event of a credible threat.

      In the following paragraphs, we discuss these comments and our responses. After considering the comments, we have revised the regulatory text in Sec. 121.157(b)(4) to include specific language that provides for FDA to require facilities to conduct a reanalysis of their food defense plans to, among other things, respond to credible threats to the food supply.

      (Comment 11) Some comments state that this rule should only go into effect in the event of a credible threat. One of these comments argues that the oilseed processing industry that they represent has never been the target of attacks or threats and therefore they are unlikely targets for intentional adulteration and should be exempted from the rule unless there is a credible threat against a facility or industry as a whole.

      (Response 11) We disagree with these comments. The fact that the oilseed processing industry and other food industry sectors have not been attacked in the past does not mean that these industry sectors will never be attacked. Nor does it mean that preventive mitigation strategies are unnecessary. As discussed in response to Comment 8, taking action only in the event of a credible threat may not be sufficient to prevent wide scale public health harm.

      (Comment 12) Some comments encourage FDA to collaborate with the U.S. Department of Homeland Security (DHS), the Federal Bureau of Investigation (FBI), and other Federal and State Agencies to ensure that the relevant stakeholders of the food industry are notified in a timely manner upon discovery of a credible threat. These comments discuss that alerting the food industry to known credible threat information would be valuable because there may be additional mitigation strategies that could be put into place when there is a threat. The comments further explain that having such knowledge would allow for industry stakeholders with specific, technical knowledge of their products, equipment and plant security to better collaborate and support the efforts of law enforcement. Some comments recommend that we establish and formalize a mechanism and process to communicate credible threat information to relevant stakeholders in industry and that the Food Facility Registration database could help facilitate this. The comments also recommend that we conduct exercises to test this mechanism so that all stakeholders are aware of the established communications process and can make adjustments and improvements as necessary. Several comments recommended that we convene a panel of industry stakeholders annually to discuss threat intelligence at the ``Secret'' level.

      (Response 12) We concur with the recommendation that we should collaborate with our Federal and State Agency partners on the discovery and communication of credible threats in a timely manner. Currently, FDA regularly meets and communicates with DHS, FBI, the U.S. Department of Agriculture (USDA), and State and local Agency partners through the Food and Agriculture Sector Government Coordinating Council (GCC) to discuss food defense issues and research activities and introduce new initiatives for mutual evaluation, implementation, and education. FDA's Office of Criminal Investigations (OCI) works closely with the FBI and other Agencies on a regular basis on threats against FDA-regulated products, including food. We also agree that notifying relevant stakeholders within industry of credible threats is essential to protecting the food supply. The Food and Agriculture Sector GCC and Sector Coordinating Council (consisting of private sector members) hold in-person joint meetings twice a year and, when needed, classified meetings at the ``Secret'' level are held to exchange information. As we move towards implementing this rule, we will continue to work with our partners--both in government and the private sector--to include them in discussions regarding communicating credible threat information.

      (Comment 13) One comment states that the term ``credible threat'' is not adequately defined in the proposed rule, nor is the relationship between a ``credible threat'' and a ``reasonably foreseeable hazard'' adequately described. The same comment also notes that because the term ``credible threat'' is commonly used to discuss sensitive or classified information, the use of the term may place an unrealistic expectation for sharing of sensitive or classified threat information between government agencies and the private sector. The comment suggests either removing the term ``credible threat'' from the rule or including a definition with an explanation of the mechanism for sharing information about credible threats with the food industry.

      (Response 13) We disagree with this comment and decline the request to include a definition for credible threat. It is not possible to identify with precision what constitutes a credible threat. There are many factors to consider in regards to how, what, when, or why those who intend to cause harm may take action. As such, it is not possible to write a definition for credible threat that is neither so broad that it covers potentially any piece of intelligence, nor so narrow that it is unnecessarily limiting. FDA routinely works with other agencies to maintain situational awareness of potential threats to the food supply and will consider that information in determining whether intelligence rises to the level of a credible threat.

      Within the context of protecting food against intentional adulteration with the intent to cause wide scale public health harm, we see no direct relationship between a ``credible threat'' and a ``reasonably foreseeable hazard.'' ``Known or reasonably foreseeable hazard'' is defined in the PCHF final rule to mean a biological, chemical (including radiological), or physical hazard that is known to be, or has the potential to be, associated with the facility or the food. We do not use the phrase ``reasonably foreseeable'' within the context of intentional adulteration because it does not apply.

      We acknowledge that there will be challenges to sharing sensitive or classified threat information between government agencies and the private sector. That is one of several reasons that we are not making the requirement for mitigation strategies dependent on a particular credible threat. In the event such information was to become known, FDA intends to work with its government partners to determine the appropriate course of action.

      (Comment 14) Some comments recommend that in the event of a credible threat, a facility could conduct a reassessment or reanalysis of its food defense plan so that it could better tailor its mitigation strategies to the threat. Some comments recommend that FDA revise the regulatory text within proposed Sec. 121.150 for reanalysis to require facilities to reassess their food defense plans when the Agency has actionable intelligence of a credible threat of intentional adulteration.

      (Response 14) In the proposed rule, we describe that we may require a reanalysis of the food defense plan in the event of a credible threat. However, this was not specifically stated within the regulatory text. Therefore, we have revised Sec. 121.157(b)(4) to provide that reanalysis may be required by FDA to respond to credible threats to the food supply. We did not see the need to include ``actionable intelligence'' in the regulatory text because we believe that ``credible threat to the food supply'' implies a threat that also requires actionable intelligence.

    4. General Comments on Implementation and Compliance

      We received a substantial number of comments with regard to how the Agency will implement this rule. Many comments focused specifically on the need for inspectors to be provided food defense training to enable them to make informed decisions during inspections and compliance activities. Another issue raised by many comments is that the Agency should make available guidance resources, tools, training, and other information to help facilities comply with the final rule. In the section that follows, comments related to implementation and compliance are discussed.

      (Comment 15) Some comments state that existing regulatory inspections should include evaluation of the intentional adulteration rule requirements for the best use of time and resources.

      (Response 15) FDA is currently considering the best approach for structuring and conducting food defense inspections. We recognize that inspections require resources from facilities and recognize that some facilities may prefer that food defense inspections be conducted as part of an inspection for other regulatory programs, such as preventive controls for human food. We will consider this when developing our enforcement strategy.

      (Comment 16) Some comments express concern about the level of training that will be needed for inspectors. These comments state that the inspectors must be trained specifically on food defense and that FDA should be transparent about the training that we provide the inspectors. Comments emphasize the importance that FDA provide specialized training to ensure consistent compliance and enforcement activity by the Agency.

      (Response 16) FDA understands and agrees with comments that state that training for inspectors conducting food defense inspections is critical to a consistent and adequate inspection, compliance, and enforcement system. We agree with the comment that specialized training in food defense will be required for inspection and compliance staff to evaluate a facility's compliance with this rule. FDA has begun the process of assessing its training needs for inspectors on food defense. It is our intention that training provided to our inspection and compliance staff will be consistent with that training for industry that will be provided by the Intentional Adulteration subcommittee organized within the Food Safety Preventive Controls Alliance (see Comment 105) to facilitate consistent implementation of this rule. This strategy is consistent with the other FSMA food safety regulations and training strategies.

      (Comment 17) Some comments state that inspections should have a ``big picture'' focus, and focus on the evaluation of the facility's vulnerability assessment. Additionally, comments state that this inspection should not compare the mitigation strategies used at other facilities to the facility being inspected.

      (Response 17) We agree. The rule is designed to provide flexibility such that facilities can select appropriate mitigation strategies that are best suited for their operations. FDA investigators will consider a facility's written explanations regarding identification of actionable process steps and selection of mitigation strategies when evaluating a food defense plan to understand a facility's rationale. In addition, we will work to educate industry before and while we regulate to assist industry to gain and maintain compliance with the rule.

      (Comment 18) Some comments request that FDA not cite food defense-related items on FDA's Form 483 until the facilities and inspectors learn about compliance with the intentional adulteration rule. Additionally, some comments state concerns about FDA including potentially sensitive information from food defense plans when citing food defense-related items on Form 483.

      (Response 18) FDA is currently in the process of developing its inspection and compliance strategy for the intentional adulteration rule and an important part of this strategy development will include methods and processes for information exchange with regulated industry. We recognize that food defense inspections could include evaluation of sensitive information, including vulnerability assessments and mitigation strategies. For a more detailed discussion on how FDA will protect food defense-related information, see section VI.F, Public disclosure.

      (Comment 19) Some comments request that FDA include State departments of agriculture in the process to develop and implement inspection and compliance programs.

      (Response 19) As mentioned previously, FDA is currently in the process of developing its inspection and compliance strategy for the intentional adulteration rule. FDA's implementation working group for this rule includes representation from State partners, and State partners will continue to play an essential and collaborative role throughout the process.

      (Comment 20) Several comments state that an alliance would be beneficial for the implementation of the intentional adulteration rule.

      (Response 20) Training alliances have played an important role in facilitating industry compliance with many regulations in the past. We agree with the comment and are in the initial stages of organizing and establishing the Intentional Adulteration subcommittee within the Food Safety Preventive Controls Alliance operated out of the Institute for Food Safety and Health at the Illinois Institute of Technology. We anticipate the Intentional Adulteration training subcommittee will assist industry compliance with this final rule by supporting the development and dissemination of training resources. We further anticipate that the curriculum developed through the Intentional Adulteration subcommittee will form the basis of training for regulators as well.

      (Comment 21) Some comments state that equal enforcement of this rule across companies domestically and globally may require FDA to adopt different enforcement mechanisms.

      (Response 21) We intend to enforce this rule in a consistent manner with regard to imported and domestically produced foods. FDA is currently in the process of developing its inspection and compliance strategy, including how facilities will be selected for inspections and how inspections will be conducted for both domestic and foreign facilities. Further, we intend to engage in significant outreach activities--both domestically and internationally--to facilitate industry compliance with this rule and to communicate the Agency's current thinking on inspection, compliance, and enforcement strategies. Additionally, we intend to develop fact sheets, FAQ documents, guidance documents, and other informational materials as needed to support domestic and foreign industry compliance with the rule.

      (Comment 22) Several comments recommend that food defense activities conducted under programs, such as the Department of Homeland Security's (DHS) Customs-Trade Partnership Against Terrorism (C-TPAT) and mutually recognized international programs, the Chemical Facility Anti-Terrorism Standards (CFATS), the USDA Food Safety and Inspection Services (FSIS) food defense plan template, should be recognized as meeting the requirements of this rule. Several comments state that there are global food safety schemes that include food defense requirements which could be leveraged in inspections and implementation. Comments suggest that audits and private certifications done under these food safety schemes should be sufficient for meeting the requirements of this rule.

      (Response 22) We disagree. The programs identified by comments are not sufficient to substitute for compliance with this rule. For example, they do not require mitigation strategies at all actionable process steps and therefore are not sufficient to significantly minimize or prevent intentional adulteration intended to cause wide scale public health harm. Further, even if currently they were sufficient for compliance for this rule, they could change at any time.

      C-TPAT is a voluntary supply-chain security certification program led by U.S. Customs and Border Protection (CBP) that focuses on private companies (including food companies) implementing anti-terrorism measures to protect their supply chains. When companies join C-TPAT, they sign an agreement to work with CBP to identify supply chain security gaps and implement specific security measures and best practices. CBP has found that the security standards of some foreign industry partnership programs are similar to those of the C-TPAT program.

      CFATS is a DHS program which regulates high-risk chemical facilities to ensure they have anti-terrorism measures in place to reduce risks associated with the storage and use of these high-risk chemicals. Any facility that possesses ``chemicals of interest,'' as identified by DHS, in certain quantities is considered a covered facility that must meet some or all of the requirements under CFATS. Some agriculture and food facilities are subject to CFATS requirements. Covered chemical facilities are required to prepare Security Vulnerability Assessments that identify facility security vulnerabilities and to develop and implement Site Security Plans that identify measures that satisfy risk-based performance standards. These risk-based performance standards focus on physical security of the chemicals.

      Although both CFATS and C-TPAT programs address some of the security concerns related to some food facilities, neither program addresses the unique vulnerabilities associated with the food being manufactured, processed, packed or held at the facility. In general, voluntary security programs such as C-TPAT focus on global supply chain security measures involved in the transportation of goods from location to location. The CFATS program focuses on reducing risks related to chemicals, even in facilities that are mainly geared toward food production. In contrast, vulnerability assessments required by this rule require identification of significant vulnerabilities at discrete processing steps within a facility, where the intent of the attack is to cause wide scale public health harm by contaminating the food supply. Further, a vulnerability assessment must consider the threat stemming from an inside attacker. Once these significant vulnerabilities are identified, mitigation strategies are implemented at or near those most vulnerable processing steps. Given these differences, it is unlikely that facilities would be compliant with this rule were they to rely wholly on assessments and mitigation strategies conducted as part of other programs.

      The food defense plan template from USDA FSIS is voluntary for FSIS-regulated facilities, and is organized in four sections: (1) Outside Security Measures, (2) Inside Security Measures, (3) Personnel Security Measures, and (4) Incident Response Security Measures. The template focuses on a facility's physical security measures, which are analogous to recommended, but not required, facility wide security measures in this rule. FSIS-regulated facilities are encouraged to read and sign the template, adopt it as their food defense plan, and then implement, test, and maintain the plan.

      There are important similarities between the plan template and some requirements in this rule. For example, some security measures listed in the template are similar to some mitigation strategies included in the FDA Mitigation Strategies Database. The testing of the plan is somewhat similar to food defense monitoring. The plan template also suggests awareness training for employees, which is similar to a food defense awareness training requirement in this rule. The similarities reflect FDA and USDA collaboration on food defense activities for many years as discussed in the proposed rule (78 FR 78014 at 78021).

      However, food defense plans developed using the FSIS template would not meet all requirements of this final rule. Specifically, FSIS's food defense plan template does not include a vulnerability assessment of the points, steps, or procedures in a food process, nor does it include implementation of mitigation strategies specific to the vulnerable points. Additionally, the plan template does not include food defense monitoring, food defense corrective action, food defense verification, and some training required by this rule.

      In addition, we recognize that there are existing global food safety schemes that include food defense requirements and that many in the food industry have already adopted and implemented these requirements. For example, the Global Food Safety Initiative's (GFSI) Guidance Document Sixth Edition (Ref. 10) addresses food defense. Subsequently, many of the GFSI-recognized schemes include more specific food defense requirements. The Safe Quality Foods (SQF) Code, edition 7.1 is a process and product certification standard that specifies various food defense elements, including that the methods, responsibility, and criteria for preventing food adulteration caused by a deliberate act of sabotage or terrorist-like incident shall be documented, implemented and maintained (Ref. 11). Another example of industry standards that incorporate food defense elements is the International Featured Standards (IFS) Food Version 6 Standard, which specifies that areas critical to security be identified, food defense hazard analysis and assessment of associated risks be conducted annually or upon changes that affect food integrity, and an appropriate alert system be defined and periodically tested for effectiveness (Ref. 12). We recognize that some in the food industry have already voluntarily taken steps to incorporate and implement food defense measures; however, they are not adequate to substitute for meeting the requirements of this rule.

      Although participation with global food safety schemes and other programs administered by our Federal partners are not substitutes for compliance with this rule, we believe that participation in programs such as C-TPAT, CFATS, the use of the FSIS food defense plan template, or international programs granted mutual recognition status as that of C-TPAT, for example, decreases a facility's vulnerability to intentional adulteration and can work in concert with the requirements of the final rule. Additionally, a facility's participation in such programs may be considered by FDA as we prioritize risk-based inspections of facilities subject to the final rule. Further, we note that a facility may use existing records (e.g., records that are kept as part of these other programs) to meet the requirements of this rule, if they contain all of the required information and, facilities may supplement existing records as necessary to include all of the information required by this rule (Sec. 121.330).

      (Comment 23) Some comments state that laws in the European Union currently require food facilities to take necessary measures to prevent intentional adulteration, and it is therefore not justified to request additional safety or security requirements for facilities subject to these laws.

      (Response 23) We disagree. This rule contains those measures FDA has determined are necessary to protect food against intentional adulteration. To the extent a facility is already taking actions that are required by this rule, a facility will have to make fewer changes to its operations. These security measures should be evaluated on a case-by-case basis to determine if they qualify as a mitigation strategy under this rule.

      (Comment 24) Some comments request that FDA focus on education over enforcement and use discretion during inspections.

      (Response 24) As FSMA as a whole is a substantial change in how FDA approaches regulating the food and agriculture sector, we recognize that significant outreach, education, and training will be required to facilitate industry compliance with all FSMA rules. As previously stated by the Agency, one of the guiding principles for implementing FSMA is that the Agency will educate before and while we regulate. This includes a focus on sector-specific guidance, education, outreach, and technical assistance for industry. The intentional adulteration rule implementation will include these efforts to ensure facilities gain understanding and awareness to comply with the rule. In addition, we are providing for a longer timeline for facilities to come into compliance, allowing for more outreach and dialogue with industry. Facilities, other than small and very small businesses, have 3 years after the effective date to comply with part 121. Small businesses (i.e., those employing fewer than 500 full-time equivalent employees) have 4 years after the effective date to comply with part 121. Very small businesses (i.e., businesses that have less than $10,000,000, adjusted for inflation, per year, during the 3-year period preceding the applicable calendar year in both sales of human food plus the market value of human food manufactured, processed, packed, or held without sale, e.g., held for a fee) have 5 years after the effective date to comply with Sec. 121.5(a).

      (Comment 25) Some comments recommend that FDA update the Food Defense Plan Builder software tool to capture the elements of a food defense plan required by the final rule, such as monitoring, corrective actions, and verification.

      (Response 25) FDA plans to update existing tools and resources, including the Food Defense Plan Builder software, to assist industry with meeting the requirements for the final rule.

      (Comment 26) Several comments request that FDA periodically update its online tools and resources for companies to have access to information about broad mitigation strategies, although they are not required under the rule.

      (Response 26) FDA intends to publish guidance to support industry compliance with the final rule. This guidance will include information relevant to the required provisions of the final rule and also will likely include helpful information on facility-wide security measures as well as other best practices and recommendations to assist facilities in their development of a comprehensive food defense program. In addition, FDA has a number of tools and resources currently available on our Web site (http://www.fda.gov/fooddefense) that were developed for our voluntary food defense program that can assist industry.

    5. Comments on Requests for Additional Exemptions

      In the proposed rule we specifically requested comments on whether there are other ways in which the coverage of this regulation can be further focused on foods that present a high risk of intentional adulteration caused by acts of terrorism. In this document we discuss comments we received with specific recommendations on foods or activities to exempt from the rule.

      (Comment 27) Some comments assert that facilities engaged solely in cooling, holding, handling, packing, repacking, packaging and shipping of raw, intact fresh produce, similar to activities that may be performed on farms, are unlikely to be engaged in any of the key activity types and should be exempt from this rule. The comments describe activities conducted by these facilities, including application of fungicide, food grade wax coating, sorting and placing whole intact produce into boxes for shipping. The comments further state that whole intact produce would not be an attractive or feasible target for an act of intentional adulteration with the intent to cause wide scale public health harm, regardless of where the activities occur.

      (Response 27) We decline the requested exemption for facilities engaged solely in cooling, holding, handling, packing, repacking, packaging and shipping of raw, intact fresh produce. We recognize that some of these facilities may not have any significant vulnerabilities; however, some may. For example, packaging may be a significant vulnerability, depending on the degree of access to the food and the characteristics of the packaging area (e.g., in a minimally trafficked area where individuals are working alone for extended periods of time, or if the product is being sprayed with fumigant or fungicide applications that may serve to apply a contaminant onto the food). Therefore, to determine whether any mitigation strategies are needed, each facility must conduct a facility specific vulnerability assessment that considers, at a minimum: (1) The potential public health impact if a contaminant were added (e.g., severity and scale); (2) the degree of physical access to product; and (3) the ability of an attacker to successfully contaminate the product. Any of the activities described in the comments that are otherwise covered by existing exemptions do not need to be considered in the vulnerability assessment. For example, holding of foods other than in liquid storage tanks is exempt from the rule (Sec. 121.5(b)). Also, packing or re-packing of food where the container that directly contacts the food remains intact is exempt (Sec. 121.5(c)).

      If after conducting a vulnerability assessment, a facility appropriately concludes that it has no actionable process steps, the facility would not be required to implement mitigation strategies. The facility's food defense plan would include the vulnerability assessment, the conclusion that no actionable process steps are present, and an explanation for this conclusion at each step. In contrast, facilities with actionable process steps are required to implement mitigation strategies and the appropriate mitigation strategies management components.

      Page 34180

      (Comment 28) One comment suggests that we exempt food additives used in low dosages. The comment asserts that "the dosage of food additives are approximately 0.01–1 percent of the total food, and the final amount of the food additive absorbed into the human body should be very small, roughly 1/100–1/10,000 of the total food consumed." The comment further asserts that if a contaminant is added to a food additive used in low dosages, the risk to public health is very small.

      (Response 28) We decline this request. Our vulnerability assessments considered a number of factors when evaluating a product's vulnerability to acts of intentional adulteration and the potential public health consequences of such an act, including a wide variety of threat agents. Our vulnerability assessments concluded that there were situations where an act of intentional adulteration could still result in wide scale public health harm even if the dose of the adulterant were at or below the levels highlighted in this comment. Moreover, the concentration of a food additive in the finished product may vary depending on the nature of the product (e.g., citric acid can be added to a food as a flavor enhancer in relatively low concentrations, or to other foods in higher concentrations as a color retention agent).

      (Comment 29) One comment recommends that we exempt production and packaging of food ingredients from the rule. The comment asserts that terrorist groups are more likely to attack finished food production than food ingredient production because they want the publicity associated with seeing the harm that their act causes. The comment further asserts that it may be months or years before a contaminated ingredient reaches consumers, and therefore it would not be a likely or attractive target for terrorists who want to make a more immediate impact. The comment also states that a contaminant can be degraded, inactivated, or destroyed in further processing or prolonged storage if it is added to an ingredient. The comment maintains that it is far easier to select an appropriate contaminant with some knowledge of what types of processing it will have to survive. The comment requests that, at a minimum, we exempt the production and packaging of food ingredients from requirements for focused mitigation strategies and make them subject only to requirements for broad mitigation strategies.

      (Response 29) We decline this request. As discussed in section IV.B.3, the rule now refers to "mitigation strategy" rather than "focused mitigation strategy." Further, our vulnerability assessments concluded that an act of intentional adulteration could still result in wide scale public health harm even if the adulteration occurred during the production of an ingredient. Ingredients have many different distribution paths. Many ingredients can be sold in bulk to manufacturing facilities for inclusion in processed finished foods or be sold in consumer sized packaging for home use. Some ingredients can be used in later processing as a primary ingredient or as a secondary ingredient added in much lower volumes. In either case, the ingredient manufacturer could be an effective point for an attacker to achieve wide scale public health harm.

      (Comment 30) One comment supports our proposed exemption Sec. 121.5(c) applicable to packing, repacking, labeling, or re-labeling of food where the container that directly contacts the food remains intact. The comment would like us to further exempt the transportation and holding of foods in retail packaged form from coverage under this rule.

      (Response 30) The holding of food, except for holding of food in liquid storage tanks, is exempt under Sec. 121.5(b). Therefore, the holding of foods in retail packaged form is exempt from this rule. Furthermore, as explained in section III.G.1, transportation carriers are not included in the scope of this rule.

      (Comment 31) One comment requests that food gases be considered for an exemption for several reasons. The comment states that food gas containers are extremely difficult to breach. Further, the comment states that food gases may be stored in bulk storage tanks either during manufacture, or prior to containerization (i.e., pressurized cylinders) or transport (i.e., cryogenic tankers) but a person intentionally trying to contaminate the product during storage or transportation would require use and knowledge of specialized equipment that is not readily available. The comment argues therefore that food gases are not at high risk for intentional adulteration. In addition, the comment notes that there are several uses for food gases, such as processing aids (e.g., freezing, chilling, pressure transfer) that will have minimal contact with the food provided to consumers, and whether used as a food additive or an ingredient the gas comprises a very small percentage of the final food product.

      (Response 31) We decline the request. The comment identifies that food gases may be stored in bulk storage tanks either during manufacture, or prior to containerization or transport. We recognize that some facilities manufacturing food gas may not have any significant vulnerabilities; however, each covered facility must conduct a facility specific vulnerability assessment, and that assessment must consider, at a minimum: (1) The potential public health impact if a contaminant were added (e.g., severity and scale); (2) the degree of physical access to product; and (3) the ability of an aggressor to successfully contaminate the product. The comment mentions that breaching food gas containers would require use and knowledge of specialized equipment that is not readily available. However, the vulnerability assessment must include consideration of an inside attacker, so this information may be available to such an individual. The comment also mentions that gases can be stored or transported in liquid form. Based on our vulnerability assessments, liquid storage and handling has been identified as potentially significantly vulnerable. Therefore, facilities manufacturing food gas would need to evaluate their manufacturing process through a vulnerability assessment. If after conducting a vulnerability assessment, the facility appropriately concludes that there are no actionable process steps in the facility, the facility would not be required to implement mitigation strategies. The food defense plan at this facility would include the vulnerability assessment, the conclusion that no actionable process steps are present, and an explanation for this conclusion at each step.

      (Comment 32) Some comments request that FDA exempt research and development (R&D) and pilot plants from the rule. These comments argue that a vulnerability assessment conducted at such a facility would in all likelihood conclude that there are no significant vulnerabilities due to the low volume of product produced, because such products are not typically for retail sale, and because of the narrow scope of consuming individuals, if any.

      (Response 32) We decline the request. We note that if food at an R&D facility is not for consumption, the facility is not required to register and would not be subject to this rule. Food processed at R&D facilities may be consumed as samples, distributed at special events, or may take other routes to public consumption. As with other facilities covered by the rule, it is possible, based on a facility specific vulnerability assessment, that an R&D facility may conclude that it does not contain any significant vulnerabilities. If, after conducting a vulnerability assessment, the facility appropriately concludes that it has no actionable process steps, the facility would not be required to implement mitigation strategies. The facility's food defense plan would include the vulnerability assessment, the conclusion that no actionable process steps are present, and an explanation for this determination at each step. In contrast, an R&D facility with actionable process steps is required to implement mitigation strategies and the appropriate mitigation strategies management components.

      Page 34181

    6. Other General Comments

      (Comment 33) Some comments ask us to publish a revised proposed rule or an interim rule before proceeding to a final rule because of anticipated, significant changes resulting from comments that we received in response to the proposed rule. Some comments state that food defense is a new and evolving area without existing regulatory requirements or a long history of broadly accepted practices and that further substantive dialogue with industry is needed. Some comments state that a reproposal would serve the same purpose as an Advance Notice of Proposed Rulemaking which was FDA's stated intent prior to the imposition of judicial deadlines. Some comments state that because FSMA rules are dependent on one another, some proposed FSMA rules should be issued concurrently so that a concurrent evaluation and comment period may be conducted. Some comments state that industry must first get used to the new food safety regulations and then concentrate on new food defense regulations and believe reproposing at a later date will give industry a chance to comply with all the new regulations.

      (Response 33) We decline these requests. These revisions in the final rule more closely align the rule with many current food defense best practices and increase flexibility for facilities to comply. With regard to the suggestion that we should issue the FSMA foundational proposed rules simultaneously for comment, this was not feasible given our judicial deadlines for the seven rules (Ref. 13). We believe that stakeholders were given adequate opportunity to comment on the proposed rules, and we extended many comment periods. With regard to the comments that suggest we repropose this rule to give industry more time to comply, we have addressed this issue by extending the compliance dates by an additional 2 years (see section VIII).

      (Comment 34) One comment disagrees with the exemption for holding non-liquid bulk food. The comment asserts that most bulk foods, irrespective of their physical form, are likely to be mixed or blended at some point after receipt by the end-user (i.e., the manufacturer or packager that will convert the bulk food into retail packaged food), and are likely to be processed into a much larger volume of finished food. Thus, the comment maintains that any contamination introduced into a bulk food during storage prior to its use in the preparation of a retail packaged food may affect a large volume of finished food and may thereby cause massive public health harm.

      (Response 34) As discussed in the proposed rule, based on an analysis of the vulnerability assessments that FDA has conducted using the CARVER+Shock methodology, we identified four key activity types (Bulk liquid receiving and loading; Liquid storage and handling; Secondary ingredient handling; and Mixing and similar activities) as production processes that require focused mitigation strategies. With the exception of the holding of food in liquid storage tanks, which is not included in the exemption, we are not aware of activities performed during the holding of food that fit within any of these four key activity types (see 78 FR 78014 at 78036). There is no likely way that a contaminant can be homogeneously mixed throughout a non-liquid bulk food during storage. We found in our vulnerability assessments that the potential for uniform distribution of a contaminant into the food is a major factor in elevating vulnerability. Since it is highly unlikely that an inside attacker would be able to evenly distribute a contaminant into a dry bulk ingredient during storage, the vulnerability associated with these steps did not rise to the level of vulnerability associated with the key activity types.

    7. Other Issues Discussed in the Proposed Rule

      1. Transportation Carriers

        In the proposed rule, we tentatively determined that there is a significant vulnerability to intentional adulteration during bulk liquid receiving and loading, one of the four key activity types included in the proposal as an option to identify actionable process steps. We did not identify receiving and loading of other types of foods (e.g., non-bulk liquid, solid, gaseous) as key activity types because we determined through our vulnerability assessments that they do not present the same level of risk. Further, we tentatively concluded that requiring receivers and shippers of bulk liquids to implement mitigation strategies at actionable process steps involving loading and receiving of bulk liquid foods would significantly minimize or prevent the potential for intentional adulteration of these foods during transportation.

        Based on our vulnerability assessments, we proposed to require that mitigation strategies to ensure the integrity of food during transport would be implemented by facilities, rather than carriers. Where such measures are implemented by the shippers and receivers of bulk liquids, we tentatively concluded that the food would be sufficiently protected, and that no further actions by a carrier would be needed. For this reason, we did not propose to cover transportation carriers in the proposed rule. We requested comment on our analysis and tentative conclusion.

        Some comments agree with the tentative conclusion in the proposed rule to exclude transportation carriers. Some comments oppose this approach. In the following paragraphs, we discuss comments that disagree with the proposed approach. After considering the comments, we are finalizing the rule as proposed with regard to transportation carriers.

        (Comment 35) Some comments disagree with our conclusion that implementing mitigation strategies at the receiving and loading steps for bulk liquids will adequately protect food during transportation. Some comments argue that transport of food is one of the most vulnerable stages in a process, as food is not protected by a secure facility and may often be parked at a truck stop or other unsecure locations for extended periods of time which provides the opportunity for an attacker to gain access. One comment states that food shipments have consistently been documented as either the first or second most stolen truckloads on U.S. highways, and if terrorists were to use this mode of attack on the food supply, the result could be a major event for which we were not only unprepared, but for which we could have foreseen the risk.

        (Response 35) We disagree with these comments. Based on our vulnerability assessments, we determined that the most practical mitigation strategies to ensure the integrity of food during transport would be implemented by facilities, rather than by carriers. For example, to significantly minimize or prevent the product from being intentionally adulterated during transport, a shipper may elect to use seals to secure access points, such as doors or hatches, on the transport conveyance. The shipper seals the load prior to departure from its facility by using seals with unique identification numbers. The shipper includes the seal numbers on shipping documentation and transmits the seal numbers to the receiving facility. Once the shipment arrives at the receiving facility, the receiver would verify the seals are in place and that the identification numbers match. This mitigation strategy ensures the food was not accessible during transport. To ensure that the driver cannot exploit his position to gain access and intentionally adulterate the food during transport, the carrier has no role in the seal mitigation strategy. If seals are missing or the identification numbers do not match the shipping documentation, the receiving facility would reject the load and notify the shipper.

        Page 34182

        Facilities are required to implement mitigation strategies that significantly minimize or prevent significant vulnerabilities associated with actionable process steps. Therefore, if a food operation has a significant vulnerability associated with transportation, the facility must choose a mitigation strategy or combination of strategies to significantly reduce the vulnerability at the receiving or loading step. Mitigation strategies implemented at inbound receiving and outbound shipping would complement each other to protect the food during transport. For example, if the vulnerability assessment concludes that loading is an actionable process step because of a vulnerability during transportation, the facility would implement mitigation strategies to protect its outbound food from intentional adulteration (e.g., sealing the bulk liquid tanker truck access points). Likewise, if the facility receiving the food identifies receiving as an actionable process step because of a vulnerability during transportation, it would implement mitigation strategies to reduce the vulnerability of the food to intentional adulteration during shipping. The mitigations employed at the receiving/unloading step may include procedures to accept only scheduled shipments, verification of shipping documentation, procedures to investigate delayed or missing shipments, inspecting loads prior to receipt, and rejecting damaged or suspect items. These steps together will then work to significantly reduce the significant vulnerabilities associated with the transport of food. With respect to the prevalence of theft of food during transport, such theft is economically motivated; the scope of this rule is limited to acts of intentional adulteration where the intent is to cause wide scale public health harm.

        (Comment 36) One comment states that the use of seals or tamper-evident containers is insufficient to protect bulk foods during transportation and/or holding because tamper-evident seals can be defeated and cannot be expected to prevent a determined attacker. The comment further states that tamper-evident containers or seals should be used in combination with other measures.

        (Response 36) Mitigation strategies are "risk-based," "reasonably appropriate measures" employed to "significantly minimize or prevent" significant vulnerabilities. They cannot always eliminate entirely any possibility of intentional adulteration. Furthermore, each facility has some degree of discretion in determining how, and whether, each mitigation strategy is properly implemented, as part of the facility's written explanation of how the mitigation strategy sufficiently minimizes or prevents the significant vulnerability associated with the actionable process step. Facilities are required to implement mitigation strategies that significantly minimize or prevent the significant vulnerability; therefore, if a significant vulnerability is identified, the mitigation strategy or combination of strategies chosen by the facility must be sufficient to reduce the vulnerability to an acceptable level at these steps.

        In many cases the use of tamper-evident seals may be an appropriate mitigation strategy for limiting access to the product. Additionally, if a tamper-evident seal had been circumvented by an attacker, a close inspection of the seal at receiving may reveal suspicious activity or tampering, which reduces the likelihood of a successful attack. However, if the facility concludes that tamper-evident seals are not by themselves sufficient to significantly reduce the vulnerability, it should employ other or additional measures (such as directing carriers to travel directly to the end destination without stop-overs, or requiring teamed drivers to prevent the load from being unsupervised during transport).

        (Comment 37) One comment requests clarification of expectations in situations where only one of the entities involved is covered by the intentional adulteration rule (e.g., the shipper is covered, but the receiver is exempt due to size or vice versa) and states that FDA may need to take a closer look into exemption of carriers.

        (Response 37) A covered facility may ship food to or receive food from a facility that is not covered by the rule (e.g., it is a very small business). The covered facility is responsible for implementing mitigation strategies to address transportation if it has a significant vulnerability associated with transportation at the receiving or shipping steps. The mitigation strategies used by the covered facility must significantly minimize or eliminate the significant vulnerability at this step. Mitigation strategies are available to protect the food during transport regardless of whether the shipper or receiver is exempt from the rule. If the receiving facility is exempt, the shipping facility can address the vulnerability by implementing mitigation strategies such as those discussed in Response 36. If the shipping facility is exempt, the receiving facility can address the vulnerability by implementing mitigation strategies such as visually inspecting seals and cargo to identify any suspicious activity or tampering, verifying shipping documents are accurate, ensuring only scheduled deliveries are accepted, and investigating delayed or inaccurate shipments. Additionally, we do not believe a shipping and/or receiving facility that qualifies for the very small business exemption is an attractive target for attackers intending to cause wide scale public health harm, as detailed in section IV.B.11.

        (Comment 38) Some comments state that covering carriers under this rule may not be the best approach and this component of the food sector may be better addressed in guidance. Some comments ask us to continue to develop materials, guidelines and other tools to promote voluntary compliance of food defense measures by the transportation component of the food sector.

        (Response 38) We agree with these comments. As resources allow, we will continue to develop best practices for the transportation industry to assist with voluntary compliance with food defense measures.

        Page 34183

      2. Other Types of Intentional Adulteration: Disgruntled Employees, Consumers, and Competitors; and Economically Motivated Adulteration

        1. Disgruntled Employees, Consumers, and Competitors

          In the proposed rule, we explained that when we considered the spectrum of risk associated with intentional adulteration of food, attacks conducted with the intent of causing massive casualties and to a lesser extent, economic disruption, would be ranked as relatively high risk. (Note that to further clarify the rule's focus we have removed the reference to economic disruption from the definition of "food defense.") We further explained that attacks by disgruntled employees, consumers, or competitors would be consistently ranked as relatively low risk mainly because their public health and economic impact would be generally quite small. We further stated that disgruntled employees are generally understood to be interested primarily in attacking the reputation of the company and otherwise have little interest in public health harm. Typically, acts of disgruntled employees, consumers, or competitors target food and the point(s) in its production that are convenient (i.e., a point at which they can easily access the food and contaminate it). To minimize or prevent this type of adulteration would require restricting access to nearly all points in the food system. Instead, we proposed to focus on those points in the food system where an attack would be expected to cause massive adverse public health impact.

          We received comments supporting the proposed approach; comments stating that measures should be required to protect against acts of terrorism and disgruntled employees; and a comment stating that disgruntled employees can be recruited by terrorist organizations. The final rule is focused on protecting food against intentional adulteration where the intent of the adulteration is to cause wide scale public health harm. In the circumstance described by the comment where a disgruntled employee is recruited by a terrorist organization, the motivation of the employee has changed from harming the reputation of the company to that of the terrorist organization intending to cause wide-scale public health harm. The rule is designed to reduce the likelihood that such an attack would be successful. Further, the protections required by the rule would be effective in minimizing the likelihood of success of a disgruntled employee, consumer, or competitor who attempts an act of intentional adulteration at an actionable process step, even if that act of intentional adulteration is not intended to cause wide-scale public health harm. We continue to believe that an approach that does not focus on preventing wide-scale public health harm, but rather attempts to address intentional acts regardless of their potential severity, would require restricting access to nearly all points in the food system because these types of attacks are typically conducted at areas of convenience and could occur at any point in the food system.

        2. Economically Motivated Adulteration

          In the proposed rule, we stated that the goal of the perpetrator of economically motivated adulteration is for the adulteration to go undetected so the perpetrator can continue to obtain the desired economic benefit. Unlike with intentional adulteration, where the intent is to cause wide scale public health harm through instances such as acts of terrorism focused on the food supply, occurrences of economically motivated adulteration are expected to be long term, and would not be appropriately viewed as a rare occurrence, but rather as reasonably likely to occur. Because of these reasons, we concluded that the approaches in the PCHF and PCAF final rules are better suited to address economically motivated adulteration. We sought comment on our conclusions.

          We received numerous comments related to economically motivated adulteration, including comments suggesting economically motivated adulteration is best addressed in this rule, comments suggesting it is best addressed in the PCHF and PCAF final rules, comments recommending different hazard identification methodologies, comments related to terminology and definitions, and comments requesting postponement of any economically motivated adulteration-associated requirements.

          We continue to believe that the approaches in the PCHF and PCAF final rules are better suited to address economically motivated adulteration, and have finalized this rule with no requirements related to economically motivated adulteration for facilities covered by those rules. For further discussion see the PCHF final rule (80 FR 55908 at 56028-56029) and the PCAF final rule (80 FR 56170 at 56243-56246).

          In the proposed rule, we also tentatively decided not to require produce farms subject to section 419 of the FD&C Act and farms that produce milk (also referred to in this document as ``dairy farms'') subject to section 420 of the FD&C Act to take measures to address economically motivated adulteration. With regard to produce farms, we tentatively concluded that there are not procedures, processes, or practices that are reasonably necessary to be implemented by these entities to prevent the introduction of known or reasonably foreseeable biological, chemical, or physical hazards that can cause serious adverse health consequences or death as a result of economically motivated adulteration. With regard to farms that produce milk, we tentatively concluded that there are not appropriate science-based strategies or measures intended to protect against economically motivated adulteration that can be applied at the farm. Those tentative conclusions were based on our assessment that preventive controls are suitable to address economically motivated adulteration when it is perpetrated by the entity's supplier, but not when it is perpetrated by the entity itself, and supplier controls are not warranted in this context because of the lack of inputs into the growing, harvesting, packing, or holding of produce or milk (i.e., activities within our farm definition) that could be subject to economically motivated adulteration that could cause serious adverse health consequences or death under sections 419 and 420 of the FD&C Act.

          We received one comment suggesting we include requirements related to economically motivated adulteration on produce farms and stating that economically motivated adulteration (e.g., illegal use of dyes and ripening agents) has occurred on foreign produce farms. We continue to believe that preventive controls are suitable to address economically motivated adulteration when it is perpetrated by an entity's supplier, but not by the entity itself. Preventive controls for economically motivated adulteration are not suitable to address the situation where the same farm that would be economically adulterating the food (which is already prohibited) would also be responsible for implementing preventive controls to prevent the adulteration. After considering this comment, we have finalized this rule with no requirements related to economically motivated adulteration on produce and dairy farms.

      3. Dairy Farms

        In the proposed rule, we stated that FDA-led vulnerability assessments and associated data analyses identified certain categories of points, steps, or procedures in the food system which scored high on vulnerability scales related to intentional adulteration of food, regardless of the food being assessed. Two of these key activity types, liquid storage and handling, and bulk liquid receiving and loading, are present on dairy farms in areas such as the bulk liquid storage tank. We requested comment on several questions, including whether and how access to the bulk milk storage tank and milk house could be limited; the presence and types of any mitigation strategies currently used on farms; and whether and what mitigation strategies would be appropriate and feasible given current dairy farming practices.

        Some comments acknowledge that limiting access to the bulk milk tank and milk house is an important objective; however, these comments describe significant challenges regarding limiting access to milk. These comments state that some State laws require unannounced access to the bulk tank and/or the milk house for food safety inspections. Additionally, comments state that locking only the bulk tank would be ineffective because this would still leave the milk accessible via the milk house. These comments also state that it is common for many dairy farms to leave the bulk tank and the milk house unlocked to facilitate normal day-to-day operations and that any regulation requiring strictly limiting access, such as locking the milk house, would be impractical due to the multiple entry points and the number of personnel needed for these measures to function effectively. Some comments suggest that FDA engage in substantial dialogue with industry to gain a better understanding of current practices and better ascertain the food defense measures that would be effective and appropriate before issuing regulations. Some comments state that FDA should utilize existing programs to identify potential activities to reduce the vulnerability to intentional adulteration on dairy farms because these programs have demonstrated efficacy and have the structures in place to successfully implement new food defense measures.

        Some comments state that FDA should not issue requirements for dairy farms because they are not at high risk for intentional adulteration. Some comments describe the willingness of stakeholders to adopt voluntary food defense measures, with specific examples including State-led education efforts and adoption of some elements of existing FDA guidance relating to food defense measures on dairy farms. Some comments state that any requirements should be limited to food defense awareness training while other comments state that such training may be beneficial and is provided on some farms, but more information is needed to identify effective training programs.

        Additionally, several comments address procedural matters, with many comments stating that FDA must either allow a full and separate comment period for any potential requirements for dairy farms because there were no requirements related to dairy farms in the proposed rule, or issue a fully separate proposal for dairy farms which will cover the requirements in their entirety independent of the intentional adulteration regulations for facilities that are not farms. Some comments also request that dairy processing facilities be exempt from the requirements of this rule.

        Although we believe requiring mitigation strategies that restrict access to milk on dairy farms is warranted based on risk, at this time there are not strategies that limit access to milk that are appropriate and practical to require for all farms. We believe it is important that any mitigation strategies we consider imposing include restricting access to milk while it is on farms. We agree with comments that state that potential mitigation strategies, such as locking the milk tank and milk house, are not currently workable given the realities of milking schedules and the access to the bulk tank needed for food safety inspections and milk collection. We need further dialogue with key stakeholders and collaborative research to develop and identify strategies that are protective and practical; we are aware of technology-mediated advancements that are under development, and are potentially promising for the future in this area. Given the current lack of mitigation strategies that would practically limit access to milk, we agree that working with the Federal-State collaborative program for milk safety, the National Conference on Interstate Milk Shipments (NCIMS), is the most appropriate way to address concerns regarding intentional adulteration on dairy farms in the near term as strategies that can limit access to milk while on farm are developed. We believe NCIMS offers an effective platform for FDA to advance the development and implementation of mitigation strategies for dairy farms because the cooperative program includes key partners, such as the U.S. Public Health Service/FDA, the States, and the dairy industry, and has a central role in helping to ensure the safety of milk and milk products.

        We are not exempting Pasteurized Milk Ordinance (PMO) facilities that are not farms (e.g., dairy processing facilities) from complying with this rule. Unlike farms, such facilities have identified effective mitigation strategies available to them. In addition, PMO requirements do not currently address intentional adulteration. Further, unlike farms, these facilities are not exempt from the PCHF rule. We note that the earliest compliance date for this rule (3 years) is the same as the extended compliance date in the PCHF rule, which was chosen to give the NCIMS time to modify the PMO to include the requirements of the PCHF rule.

  18. Subpart A: Comments on Specific Provisions

    1. Revisions to Definitions Also Used in Section 415 Registration Regulations (21 CFR Part 1, Subpart H) and Section 414 Recordkeeping Regulations (21 CFR Part 1, Subpart J)

      As discussed in the proposed rule (78 FR 78014 at 78030), several terms we proposed have the same definitions as proposed in 21 CFR part 117 (the PCHF proposed rule) and therefore we did not include an extensive discussion in the proposed rule of the following terms: facility, farm, holding, manufacturing/processing, mixed-type facility, and packing. We did not receive specific comments on any of our proposed definitions for these terms, except that many comments state that it is critical for FDA to cross-reference and be consistent with the same terms as finalized in the PCHF final rule. We agree and we have amended each of these terms to be consistent with the definitions as finalized in the PCHF final rule. See section IV. of the PCHF final rule for extensive discussion of the comments received and changes made to these definitions.

      1. Facility

        We proposed to define the term ``facility'' to mean a domestic facility or a foreign facility that is required to register under section 415 of the FD&C Act (21 U.S.C. 350d), in accordance with the requirements of 21 CFR part 1, subpart H. We have finalized this term as proposed, except that we have made editorial changes by removing the U.S. Code citation and amended the Code of Federal Regulations citation.

      2. Farm

        We proposed to define the term ``farm'' by reference to the definition of that term in Sec. 1.227 of this chapter. We have finalized this term as proposed. For a detailed discussion of the definition of ``farm,'' see sections IV.A and IV.B of the PCHF final rule.

      3. Holding

        We proposed to define the term ``holding'' to mean storage of food. In addition, we proposed that holding facilities include warehouses, cold storage facilities, storage silos, grain elevators, and liquid storage tanks. Further, we proposed that for farms and farm mixed-type facilities, holding also includes activities traditionally performed by farms for the safe or effective storage of raw agricultural commodities grown or raised on the same farm or another farm under the same ownership, but does not include activities that transform a raw agricultural commodity (RAC), as defined in section 201(r) of the Federal Food, Drug, and Cosmetic Act (21 U.S.C. 321), into a processed food as defined in section 201(gg). In this final rule, consistent with the PCHF final rule, we have revised the definition for ``holding'' by removing the distinction for farms and farm mixed-type facilities and added that holding also includes activities performed incidental to storage of a food, but does not include activities that transform a RAC into a processed food and included additional examples of holding activities. For a detailed discussion of the definition of ``holding,'' see section IV.D of the PCHF final rule.

      4. Manufacturing/Processing

        We proposed to define manufacturing/processing to mean making food from one or more ingredients, or synthesizing, preparing, treating, modifying or manipulating food, including food crops or ingredients. Further, the proposed definition provided that examples of manufacturing/processing activities are cutting, peeling, trimming, washing, waxing, eviscerating, rendering, cooking, baking, freezing, cooling, pasteurizing, homogenizing, mixing, formulating, bottling, milling, grinding, extracting juice, distilling, labeling, or packaging. In addition, the proposed definition provided that for farms and farm mixed-type facilities, manufacturing/processing does not include activities that are part of harvesting, packing, or holding. In this final rule, consistent with PCHF final rule, we have revised the definition of ``manufacturing/processing'' by adding to the list of examples and we have reorganized the listed examples to present them in alphabetical order. For a detailed discussion of the definition of ``manufacturing/processing,'' see section IV.E of the PCHF final rule.

      5. Mixed-Type Facility

        We proposed to define mixed-type facility to mean an establishment that engages in both activities that are exempt from registration under section 415 of the FD&C Act and activities that require the establishment to be registered. The proposed definition also stated that an example of such a facility is a ``farm mixed-type facility,'' which is an establishment that grows and harvests crops or raises animals and may conduct other activities within the farm definition, but also conducts activities that require the establishment to be registered. In this final rule, consistent with PCHF final rule and as a conforming change associated with the revisions to the ``farm'' definition, we have revised the example of a ``farm mixed-type facility'' to specify that it is an establishment that is a farm, but also conducts activities outside the farm definition that require the establishment to be registered. For a detailed discussion of the definition of ``mixed-type facility,'' see section IV.F of the PCHF final rule.

      6. Packing

        We proposed to define packing to mean placing food into a container other than packaging the food. Further, the proposed rule provided that for farms and farm mixed-type facilities, packing also includes activities traditionally performed by farms to prepare RACs grown or raised on the same farm or another farm under the same ownership for storage and transport, but does not include activities that transform a RAC, as defined in section 201(r) of the FD&C Act, into a processed food as defined in section 201(gg). In this final rule, consistent with the PCHF final rule, we have revised the definition for ``packing'' by removing the distinction for farms and farm mixed-type facilities and adding that packing includes activities performed incidental to packing a food, but does not include activities that transform a RAC into a processed food. We have also revised the definition to clarify that packing includes ``re-packing.'' For a detailed discussion of the definition of ``packing,'' see section IV.G of the PCHF final rule.

    2. Other Definitions That We Proposed To Establish in Part 121

      To establish the scope of facilities, activities and food covered by this regulation, we proposed to define key terms. We also proposed to establish that the definitions in section 201 of the FD&C Act apply when used in part 121. We received no comments regarding the use of statutory definitions in section 201 of the FD&C Act, and we are finalizing that provision without change. In this section, we discuss each definition as proposed, related comments, and our responses.

      1. Actionable Process Step

        We proposed to define the term ``actionable process step'' to mean a point, step, or procedure in a food process at which food defense measures can be applied and are essential to prevent or eliminate a significant vulnerability or reduce such vulnerability to an acceptable level. Although we did not receive comments on the proposed definition for actionable process step, we have revised the definition to improve understanding of the regulatory requirements in Sec. 121.130 (Vulnerability assessment to identify significant vulnerabilities and actionable process steps) and to be consistent with the definition of mitigation strategies. In this final rule, actionable process step is defined to mean a point, step, or procedure in a food process where a significant vulnerability exists and at which mitigation strategies can be applied and are essential to significantly minimize or prevent the significant vulnerability.

      2. Contaminant

        We proposed to define the term ``contaminant'' to mean any biological, chemical, physical or radiological agent that may be intentionally added to food and that may cause illness, injury or death.

        (Comment 39) Some comments assert the proposed language defining ``contaminant'' could be interpreted to include ingredients intentionally added to food that resulted in harm, even if unintentional, such as an unintended allergic or other adverse health response. The comments urge FDA to clarify the meaning to be an ``intentional'' contaminant, for the purpose of this rule, by amending the proposed definition as follows: ``Contaminant means any biological, chemical, physical or radiological agent added to food to intentionally cause illness, injury or death.''

        (Response 39) We agree with the possible confusion as pointed out by the comments and have amended the proposed definition. The term ``contaminant'' is used in the context of intentional acts of adulteration with intent to cause wide scale public health harm. We agree that amending the proposed definition for contaminant to make clear that the harm must be intended better reflects how the term is used in this rule.

        (Comment 40) One comment asserts the term ``contaminant,'' is used widely in the food and dietary supplement industries and that if FDA were to include a definition for this term, it must employ a definition that is consistent throughout all regulations pertaining to food and dietary supplements. Further, one comment notes that this term is defined differently in the proposed rule (i.e., a contaminant is any agent that may be added to food) than it is in the Codex Alimentarius guidelines (i.e., contaminants are substances that are ``not intentionally added to food or feed''). The comment suggests that FDA take note of this difference and consider revisions with the goal of promoting consistency and common understanding of terminology.

        (Response 40) As discussed in the proposed rule (78 FR 78014 at 78031), we based the proposed definition, in part, on the definition of ``contaminant'' used in Codex Alimentarius guidelines, but made modifications to reflect the narrower context that the term is used within this rule. Further, as discussed in response to Comment 39, we are amending the definition of ``contaminant'' to better reflect its limited use in this rule.

      3. Focused Mitigation Strategies

        We proposed to define the term ``focused mitigation strategies'' to mean those risk-based, reasonably appropriate measures that a person knowledgeable about food defense would employ to significantly minimize or prevent significant vulnerabilities identified at actionable process steps, and that are consistent with the current scientific understanding of food defense at the time of the analysis.

        We explained in the proposed rule that a ``mitigation strategy'' is a measure taken by a facility to reduce the potential for intentional adulteration of food. We further explained that FDA divides mitigation strategies into two types, ``broad mitigation strategies'' and ``focused mitigation strategies.'' We explained that broad mitigation strategies are general facility-level measures that are intended to minimize a facility's vulnerability, as a whole, to potential acts of intentional adulteration. We provided some examples of broad mitigation strategies, such as (1) physical security, such as perimeter security fencing, locking exterior doors, penetration alarms; (2) personnel security, such as pre-hire background and reference checks, identification badges, and controlled visitor access; (3) securing hazardous materials, such as cleaning products, laboratory materials, and pesticides; (4) management practices, such as ingredient storage inventory procedures; key security procedures, PINs or passwords; procedures to restrict personal items from all food production areas; procedures requiring IDs and uniforms to be returned when a person's employment ends; and supplier verification or certification procedures; and (5) crisis management planning, such as maintenance of updated emergency contact information, procedures for responding to reported threats, and establishment of a designated food defense leadership team. We further explained that broad mitigation strategies, by nature, are generally applicable to a facility, regardless of the type of food being processed, and, as such, are not targeted to a specific processing step in a food operation.

        In contrast, focused mitigation strategies are specific to an actionable process step in a food operation where a significant vulnerability is identified. They represent reasonably appropriate measures that are necessary to reduce the likelihood of intentional adulteration intended to cause wide scale public health harm. Focused mitigation strategies are customized to the processing step at which they are applied, tailored to existing facility practices and procedures, and depend on an evaluation of the significant vulnerability associated with the actionable process step at which they are applied. In the proposal we tentatively concluded, based on our vulnerability assessments, that the implementation of focused mitigation strategies at actionable process steps in a food operation is necessary to minimize or prevent the significant vulnerabilities that are identified in a vulnerability assessment, regardless of the existence of broad mitigation strategies.

        We further explained, in contrast to broad mitigation strategies, focused mitigation strategies are targeted to actionable process steps and, therefore, are more effective at countering an attacker who has legitimate access to the facility. Our conclusion was based upon our interactions with the intelligence community and the many vulnerability assessments we conducted with industry, which showed that an act of intentional adulteration by an insider presents significant risk for that adulteration to result in wide scale public health harm and that broad mitigation strategies are not specific enough, for example, to counter the actions of an attacker who has legitimate access to the facility (i.e., insider attack) or an attacker who circumvents perimeter protections (e.g., scaling a fence), with the goal of intentionally contaminating the food.

        Although the regulatory text now only refers to ``mitigation strategies,'' we continue to believe that facilities must protect vulnerable points in their operation from acts of intentional adulteration intended to cause wide scale public health harm and that a facility's vulnerability to acts of intentional adulteration by attackers who have achieved access to the facility must be significantly reduced or prevented to protect the food from intentional adulteration intended to cause wide scale public health harm. General, facility-level protections do not sufficiently address the significant vulnerabilities within a facility because they do not address an inside attacker who has obtained access to the facility.

        (Comment 41) Some comments state that the distinction between ``broad'' and ``focused'' mitigation strategies is confusing, and request that the distinction be removed. One comment states the line between broad and focused mitigation strategies is often blurry. The comment asks how close ingredient handling needs to be to a gate for the gate to be considered a focused mitigation strategy and not a broad one. The comment further asserts that a mandate for focused mitigation strategies will result in endless debates between facility management and FDA investigators as to whether a particular mitigation strategy is broad or focused and that this potential for difference of opinion between facilities and FDA investigators is of significant concern for industry stakeholders.

        (Response 41) The question asked by the comment highlights the nuance and gradation that exists within mitigation strategies. After considering the comments, we agree that many mitigation strategies may not lend themselves to clear categorizations as either ``broad'' or ``focused,'' and we agree that the delineation between broad and focused mitigation strategies, as described in the proposed rule, may be confusing because of the wide diversity of potential mitigations as well as variation as to how a facility chooses to implement a particular strategy. As a result, we have modified the regulatory text throughout the final rule to refer to ``mitigation strategy'' rather than ``focused mitigation strategy.'' For example, Sec. 121.135 now requires ``mitigation strategies for actionable process steps.'' Also, the title of the rule has been modified to reflect this change.

      4. Food

        We proposed to define the term ``food'' to mean food as defined in section 201(f) of the FD&C Act and include raw materials and ingredients.

        (Comment 42) Some comments urged us to clarify that the definition of food does not include food contact substances as defined in section 409(h)(6) of the FD&C Act (21 U.S.C. 348(h)(6)). One comment recommends FDA amend the definition of food to exempt EPA registered antimicrobials/pesticides and food contact substances which have no ongoing intended technical effect in the final finished food.

        (Response 42) This rule only applies to facilities required to register with FDA. The registration rule does not include food contact substances and pesticides (21 CFR 1.227(a)(4)(i)). No change to the definition of food in this rule is necessary.

      5. Food Defense

        We proposed to define the term ``food defense'' to mean the effort to protect food from intentional acts of adulteration where there is an intent to cause public health harm and economic disruption.

        (Comment 43) One comment states that references to ``terrorism'' in the preamble to the proposed rule were unnecessarily limiting and confusing and recommends that instead of attempting to narrow the scope of intentional adulteration to ``terrorism,'' FDA should use the definition of ``food defense'' to explain and further clarify the focus of activities covered by the rule.

        (Response 43) We agree with this comment and have modified the definition of ``food defense'' in the final rule as follows: ``Food defense means, for purposes of this part, the effort to protect food from intentional acts of adulteration where there is intent to cause wide scale public health harm.'' As discussed in the preamble to the proposed rule, although we referred to the protection of the food supply from ``acts of terrorism'' throughout the proposed rule, we expect our approach would generally address acts intended to cause wide scale public health harm, whether committed by terrorists, terrorist organizations, individuals or groups of individuals. The purpose of this rule is to protect the food supply against individuals or organizations with the intent to cause wide scale public health harm. Further, although economic disruption is likely to occur in any such instance of wide scale public health harm, because the focus of the rule is not the protection against economic disruption we have removed that language from the definition of ``food defense'' for purposes of this rule. In addition, as discussed in section III.G.2, economically motivated adulteration is not addressed in this final rule.

        (Comment 44) One comment states that the proposed rule defines ``food defense'' within the scope of the rule and requests that FDA establish a generalized definition of ``food defense'' that can be adopted for the purposes of all FDA activities and subsequently the scope of this rule can then be further elaborated. The comment proposes the following definition of food defense: ``Actions and activities related to prevention, protection, mitigation, response, and recovery of the food system from intentional acts of adulteration. This includes intentional adulteration from both terrorism and criminal activities. Criminal activities include economically motivated adulteration, as well as acts by disgruntled employees, consumers, or competitors intending to cause public health harm or business disruption.''

        (Response 44) We decline this request. The purpose of Sec. 121.3 (Definitions) is to define terminology that is used within the regulatory text of the rule. Therefore, the definitions of terms need to be within the context and scope of the rule, rather than a definition to be used by FDA or industry activities not related to the rule in particular.

      6. Monitor

        We proposed to define the term ``monitor'' to mean to conduct a planned sequence of observations or measurements to assess whether focused mitigation strategies are consistently applied and to produce an accurate record for use in verification.

        (Comment 45) Some comments assert that food safety and food defense require different terminology and suggest referring to the activities as ``checking'' instead of ``monitoring.'' These comments go on to suggest that the definition of checking should be ``to observe or otherwise assess whether mitigation strategies or measures are in place and fully implemented.'' The comments also state that ``a planned sequence of observations and measurements'' may not be appropriate for all or any mitigation strategies, and question what kind of measurements of a mitigation strategy a facility would take.

        (Response 45) We agree that using completely different terminology is appropriate when components of a food safety and food defense HACCP-type system differ in important, specific ways. As noted in the Regulatory Approach discussion in section III.A, food safety uses the term ``hazard analysis'' to identify hazards, while food defense uses the term ``vulnerability assessment'' to identify significant vulnerabilities. These terms are completely different because they represent key disciplinary differences which require different methodological considerations related to whether the adulteration is intentional. A hazard analysis has very different considerations than a vulnerability assessment.

        However, we disagree that completely different terminology is appropriate for a term that describes the performance of similar activities for both food safety and food defense. Monitoring is conducted to perform a similar function and in similar ways in both a food defense and a food safety framework. In both contexts monitoring is conducted to assess whether control measures are operating as intended, and in accordance with the food safety or food defense plan. However, constant monitoring of some preventive controls is necessary (e.g., time-temperature monitoring for pasteurization), while periodic monitoring is likely to be more appropriate for many mitigation strategies (e.g., checking the lock on an access hatch to a liquid storage tank at the end of the tank cleaning cycle). Therefore, to recognize that the management components for food safety and food defense perform similar activities, but also include some differences, we are changing the term to ``food defense monitoring'' to make clear that the expectations for compliance are different. In additional recognition that the management components for food safety and food defense perform similar activities, we are finalizing the definition of food defense monitoring to mean to conduct a planned sequence of observations or measurements to assess whether mitigation strategies are operating as intended. This definition is similar to the definition of monitoring in the PCHF final rule.

        As we have concluded that, in some instances, similar terminology is appropriate for activities that are conducted to perform similar functions for food safety and food defense, incorporation of elements from definitions of internationally recognized standards (e.g., Codex) is appropriate for this rule. A ``planned sequence'' is included in the definition because it is important to thoughtfully and systematically assess whether mitigation
        strategies are operating as intended, and the inclusion of ``a planned sequence'' in the definition conveys this importance. For example, a facility may establish and implement written monitoring procedures to include a planned sequence of observations to monitor a lock on an access hatch to occur at the end of every silo cleaning cycle, when there is potential to add a contaminant because the access hatch can be opened without the contents of the silo spilling out. Without planning the sequence of observations of this mitigation strategy, monitoring the strategy may occur in the middle of the cleaning cycle when the access hatch must be open to complete the cleaning process, and would therefore not be able to assess if the mitigation strategy was functioning as intended (i.e., properly locking the access hatch at the end of the cleaning cycle). Additionally, we include the term ``measurements'' not only to align more so with definitions from international standards, but also to reflect a facility's flexibility to choose the most appropriate mitigation strategy and how to monitor that strategy. In many cases, a facility will observe that a mitigation strategy is functioning as intended; however, there are some cases where a facility may measure whether a strategy is functioning as intended. For example, a facility may choose to implement a mitigation strategy that is a thermal-kill step. It would then be necessary for the facility to take measurements of the time and temperature to ensure the thermal-kill step is functioning as intended. Additionally, we have deleted ``consistently applied'' in the proposed definition and added ``operating as intended'' as this more closely aligns with the ISO 22000:2005 and with a similar change made in the PCHF final rule. 
        Finally, we have removed ``and to produce an accurate record for use in verification'' from the proposed definition because the requirement for documenting monitoring records is established by the requirement for monitoring, and not by the definition of monitor. As discussed in Response 89, we have made several revisions to the regulatory text, with associated editorial changes, to clarify that monitoring records may not always be necessary.

      7. Significant Vulnerability

        We proposed to define the term ``significant vulnerability'' to mean a vulnerability for which a prudent person knowledgeable about food defense would employ food defense measures because of the potential for serious adverse health consequences or death and the degree of accessibility to that point in the food process.

        Although we did not receive comments on the proposed definition for significant vulnerability, we have revised the definition to improve understanding of the regulatory requirements in Sec. 121.130 (Vulnerability assessment to identify significant vulnerabilities and actionable process steps). In this final rule, significant vulnerability is defined to mean a vulnerability that, if exploited, could reasonably be expected to cause wide scale public health harm. A significant vulnerability is identified by a vulnerability assessment, conducted by a qualified individual, that includes consideration of the following: (1) Potential public health impact (e.g., severity and scale) if a contaminant were added, (2) degree of physical access to the product, and (3) ability of an attacker to successfully contaminate the product. The assessment must consider the possibility of an inside attacker. For further discussion of the related changes made to the requirement in Sec. 121.130 for a vulnerability assessment to identify significant vulnerabilities and actionable process steps, see section V.B.

      8. Significantly Minimize

        We proposed to define the term ``significantly minimize'' to mean to reduce to an acceptable level, including to eliminate.

        We did not receive comments on the proposed definition for significantly minimize and we are finalizing the definition as proposed.

      9. Small Business

        We proposed to define the term ``small business'' to mean a business employing fewer than 500 persons. We proposed to establish the same definition for small businesses as that which has been established by the U.S. Small Business Administration under 13 CFR part 121 for most food manufacturers. We did not receive any comments on this definition. We are finalizing the definition as proposed, with several changes for clarity. We are using the term ``500 full-time equivalent employees'' rather than ``500 persons.'' In addition, we are adding a definition of ``full-time equivalent employee'' to the definition section (Sec. 121.3). We have made these changes because we will base the calculation on ``full-time equivalent employees'' and use the same approach to calculating full-time equivalent employees for the purpose of this rule as we used to calculate full-time equivalent employees in the section 414 recordkeeping regulations (see Sec. 1.328). Under this approach, the number of full-time equivalent employees is determined by dividing the total number of hours of salary or wages paid directly to employees of the business entity claiming the exemption and of all of its affiliates and subsidiaries by the number of hours of work in 1 year, 2,080 hours (i.e., 40 hours x 52 weeks).

        In addition, we are adding ``including any subsidiaries and affiliates'' to the definition to provide clarity on how to calculate ``500 full-time equivalent employees'' for purposes of this rule.

      10. Verification

        We proposed to define the term ``verification'' to mean those activities, other than monitoring, that establish that the system is operating according to the food defense plan.

        (Comment 46) One comment suggests ``verification'' be defined as ``the application of methods, procedures, tests and other evaluations, in addition to monitoring, to determine whether a focused mitigation strategy is or has been operating as intended.''

        (Response 46) We have revised the definition of food defense verification to more closely align with the Codex definition of verification. The term is now defined as the application of methods, procedures, and other evaluations, in addition to food defense monitoring, to determine whether a mitigation strategy or combination of mitigation strategies is or has been operating as intended according to the food defense plan. ``Methods, procedures, and other evaluations'' better describes the scope of verification than ``activities'' used in the proposal. Although the Codex definition includes ``test'' as a form of verification, we have not included it because the rule does not require verification testing. We believe changing ``that establish the system is operating'' to ``to determine whether a mitigation strategy is or has been operating'' more accurately describes the purpose of food defense verification. We have added ``a combination of mitigation strategies'' to recognize that facilities may use more than one mitigation strategy to significantly minimize or prevent a significant vulnerability. The definition proposed by the comment limits verification to mitigation strategies; it does not require verification of the food defense plan. Verification of the food defense plan reflects the fact that verification is broader than just mitigation strategies; it includes, for example, verification of food defense monitoring and corrective actions.

        (Comment 47) Some comments suggest using the term ``evaluation'' instead of verification. These comments suggest that evaluation be defined as ``those activities, in addition to checking, that establish that the facility is implementing a food defense plan.''

        (Response 47) We deny this request. As discussed in response to Comment 46, we have revised the definition of food defense verification to include ``evaluation'' because evaluation is an appropriate verification activity. However, we disagree that completely different terminology (in this case, ``evaluation'' rather than ``verification'') is appropriate for a term that describes the performance of similar activities for both food safety and food defense (see Responses 45 and 46). Verification is conducted to perform a similar function and in similar ways in both a food defense and a food safety framework. In both frameworks verification is conducted to determine whether control measures are operating as intended according to the food safety or food defense plan, and these verification activities are in addition to monitoring. At the same time, by using the term ``food defense verification,'' we make clear that verification as required by this rule is not identical to verification required in the preventive controls context.

      11. Very Small Business

        We proposed to define the term ``very small business'' to mean a business that has less than $10,000,000 in total annual sales for food, adjusted for inflation. In the preamble of the proposed rule we explained our rationale for defining ``very small businesses'' at the $10,000,000 threshold because the purpose of this rule is to protect the food supply against individuals or organizations with the intent to cause wide scale public health harm. We tentatively conclude these individuals or groups would likely target the product of relatively large facilities, especially firms whose brand is nationally or internationally recognizable. Some comments agree with our proposed definition while others disagree. Among the comments that disagree with the definition, some state that the $10,000,000 amount is too high or too low, and several comments suggest alternatives to using dollar amount as the threshold. We further discuss these comments and our response to them in this document.

        Some comments submitted to the PCHF proposed rule request that we specify that the monetary threshold for the definition be based on average sales during a 3-year period on a rolling basis because otherwise firms may be subject to significant changes in status from year to year. Those comments also ask us to clarify that the sales are to be evaluated retrospectively, not prospectively. Although we did not receive similar comments to this rule, in an effort to be consistent with the PCHF final rule, we have revised the definition of very small business to specify that it is based on average sales during the 3-year period preceding the applicable calendar year. The applicable calendar year is the year after the 3 calendar years used to determine whether a facility is a very small business.

        We also revised the definition to include the market value of human food manufactured, processed, packed, or held without sale (e.g., held for a fee). When there are no sales of human food, market value of the human food manufactured, processed, packed, or held without sale is a reasonable approach to calculating the dollar threshold for a very small business.

        (Comment 48) One comment requests that FDA change the definition of ``very small business'' to only apply to $10,000,000 in annual sales of food that is covered under the rule, and not to total annual food sales. The comment asserts that basing the threshold on the sale of food covered by the intentional adulteration rule, rather than all food, would be necessary to be consistent with the fact that covered produce is regulated under the produce rule. Specifically, the comment requests that we exclude the sale of animal foods from the calculation of annual food sales because this rule exempts the manufacturing, processing, packing, or holding of animal foods. The comment further argues that this approach is consistent with the statutory mandate that FDA regulations be flexible in scale and supply chain appropriate and provide special considerations for small and very small businesses.

        (Response 48) We have revised the definition of very small businesses to include only the sale of human food plus the market value of human food manufactured, processed, packed, or held without sale (e.g., held for a fee). Under this revised definition, firms that process both human and animal foods will not be required to include sale of animal food in their calculation to determine whether they fall under the $10,000,000 threshold.

        (Comment 49) Several comments expressed confusion with the varying business size thresholds across the seven FSMA rules and stated that it will be a significant challenge for the food industry to interpret and decide which rules under FSMA they are required to comply with if the definitions of the size of business are not consistent throughout all FSMA rules. Some comments encourage us to establish a tiered system that clearly outlines coverage under all FSMA rules by business size, while others request that we provide clear guidance to assist firms, especially small and very small businesses, to identify which of the seven FSMA rules are applicable to them.

        (Response 49) We recognize that the varying business size thresholds across the FSMA rules may be cause for confusion. However, each of the rules differs in scope and intent, which compels us to establish requirements and exemptions that are specific to and appropriate for each rule. To help small and very small businesses comply with each rule, we plan to issue Small Entity Compliance Guides.

        (Comment 50) One comment objected to exempting any facilities from the rule, arguing that this would give terrorists a ``road map'' to those facilities not covered and make them targets for intentional adulteration. The comment recommends that FDA remove the exemptions for very small businesses and qualified facilities completely.

        (Response 50) We disagree with this comment. Section 418(l)(2) of the FD&C Act specifies that qualified facilities, which include very small businesses, are not subject to the requirements in sections 418(a) through (i) and (n). We note that section 418(l)(2) requires qualified facilities to submit one of two types of documentation to the Secretary. The PCHF and PCAF rules have requirements reflecting this provision but this rule does not. Section 418(l)(2)(B)(i)(I) requires documentation that demonstrates that the facility has identified potential hazards and is implementing and monitoring the preventive controls. We have concluded that very small businesses are at reduced risk and therefore do not have significant vulnerabilities that require mitigation strategies. Therefore, there is nothing for very small businesses to document under this option. In contrast, a human or animal food facility is not at lesser risk of a food safety problem solely because it is relatively small. Section 418(l)(i)(II) is similarly inapplicable for several reasons. That section requires documentation that a facility is in compliance with State, local, county, or other applicable non-Federal food safety law. First, food safety is traditionally viewed as separate from food defense. Second, no States currently require food defense
        measures, and States are unlikely to impose measures different from those in this rule. Therefore, compliance with ``food safety law'' as described in the provision would be irrelevant. In contrast, all States have food safety laws. Further, regulations issued under section 420 of the FD&C Act are to apply to food for which there is a high risk of intentional contamination (section 420(c)). Individuals or groups intending to cause wide scale public health harm are more likely to target the product of relatively large facilities, especially for facilities whose brands are nationally or internationally recognizable, than to target very small businesses. Covering all facilities would be inconsistent with the statutory requirement to limit coverage to foods at high risk. The $10,000,000 threshold for very small businesses still covers 97-98 percent of the market share of manufactured packaged foods (Ref. 14). In addition, section 420(a)(1)(B) of the FD&C Act directs FDA to consider the risks, costs, and benefits associated with protecting food against intentional adulteration. Imposing the full requirements of the rule on all facilities, regardless of size, would almost triple the current cost of the rule while only covering an additional 2-3 percent of the market share of manufactured foods.

        (Comment 51) One comment recommends we apply the lower dollar amount used to define ``very small businesses'' in the PCHF proposed rule. Another comment recommends that the threshold be lowered to $3,000,000 because smaller companies are less likely to implement food defense measures unless mandated.

        (Response 51) The higher threshold for very small businesses in this rule as compared to the PCHF rule reflects the difference in the nature of risk of intentional adulteration as compared to unintentional adulteration (i.e., traditional food safety). This rule protects food against intentional adulteration caused by individuals or organizations whose goal is to maximize public health harm. An attacker would more likely target the product of relatively large facilities, especially firms whose brand is nationally or internationally recognizable. An attack on such a target would potentially provide the desired wide scale public health consequences and the significant public attention that would accompany an attack on a recognizable brand. Such facilities are likely to have larger batch sizes, potentially resulting in greater human morbidity and mortality. Further, an attack on a well-recognized, trusted brand is likely to result in greater loss of consumer confidence in the food supply and in the government's ability to ensure its safety and, consequently, cause greater economic disruption than a relatively unknown brand that is distributed regionally.

        (Comment 52) Several comments argue that the $10,000,000 threshold is too high, is arbitrary and not risk-based, and excludes many suppliers and co-manufacturers to large food companies. The comments state that suppliers who provide ingredients to larger firms would not be covered under the rule and therefore would pose a significant vulnerability to these large, nationally branded food manufacturers that have large consumer exposure. They argue that this high threshold creates a major hole in the industry that may be exploited, and they point out that we identified ``ingredient handling'' as a key activity type having significant vulnerabilities and therefore all ingredient manufacturers need to be covered.

        (Response 52) The full name of the key activity type referenced is ``secondary ingredient handling.'' Secondary ingredient handling refers to activity occurring in the production facility where the ingredient is being added; it does not refer to a facility's ingredient supply chain. The potential for incoming ingredients to be intentionally adulterated is addressed by the rule's applicability to ingredient suppliers. As with finished food, not all ingredient suppliers are covered. The rule focuses on those foods at highest risk of intentional adulteration; it does not eliminate all risk.

        (Comment 53) Several comments argue that the $10,000,000 threshold is too low and recommend that we increase it to $50,000,000 or $1,000,000,000 in annual sales. One comment states that for an intentional adulteration event to happen, the brand or food must be one that a terrorist or a similarly ill-intentioned person is likely to target, which would encompass only the largest and most well-known food brands. The comment goes on to argue that, ``the top roughly 250 food brands in the Western world are owned by only a handful companies having annual human food revenues from tens of billions of dollars to over 100 billion dollars,'' and therefore, if we are focusing the rule on those at ``high risk,'' as specified under section 420 of the FD&C Act, then there is little benefit to be gained by imposing the requirements of this rule on hundreds of thousands of companies whose products are not likely to be targeted. The comment points out that because we are ``unable to identify any previous act of intentional adulteration intended to cause public health harm that was perpetrated in a setting that would be covered by this rule (i.e., all such previous attacks have involved restaurant or donated food), it would appear that the risk of any such attack occurring is overall quite low, and that only the most attractive targets can conceivably be considered ``high'' risk.''

        (Response 53) We decline this request. Although we agree that those intending to cause wide scale public health harm would more likely target the larger well known food brands, we disagree that there is little benefit to be gained by imposing the requirements of this rule on companies under a $50,000,000 or $1,000,000,000 threshold. To identify which facilities to cover under this rule, we assessed risk based on both the likelihood of being a target and the potential impact to public health. If we were to increase the threshold for a very small business to $50,000,000 or $1,000,000,000, a large number of facilities producing large quantities of food, including some well-known brands, would not be covered.

        (Comment 54) Several comments state that using annual sales is not indicative of risk and offer alternative ways to define which facilities are covered under the rule. The comments argue that annual sales do not determine the potential consumer exposure as it relates to preventing wide scale public health harm because more expensive products could have higher annual sales but lower consumer exposure. The comments point out that a manufacturer of a premium chocolate bar would sell fewer chocolate bars than a commodity chocolate manufacturer with sales of the same dollar amount. Some comments suggest alternatives to using annual sales, including units of a product sold (e.g., 100,000 retail units), number of servings, volume manufactured, and distribution patterns of the product. Other comments recommend using the shelf life of products or the shelf stableness of product as alternatives.

        (Response 54) We use sales and the market value of food manufactured, processed, packed, or held without sale as a proxy for volume. We are aware that dollar amounts can be skewed by product values and, thus, sales are an imperfect proxy for volume. However, we are not aware of a more practical way to identify a threshold based on volume or amount of product that could be applied across all product sectors, and the comments provide no suggestions for how their recommendations could be carried out.

        Shelf life and shelf stability are not necessarily good indicators of the speed at which a particular product moves
        through the distribution system because many products are sold and consumed months, and even years, before their shelf life expires. The risk of a product for intentional adulteration does not increase based solely on a short shelf life. Similarly, a product that has a longer shelf life is not necessarily at lower risk for intentional adulteration; it could be an attractive target based on the potential to cause wide scale public health harm.

        (Comment 55) One comment suggests that we base the very small business definition on the number of full-time employees, similar to how we define ``small business.'' The comment recommends that we define ``very small business'' at 50 full-time employees.

        (Response 55) We deny this request. The purpose of the definition of ``very small business'' is to exempt the smallest businesses from the requirements of the rule because they are less likely to be targeted by individuals or organizations intending to cause wide scale public health harm. The consideration of sales is consistent with the other option for being a qualified facility under section 418 of the FD&C Act, which also considers sales (section 418(l)(1)(C)). (As discussed in IV.E.1 of this rule, we have removed the term ``qualified facility'' from the exemption provided in Sec. 121.5(a) for simplicity because any facility that would be a ``qualified facility'' as proposed in Sec. 121.5(a) will also meet the definition for a ``very small business.'')

        In contrast, section 418(l) of the FD&C Act does not specify any particular criterion (whether sales or number of employees) for the definition of ``small business,'' other than directing us to consider the results of the Food Processing Sector Study. Basing the definition of ``small business'' on the number of employees is consistent with our approach to defining ``small business'' in many other regulations (see, e.g., the PCHF final rule, Produce final rule, HACCP regulation for juice (Sec. 120.1(b)(1)), the section 414 recordkeeping regulations (69 FR 71562, December 9, 2004), and our CGMP regulation for manufacturing, packaging, labeling, or holding operations for dietary supplements (72 FR 34752, June 25, 2007)).

        (Comment 56) Some comments request that we change the definition of ``very small business'' to only include the total annual sales of food in the United States, adjusted for inflation, for foreign facilities that export food to the United States.

        (Response 56) A foreign business that sells more than the threshold dollar amount of food has more resources than the businesses being excluded, even if less than that threshold dollar amount reflects sales to the United States. Likewise, a domestic business that sells more than the threshold dollar amount of food has more resources than the businesses being excluded, even if that domestic business exports some of its food and, as a result, less than that threshold dollar amount reflects sales within the United States. Further, this is consistent with the PCHF final rule.

      12. Vulnerability

        We proposed to define the term ``vulnerability'' to mean the susceptibility of a point, step, or procedure in a facility's food process to intentional adulteration.

        We did not receive comments on the proposed definition of vulnerability and we are finalizing the definition as proposed.

    3. Additional Definitions To Clarify Terms Not Defined in the Proposed Rule

      1. Adequate

        We have defined the term ``adequate'' to mean that which is needed to accomplish the intended purpose in keeping with good public health practices. See section V.E for a detailed discussion of the changes to the requirement for food defense monitoring in Sec. 121.140, including the requirement to monitor the mitigation strategies with ``adequate'' frequency to provide assurances that they are consistently performed.

      2. Affiliate and Subsidiary

        We have defined the term ``affiliate'' to mean any facility that controls, is controlled by, or is under common control with another facility. We have defined the term ``subsidiary'' to mean any company which is owned or controlled directly or indirectly by another company. These definitions incorporate the definitions in sections 418(l)(4)(A) and (D) of the FD&C Act and would make the meanings of these terms clear when used in the definition of ``very small business.''

      3. Full-Time Equivalent Employee

        We have established a definition for ``full-time equivalent employee'' as a term used to represent the number of employees of a business entity for the purpose of determining whether the business qualifies as a small business. The number of full-time equivalent employees is determined by dividing the total number of hours of salary or wages paid directly to employees of the business entity and of all of its affiliates by the number of hours of work in 1 year, 2,080 hours (i.e., 40 hours x 52 weeks). If the result is not a whole number, round down to the next lowest whole number. Because the calculation for the number of employees affects the small business definition and extended compliance dates, we are establishing the definition of ``full-time equivalent employees'' in the definitions for this rule and modifying the definition of ``small business'' to use the term ``500 full-time equivalent employees'' rather than ``500 persons.''

      4. Qualified Individual

        In this final rule, we have defined the term ``qualified individual'' to mean a person who has the education, training, or experience (or a combination thereof) necessary to perform an activity required under subpart C, as appropriate to the individual's assigned duties. A qualified individual may be, but is not required to be, an employee of the establishment. See section V.H. for a detailed discussion of the new requirements in Sec. 121.4--Qualifications of Individuals Who Perform Activities Under Subpart C.

      5. You

        In this final rule, we have defined the term ``you'' for purposes of this part, to mean the owner, operator, or agent in charge of a facility. We have made conforming changes throughout the regulatory text to replace ``owner, operator, or agent in charge'' with ``you'' for simplicity and consistency with the PCHF and PCAF regulations.

    4. Comments Asking FDA To Establish Additional Definitions or Otherwise Clarify Terms Not Defined in the Rule

      1. Correction

        (Comment 57) Some comments that request the addition of corrections to the requirement related to corrective actions request we define ``correction'' to mean the action to eliminate a non-conformity.

        (Response 57) We decline this request. Because we are not providing for corrections and the term ``corrections'' is not in the regulatory text, there is no need to define the term.

      2. Defensive Controls or Defensive Control Point

        (Comment 58) One comment requests that FDA consider adoption of food defense terminology that is complementary to food safety terminology used in the PCHF final rule, such as ``defensive controls'' or ``defense control point.''

        (Response 58) We decline the request to adopt the specific terms of ``defense controls'' or ``defense control point.''
        Although the comment did not further explain what terms ``defense controls'' or ``defense control point'' would replace, we believe ``actionable process steps'' and ``mitigation strategies'' appropriately differentiate these terms, related to intentional adulteration, from analogous food safety terms used in the PCHF final rule.

      3. Reasonably Foreseeable

        (Comment 59) Some comments state FDA should clearly define what constitutes a ``reasonably foreseeable'' threat as it relates to the risk of intentional adulteration.

        (Response 59) We decline this request. The term ``reasonably foreseeable'' is not used in the regulatory text of this rule.

      4. Supply Chain

        (Comment 60) One comment requests that FDA define ``supply chain'' as it relates to food and provides a recommended definition to be included in the rule.

        (Response 60) We decline this request. The term ``supply chain'' is not used in the regulatory text of this rule.

      5. Validation

        (Comment 61) One comment suggests we define ``validation'' as obtaining evidence that a control measure or combination of control measures, if properly implemented, is capable of controlling the hazard to a specified outcome.

        (Response 61) We decline this request. The term ``validation'' is not used in the regulatory text of this rule.

      6. Miscellaneous

        (Comment 62) One comment requests that FDA define certain terms or phrases that are used in some definitions and that the comment suggests will have a wide range of interpretations. The comment cites ``acceptable level'' (used in the definitions of ``actionable process step'' and ``significantly minimize''), ``reasonably appropriate measures'' and ``person knowledgeable about food defense'' (both used in the definition of ``focused mitigation strategies''), and ``prudent person knowledgeable about food defense'' (used in the definition of ``significant vulnerability'').

        (Response 62) The terms ``acceptable level'' and ``reasonably appropriate measures'' are meant to be flexible standards. We do not need to define every term used in the definitions. By specifying that a point, step, or procedure in a food process at which food defense measures can be applied and are essential to prevent or eliminate a significant vulnerability or reduce such vulnerability to an acceptable level, the definition for actionable process step provides flexibility for a facility to determine what that level would be in a particular circumstance. We now use ``person knowledgeable about food defense'' without reference to ``prudent'' in the definitions of ``significant vulnerability'' and ``mitigation strategies.'' A person knowledgeable about food defense would meet the requirements of being a Qualified Individual (Sec. 121.4).

    5. Proposed Sec. 121.5--Exemptions

      We proposed to establish a series of exemptions from the intentional adulteration requirements. We also sought comments on whether we should exempt on-farm manufacturing, processing, packing, or holding of the food identified as having low-risk production practices identified in Appendix 4 to the Draft Risk Assessment (further discussed in section I.C). We discuss these in the following sections.

      1. Proposed Sec. 121.5(a)--Exemption Applicable to a Qualified Facility

        We proposed to exempt a qualified facility, except that qualified facilities must, upon request, provide for official review documentation that was relied upon to demonstrate that the facility meets this exemption. We also proposed that such documentation must be retained for 2 years. We proposed to define qualified facility, in part, as a facility that is (1) a very small business; or (2) a facility to which certain circumstances must apply.

        We have removed the exemption applicable to a qualified facility and replaced it with a very small business exemption. Revised Sec. 121.5(a) provides that this part does not apply to a very small business, except that a very small business must, upon request, provide for official review documentation sufficient to show that the facility meets the exemption and that such documentation must be retained for 2 years. We have removed the term ``qualified facility'' from the exemption provided in Sec. 121.5(a) to simplify the provision and provide clarity as to the applicability of the exemption. For purposes of this rule, any facility that would be a ``qualified facility'' as proposed in Sec. 121.5(a) will also meet the definition for a ``very small business.'' Further, section 418(l)(3) of the FD&C Act, which provides for withdrawal of an exemption from a ``qualified facility,'' is not relevant because we are also issuing these requirements under section 420 of the FD&C Act.

      2. Proposed Sec. 121.5(b)--Exemption Applicable to Holding of Food

        We proposed to exempt holding of food, except the holding of food in liquid storage tanks. We received one comment that disagrees with the holding exemption, and have addressed the comment in Response 34. After considering this comment, we are finalizing the exemption as proposed.

      3. Proposed Sec. 121.5(c)--Exemption Applicable To Packing, Re-Packing, Labeling, or Re-Labeling of Food Where the Container That Directly Contacts the Food Remains Intact

        We proposed to exempt packing, re-packing, labeling, or re-labeling of food where the container that directly contacts the food remains intact. We did not receive comments on the proposed exemption and we are finalizing the exemption as proposed.

      4. Proposed Sec. 121.5(d)--Exemption Applicable to Activities of a Facility That Are Subject to Section 419 of the FD&C Act

        We proposed to exempt activities of a facility that are subject to section 419 of the FD&C Act (Standards for Produce Safety). We did not receive comments on the proposed exemption and we are finalizing the exemption as proposed.

      5. Proposed Sec. 121.5(e)--Exemption With Respect to Alcoholic Beverages

        Section 116 of FSMA (21 U.S.C. 2206) (Alcohol-Related Facilities) provides a rule of construction for certain facilities engaged in the manufacturing, processing, packing, or holding of alcoholic beverages and other food. In the proposed rule, we discussed our interpretation of section 116 of FSMA and requested comment on our interpretation. Based on our interpretation, we proposed that part 121 would not apply with respect to alcoholic beverages at facilities meeting two specified conditions (78 FR 78014 at 78037). We also proposed that part 121 would not apply with respect to food other than alcoholic beverages at facilities described in the exemption, provided such food is in prepackaged form that prevents direct human contact with the food and constitutes not more than 5 percent of the overall sales of the facility. No comments disagreed with the exemption of alcoholic beverages, but some comments requested changes or clarifications to the proposed activities covered in the exemption. After reviewing the comments, we are finalizing this exemption as proposed.

        (Comment 63) Two comments supported the exemption for alcoholic beverages and FDA's interpretation of section 116 of FSMA, but one comment requests changing the language from just ``alcoholic beverages'' to ``manufacturing, processing, packing and holding of alcoholic beverages,'' stating that in reducing the words FDA may unintentionally limit the scope of the exemption to facilities holding finished beverage alcohol products.

        (Response 63) We agree with the comments that support the exemption as written. We do not believe it is necessary to list the activities in the codified as requested by one comment. Under section 415 of the FD&C Act a facility is required to register as a facility because it is engaged in manufacturing, processing, packing, or holding of one or more alcoholic beverages. Therefore, the language stating ``alcoholic beverages at a facility'' encompasses facilities engaged in the activities listed previously and the regulatory text in Sec. 121.5(e) clearly covers the intended exemption for the ``manufacturing, processing, packing and holding of alcoholic beverages.''

        (Comment 64) One comment supports the exemption for alcoholic beverages but requests that we further exempt craft breweries from drying and packaging requirements for disposal of spent grains as cattle feed to small farmers.

        (Response 64) The exemption established under the rule of construction in section 116 of FSMA applies to alcoholic beverages, not to any other food (see section 116(c) of FSMA (21 U.S.C. 2206(c))). The by-products described in this comment appear to be products that would be used in food for animals rather than in human food, and we exempt these foods in Sec. 121.5(f). Since this rule exempts both alcoholic beverages at a facility, provided certain conditions are met, and food for animals, we believe this comment misunderstands the exemptions.

      6. Proposed Sec. 121.5(f)--Exemption Applicable To Manufacturing, Processing, Packing, or Holding of Food for Animals Other Than Man

        We proposed to exempt manufacturing, processing, packing, or holding of food for animals other than man. Section 418(m) of the FD&C Act authorizes FDA to exempt or modify the requirements for compliance with section 418 with regard to facilities that engage solely in the production of animal food. Further, section 420(c) of the FD&C Act requires that regulations that FDA issues under that section apply only to food for which there is a high risk of intentional contamination. FDA tentatively concluded in the proposed rule that animal food is not at a high risk for intentional contamination because our analysis shows that adulteration of animal food has minimal potential for human morbidity and mortality which would lead to wide scale public health harm. In considering whether to provide an exemption related to animal food, we evaluated three types of possible attack scenarios: (1) Incorporation of a contaminant into feed to be used for muscle meat-producing animals; (2) incorporation of a contaminant into feed to be used for egg-producing or milk producing animals; and (3) incorporation of a contaminant into pet food. With regard to the two former scenarios, we did not identify any contaminants that could be incorporated into feed at levels that would lead to human morbidity or mortality among consumers that subsequently eat the meat, eggs or milk without first showing noticeable clinical signs and/or mortality in the animals. While some contaminants can increase the risk of chronic disease, such as cancer, among consumers, such an outcome is not consistent with our understanding of the goals of terrorist organizations, which include a more immediate impact. Regarding the third attack scenario, adulterants could be incorporated into feed or pet food that result in significant animal morbidity and mortality as well as lead to secondary infections of humans through cross contamination, but this type of intentional adulteration of animal food poses a lower risk because secondary human illness or death is not the primary goal of an attacker with the intent to cause wide scale public health harm. As such, the proposed rule would not apply to the manufacturing, processing, packing, or holding of food for animals other than man. We requested comment on our tentative conclusions. Some comments agreed with our conclusions and support the exemption as proposed. One comment supported the exemption but requested a clarification of exempted activities. Some comments disagreed with our conclusions and assert that animal food is at high risk for intentional adulteration because it has been intentionally contaminated in the past. Some comments state that FDA should protect against intentional adulteration that leads to serious health consequences or death to humans or animals. After reviewing the comments, we are finalizing the exemption as proposed.

        (Comment 65) Some comments support our tentative conclusions and agree that animal food would not be at high risk for intentional contamination and lacks a significant potential for human morbidity and mortality. One comment supports the exemption but requests clarification that the exemption of animal feed includes the byproduct of manufactured human food regardless of the small business exemption.

        (Response 65) We conclude that animal food, regardless of whether it is produced at a facility solely engaged in the production of animal food or at a facility engaged in the production of both animal and human food, does not involve significant vulnerabilities that require mitigation strategies under section 418 of the FD&C Act, and is not high risk under section 420 of the FD&C Act. Therefore, we are not requiring a vulnerability assessment to determine that there are no actionable process steps present and no mitigation strategies needed. Regarding the requested clarification, the exemption applies to animal food regardless of whether a facility is part of a small business.

        (Comment 66) Some comments disagree with our conclusion that animal feed would not be at high risk for intentional contamination for several reasons. Some comments cite the 2007 incident of melamine in animal food that sickened and killed many animals as an example of previous intentional contamination suggesting that animal food is at high risk for intentional contamination. Some comments state that in section 420(c) of the FD&C Act the intent of Congress was for regulations to be issued that addressed hazards that would cause ``serious health consequences or death to humans or animals.'' One comment asserts that pet food and human food supply chains are interconnected, and therefore should be covered by this rule. One comment believes that animal food comes into our homes as pet food therefore can harm families via cross-contamination. One comment asserts that the risk of Foot and Mouth Disease has been the focus of many exercises and discussions with respect to intentional adulteration and asserts that terrorists have attacked livestock in the past.

        (Response 66) We disagree with these comments and continue to believe that animal food is not at high risk for intentional adulteration within the context of this rule. While we agree that some animal feed could be intentionally contaminated, our analysis shows only minimal potential for human morbidity and mortality as a result of an attack during, or associated with, animal food production. We analyzed both human and animal food using CARVER+Shock methodology. For human food, our analyses show the potential for significant human morbidity and mortality should intentional adulteration occur at certain points in a food operation. In contrast, for animal food, our analysis shows only minimal potential for human morbidity or mortality as a result of attacks at points in an animal food operation.

        Significantly, our CARVER+Shock vulnerability assessments of animal food have had to focus entirely on economic consequences because of the lack of potential for human morbidity and mortality. As stated in the preamble to the proposed rule (78 FR 78014 at 78037), in considering whether to provide an exemption related to animal food, we evaluated three types of possible attack scenarios: (1) Incorporation of a contaminant into feed to be used for muscle meat-producing animals; (2) incorporation of a contaminant into feed to be used for egg-producing or milk producing animals; and (3) incorporation of a contaminant into pet food. With regard to the two former scenarios, we are not aware of contaminants that could be incorporated into feed at levels that would not produce noticeable clinical signs and/or mortality in animals but would result in significant human morbidity or mortality among consumers that subsequently eat the meat, eggs or milk. While such contaminants can increase the long-term risk of chronic disease, such as cancer, among consumers, such an outcome is not consistent with our understanding of the more-immediate goals of individuals or groups intending to cause wide scale public health harm.

        Regarding the third attack scenario, incorporation of a contaminant into pet food, we are aware of contaminants that could be incorporated into feed or pet food that could result in significant animal (including pet) morbidity and mortality, including some which could result in secondary infectious spread of disease (because some infectious agents can be transmitted orally as well as through aerosol). Such attacks could be significant from an economic and societal standpoint. However, the risk that they pose with regard to targeting by individuals or groups intending to cause wide scale public health harm appears to be significantly lower than those involving human morbidity and mortality.

        Foot and mouth disease, mentioned in one comment, can lead to animal death and economic consequences, but does not affect human morbidity or mortality. Because foot and mouth disease would not cause wide scale public health harm, it does not change our conclusion that animal food is a less attractive target than human food, when the intent of the adulteration is to cause wide scale public health harm for humans. The event in 2007 involving contamination of wheat flour and wheat gluten with melamine that resulted in pet illnesses and deaths did not affect human health and was motivated by economic gain. That form of intentional adulteration (i.e., economically motivated adulteration) is addressed by the PCHF and PCAF final rules.

      7. Exemption for Low-Risk Activities at Farm Mixed-Type Facilities

        As discussed in section I.D, we issued for public comment an ``Appendix to Draft Qualitative Risk Assessment of Risk of Activity/Food Combinations for Activities (Outside the Farm Definition) Conducted in a Facility Co-Located on a Farm'' (the draft RA Appendix) (78 FR 78064, December 24, 2013). The draft RA Appendix was conducted to provide a science-based risk analysis to determine which foods' production processes would be considered low risk with respect to the risk of intentional adulteration. Based on the tentative conclusions of the draft RA Appendix, we asked for comment in the proposed rule on possible exemptions or modified requirements for this final rule. In the draft RA Appendix we tentatively concluded that the production processes for the following finished foods are low-risk: Eggs (in-shell); fruits and vegetables other than pods, seeds for direct consumption, and hesperidia (fresh, intact); game meats (whole or cut, not ground or shredded, without secondary ingredients); peanuts and tree nuts (raw, in-shell); and sugarcane and sugar beets (fresh, intact). We sought comment on whether we should exempt on-farm manufacturing, processing, packing, or holding of the foods identified as having low-risk production practices when conducted by a small or very small business if such activities are the only activities conducted by the business that are subject to section 418 of the FD&C Act.

        (Comment 67) Several comments agree with the conclusions of the draft RA Appendix and state we should provide exemptions in the regulatory text for those on-farm manufacturing, processing, packing, or holding activities identified as having low-risk production practices when conducted by a small or very small business if such activities are the only activities conducted by the business subject to section 418 of the FD&C Act.

        (Response 67) We agree with these comments. In addition, we have conducted a reanalysis of the risk assessment and have identified some foods included in the draft RA Appendix as being out of scope of the final appendix because of the changes to the definition of ``farm'' made by the PCHF rule, including some foods determined to have low risk production practices in the draft appendix. Finished foods that are produced using only activities that fall within the farm definition (e.g., RACs such as fruits and vegetables, grains, and unpasteurized milk) are out of scope for the purposes of this final appendix because this evaluation focuses on the production processes used to produce a finished food and applies only to activities outside the farm definition performed by facilities co-located on farms. Accordingly, we have provided a new exemption in the regulatory text in Sec. 121.5(g) that exempts on-farm manufacturing, processing, packing, or holding of eggs (in-shell, other than RACs, e.g., pasteurized), and game meats (whole or cut, not ground or shredded, without secondary ingredients) when conducted by a small or very small business if such activities are the only activities conducted by the business subject to section 418 of the FD&C Act. This exemption is also appropriate under section 420 of the FD&C Act because such activities are not high risk under that provision.

        The draft RA considered fruits and vegetables other than pods, seeds for direct consumption, and hesperidia, and determined them to be low risk. Because these foods are produced using only activities that fall within the modified farm definition, these finished foods are now out of scope of the RA. Additionally, peanuts, tree nuts (raw, in shell), sugarcane, and sugar beets were also considered and determined to be low risk in the draft RA. These foods similarly are out of scope of the evaluation of risk because these foods are produced using only activities that fall within the modified farm definition. The finished foods mentioned in this paragraph, when produced on farms, are exempt under Sec. 121.5(d).

  19. Subpart C: Comments on Food Defense Measures

    1. Proposed Sec. 121.126--Requirement for a Food Defense Plan

      We proposed that the owner, operator, or agent in charge of a facility must prepare, or have prepared, and implement a written food defense plan which must include: (1) Written identification of actionable process steps; (2) written focused mitigation strategies; (3) written procedures for monitoring; (4) written corrective action procedures; and (5) written verification procedures.

      Some comments agree with the requirements for a food defense plan as proposed. In general, comments support the proposed requirement that facilities develop and maintain food defense plans to protect food against intentional adulteration. In the following paragraphs, we discuss comments that disagree with, or suggest one or more changes to, the proposed requirements. After considering these comments, we are finalizing the provisions as proposed, with editorial and conforming changes as discussed in the other applicable sections of this document.

      (Comment 68) Some comments state that facilities should be allowed to develop food defense plans that are tailored to and best meet the needs and unique characteristics of the establishment. Other comments state that the requirements should be adequately broad and provide flexibility so that companies can build on their plans over time based on emerging threats and new mitigation strategies.

      (Response 68) We agree with these comments and recognize that there needs to be flexibility within the requirements for a facility to develop a food defense plan that meets its needs and unique characteristics. In the final rule we have added flexibility for management components (see Comment 88, Comment 92, Comment 93, and Comment 95 for a detailed discussion). Additionally, we agree that food defense plans should change over time based on emerging threats and identification of new mitigation strategies. The rule (Sec. 121.157) requires a reanalysis of the food defense plan as a whole or to the applicable portion of the plan when any of the following circumstances occur: a significant change made in the activities conducted at the facility creates a reasonable potential for a new vulnerability or a significant increase in a previously identified vulnerability; a facility becomes aware of new information about potential vulnerabilities; a mitigation strategy, a combination of mitigation strategies, or the food defense plan as a whole is not properly implemented; or whenever FDA requires reanalysis to respond to new vulnerabilities, credible threats to the food supply, or developments in scientific understanding. See section V.G.2 for more detailed discussion of the reanalysis section.

      (Comment 69) Some comments state that many food facilities have already voluntarily developed and implemented food defense plans. The comments express concern that FDA would require companies to completely overhaul their existing food defense plans that are already in place and working properly. These comments argue that existing food defense plans should be adequate to meet the requirements of this rule so long as they were thoughtfully developed.

      (Response 69) We recognize that some facilities have already voluntarily developed and implemented food defense plans. These facilities likely have a head start on compliance with this rule. To the extent a food defense plan satisfies elements of this rule, a facility has less to do to meet these requirements. Further, in the final rule we have specified that existing records do not need to be duplicated if they contain all of the required information and satisfy the requirements of part 121, subpart D (Sec. 121.330).

      (Comment 70) Some comments express concern that it is too premature to require that all foreign facilities prepare and implement a food defense plan.

      (Response 70) All foreign facilities do not have to prepare and implement a food defense plan. For example, foreign facilities that are not required to register are not subject to this rule. This includes a foreign facility, if food from such a facility undergoes further manufacturing/processing (including packaging) by another facility outside the United States (21 CFR 1.226(a)). In addition, the rule contains exemptions applicable to domestic and foreign facilities (Sec. 121.5). For example, very small businesses are only required to keep records documenting their status.

    2. Proposed Sec. 121.130--Identification of Actionable Process Steps

      We proposed to require that the owner, operator, or agent in charge of a facility identify any actionable process steps by either conducting a facility-specific vulnerability assessment or by using the four key activity types we identified. Recognizing that various methodologies may exist to conduct a facility-specific vulnerability assessment, and not wishing to preclude the benefits of future science in this area, we did not propose to require a specific methodology for the facility-specific vulnerability assessment. Further, we proposed that regardless of the method chosen, the identification of actionable process steps and the assessment leading to that identification must be written.

      Some comments agree with the requirements as proposed. In the following paragraphs, we discuss comments that suggest one or more changes to, and/or disagree with the proposed requirements. After considering the comments, we have revised this section as follows: (1) Removing from the regulatory text the option to identify actionable process steps by utilizing the four FDA-identified key activity types, (2) adding to the regulatory text the factors that must be considered when conducting a vulnerability assessment, (3) adding to the regulatory text a requirement to explain why each process step was or was not identified as an actionable process step, (4) adding to the regulatory text a requirement that the vulnerability assessment must consider the possibility of an inside attacker, and (5) changing the title of this section to ``Vulnerability Assessment to Identify Significant Vulnerabilities and Actionable Process Steps.''

      (Comment 71) Some comments recommend removing from the regulatory text the option for facilities to use the key activity types as a method for identifying actionable process steps, and instead, requiring all facilities to conduct facility-specific vulnerability assessments. Some comments recommend continuing to provide the option to use key activity types but not specifically providing for it in the regulatory text. Under this approach, key activity types would be considered an ``appropriate method'' for identifying actionable process steps with the specific key activity types identified in guidance. These comments express concern that identifying a particular methodology (i.e., key activity types) in the codified indicates there is one ``right'' way to conduct vulnerability assessments. Furthermore, some comments express concern that the key activity types may become the de facto standard for the regulatory inspection of actionable process steps, even if facilities conduct facility-specific vulnerability assessments. Some comments express concerns that including key activity types in the codified would result in mitigation strategies being required at key activity types regardless of the outcome of a facility-specific vulnerability assessment.

      (Response 71) The key activity types are based upon the results of over 50 vulnerability assessments which reflect the activities and associated vulnerabilities present in a wide array of manufacturing settings. The vulnerability assessments included consideration of the three elements now required by Sec. 121.130 to be evaluated in any vulnerability assessment: (1) The potential public health impact if a contaminant were added (e.g., severity and scale); (2) the degree of physical access to product; and (3) the ability of an attacker to successfully contaminate the food. The four identified key activity types are processes, steps, or procedures that consistently ranked as the most vulnerable, regardless of the commodity being assessed, and reflect significant vulnerabilities to intentional adulteration caused by acts intended to cause wide scale public health harm. Therefore, using the key activity types is an appropriate method to conduct a vulnerability assessment. In addition, using key activity types has the benefit of allowing facilities with less technical expertise in conducting food defense vulnerability assessments to leverage their expertise in food processing to identify actionable process steps.

      However, in response to comments, we are no longer singling out key activity types in the regulatory text. Importantly, using key activity types remains as one appropriate vulnerability assessment method. We intend to place the key activity types in guidance, which will provide us with greater flexibility to update them in the future, if necessary. The final rule provides firms the flexibility to choose a vulnerability assessment methodology appropriate to their operations, provided that methodology includes the three fundamental elements required by Sec. 121.130(a). We expect that some firms will use key activity types, and some firms will use other methods.

      (Comment 72) Some comments recommend that vulnerability assessments should consider the contribution of existing practices, procedures, and programs that may already function to reduce vulnerability.

      (Response 72) When conducting facility-specific vulnerability assessments, the role of existing measures (e.g., security practices, procedures, or programs) should be determined on a case-by-case basis. In general, existing measures that are applied to the process (e.g., locks, area access controls, peer or supervisory monitoring) and are not inherent characteristics of a particular process step, should be considered after the vulnerability assessment is completed and actionable process steps have been identified, and should not be considered during the identification of significant vulnerabilities. For example, when evaluating the vulnerability of a mixing tank, a facility would not conclude the tank does not represent a significant vulnerability because the mixing tank lid and sampling ports are routinely locked. Instead, the vulnerability of the mixing tank would be evaluated as if the existing measure (in this case the locks) were not in place. If, in the absence of properly implemented locks, the mixing tank would be significantly vulnerable, then the facility would identify the mixing tank as an actionable process step. The facility may then decide that the existing locks could serve as a mitigation strategy that reduces the significant vulnerability of the mixing tank and evaluate if any other mitigation strategies are necessary. The food defense plan would then capture the mixing tank step as an actionable process step and the locks as the mitigation strategy. As a mitigation strategy, the locks would be subject to mitigation strategy management components (i.e., food defense monitoring, corrective actions, and verification).

      There are some instances where it is appropriate to consider existing food defense measures before the vulnerability assessment is completed. For example, the owner of the same facility may assess a second mixing tank that is part of an entirely closed system, with no direct access points into the system, such that an individual attempting to access this mixing tank likely would cause a major disruption to the line, foiling any attempted intentional adulteration. Because this second mixing tank has specific closed properties designed into the system that are inherent characteristics of the mixing tank, it would be appropriate for the facility to consider these inherent characteristics in the vulnerability assessment. Based on this assessment, the facility may conclude that the inherent characteristics of this mixing tank, in this case its enclosed nature, render the product inaccessible at this step and, therefore, would not identify an actionable process step associated with this mixing tank (in which case, there would also be no requirement to implement a mitigation strategy at this step).

      Permanent equipment changes may reduce a significant vulnerability to such an extent that a processing step would no longer be considered an actionable process step. For example, a facility might identify a rotating air dryer as an actionable process step and in the supporting rationale discuss the high degree of accessibility at the point where product is fed from a pneumatic conveyor into the top of the dryer. The facility later installs a permanent, clear plastic shield affixed to, and extending from, the discharge of the pneumatic conveyor to the opening of the dryer. The clear plastic shield enables workers to supervise the product flow into the dryer while serving as an effective barrier to an attacker wishing to introduce a contaminant into the product at the dryer. This engineering improvement would significantly minimize or eliminate access to product in the dryer and thereby significantly minimize or prevent a significant vulnerability at this process step. The implementation of this engineering improvement would be detailed in the facility's food defense plan and, upon reanalysis, the facility may determine that this processing step is no longer an actionable process step.

      (Comment 73) Some comments recommend that vulnerability assessments should consider downstream processing steps, the volume of product, shelf life, marketplace turnover, and consumption patterns and that additional details regarding vulnerability assessments should be in the regulatory text. The comments did not provide specifics or recommendations regarding what additional details about vulnerability assessments should be included.

      (Response 73) As previously stated, we are not prescribing a specific methodology that facilities must use to conduct vulnerability assessments to identify actionable process steps. In the preamble to the proposed rule, we listed a number of elements to consider when conducting vulnerability assessments (78 FR 78014 at 78042) and did not require particular elements in the regulatory text. However, in light of comments requesting further vulnerability assessment details in the regulatory text, and the removal of key activity types as a separately identified option, we are specifying that three elements must be considered in any vulnerability assessment. These three elements are based on our extensive experience conducting vulnerability assessments and collaborating with stakeholders to refine vulnerability assessment methodology and are critical elements of an acceptable vulnerability assessment methodology. Specifically, we have revised Sec. 121.130 to require that for each processing step under evaluation, the facility must consider, at a minimum: (1) The potential public health impact if a contaminant were added (e.g., severity and scale); (2) the degree of physical access to product; and (3) the ability of an attacker to successfully contaminate the product.

      1. Element 1: The potential public health impact if a contaminant were added (e.g., severity and scale). This factor includes, for each processing step, consideration of the volume of product impacted, the number of at risk servings generated, and the number of potential exposures. As appropriate, and with sufficient scientific rigor, the facility may also consider other factors such as food velocity (i.e., the speed at which a particular product moves through the distribution system); potential agents of concern; the infectious or lethal dose of agents of concern; and the morbidity/mortality rate if the intentional adulteration were successful. This element is required in the vulnerability assessment because it enables facilities to focus resources on processing steps with the highest degree of public health impact if the intentional adulteration were successful.

        We recognize that some facilities may not have the scientific knowledge to critically identify and evaluate individual agents of concern across their production process. The potential public health impact can also be determined through the consideration of the volume of food at risk should an act of intentional adulteration be successful at each process step. This approach would serve to extrapolate the potential public health impact without the scientifically rigorous examination of specific agents (e.g., consideration of infectious or lethal dose). For example, using this approach, a facility considering the potential public health impact of the intentional adulteration of its primary ingredient storage tank would consider the volume of food in the tank and the servings generated from this volume. If the facility has a 50,000 gallon primary ingredient liquid storage tank that would generate 800,000 one cup servings (50,000*16), the facility would consider all of these 800,000 servings as being at risk. Note that potential servings at risk is not limited to the amount of food being processed at an actionable process step. This is illustrated by a process step that applies a minor ingredient, such as a vitamin mixture applied over toasted cereal as it passes underneath spray nozzles. The facility's metering tank for application to the cereal is 10 gallons. However, these 10 gallons will be sprayed over 100,000 servings of cereal. The facility would conclude that 100,000 servings are at risk if the intentional adulteration were successful at this point.

        A number of other factors may also go into the calculations a facility uses to determine the potential public health impact. For example, if a facility has conducted market research and concludes that each distribution unit of 20 servings is typically consumed by four persons, the potential public health impact of that distribution unit could be considered four persons rather than 20.

      2. Element 2: The degree of physical access to product. This element includes consideration of, at a minimum, the ability of an attacker to conduct the attack at the particular processing step under evaluation; and the openness of the processing step to intentional adulteration, based on the presence of physical barriers such as gates, railings, doors, lids, seals, shields, and other barriers. This element is required in the vulnerability assessment because it enables facilities to prioritize how easy or difficult it is to access product at each processing step, based on the inherent characteristics of the physical environment surrounding the step.

      3. Element 3: The ability of an attacker to successfully contaminate the product. This element includes, for each processing step, consideration of, at a minimum, the ease of introducing an agent to the product; the ability for an agent to be uniformly mixed or evenly applied; and the ability of an attacker to work unobserved and have sufficient time to introduce the agent. As appropriate, and with sufficient scientific rigor, the facility may also consider: The amount of specific agent required; whether downstream dilution or concentration steps would affect the volume of agent required; whether downstream processing would or would not neutralize the agent(s) under evaluation; and the ability of the attacker to successfully introduce a sufficient volume of agent to the food without being detected or interdicted. This element is required in the vulnerability assessment because it enables facilities to understand whether the amount of agent required at each processing step is feasible and if subsequent processing steps would successfully remove an agent if present.

        Taken together, these three required vulnerability assessment elements provide facilities appropriate tools to adequately identify which vulnerabilities should be identified as significant vulnerabilities (i.e., those vulnerabilities, if attacked, could reasonably be expected to cause wide scale public health harm). If the step under evaluation has significant vulnerabilities associated with it and requires the application of mitigation strategies to prevent or eliminate a significant vulnerability or reduce such vulnerability to an acceptable level, the step would be categorized as an actionable process step.

        By utilizing these three required elements when conducting a vulnerability assessment, regardless of the vulnerability assessment methodology utilized, facilities are provided with a systematic approach that enables them to move in a logical, step-wise manner to identify actionable process steps. First, a facility would develop a list or flow diagram of each point, step, or procedure in the food process under evaluation, recognizing that each processing step has some associated vulnerability (i.e., the susceptibility of a point, step, or procedure in a facility's food process to intentional adulteration). Second, the facility would identify which vulnerabilities are significant vulnerabilities (by using the three required elements), and third, the facility would identify actionable process steps where significant vulnerabilities are present. We intend to provide further guidance on conducting vulnerability assessments to satisfy these requirements.

        As noted previously, some comments suggested that vulnerability assessments should consider downstream processing steps, the volume of product, shelf life, marketplace turnover, and consumption patterns. We have found that shelf life is not necessarily a good indicator of the speed at which a particular product moves through the distribution system (i.e., food velocity), because many products are sold and consumed months, if not years, before their shelf life expires. Marketplace turnover and consumption patterns are captured within the concept of food velocity, which may be considered in a vulnerability assessment as a component of Element 1, detailed previously in this document. Likewise, the potential effect of downstream processing can be considered as a component of Element 3, detailed previously in this document.

        (Comment 74) One comment suggests adding laboratory professionals to the list of possible vulnerability assessment team members.

        (Response 74) The list of potential members of the vulnerability assessment team discussed in the preamble to the proposed rule is not exhaustive (78 FR 78014 at 78042). The original list included ``personnel working in the areas of security, food safety/quality assurance or control, human resources, operations, maintenance, and other individuals deemed necessary to facilitate the formation of the vulnerability assessment.'' We agree that laboratory professionals can provide important contributions to the vulnerability assessment and can be included as potential team members.

        (Comment 75) A few comments seek clarification on what type of justification would be required in the instance where no significant vulnerabilities are identified through a vulnerability assessment.

        (Response 75) It has been our experience that most facilities will identify one or more significant vulnerabilities. For a facility to conclude that it has no significant vulnerabilities and therefore no actionable process steps, the facility would need to determine that none of its production steps present a significant vulnerability for wide scale public health harm from intentional adulteration. In conducting its vulnerability assessment, the facility would need to consider at each step of its process: (1) The potential public health impact if a contaminant were added (e.g., severity and scale); (2) the degree of physical access to the product; and (3) the ability of an attacker to successfully contaminate the product. The written vulnerability assessment, including the accompanying rationale supporting the decision not to identify any significant vulnerabilities would be important for determining if such a facility had complied with Sec. 121.130.

        (Comment 76) One comment suggests the term ``vulnerability assessment'' should be clearly defined in the rule.

        (Response 76) We deny this request. As discussed in Response 73, Sec. 121.130 has been revised to provide required elements the facility would need to consider at each step of its process when conducting vulnerability assessments: (1) The potential public health impact if a contaminant were added (e.g., severity and scale); (2) the degree of physical access to the product; and (3) the ability of an attacker to successfully contaminate the product. Additionally, the definition for significant vulnerability has been revised to include these three required elements, which underscores the importance of the evaluation that leads to the identification of significant vulnerabilities, which in turn leads to the identification of actionable process steps.

        We believe the combination of required vulnerability assessment elements in Sec. 121.130 and a revised definition for significant vulnerability provides a high degree of specificity regarding what constitutes a vulnerability assessment and will provide direction to facilities as they select an appropriate vulnerability assessment methodology.

        (Comment 77) One comment suggests that the term ``secondary ingredient handling'' used in a key activity type is confusing because it is not obvious whether ``secondary'' describes ``ingredient'' or ``handling,'' nor what is meant by ``secondary.''

        (Response 77) We are removing the key activity types from the regulatory text, although the key activity types are one appropriate method to conduct vulnerability assessments to identify actionable process steps. Consequently, we will consider these comments when developing guidance to support the use of key activity types as an appropriate method to conduct a vulnerability assessment.

        (Comment 78) One comment suggests that the definition for ``holding'' used in two key activity types should be modified to account for activities that involve the safe and effective storage of raw agricultural commodities, other than fruits and vegetables, intended for further distribution or processing, but does not include activities that transform a raw agricultural commodity into a processed food. The specific example of mineral oil applied to raw grains and oilseeds for dust control was provided.

        (Response 78) In response to the comment, we have conducted an analysis of this activity and believe that the storage of mineral oil and its application onto raw, whole grains or oilseeds in accordance with 21 CFR 172.878 is not a significant vulnerability and facilities engaged in these specific practices are not required to evaluate these processing steps when conducting vulnerability assessments (Ref. 15). Facilities storing and using mineral oil on other food products, such as baked goods, condiments, spices, or confectionery products, are required to evaluate mineral oil storage and use when conducting vulnerability assessments.

        Additionally, we are removing the key activity types from the regulatory text, as discussed previously, although the key activity types are one appropriate method to conduct vulnerability assessments to identify actionable process steps. Further, we are revising the definition of ``holding'' in this final rule, as discussed in section IV.A.3, by removing the distinction for farms and farm mixed-type facilities and adding that holding also includes activities performed incidental to storage of a food, but does not include activities that transform a RAC into a processed food and we include additional examples of holding activities. However, the holding of food in liquid storage tanks remains an activity subject to the rule under Sec. 121.5(b).

        (Comment 79) Some comments state that when conducting vulnerability assessments, facilities should take different processing steps into consideration, but facilities should not be expected to conduct vulnerability assessments based on product type. Rather, they should be able to conduct a tailored vulnerability assessment based on the best methodology for each facility, either in its entirety or by any appropriate, locally determined methodological approach, such as grouping different production areas or processing steps.

        (Response 79) Facilities have the flexibility to choose a vulnerability assessment methodology appropriate to their operations, provided that methodology includes consideration of three fundamental elements (i.e., the evaluation of the potential public health impact if a contaminant were added (e.g., severity and scale), the degree of physical access to the product, and the ability of an attacker to successfully contaminate the product) and is performed by an individual qualified by training and/or experience to conduct vulnerability assessments. A facility must conduct written vulnerability assessments for all of the foods that it manufactures/processes, packs, or holds. We recognize there are instances where facilities are manufacturing very similar products using either the same equipment and/or very similar processes. In such instances, it is appropriate for the facility to conduct vulnerability assessments of like products by grouping these products into one or more processes and conducting vulnerability assessments on these process groupings. However, any product or process-specific differences must be carefully delineated and noted in the vulnerability assessment, and the facility must clearly identify the specific products included in each vulnerability assessment. In some facilities with limited types of products, the written vulnerability assessment may contain a single set of process steps that addresses all of the products produced. For example, a facility making fruit-flavored beverages may be able to conduct a single vulnerability assessment for all of its beverages using a single set of processing steps.

        In other facilities, there may not be a practical way to group all products into a single set of process steps, and vulnerability assessments may be needed for multiple groups of products. For example, a facility that makes both ready-to-eat (RTE) entrees and entrees that are not RTE may need to conduct a vulnerability assessment of the RTE entrees and conduct a separate vulnerability assessment for the entrees that are not RTE.

      4. Qualified Individual

        (Comment 80) Several comments requested more information regarding the requirement that vulnerability assessments must be conducted by individual(s) qualified by experience and/or training using appropriate methods. Specifically, additional clarification was requested regarding training such individuals must receive (particularly in the absence of FDA standardized curriculum); the process and criteria by which relevant work experience may supplement or substitute for training; and the criteria by which FDA will determine if the individual is adequately qualified to conduct vulnerability assessments. Additionally, several comments believe there is confusion with the use of qualified individuals in this rule compared to other rules and believe the term should be defined.

        (Response 80) We agree that further clarification is needed regarding a definition for a qualified individual in the context of this rule and in particular, how it relates to the qualifications necessary to conduct vulnerability assessments. Consequently, in Sec. 121.3 we have defined a qualified individual to mean ``a person who has the education, training, or experience (or a combination thereof) necessary to perform an activity required under subpart C, as appropriate to the individual's assigned duties. A qualified individual may be, but is not required to be, an employee of the establishment.'' We have further clarified the qualifications necessary for the conduct of a vulnerability assessment by creating a new section (Sec. 121.4, Qualifications of Individuals Who Perform Activities Under Subpart C). In Sec. 121.4 we state ``each individual responsible for . . . conducting or overseeing a vulnerability assessment as required in Sec. 121.130'' must (1) have the appropriate education, training, or experience (or a combination thereof) necessary to properly perform the activities; and (2) have successfully completed training for the specific function at least equivalent to that received under a standardized curriculum recognized as adequate by FDA or be otherwise qualified through job experience to conduct the activities. Job experience may qualify an individual to perform these functions if such experience has provided an individual with knowledge at least equivalent to that provided through the standardized curriculum. This new definition and qualifications section has provided more information on what would qualify an individual to perform a vulnerability assessment. We believe that our definition of ``qualified individual'' as well as the qualifications required of those individuals have addressed this need and fulfill the request of the comments. This new approach is consistent with other FSMA rules, including the PCHF final rule, which we believe allows for easier understanding and implementation for the regulated industry.

        As stated in the preamble to the proposed rule, we recognize that the task of performing a vulnerability assessment requires an individual with a specific skill set to properly assess and prioritize the various points, steps, or procedures in a food process to characterize their susceptibility to intentional adulteration, to identify significant vulnerabilities and to identify actionable process steps where mitigation strategies are essential to significantly minimize or eliminate the significant vulnerabilities. We also believe that various activities required by this rule may require higher levels of training based on the difficulty and intensity of the task. We believe that a standardized curriculum will be required to ensure clear and consistent training is provided for this activity. The training developed for the purpose of conducting or overseeing a vulnerability assessment will require an in-depth analysis of the functional and thought processes required to properly characterize significant vulnerabilities associated with a facility's points, steps or procedures and the identification of actionable process steps. The process of conducting a vulnerability assessment may be new to much of the industry and the training must take this into consideration. The standardized curriculum for conducting a vulnerability assessment will need to be a comprehensive training that teaches an individual the required components of a vulnerability assessment and provides enough information for an individual to calibrate their decision making based on the scientific analysis required by a vulnerability assessment. We believe that the curriculum designed for this activity will require multiple days and may best be offered in person.

        (Comment 81) A few comments believe the key activity type option for identifying actionable process steps should include a requirement that the evaluation be performed by an individual(s) qualified by experience and/or training using appropriate methods.

        (Response 81) We agree with the comments and this is reflected in the revised requirements. As explained in Response 71, key activity types have been removed from the regulatory text, but are still considered an appropriate method to conduct a vulnerability assessment. The rule requires that a vulnerability assessment, no matter which methodology is used, must be conducted or overseen by a qualified individual. We note that the requirements to conduct or oversee a vulnerability assessment will differ depending on the type of vulnerability assessment conducted. Using key activity types requires less technical expertise and experience than other methodologies and this would be reflected in the necessary qualifications.

    3. Proposed Sec. 121.135--Focused Mitigation Strategies for Actionable Process Steps

      We proposed that the owner, operator, or agent in charge of a facility must identify and implement focused mitigation strategies at each actionable process step to provide assurances that the significant vulnerability at each step will be significantly minimized or prevented and the food manufactured, processed, packed, or held by such facility will not be adulterated under section 402 of the FD&C Act (21 U.S.C. 342). As discussed in section IV.B.3, in the final rule we use the term ``mitigation strategies'' and no longer reference focused and broad mitigation strategies.

      In addition, we have modified this provision to provide that for each mitigation strategy or combination of strategies implemented at each actionable process step, the facility must include a written explanation of how the mitigation strategy(ies) sufficiently minimizes or prevents the significant vulnerability associated with the actionable process step. In the preamble to the proposed rule, we stated that a justification for how the strategy significantly reduces or eliminates the risk of intentional adulteration at that actionable process step(s) must be documented (see 78 FR 78014 at 78048); however, this was not explicitly included in the regulatory text. We believe that providing additional flexibility in the nature of the mitigation strategies facilities may employ makes it critical that facilities explain their rationale as to how the strategy(ies) are, in fact, protective of the actionable process step. This explanation will include a facility's rationale for selecting its mitigation strategies. This explanation can provide additional benefits to the facility by assisting them in the decision-making process for identifying mitigation strategies as well as identifying the most appropriate mitigation strategies management components for the mitigation strategy(ies).

      Based on our vulnerability assessments, we believe that adequate mitigation strategies are designed to minimize or eliminate the chances an attacker would be successful if an act of intentional adulteration were attempted at the actionable process step by either (1) minimizing the accessibility of the product to an attacker (e.g., physically reducing access to the product by locking storage tanks) or (2) reducing the opportunity for an attacker to successfully contaminate the product (e.g., increasing observation of the area through supervision or use of the buddy system), or a combination of both. Mitigation strategies found within FDA's Mitigation Strategies Database, generally, are designed to address one or both of these concepts. The content of the Mitigation Strategies Database is derived from our experience conducting vulnerability assessments with industry and can serve as a resource for facilities to identify adequate and appropriate mitigation strategies. The explanation of how the mitigation strategy sufficiently minimizes or prevents the significant vulnerability associated with the actionable process step would, generally, address the mitigation strategy's impact on one or both of these outcomes.

      For example, a facility seeking to protect its liquid storage tank's access hatch with a lock may conclude that the lock significantly reduces access to the liquid food stored in the tank by rendering the hatch inaccessible and include this explanation in its food defense plan. As another example, a facility may elect to protect its liquid storage tank actionable process step with a policy to require two or more employees to be in the area at all times. The facility's explanation would include the rationale that this ``buddy system'' reduces the opportunity and ability of an attacker to bring a contaminant into the vulnerable production area and introduce the contaminant into the food without being detected by his or her co-workers. These two examples show that the same actionable process step can be protected in a variety of ways. The explanation will clarify the facility's thinking and rationale as to how a mitigation strategy significantly minimizes or prevents a significant vulnerability.

      We believe that the explanation accompanying the mitigation strategy(ies) will be highly beneficial to the facility in gauging the proper implementation of the mitigation strategy during required verification activities. In identifying and implementing appropriate mitigation strategies, the facility will need to reason through how and why the mitigation strategy(ies) will be protective of the respective actionable process step in question. This explanation and the monitoring of the mitigation strategy play key roles in enabling the facility to determine if the mitigation strategy is achieving its intended aim and, therefore, is properly implemented.

      For example, for a facility that secures its liquid storage tank with a lock, a review of monitoring records may show that the lock is consistently in place and locked, therefore reducing accessibility and significantly reducing the vulnerability associated with the liquid storage tank. By being consistently implemented as intended, the lock is achieving the aim as explained in the food defense plan to reduce access to the liquid food held in the liquid storage tank. In this case, the facility can conclude that this mitigation strategy is properly implemented and is reducing a significant vulnerability.

      In contrast, consider a lock on a mixer that is not achieving its intended aim. In this example, the worker at the mixer must routinely open the mixer's lid to determine if the product is being sufficiently mixed. The worker finds the lock to be interfering with his or her responsibilities and frequently does not engage the lock after checking on the product, repeatedly leaving the mixer unsecured. This deviation is documented in monitoring records by the production supervisor. In this case, the facility's explanation as to how the mitigation strategy would be protective of the mixer included the rationale that the lock would reduce access to the product. A component of the facility's corrective action procedure for this mitigation strategy was to retrain the employee on the importance of locking the mixer, but the employee continues to repeatedly leave the mixer unlocked due to its interference with his or her responsibilities. Since the mitigation strategy, as determined through a review of monitoring and corrective action records, was not consistently implemented, it is not achieving the aim as specified in the mitigation strategy's explanation. Therefore, the mitigation strategy cannot be determined to be properly implemented and is not reducing significant vulnerabilities associated with the mixer. Since the facility has found that the mitigation strategy is not properly implemented, the facility must reanalyze this portion of the food defense plan under the requirements of Sec. 121.157(b)(3) and then identify and implement a different mitigation strategy, or combination of strategies, for the mixer that would reduce the likelihood that an act of intentional adulteration would be successful.

      Additionally, we believe that the explanation for how the mitigation strategy(ies) are suitable and intended to reduce the significant vulnerability will also be highly beneficial in establishing common understanding and communication between the facility and inspectors during inspections.

      (Comment 82) Many comments support our proposed requirement that mitigation strategies be targeted at high vulnerability process steps instead of setting requirements for general facility-level protections. Further, some comments assert that significant vulnerabilities by nature present themselves at particular points in a process and that these individual points, steps, or procedures must be protected. These comments also state that broad mitigation strategies would be far reaching and require significantly more capital investment from industry, while not directly protecting the most vulnerable processes.

      (Response 82) We agree with comments supporting the direction of mitigation strategies to those areas where vulnerability is highest. As discussed previously, we now refer to mitigation strategies, rather than broad and focused mitigation strategies. However, we continue to believe that, to be sufficient and appropriate, mitigation strategies must be specifically tailored to the significant vulnerability and customized to the actionable process step where they are applied rather than applied to the entire facility (e.g., locking exterior doors, or ensuring employees and visitors have identification badges). We would not consider these two examples to be adequate to significantly reduce or prevent a significant vulnerability because they do not address an inside attacker.

      However, we believe that many policies or procedures that a facility currently has in place can be modified or altered to provide protection against acts of intentional adulteration without the facility incurring significant costs, or requiring additional capital investment. For example, consider a liquid food storage tank with an inward opening hatch. When the tank is full, the pressure of the liquid prevents the hatch from being opened, rendering the tank inaccessible. However, when the tank is empty, the hatch may be opened and a contaminant added. It may be part of normal facility practice for a supervisor to conduct a visual check of storage tanks after a cleaning cycle to ensure the cleaning has been conducted properly. Rather than incur the cost of installing a lock or other access control on the hatch, the facility may elect to implement a food defense mitigation strategy by altering its visual check procedure so that the visual check by the supervisor is conducted immediately prior to food being added to the storage tank so that the tank is observed after the tank has been empty and accessible for an extended period of time. Alternatively, the facility could elect to secure the tank's hatch with a tamper-evident seal or tape after the visual inspection. This slight modification of an existing facility practice could be implemented with little, if any, cost to the facility and serve to protect the actionable process step--in this case the storage tank--from an attacker adding a contaminant to the tank while it is empty and accessible after it has been cleaned and visually inspected.

      (Comment 83) Some comments state that those strategies previously termed as broad mitigation strategies should be considered as being among appropriate mitigation strategies for compliance with the requirements, with the majority of those comments indicating that FDA should not distinguish between focused and broad mitigation strategies in the final rule. Some comments disagree with FDA's statement in the proposed rule that the implementation of focused mitigation strategies at actionable process steps in a food operation is necessary to minimize or prevent the significant vulnerabilities that are identified in a vulnerability assessment regardless of the existence of broad mitigation strategies. These comments contend that mitigation strategies (whether broad or focused) can work in concert with one another and play an important role in a facility's food defense approach. Additionally, some comments state that broad mitigation strategies can sometimes achieve the same results as focused mitigation strategies and some comments state that the differentiation between the two types of strategies is confusing and subjective.

      (Response 83) We believe this comment is largely addressed by changing the regulatory text to refer to only mitigation strategies in this final rule. We agree with comments that mitigation strategies exist across a spectrum from those that are very broad and facility-wide in nature to those that are very specific and tailored to unique processing steps and areas. If implemented in a directed manner, a strategy that may tend to be thought of as ``broad'' can be effective at reducing vulnerability associated with a specific actionable process step and could sufficiently minimize the likelihood of a successful act of intentional adulteration at the actionable process step.

      Based on the results of our vulnerability assessments, we believe that mitigation strategies implemented at actionable process steps that are customized to the processing step at which they are applied, tailored to existing facility practices and procedures, and consider the actionable process step's vulnerability to an insider attack are sufficient to protect the actionable process step. An insider attack must be considered because an attacker who has achieved access to the facility will have already circumvented the facility's general facility-level protections. During the course of our vulnerability assessments, we determined that if an actionable process step was sufficiently protected against an attack perpetrated by an insider with legitimate access to the facility, it would be similarly protected against the actions of an outside attacker who has circumvented perimeter protections. Facility-wide security measures can support or complement the mitigation strategy(ies) the facility implements; however, the significant vulnerability associated with the actionable process step must be significantly reduced or prevented.

      For example, if a facility implements a strategy to restrict access at an actionable process step to only those authorized individuals who work in the area, and the facility leverages identification badges to enforce this strategy, then the strategy becomes much more targeted. In this case, the strategy is simply not about identifying personnel who work anywhere in the facility, but rather, restricting access to a specifically vulnerable area. In this case, the pre-existing badging process the facility had in place to positively identify employees and visitors serves as the foundation upon which the more tailored mitigation strategy is built. However, the badging process itself is not a mitigation strategy sufficient to significantly reduce or prevent a significant vulnerability at the actionable process step because the badging process alone does not restrict access to the actionable process step.

      Another example to illustrate how different practices can work in concert with each other to achieve protection is that of vetting employees. In the proposal we described a hypothetical scenario where a facility's secondary ingredient handling area was identified as significantly vulnerable and was, therefore, identified as an actionable process step. In the scenario, the facility elected to mitigate this vulnerability by (1) reducing the time ingredients were open and accessible, (2) entrusting the handling of secondary ingredients to one of the most trusted employees, and (3) increasing observation over the secondary ingredient handling area. To implement the second mitigation strategy (use of most trusted employees), the facility could utilize either senior and/or long-term employees who had earned their trust over time, or the facility could conduct a more detailed background check on specific employees.

      Much the same way the Federal government assigns more sensitive tasks to Federal workers based on a multi-layered classification and security clearance process, the facility could require basic level pre-employment screening for most employees, but for those employees working at actionable process steps, a mitigation strategy could be to require a more detailed level of background check. The facility would also conduct periodic review of the background check, as appropriate. By applying a more targeted approach to establishing trust for the employee working in the secondary ingredient handling area, the facility leveraged what was previously described in the proposal as a ``broad'' mitigation strategy in a much more directed and targeted way such that it was specifically addressing the significant vulnerability associated with the secondary ingredient staging area. This example shows how what were ``broad'' and ``focused'' mitigation strategies can work together to protect an actionable process step.

      We caution against using background checks as the sole mitigation strategy to reduce significant vulnerabilities at an actionable process step because a background check may not identify all indicators of an insider threat. Additionally, information within a background check may be outdated or missing more recent key information that could be indicators of an insider threat. Background checks should be used in concert with other mitigation strategies to counter the risk of an insider attack. In this example, the facility also mitigated vulnerability at the secondary ingredient staging area by reducing the staging time of ingredients and increasing observation of the area.

      Similarly, some other mitigation strategies may not be adequate when used in isolation. For example, ensuring adequate lighting around an actionable process step would generally be a mitigation strategy that must be used in concert with other strategies to significantly reduce the likelihood of, or prevent, successful acts of intentional adulteration at an actionable process step. The increased lighting can support other mitigation strategies (i.e., increased supervision of an actionable process step) but, generally, increased lighting would not by itself be sufficient to address the significant vulnerability associated with the actionable process step.

      (Comment 84) Some comments state that existing facility practices and facility-level measures should be considered when a facility is identifying appropriate mitigation strategies.

      (Response 84) We agree. As discussed previously, mitigation strategies should be tailored to existing facility practices and procedures, and take into account the nature of the actionable process step's significant vulnerability. Mitigation strategies can be complemented by or built on top of existing practices or facility-level measures. For example, a facility might prepare secondary ingredients in an area near the process step where they will be added to the product line. The facility weighs and measures ingredients the night before use so they are ready for introduction into the product line in the morning. To identify a suitable and appropriate mitigation strategy, the facility would consider its normal practice of staging ingredients the night before and any other relevant practices the facility engages in regarding its handling of secondary ingredients in this area. The facility might conclude that staging ingredients the night before is unnecessary and elect to implement the mitigation strategy that ingredients will only be handled immediately before their introduction into the product line to prevent them from being open and accessible for extended periods of time. Alternatively, if the facility concludes that their operating practices prevent this approach, it could implement the mitigation strategy to place the ingredients in tamper evident storage containers overnight to prevent an attacker from being able to introduce an agent without indications of tampering with the ingredients. The facility would implement the most appropriate mitigation strategy taking into consideration its existing practices and procedures.

      (Comment 85) One comment asserts broad mitigation strategies offer significant protections to the food supply and that focused mitigation strategies are of questionable or at least unproved efficacy. This comment goes on to request that FDA focus requirements only on broad mitigation strategies that limit access to bulk foods prior to and at process steps that may disperse contamination in a large volume of finished food.

      (Response 85) During the course of our vulnerability assessments, we found that appropriate mitigation strategies must be specifically tailored to the significant vulnerability they are addressing and customized to the actionable process step where they are applied, while taking into account existing facility practices and procedures. We disagree with the comment's assertion that strategies previously termed as ``focused mitigation strategies'' are questionable or of unproven efficacy. Indeed, we conclude as determined through our vulnerability assessments that mitigation strategies specifically designed to protect the most vulnerable points in a food operation are the most effective at reducing the likelihood that an act of intentional adulteration would be successful. General facility-level security measures have questionable value in protecting actionable processing steps from significant vulnerabilities, especially those significant vulnerabilities associated with attackers with legitimate access to the facility. However, this comment illustrates why we are changing the codified to refer to only ``mitigation strategies.'' We would consider the efforts described by this comment to be focused mitigation strategies as we used that term in the proposed rule. We agree that ``bulk foods prior to and at process steps that may disperse contamination in a large volume of finished food'' would most likely be significantly vulnerable and thus require appropriate mitigation strategies.

      (Comment 86) Some comments state that some of the mitigation strategies identified in the preamble of the proposed rule may not be appropriate or suitable in certain circumstances. For example, some comments mention that one-way sample ports as a mitigation strategy may not be appropriate for products that require aseptic sampling. Some comments contend that making engineering enhancements to equipment or repositioning equipment to increase visual observation may be prohibitively costly.

      (Response 86) We agree that certain mitigation strategies may not be appropriate or suitable in some situations. Therefore, we are not requiring any specific mitigation strategies in this rule. A facility may identify the most appropriate and suitable mitigation strategies for its facility, the food being processed, the actionable process step being protected, and the nature of the significant vulnerability being mitigated.

      (Comment 87) Some comments urge FDA to permit requirements that are already in place by other government agencies to count as mitigation strategies, when appropriate based on a thoughtful vulnerability assessment. In particular, these comments suggest the C-TPAT program has proved successful in requiring that broad mitigation strategies be implemented, including physical security, personnel security, ingredient storage and inventory procedures, and crisis management planning.

      (Response 87) As discussed in section III.D, we believe that participation in other security programs, such as C-TPAT or CFATS for example, raises the overall security posture for a facility and can be beneficial along with the requirements of the final rule. In certain circumstances, security measures implemented under other security programs may also prove to be effective mitigation strategies once actionable process steps are identified. These security measures should be evaluated on a case-by-case basis to determine if they significantly reduce or prevent significant vulnerabilities at actionable process steps. If so, the facility may consider these protections as mitigation strategies under Sec. 121.135 and document them in the food defense plan. However, FDA will not consider a facility's participation with other security programs as de facto compliance with this rule.

    4. Final Sec. 121.138--Mitigation Strategies Management Components

      We have added a new Sec. 121.138 (Mitigation Strategies Management Components) to establish that mitigation strategies required under Sec. 121.135 are subject to the following mitigation strategies management components as appropriate to ensure the proper implementation of the mitigation strategies, taking into account the nature of each such mitigation strategy and its role in the facility's food defense system: (1) Food defense monitoring in accordance with Sec. 121.140; (2) Food defense corrective actions in accordance with Sec. 121.145; and (3) Food defense verification in accordance with Sec. 121.150. We have created this new section to provide clarity and understanding regarding the application of the three management components to the mitigation strategies as required by Sec. 121.135.

    5. Proposed Sec. 121.140--Monitoring

      1. Proposed Sec. 121.140(a)-(b) Requirement for Written Procedures for and Frequency of Monitoring

        We proposed that you must establish and implement written procedures, including the frequency with which they are to be performed, for monitoring the mitigation strategies, and you must monitor the mitigation strategies with sufficient frequency to provide assurance that they are consistently applied.

        Some comments support the proposed requirements. In the following paragraphs, we discuss comments that disagree with the proposed requirements, ask us to clarify the proposed requirements, or suggest one or more changes to the proposed requirements. Some comments request that we provide more flexibility than a traditional HACCP framework, with specific requests for flexibility in the management components, including monitoring.

        After considering these comments, we are making three revisions to the requirements for monitoring in Sec. 121.140. First, we are adding the qualification ``as appropriate to the nature of the mitigation strategy and its role in the facility's food defense system,'' to the beginning of the provision. Second, we are changing ``sufficient'' to ``adequate'' in Sec. 121.140(b), which now states that ``you must monitor the mitigation strategies with adequate frequency to provide assurances that they are consistently performed.'' We are substituting the term ``adequate'' for the term ``sufficient'' to be consistent with the PCHF final rule definition for monitoring. We conclude that there is no meaningful difference between ``adequate'' and ``sufficient'' for the purposes of part 121. We have also added a definition for the term ``adequate'' in the regulatory text to mean that which is needed to accomplish the intended purpose in keeping with good public health practice. We also conclude that the regulations will be clearer if we use the single term ``adequate'' throughout the regulations. Third, we are changing ``applied'' to ``performed'' to address comments that state the language was unclear. Section 121.140(b) now states that ``you must monitor the mitigation strategies with adequate frequency to provide assurances that they are consistently performed.''

        (Comment 88) Some comments argue that the language of section 418(d) of the FD&C Act is ambiguous, and state that monitoring in section 418(d) does not require that facilities conduct monitoring as described in the National Advisory Committee on Microbiological Criteria for Foods' HACCP Principles and Application Guidelines. These comments state that the statute sets a standard for facilities to ``monitor the effectiveness of the preventive controls.'' The comments state that the statute does not indicate how facilities are to monitor the effectiveness of the mitigation strategies; it does not indicate that each mitigation strategy must be monitored, and it does not specify the frequency at which monitoring must occur. However, the comments agree that facilities should assess whether mitigation strategies are in place and are fully implemented. The comments agree that facilities should have written procedures regarding how, and the frequency at which, observations take place, but also indicate that these procedures and frequencies should be less rigorous than procedures and frequencies for preventive controls.

        (Response 88) We agree that facilities must assess whether mitigation strategies are in place. We also agree that facilities must provide written procedures regarding how, and the frequency at which, monitoring occurs. This rule implements section 103 of FSMA, and therefore includes components for monitoring (section 418(d) of the FD&C Act). We agree that monitoring in the intentional adulteration regulatory framework should be more flexible than monitoring as described in the National Advisory Committee on Microbiological Criteria for Foods' HACCP Principles and Application Guidelines. Therefore, we have modified the requirement for monitoring in the regulatory text to include ``as appropriate to ensure the proper implementation of the mitigation strategies, taking into account the nature of each such mitigation strategy and its role in the facility's food defense system'' (see Sec. Sec. 121.138, 121.140) and to provide for the use of exception records (see Sec. 121.140(c)(2)). These changes allow a facility to select the appropriate rigor and frequency of its monitoring based on its particular circumstances and are similar to those made in the PCHF final rule regulatory text for monitoring in the preventive controls management components.

        For example, a facility stages ingredients overnight so the first shift can immediately begin adding ingredients to a hopper. The facility identifies staged ingredient containers as an actionable process step because the overnight staging makes the ingredient containers significantly vulnerable. The facility then identifies a mitigation strategy of reducing ingredient staging time. The facility establishes and implements food defense monitoring procedures to include observations of the staging area to ensure the ingredients are staged immediately prior to addition into the hopper rather than overnight. This monitoring procedure is tailored to the facility's circumstances and is appropriate to the mitigation strategy (i.e., suitable for a particular purpose and capable of being applied) because it allows for the assessment or observation that the ingredient staging time is being reduced. When establishing the monitoring procedure, the facility considered the nature of the mitigation strategy (i.e., an observation would determine if reducing the staging time was being consistently performed) and its role in the facility's food defense system (i.e., the facility deemed it necessary to conduct the monitoring for the mitigation strategy because reducing the staging time significantly minimized the significant vulnerability associated with the ingredient containers). Additionally, the facility reasoned that monitoring the staging area immediately prior to the addition of the ingredients to the hopper met the requirement for monitoring to be conducted on an adequate frequency because this frequency meets the definition of adequate (i.e., that which is needed to accomplish the intended purpose in keeping with good public health practice) in that monitoring prior to ingredient addition to the hopper ensures that employees will properly implement the reduced staging time and reduce the significant vulnerability.

      2. Proposed Sec. 121.140(c)--Requirement for Records

        We proposed that all monitoring of focused mitigation strategies in accordance with this section must be documented in records that are subject to verification in accordance with proposed Sec. 121.150(a) and records review in accordance with proposed Sec. 121.150(c).

        In the following paragraphs, we discuss comments that disagree with the proposed requirements, ask us to clarify the proposed requirements, or suggest one or more changes to the proposed requirements. After considering these comments, we have revised the regulatory text to provide that exception records may be adequate in some circumstances (see Sec. 121.140(c)(2)).

        (Comment 89) Some comments state that a facility will be much more likely to document a deviation from an established mitigation strategy (i.e., a light is broken or turned off) rather than a confirmation that the light was working properly each day. These comments seem to indicate that this could be a potential area where greater flexibility is needed regarding how monitoring is documented.

        (Response 89) New Sec. 121.140(c)(2) provides for exception records and states records may be affirmative records demonstrating the mitigation strategy is functioning as intended and that exception records demonstrating the mitigation strategy is not functioning as intended may be adequate in some circumstances. This revision to the regulatory text was made to clarify that exception records, in certain circumstances, are acceptable. We understand exception reporting as a structure where automated systems are designed to alert operators and management on an exception basis--i.e., only when a deviation from food safety parameter limits is observed by the system.

        Exception reporting would be an acceptable monitoring system in some circumstances. A facility must be able to verify that food defense monitoring is being conducted (Sec. 121.150(a)(1)). This is straightforward with affirmative monitoring records but can be more difficult or impossible with exception records. The following example provides an instance where a facility may choose exception records when monitoring a mitigation strategy. A facility identifies an ingredient storage area as an actionable process step, and identifies and implements a restricted access system that uses electronic swipe/key cards to limit access to the area. The restricted access system is designed to allow authorized personnel to open a door to the area, while also alerting management when the door is left unlocked. While the system would not need to produce a record for every authorized access to the area, the system would produce a record for each instance that the door is left unlocked and alert operators to those instances. In this example, the facility would periodically verify that the restricted access system is working properly, in part, by leaving the door unlocked, and ensuring the system alerts the operator by generating a record that documents the door being unlocked. Exception records are not always appropriate. For example, it would not be appropriate to create a record that indicates adequate lighting is not functioning as intended, rather than documenting adequate lighting is functioning as intended, unless the facility devised an approach that would allow it to verify that food defense monitoring was being conducted as required.

    6. Proposed Sec. 121.145--Corrective Actions

      1. Proposed Sec. 121.145(a)(1)-(2) Requirement To Establish and Implement Corrective Action Procedures That Must Describe Steps To Be Taken

        We proposed that you must establish and implement written corrective action procedures that must be taken if the mitigation strategy is not properly implemented. The corrective action procedures must describe the steps to be taken to ensure that appropriate action is taken to identify and correct a problem with implementation of a mitigation strategy to reduce the likelihood that the problem will recur.

        Some comments support the proposed requirements. In the following paragraphs, we discuss comments that disagree with the proposed requirements, ask us to clarify the proposed requirements, or suggest one or more changes to the proposed requirements. Some comments request that the intentional adulteration requirements provide more flexibility than a traditional HACCP framework, with specific requests for flexibility in the management components, including corrective actions. After considering these comments, we are making several revisions to the proposed requirements for corrective actions. First, we are adding the qualification ``as appropriate to the nature of the actionable process step and the nature of the mitigation strategy'' to the beginning of the provision in Sec. 121.145(a). Second, we are separating the requirements to take appropriate action to identify and correct a problem that has occurred from the requirement to take appropriate action, when necessary, to reduce the likelihood that the problem will recur. The separated requirements are now included in the regulatory text as Sec. 121.145(a)(2)(i) and Sec. 121.145(a)(2)(ii), respectively. Similar changes were made to the PCHF final rule regulatory text for corrective actions, as comments related to that rule asserted the proposed corrective action regulatory text could have been misunderstood as a requirement to establish a new preventive control after implementing a corrective action procedure. These comments also asserted that it would be inappropriate to assume that corrective action procedures always correct a problem with the implementation of a new or additional preventive control. We have addressed these comments to the requirement to identify and correct a problem by adding ``that has occurred'' after ``correct a problem'' in Sec. 121.145(a)(2)(i). 
        We have also addressed these comments by qualifying the requirement that the corrective action procedures must describe the steps to be taken to ensure that appropriate action is taken to reduce the likelihood that the problem will recur by inserting ``when necessary'' after ``appropriate action is taken'' in Sec. 121.145(a)(2)(ii).

        (Comment 90) A few comments state that greater flexibility is needed to reflect the differences between mitigation strategies and preventive controls and that corrective actions is one potential area in which to increase flexibility. While comments agree that a facility should take action when a mitigation strategy is not properly or fully implemented, these comments further state that detailed, written corrective action procedures should not be required to address every possible deviation for each mitigation strategy. In addition, comments state that facility employees should make corrections, rather than take corrective actions, in some circumstances. These comments provide an example of corrections where a door is simply closed, and the action is not documented, in response to a single, isolated event where a door is propped open.

        (Response 90) As described previously, we have modified the provision to provide that corrective action procedures are established and implemented based on the nature of the actionable process step in addition to the nature of the mitigation strategy (see Sec. 121.145(a)). The rule allows for a facility's corrective action procedures to reflect the extent of the deviation. For example, a facility's monitoring indicates that a peer monitoring mitigation strategy is not implemented as intended because one of the employees does not accompany the other employee at the actionable process step. A component of the facility's written corrective action is to retrain the employee on the importance of accompanying the other employee while at the actionable process step. We expect, in most cases, that food defense corrective action procedures will be simple and easy to undertake. Further, we agree that written corrective action procedures need not address every possible deviation, and the rule does not require this. Written corrective action procedures should address circumstances where deviations are likely to occur. The reason to have corrective action procedures is to consider the likely scenarios in advance, rather than react to these scenarios on an ad hoc basis.

        We do not agree that certain situations are more appropriate for corrections rather than corrective actions. A ``correction'' does not include, among other things, actions to reduce the likelihood that the problem will recur. The comment describes a situation where a facility is locking the door to serve as the mitigation strategy, and the [Page 34205] monitoring of the mitigation strategy indicates the strategy is not performing as intended (i.e., the door is not locked, and it is propped open). Because monitoring has indicated the mitigation strategy is not properly implemented, a corrective action is required (Sec. 121.145(a)(1)). While the example includes a corrective action that is quite simplistic and easy to undertake, it is important that a corrective action, and not a correction, be taken because the corrective action includes actions to reduce the likelihood that the problem will recur, while the correction does not. An unlocked door leaves the significant vulnerability unmitigated, and therefore, this seemingly isolated problem directly impacts product vulnerability.

        Furthermore, corrections, such as those discussed in the PCHF final rule (e.g., facility observes food residue on ``clean'' equipment prior to production of food, and then cleans the equipment), are appropriate for minor and isolated problems that do not directly impact product safety. An analogous situation does not exist in the context of intentional adulteration where requirements of this rule are designed to reduce significant vulnerabilities associated with an insider attack. Additionally, food defense corrective action requirements are less rigorous and resource-intensive than corrective actions for food safety purposes. Food defense corrective actions do not include requirements to evaluate all affected food for safety, prevent affected food from entering commerce, or include requirements for unanticipated problems.

      2. Proposed Sec. 121.145(a)(3)--Documentation

        We proposed that all corrective actions taken in accordance with this section must be documented in records that are subject to verification in accordance with proposed Sec. 121.150(b) and records review in accordance with proposed Sec. 121.150(c).

        Some comments support the proposed requirements without change. One comment states that documentation would not be needed in a single, isolated event, such as where a door is propped open, and the corrective action would simply result in the door being closed. While the example includes a corrective action that is simple and easy to undertake, it is necessary that it be documented. Without such documentation, verification of proper implementation of the mitigation strategy, as required in Sec. 121.150(a)(3), may not be possible because there are no records to review which reflect failure to implement the mitigation strategy. Further, without documentation, it may not be known whether it was a one-time event or the door was propped open more regularly. Documentation of the corrective actions and review of the documentation to verify proper implementation of mitigation strategies is necessary to identify trends and patterns of implementation of mitigation strategies over time, and is also necessary to ensure appropriate decisions about corrective actions are being made. After considering the comment, we are finalizing these requirements as proposed.

    7. Proposed Sec. 121.150--Verification

      We proposed to require verification of monitoring, verification of corrective actions, verification of implementation and effectiveness, reanalysis, and documentation of all verification activities. Specifically regarding verification of implementation and effectiveness (proposed Sec. 121.150(c)), we proposed that you must verify that the focused mitigation strategies are consistently implemented and are effectively and significantly minimizing or preventing the significant vulnerabilities. We proposed that this must include, as appropriate to the facility and the food, review of the monitoring and corrective actions records within appropriate timeframes to ensure that the records are complete, the activities reflected in the records occurred in accordance with the food defense plan, the focused mitigation strategies are effective, and appropriate decisions were made about corrective actions. We also requested comment on whether we should specify the verification activities that must be conducted for verification of monitoring and for verification of corrective actions and, if so, what verification activities should be required.

      1. Verification of Monitoring, Corrective Actions and Implementation and Effectiveness

        Some comments support the proposed requirements. In the following paragraphs, we discuss comments that disagree with the proposed requirements, ask us to clarify the proposed requirements, or suggest one or more changes to the proposed requirements. Some comments request that the intentional adulteration requirements provide more flexibility than a traditional HACCP framework, with specific requests for flexibility in the management components, including verification. Most of the comments addressing verification activities request clarification specifically related to implementation and effectiveness. One comment requests that we provide for other activities appropriate for verification of implementation and effectiveness. After considering these comments, we are making several changes to the requirements for verification.

        First, we are adding text to Sec. 121.150(a) (Food defense verification) to reflect that verification procedures are established and implemented based on the nature of the mitigation strategy and its role in the facility's food defense system. Second, we made edits to reflect new Sec. 121.138. We have changed proposed Sec. 121.150(a) to final Sec. 121.150(a)(1), which now states ``Verification that food defense monitoring is being conducted as required by Sec. 121.138 (and in accordance with Sec. 121.140).'' We have changed proposed Sec. 121.150(b) to final Sec. 121.150(a)(2), which now states ``Verification that appropriate decisions about food defense corrective actions are being made as required by Sec. 121.138 (and in accordance with Sec. 121.145).'' We have changed proposed Sec. 121.150(c) to final Sec. 121.150(a)(3) which requires verification that mitigation strategies are properly implemented and significantly minimizing the significant vulnerabilities.

        Third, we have removed the requirement to verify that mitigation strategies are effectively significantly minimizing or preventing significant vulnerabilities in Sec. 121.150(c) because it is more appropriate to verify mitigation strategies are being properly implemented, in accordance with the food defense plan, rather than verifying these strategies are effective. In the food safety context, verification of effectiveness is mainly accomplished via validation and testing, which are not required in this final rule due to the nature of mitigation strategies. Fourth, we are adding a new section Sec. 121.150(a)(3)(ii) to provide for ``other activities appropriate for verification of proper implementation'' to allow for increased flexibility in verifying mitigation strategies are properly implemented beyond what is included in Sec. 121.150(a)(3)(i). Fifth, we added a requirement (Sec. 121.150(b)) to establish and implement written procedures, including the frequency with which they are performed, for verification activities. This requirement was added because the flexibility, provided in Sec. 121.150(a)(3)(ii), is significant but not unbounded. Written procedures are essential to ensure these activities are occurring in accordance with the food defense plan. Sixth, we moved the more [Page 34206] extensive section for reanalysis (proposed Sec. 121.150(d)) to a new section (final Sec. 121.157) to improve readability and clarity. As a result, we created a new Sec. 121.150(a)(4) (``Verification of Reanalysis in accordance with Sec. 121.157'') to include in Sec. 121.150 the requirement to verify that reanalysis has been conducted. Some of these changes are similar to those made in the PCHF final rule regulatory text for verification and preventive controls management components.

        (Comment 91) Some comments request clarification and elaboration for verification activities related to implementation and effectiveness of mitigation strategies (proposed Sec. 121.150(c)).

        (Response 91) As mentioned previously, we have removed the requirement to verify the effectiveness of mitigation strategies. As part of food defense verification, a facility must determine if each mitigation strategy is properly implemented and significantly minimizing or preventing significant vulnerabilities. To do this, a facility would determine whether the mitigation strategies are consistently implemented and functioning as intended. Part of this determination would be based on review of monitoring and corrective action records. In addition, as mentioned in section V.D, facilities may use, but are not limited to, two important factors to determine the proper implementation of mitigation strategies to significantly minimize or prevent significant vulnerabilities: (1) The degree of physical access to the product at the actionable process step and (2) the ability of an attacker to successfully contaminate the product at the actionable process step.

        For example, if a mitigation strategy is significantly minimizing the degree of physical access to the product at an actionable process step, and the strategy is consistently implemented as determined by record review, the strategy can be considered properly implemented. Likewise, if the mitigation strategy is significantly minimizing the ability of an attacker to successfully contaminate the product at the actionable process step, and the strategy is consistently implemented as determined by record review, the strategy can be considered properly implemented. These factors are the same as two of the factors required to be evaluated in a vulnerability assessment (Sec. 121.130(a)(2) and (3)).

        We are not including the third factor (the potential for public health impact (Sec. 121.130(a)(1)) because it has been our experience that mitigation strategies either directly reduce access to a point, step, or procedure, or directly reduce the ability of an attacker to contaminate the food at a point, step, or procedure, and in doing so, indirectly reduce the potential public health impact if a contaminant were added at a point, step, or procedure.

        As a facility reasons through its explanation of how the mitigation strategy significantly minimizes or prevents the significant vulnerability (Sec. 121.135(a)), the facility's explanation will most likely include the rationale for how the mitigation strategy reduces, to an acceptable level, either the degree of unauthorized access to the actionable process step or the ability of an attacker to successfully contaminate the product at the actionable process step. When the facility reviews the monitoring and corrective action records to ensure that activities reflected in the records occur as envisioned by the food defense plan (Sec. 121.135(a)) and are consistently implemented (Sec. 121.150(a)(3)), the facility can then determine whether the mitigation strategy is properly implemented and is significantly minimizing the significant vulnerability at the actionable process step.

        (Comment 92) One comment states that verification methods other than those required by proposed Sec. 121.150(c) may be appropriate, and provides suggestions of such methods, including direct observation of monitoring, such as a supervisor observing monitoring conducted by an employee, and review of monitoring and corrective actions activities during team meetings.

        (Response 92) We agree that the rule should provide flexibility for additional activities related to verification of properly implemented mitigation strategies, and have revised the specific requirements to provide for other activities appropriate for verification of proper implementation of mitigation strategies in Sec. 121.150(a)(3)(ii). Providing specific requirements for verification of implementation (Sec. 121.150(a)(3)(i)), but allowing for other activities appropriate for verification of implementation (Sec. 121.150(a)(3)(ii)), addresses, in part, comment requests that mitigation strategies management components need to provide more flexibility.

        (Comment 93) One comment disagrees with the requirement that, as part of verification, monitoring and corrective action records must be reviewed and further states that the proposed requirement is too prescriptive and not applicable to food defense.

        (Response 93) Review of monitoring and corrective action records is a key component of verification in a food defense system. Review of monitoring records is necessary to determine whether mitigation strategies are implemented as intended and are therefore significantly minimizing significant vulnerabilities. For example, review of monitoring records for a mitigation strategy of using a lock to secure an access hatch on top of a silo could indicate that the lock is functioning as intended because the securing mechanism is fully engaged, and the hatch cannot be accessed without a key to the lock. The significant vulnerability has been significantly minimized because the food in the silo is no longer accessible. The facility determines the mitigation strategy is properly implemented because it is functioning as intended and minimizes the significant vulnerability.

        Review of corrective action records is necessary to determine whether appropriate decisions are being made to identify and correct any problems with the implementation of a mitigation strategy and whether actions are being taken to reduce the likelihood that a problem would recur. To continue with the example, if the review of monitoring records indicated that the lock was not properly implemented due to employee error, the facility implements the corrective action, which consists of engaging the securing mechanism of the lock on the access hatch, and retraining the employee assigned to this step in how to properly use the securing mechanism. During the review of the corrective action records, the facility determines that appropriate decisions about corrective actions were made because the problem was identified that the lock was not properly implemented due to employee error, the problem was corrected because the facility engaged the securing mechanism of the lock to lock the access hatch, and actions were taken to reduce the likelihood the problem would recur by training the employee on how to successfully engage the securing mechanism of the lock in order to lock the access hatch.

        Further, FDA has provided a flexible time period for review, allowing review of monitoring and corrective action records to take place in an ``appropriate timeframe.'' For example, a facility chooses to use several mitigation strategies, including adequate lighting, at the bulk truck unloading bay to protect the actionable process step, and the lighting may be monitored each time a shipment is received or on a weekly basis depending on the facility's determination of the frequency of the monitoring procedures. The review of these monitoring records may occur on [Page 34207] a weekly or monthly basis, depending on the frequency of the monitoring procedures and the role this mitigation strategy plays in a facility's food defense system. We disagree that this requirement is too prescriptive.

        (Comment 94) Some comments assert that industry cannot be held to a standard of absolute prevention of intentional adulteration, and given this assertion, one of these comments further states that effectiveness of mitigation strategies should be interpreted reasonably by both FDA and industry. The comment agrees that facilities should be expected to take reasonably appropriate measures to mitigate vulnerabilities and also states that facilities should have discretion to determine how mitigation strategies are effective. This comment goes on to state that facilities should not be expected to employ a certain measure just because the measure is available, particularly when the added benefit might be minimal. Finally, the comment states that, in the context of interpreting effectiveness of mitigation strategies in a reasonable manner, FDA should be mindful of the extremely low likelihood of an intentional adulteration event that may cause massive public health harm or economic disruption.

        (Response 94) We acknowledged the low probability of an intentional adulteration event that may cause wide scale public health harm in the proposed rule (78 FR 78014 at 78024). The rule does not create a standard of absolute prevention at every identified actionable process step. Mitigation strategies are, among other things, ``risk-based'' and ``reasonably appropriate measures.'' They are employed to ``significantly minimize or prevent'' significant vulnerabilities.

        Furthermore, each facility has some degree of discretion in determining how, and whether, each mitigation strategy is properly implemented, as part of the facility's written explanation of how the mitigation strategy sufficiently minimizes or prevents the significant vulnerability associated with the actionable process step.

        Additionally, facilities are not required to employ measures just because they are available or convenient. Rather, facilities are required to identify and implement mitigation strategies that reflect the specific circumstances of the actionable process step and the facility. Because the facility considers these circumstances when identifying and implementing an appropriate mitigation strategy, and provides a written explanation of how the mitigation strategy sufficiently minimizes or prevents the significant vulnerability associated with an actionable process step, a facility may choose a mitigation strategy that it believes provides maximum benefit, regardless of availability or convenience, if it complies with the requirement to significantly minimize, or prevent, the significant vulnerability.

      2. Proposed Sec. 121.150(d)--Reanalysis (Final Sec. 121.157)

        We proposed that you must conduct a reanalysis of the food defense plan (1) At least once every 3 years; (2) Whenever a significant change in the activities conducted at your facility creates a reasonable potential for a new vulnerability or a significant increase in a previously identified vulnerability; (3) Whenever you become aware of new information about potential vulnerabilities associated with the food operation or facility; (4) Whenever you find that a focused mitigation strategy is ineffective; and (5) Whenever FDA requires reanalysis to respond to new vulnerabilities and developments in scientific understanding including, as appropriate, results from the Department of Homeland Security biological, chemical, radiological, or other terrorism risk assessments. These requirements for reanalysis of the food defense plan were proposed within Sec. 121.150 Verification.

        Many comments responded to Sec. 121.150 (Verification) as a whole, without specifically referring to reanalysis as an area needing edits. However, some comments regarding verification potentially apply to reanalysis, and these are addressed in this section. Some comments support the proposed requirements without change and some support the proposed provisions but ask for more flexibility and suggest alternative regulatory text. After considering these comments, to improve clarity and readability and to be consistent with the PCHF final rule with respect to the regulatory text for reanalysis, we have removed reanalysis from Sec. 121.150 and created a new section Sec. 121.157 devoted entirely to requirements for reanalysis. We have revised the regulatory text within this section to clarify which portions of the food defense plan will need reanalysis and how often (e.g., the whole plan needs reanalysis at least every 3 years, and the whole plan or the applicable portions of the plan need reanalysis for all other reasons required in the text), to expand the scope of situations that trigger a reanalysis (e.g., added a reanalysis requirement when required by FDA based on credible threats to the food supply), and we increased clarity for when the reanalysis requires a revision to the food defense plan (e.g., the proposed language stated a revision to the food defense plan is required when a significant change is made, and the text was edited to state that a revision to the food defense plan is required when a significant change in activities conducted at your facility creates a reasonable potential for a new significant vulnerability or a significant increase in a previously identified vulnerability). Also, the new reanalysis section provides more flexibility in the timeframe for when a reanalysis must be completed, and clarifies when a reanalysis requires a revision to the food defense plan.

        In the following paragraphs, we discuss comments that suggest one or more changes to the proposed requirements.

        (Comment 95) Some comments state that greater flexibility is needed to reflect the differences between mitigation strategies and preventive controls and that verification is one potential area in which to increase flexibility. These comments believe that the oversight burden and the records burden associated with verification could be lessened by adding more flexibility.

        (Response 95) We interpreted these comments to include reanalysis in the verification activities mentioned. We agree that the overall regulatory framework for this rule should provide more flexibility than that of a traditional HACCP approach and have described our general thinking in Comment 1 and Comment 2 of this document. To align with this thinking we have made specific changes to the reanalysis requirements. We removed reanalysis from Sec. 121.150 and created a new section Sec. 121.157 devoted entirely to requirements for reanalysis to help clarify activities for the purpose of verification versus activities specific to reanalysis. Within this section we provide for reanalysis of an applicable portion of the food defense plan (rather than the complete food defense plan) in specified circumstances. We have revised the regulatory text to state that when reanalysis is conducted for any reason other than Sec. 121.157(a) (every 3 years), the food defense plan as a whole may need to be reanalyzed, or just the applicable portion of the food defense plan that may be affected by the proposed change or the new information (see Sec. 121.157(a) and 121.157(b)). In the proposed rule, the portions of the plan that required reanalysis were not detailed, and the implication was that the entire plan must be reanalyzed in all cases. Our clarification of this language [Page 34208] allows flexibility for the facility to determine the extent of the required reanalysis based on the nature of the reanalysis trigger. In addition, we made associated editorial changes for the intentional adulteration reanalysis requirements to improve the readability of the requirement to conduct reanalysis ``whenever a mitigation strategy, a combination of mitigation strategies, or the food defense plan as a whole, is not properly implemented'' (see Sec. 121.157(b)(3)). In the proposed rule this requirement applied only to the ineffective nature of a mitigation strategy and did not take into account other areas of the food defense plan that may be contributing to an ineffective food defense plan. We also added new text to the reanalysis requirement to allow FDA to require a reanalysis ``when credible threats are made to the food supply'', as discussed more fully in section III.C.

        Further, additional flexibility has been provided with respect to timeframes associated with completing reanalysis. The proposed rule required that reanalysis be completed ``before the change in activities at the facility were operative'' or ``when necessary, during the first 6 weeks of production.'' The new requirement states that the reanalysis must be complete ``before any changes in activities (including any change in mitigation strategy) at the facility is operative,'' or ``when necessary, within 90 days of production'' or ``within a reasonable timeframe, providing a written justification is prepared for a timeframe that exceeds 90 days after production of the applicable food first begins.'' This flexibility in timeframes lessens the burden on the facility. We believe the 90-day timeframe is sufficient for completing the reanalysis but recognize that there may be instances where the 90-day timeframe is exceeded and this is allowed with sufficient written justification.

        We lessened the documentation burden by only requiring a revision to the food defense plan ``if a significant change in the activities conducted at your facility creates a reasonable potential for a new significant vulnerability or a significant increase in a previously identified vulnerability.'' The proposed rule required a revision to the food defense plan if ``a significant change was made.'' By stating specifically that revisions are only required if a change is made in activities that affect vulnerabilities, we eliminate the revision requirements for changes that are not directly related to the risk of intentional adulteration. Both the proposed and final rules provide for the option to conclude that a revision to the food defense plan is not needed as long as the basis for that conclusion has been documented.

        Many of the changes we made to the reanalysis provisions are similar to changes made in the PCHF final rule, and we believe this consistency will assist with overall understanding and implementation of these rules.

        (Comment 96) Some comments ask us to recognize other terminologies suggesting reanalysis could be referred to as ``reassessment.''

        (Response 96) We decline this request. We have acknowledged that the terminology used in relation to the concept of ``reanalysis'' varies in current regulations and guidelines for systems such as HACCP (78 FR 3646 at 3759). A facility may choose to use a term such as ``reassessment'' in its records--e.g., if it relies on existing records that use the term ``reassessment'' to satisfy some or all of the requirements of this rule for reanalysis. However, the rule will use a single term to minimize the potential for confusion about whether different terms have a different meaning for the purposes of the rule.

    8. Proposed Sec. 121.160--Training (Final Sec. 121.4)

      We proposed in Sec. 121.160 to require that (1) Personnel and supervisors assigned to actionable process steps must receive appropriate training in food defense awareness and their respective responsibilities in implementing focused mitigation strategies and (2) All required training must be documented in records. We asked for comment on several questions related to training, including whether we should require that basic food defense awareness training be completed by all employees and whether we should require training to be repeated periodically. We also requested comment on the adequacy of FDA's Food Defense 101 training materials and whether additional FDA training materials are needed. Finally, we requested comment on the feasibility of the proposed training requirements, in light of the current state of food defense awareness in the industry and available training resources.

      No comments disagree with the need for training for facilities to be able to properly implement this rule, and many comments acknowledge that training is crucial to creating an effective food defense environment in a facility. Some comments agree with our proposed training approach, and other comments request changes. After considering the comments, we have changed the training requirements by creating a new section, Sec. 121.4 (Qualifications of Individuals Who Perform Activities Under Subpart C), which replaces Sec. 121.160, and by defining the term ``qualified individual'' in Sec. 121.3. In summary, the final rule requires all individuals who perform activities under Subpart C to be qualified through training or job experience or a combination thereof. Individuals and their supervisors at actionable process steps are required to take food defense awareness training, and individuals who prepare the food defense plan, conduct a vulnerability assessment, identify and explain mitigation strategies and perform reanalysis must have successfully completed training for the specific activity at least equivalent to that received under a standardized curriculum recognized as adequate by FDA or be otherwise qualified through job experience to conduct the activities.

      Section 121.4 requires that individuals performing activities under Subpart C have certain qualifications that vary based on the activity performed. Section 121.4(a) requires that you ensure that each individual who performs activities required under Subpart C is a qualified individual. A qualified individual is ``a person who has the education, training, or experience (or a combination thereof) necessary to perform an activity required under Subpart C, as appropriate to the individual's assigned duties. A qualified individual may be, but is not required to be, an employee of the establishment'' (Sec. 121.3). See section IV.C.4 for further discussion of this definition. Section 121.4(b) requires that each individual assigned to an actionable process step (including temporary and seasonal personnel) or in the supervision thereof must (1) be a qualified individual and (2) receive training in food defense awareness. Section 121.4(c) requires that each individual assigned to (1) the preparation of the food defense plan, (2) the conduct of a vulnerability assessment, (3) the identification and explanation of the mitigation strategies, or (4) the reanalysis of the food defense plan must be a qualified individual and have successfully completed training for the specific activity at least equivalent to that received under a standardized curriculum recognized as adequate by FDA or be otherwise qualified through job experience to conduct the activities. Job experience may qualify an individual to perform any of the activities listed previously if such experience has provided an individual with knowledge at least equivalent to that provided through the standardized [Page 34209] curriculum. Section 121.4(d) requires that responsibility for ensuring compliance by individuals with the requirements be clearly assigned to supervisory personnel with adequate qualifications to supervise the activities. Section 121.4(e) requires that the training required by Sec. 121.4(b) and (c) must be documented in records that include the date of the training, the type of training, and the person trained, and must be established and maintained in accordance with the requirements of subpart D.

      In the following paragraphs, we discuss comments that respond to our request for comment regarding the proposed training requirement and comments that request changes to the training requirement as proposed.

      (Comment 97) Some comments assert that FDA should require facilities to conduct food defense awareness training for all employees and not just for employees and supervisors who work at actionable process steps. Some comments indicate that, since food defense is a new area of regulation, training to increase general awareness by all employees would be a useful requirement in gaining familiarity with the risk and mitigation of intentional adulteration. Some comments state that food defense awareness training for all employees is fundamental for creating a food defense culture at a facility and may be the critical element for preventing a successful attack. Alternatively, some comments state that expanding the food defense awareness training requirement to all employees will not advance food defense and could create a generalized approach that may diminish the ability of the facility to effectively train personnel who have significant roles in implementing food defense requirements. Some comments state that the cost of requiring training of all employees would be overly burdensome.

      (Response 97) Although we agree that food defense awareness training would be useful for all employees, we believe that the best use of training resources for industry would be to focus the requirement for food defense awareness training on personnel who are assigned to an actionable process step. We do not believe it is necessary to require that facilities provide all employees with awareness training to significantly minimize or prevent significant vulnerabilities. Although we disagree that training all employees could diminish the ability of a facility to effectively train personnel, we agree that concentrating awareness training on certain individuals is less burdensome than a general training requirement. We believe it is the best use of resources to train individuals at actionable process steps in food defense awareness because that is where intentional adulteration, when intended to cause wide scale public health harm, is most likely to occur. Our food defense guidance includes options for increasing general awareness of food defense throughout a facility by incorporating the importance of food defense procedures into routine facility communications, such as brochures, staff meetings, or payroll stuffers. We recommend that facilities encourage all employees to report unusual or suspicious individuals or activities to management.

      In addition to requiring food defense awareness training for certain individuals, the rule requires that each individual who performs activities required by subpart C be a qualified individual as that term is defined in Sec. 121.3. In addition, the rule requires individuals performing certain activities, including the preparation of the food defense plan or the conduct of a vulnerability assessment, to have successfully completed training for the specific activity at least equivalent to that received under a standardized curriculum recognized as adequate by FDA or be otherwise qualified through job experience to conduct the activities.

      (Comment 98) Some comments express a need for advanced food defense training requirements for individuals conducting higher level food defense activities such as food defense coordinators, individuals who prepare, monitor, verify, or conduct corrective actions associated with food defense plans, managers or quality control personnel or personnel who would be responsible for identification of appropriate mitigation strategies. Some comments assert that these food defense activities require specialized knowledge that would not be covered in food safety training and that qualified individuals should perform these higher level functions.

      (Response 98) We agree with these comments and are requiring that each individual engaged in activities in subpart C must be a qualified individual with the appropriate education, training, or experience (or a combination thereof) to perform the activity. Further, the rule requires increased qualifications for individuals responsible for higher level activities, such as preparation of the food defense plan, conducting a vulnerability assessment, identifying and explaining mitigation strategies, and reanalysis (Sec. 121.4(c)). These individuals must have the appropriate education, training, or experience (or a combination thereof) necessary to properly perform their assigned activities and have successfully completed training at least equivalent to that received under a standardized curriculum recognized as adequate by FDA or be otherwise qualified through job experience to conduct the activities. Job experience may qualify an individual to perform these functions if such experience has provided an individual with knowledge at least equivalent to that provided through the standardized curriculum. We believe the activities listed previously require an additional level of expertise and training than other activities required under subpart C and, therefore, FDA is establishing a standardized curriculum for training which individuals performing these activities must successfully complete (or be otherwise qualified through job experience). This approach is consistent with the PCHF final rule, where additional food safety training is required for individuals who prepare or oversee preparation of the food safety plan, including conducting the hazard analysis (21 CFR 117.126(a)(2)).

      We anticipate that the standardized curriculum for activities other than the conduct of a vulnerability assessment will be an approximately 4-hour training that will cover food defense awareness and food defense planning components such as preparing, implementing, and reanalysis of a food defense plan and selecting and explaining mitigation strategies. We plan for the training to be available online.

      The training for conducting or overseeing a vulnerability assessment will require in-depth analysis of the functional and thought processes required to properly characterize significant vulnerabilities associated with a facility's points, steps, or procedures and the identification of actionable process steps. The process of conducting a vulnerability assessment may be new to much of the industry and the training will take this into consideration. The standardized curriculum for conducting a vulnerability assessment will need to cover each required component of the vulnerability assessment and provide enough information for an individual to calibrate their decision making based on the scientific analysis required by a vulnerability assessment. We believe that the curriculum designed for this activity will require multiple days and may be best offered in person. Based on the vulnerability assessment method chosen, the length of the standardized curriculum may vary, for example if a

      Page 34210

      facility is using the key activity types the training could be shorter.

      Finally, with regard to comments that suggest that individuals who prepare, monitor, verify, or conduct corrective actions associated with food defense plans receive specialized training, we agree that individuals responsible for these activities should be qualified individuals and may need training to perform such activities. However, we are not standardizing a curriculum for such training and realize that individuals may be qualified through education or experience to do these activities because these concepts are not completely unique to food defense planning and analogous food safety concepts have been in routine practice in many food facilities for the purpose of food safety plans and/or HACCP approaches.

      (Comment 99) Some comments state that food defense awareness training should be recognized as a beneficial mitigation strategy within food defense plans to create heightened awareness and that this training can be used to address intentional contamination including insider threats. Other comments state that the only requirement for food defense should be training and that any requirements beyond this approach are not necessary.

      (Response 99) We agree that food defense awareness training for employees and supervisors assigned to actionable process steps would increase awareness and could assist with recognizing or thwarting an insider threat; however, the training alone will not protect the food at that actionable process step. It is the properly implemented mitigation strategies, which are designed to reduce the significant vulnerability at that step, which would protect the food against intentional adulteration.

      (Comment 100) Some comments recommend that FDA set a requirement for periodic retraining, and some comments suggest the training requirement should specify training intervals such as during an employee ``onboarding'' process and periodically thereafter or when significant changes are made to the food defense plan. One comment did not request a requirement for retraining but stated that it should be understood that education and training are not a one-time occurrence. One comment asked for flexibility for training and retraining frequencies so a facility can take into account facility size, environment, seasonality of employees, and other circumstances.

      (Response 100) We agree that training should not be a one-time occurrence and believe that by defining ``qualified individual'' in terms of an ability to perform assigned responsibilities we have provided the flexibility for firms to consider relevant factors in determining how often to perform training. Individuals conducting activities under subpart C must be qualified to successfully implement the food defense measures contained in the food defense plan. If the food defense plan changes, because of a production change resulting in a mitigation strategy change, for example, employees and supervisors may need retraining if their responsibilities under subpart C change. Also, retraining may be needed as a component of corrective action. For example, if during the course of monitoring a facility determines that certain mitigation strategies are not being implemented consistently or appropriately, a component of the corrective action may be to retrain the responsible staff and their supervisors. To ensure that employees remain qualified to perform their duties under subpart C, facilities will need to retrain employees when the food defense plan changes and when a problem has been identified that training would address.

      (Comment 101) Some comments commend FDA on the development of a broad range of free training materials that will be efficient and useful to meet training requirements. Some comments suggest updating and expanding these trainings to include options for free, downloadable, and customizable materials to reach a broad range of cultural and language groups, and to include information on how to protect food defense-related documents. One comment recommends that FDA update all of its food defense resources to reflect the requirements ultimately included in this final rule. One comment suggests that FDA develop a ``train-the-trainer'' course that could be effectively utilized by industry to equip management of food companies with the training materials needed to comply with the training requirements.

      (Response 101) We agree that many of our trainings and other resources will assist industry in complying with this rule. However, we recognize that many of our existing materials will need to be updated to reflect the provisions of the rule and new training materials will need to be developed. We intend to update our training materials to provide an option to comply with the food defense awareness training requirement, and we will be developing a standardized curriculum for training in accordance with the requirements of Sec. 121.4(c). We anticipate the standardized content of the training will be modular, with certain modules varying based on the difficulty and skill level of the activity being performed, with the vulnerability assessment training module being the most in-depth and lengthy (See Comment 80 and Comment 81).

      The training for individuals and supervisors assigned to actionable process steps may require facility-specific information for proper implementation of the mitigation strategy or strategies and, therefore, will need to be developed and administered on the job and will not be developed by FDA.

      We will continue to provide food defense training and other materials in as many formats as resources allow, such as online, DVD, and hard copy. FDA currently has some food defense materials in languages other than English, but will work as we are able towards translating more materials in other languages to reach a broader audience.

      In response to the development of a ``train the trainer'' course to assist management with meeting the training requirements of this rule, we interpret this comment to mean that we should offer materials so that companies can deliver their own food defense awareness training. Since the requirement for awareness training has inherent flexibility, facilities can deliver their own food defense awareness trainings. We believe the training tools and resources that we intend to update, based on the requirements of this rule, will assist facility management with gaining knowledge necessary for delivering food defense awareness training, and we intend to explore the development of a ``train the trainer'' in consultation with the alliance to meet the needs of the standardized curriculum requirements.

      (Comment 102) Some comments request that FDA support the development and distribution of educational and training resources to assist very small facilities exempt from the rule with voluntary compliance. Some comments request that FDA clarify how it will work with retail stakeholders to strengthen education and training for retail facilities that want to take voluntary food defense risk reduction measures.

      (Response 102) FDA offers free tools and food defense awareness training, as well as guidance, that we intend to update based on the final requirements which should assist non-covered entities, such as those at the retail level, who wish to voluntarily comply with the final provisions of this rule.

      (Comment 103) Some comments support the food defense awareness

      Page 34211

      training requirement but ask that FDA keep the requirement flexible and make clear that online training or other non-FDA developed trainings are acceptable. One comment asked us to state whether the ``Food Defense 101'' training released in 2013 by FDA is the preferred resource for employee awareness training. Some comments state that it might not be possible to provide the same type of training to all staff at various levels, and that it should be up to the facility to determine which training to provide to which staff, based on their food defense responsibilities.

      (Response 103) We agree with the need to avoid rigid requirements with respect to training content for food defense awareness. We recognize that many food defense awareness trainings exist and may already be utilized at facilities, and mandating specific content in trainings may lead to redundancy and additional cost. We intend to update our ``Food Defense 101, Food Defense Awareness for the Front-line Employee'' training such that it would satisfy the requirement for food defense awareness training; however, it is not the only acceptable training. In addition, we believe that there are several existing trainings that would be acceptable for other activities that may require training such as food defense monitoring, food defense corrective actions, and food defense verification.

      (Comment 104) Some comments recommend that, because food defense is a new and evolving area, and because this regulation will be the first of its kind worldwide, training and education need to occur at many levels to effectively implement this rule. These comments state that FDA must provide significant outreach and education to both industry and State regulatory Agencies with jurisdiction over the production of human food. These comments emphasize that FDA and State and local inspection personnel will need significant training in conducting food defense inspections and that training developed for FDA investigators should be extended to State and local governments as well as industry to help food facilities understand what is expected and how compliance will be determined.

      (Response 104) We appreciate these comments regarding consistency of training between industry and Federal, State, local and tribal regulators, and we agree that this is a novel area of regulation that could benefit from alignment of training between the regulated industry and its regulators. We have addressed the issue of training for the purposes of inspection and compliance in section III.D, but in general, FDA is still in the process of assessing its training needs for inspection and enforcement of this rule.

      (Comment 105) Some comments state that Alliances have been successfully used to support implementation of other national requirements, including other FSMA rules, using a partnership model. These comments recommend that FDA consider formation of an Alliance structure for the area of food defense as well. Comments state that Alliances, made up of State and local public health professionals, State and local public health associations, and industry can play an important role in information sharing and outreach and a formal Alliance for food defense is the best way to accomplish the development of standardized food defense training content and effective training tools and resources.

      (Response 105) We agree with these comments and have funded the establishment of an Intentional Adulteration Subcommittee under the existing Food Safety Preventive Controls Alliance. We intend to leverage the expertise of State and local public health professionals, State and local public health associations, and industry associations to develop the standardized curriculum needed to meet the training requirement.

      (Comment 106) Some comments suggest that FDA establish a technical assistance office based out of the Center for Food Safety and Applied Nutrition (CFSAN) that can answer queries, provide guidance, and release information consistently to both regulators and the covered industry to assist with educating industry and regulators.

      (Response 106) FDA has established a FSMA Technical Assistance Network (TAN) to provide technical assistance to industry, regulators, academia, consumers, and others regarding FSMA implementation. Inquiries are answered by FDA Information Specialists or Subject Matter Experts, based on the complexity of the question. To find out more about the FSMA TAN please visit http://www.fda.gov/food/guidanceregulation/fsma/ucm459719.htm.

      (Comment 107) Some comments request funding from FDA for the training of State, local, tribal, and territorial regulators.

      (Response 107) Funding associated with training State, local, tribal, and territorial regulators is outside the scope of this rule.

      (Comment 108) One comment asserts that training and compliance incentives must be available at the same time the final regulation is released to give facilities time to learn about, build, and deploy an effective implementation plan.

      (Response 108) It is unclear what is meant by training and compliance incentives, but we have established extended compliance dates to allow facilities the time necessary to comply with this training requirement. See section VIII for information on compliance dates.

      (Comment 109) One comment suggests that FDA should mandate training on a ``code of ethics'' to prevent economically motivated adulteration.

      (Response 109) Acts of intentional adulteration for the purpose of economic gain, i.e., economically motivated adulteration, are outside the scope of the rule and are addressed in the preventive controls for human food rule (80 FR 55907 at 56028-56029) and the preventive controls for animal food final rule (80 FR 56170 at 56244-56246).

  20. Subpart D: Comments on Requirements Applying to Records That Must Be Established and Maintained

    We proposed to establish in subpart D requirements that would apply to all records that would be required by the various provisions of proposed part 121, including general requirements related to the content and form of records, additional requirements specific to the food defense plan, requirements for record retention, requirements for official review of records by FDA, and public disclosure.

    Some comments generally support requiring records to demonstrate that a food defense plan has been created, is functioning, and is being monitored. However, many comments disagreed with some of the specific requirements that we proposed. In the following paragraphs, we discuss comments that ask us to clarify the proposed requirements, disagree with, or suggest one or more changes to the proposed requirements.

    1. Proposed Sec. 121.301--Records Subject to the Requirements of This Subpart D

      We proposed that all records required by proposed subpart C (Food Defense Measures) are subject to all requirements of this subpart except that the requirements of Sec. 121.310 apply only to the written food defense plan. We received no comments on this section and are finalizing as proposed.

    2. Proposed Sec. 121.305--General Requirements Applying to Records

      We proposed that the records must (1) be kept as original records, true copies, or electronic records (and that electronic records must be kept in accordance with

      Page 34212

      part 11 (21 CFR part 11)); (2) contain the actual values and observations obtained during monitoring; (3) be accurate, indelible, and legible; (4) be created concurrently with performance of the activity documented; (5) be as detailed as necessary to provide history of work performed; and (6) include the name and location of the plant or facility, the date and time of the activity documented, the signature or initials of the person performing the activity, and, where appropriate, the identity of the product and the production code, if any. In the following paragraphs, we discuss comments that ask us to clarify the proposed requirements or that disagree with, or suggest one or more changes to, the proposed requirements.

      (Comment 110) Several comments express concern over the proposed requirement that all electronic records be kept in accordance with part 11 and request that FDA exempt electronic records under part 121 from compliance with part 11. Comments argue that while some of the larger companies may have the technologies in place to comply with part 11, many of the covered facilities do not. These comments assert that compliance with part 11 would create the need to redesign and recreate existing systems, thus leading to considerable cost, which was not taken into account in the cost analysis in the preliminary regulatory analysis for the proposed rule. The comments go on to point out that we do not impose these requirements for recordkeeping requirements imposed under section 414 of the FD&C Act, and that this requirement is an added burden and expense that does not have any added benefit to public health.

      (Response 110) The final rule does not require compliance with part 11 (Sec. 121.305 (a)). Similar to the PCHF final rule, we are making a conforming change in part 11 to specify in new Sec. 11.1(o) that part 11 does not apply to records required to be established or maintained under part 121, and that records that satisfy the requirements of part 121, but that also are required under other applicable statutory provisions or regulations, remain subject to part 11. Although we are not specifying that part 11 applies, facilities should take appropriate measures to ensure that records are trustworthy, reliable, and generally equivalent to paper records and handwritten signatures executed on paper.

      (Comment 111) One comment asserts that while it is common for certain records to be created concurrently with performance of the activity, some records may require more time for writing, reviewing, editing, or approving. The comment requests that we provide for the creation of records ``in a timely manner following performance of the activity,'' rather than ``concurrently with performance of the activity.''

      (Response 111) We decline this request. The comment did not provide any specific examples of activities where concurrent record creation would prove difficult, and we are not aware of any such circumstance. For example, we are not aware of any difficulty complying with longstanding similar requirements associated with our HACCP regulations for seafood and juice (see Sec. Sec. 123.9(a)(4) and 120.12(b)(4), respectively).

      (Comment 112) Some comments assert that for certain production and associated activities documenting the time of activity is not necessary. Specific examples cited include equipment setup, verification of equipment setup, charging an ingredient into a blender, and weighing material for process yield and reconciliation purposes. These comments ask us to modify the proposed requirements so that the records would only be required to include the time of the activity where appropriate for food defense.

      (Response 112) The recordkeeping requirements in the rule only apply to records required by subpart C (Food defense measures). It is not clear that all of the activities specified by the comments relate to food defense measures and therefore are subject to the recordkeeping requirements in the rule. For records that are required, we agree that documenting the time of the activity is not always necessary. The rule requires that records must contain ``when appropriate, the time of the activity documented'' (Sec. 121.305(f)(2)). Monitoring records are an example of when documenting the time of the activity is appropriate because monitoring records are used to determine if a particular mitigation strategy is properly implemented. Without documenting the time the monitoring was conducted, a facility cannot identify patterns over time as to the mitigation strategy's implementation and whether appropriate corrective actions were being made. For mitigation strategies that are not time-dependent (e.g., permanent equipment changes to reduce access to the product, such as permanently affixing a shield to the rotating air dryer to prevent access to the food at the point where product is introduced into the dryer from the pneumatic conveyance), facilities are not required to document the time the activity was performed.

      (Comment 113) Some comments express concern that we will require records to be kept in English. These comments ask us to limit the documents that must be written in English to reduce translation and records duplication. These comments ask that records related to verification and monitoring should be allowed to be written in languages other than English.

      (Response 113) The rule does not require that any records be kept in English.

      (Comment 114) One comment seeks clarification on whether the use of checklist-type forms to document monitoring observations would satisfy the requirement in Sec. 121.305(b) that records contain actual values and observations obtained during monitoring. The comment argues that properly developed checklists will allow monitoring records to be accurate, indelible, and legible as required in Sec. 121.305(c) and will lessen the recordkeeping burden. For example, monitoring a mitigation strategy such as adequate lighting at the truck unloading bay could be recorded as a ``yes'' or ``no'' by checking the appropriate box on a checklist.

      (Response 114) Although monitoring records must contain the actual values and observations obtained during monitoring, facilities have flexibility to tailor the amount of detail to the nature of the record (Sec. 121.305(e)). Monitoring for adequate lighting at the truck unloading bay could be recorded as ``yes'' or ``no'' in either a narrative or checklist format. However, in the case of an improperly implemented mitigation strategy, we would recommend that the facility also document the extent to which the strategy was incorrectly applied, because this information would support the identification of previously written corrective actions that could be used to remedy the situation, as well as provide context as to why the mitigation strategy failed in this instance, which would be beneficial information for verification activities. For example, if lighting in the bulk unloading bay was insufficient, the monitoring document may record this instance as ``no'' in a checklist and also may note that half of the lights were inoperative due to a circuit-breaker that failed. This information would be helpful to facility management to determine whether the mitigation strategy is consistently applied and appropriate to the actionable process step in question. In this case, a faulty circuit breaker would be replaced, thereby correcting the deviation in the mitigation strategy. The mitigation strategy could still be determined to be achieving its aim with

      Page 34213

      this corrective action. Alternatively, if monitoring records document that the lighting was turned off by an employee, a different corrective action may be required, such as retraining of the employee on the importance of maintaining adequate lighting in the area. We note in Response 83 that ensuring adequate lighting around an actionable process step would generally be a mitigation strategy that must be used in concert with other strategies to significantly reduce the likelihood of, or prevent, successful acts of intentional adulteration at an actionable process step.

    3. Proposed Sec. 121.310--Additional Requirements Applying to the Food Defense Plan

      We proposed that the food defense plan must be signed and dated by the owner, operator, or agent in charge of the facility upon initial completion and upon any modification. We did not receive any comments related to this section, and we are finalizing as proposed.

    4. Proposed Sec. 121.315--Requirements for Record Retention

      We proposed that (1) All required records must be retained at the facility for at least 2 years after the date they were prepared; (2) The food defense plan must be retained at the facility for at least 2 years after its use is discontinued; (3) Except for the food defense plan, offsite storage of records is permitted after 6 months following the date that the records were made if such records can be retrieved and provided onsite within 24 hours of request for official review; and (4) If the facility is closed for a prolonged period, the records may be transferred to some other reasonably accessible location but must be returned to the plant or facility within 24 hours for official review upon request.

      (Comment 115) One comment asserts that a 2-year retention period for monitoring, corrective actions, and verification records for a product with a short shelf life is unnecessary. The comment argues that industry has been following record retention requirements in the Seafood HACCP regulation which requires 1 year records retention for refrigerated products and 2 years records retention for frozen, preserved, or shelf-stable products and requests that we use the same requirements in this rule.

      (Response 115) We decline this request. The 2-year record retention period is explicitly provided for by section 418(g) of the FD&C Act. Further, shelf life is more relevant to record retention requirements for the purpose of tracking potentially contaminated food than to record retention requirements for the purpose of evaluating compliance with this rule. Finally, 2 years is the same retention period as required by the PCHF final rule.

      (Comment 116) Some comments ask us to exercise flexibility regarding the 2-year record retention requirement because the unique nature of food defense activities and the technologies used in protecting the food supply against intentional adulteration do not typically allow for record retention for such a long period of time. For example, several comments explain that records related to video surveillance cannot be kept for 2 years because it is impractical; industry practice is typically to keep video records for 30 days or less. Comments argue that requiring 2-year retention of video records would be very difficult and costly, and that FDA likely did not include calculations for those added costs in our preliminary regulatory impact analysis for the proposed rule.

      (Response 116) The assertion that it is impractical for food defense records to be kept for 2 years seems to reflect a misunderstanding of the rule. The rule does not require maintaining video surveillance footage for 2 years. Video surveillance used as part of a mitigation strategy is not a monitoring record. If the video is being sent to a security office for observation, the monitoring record could be a log affirming that a security officer reviewed the video and detected no abnormal activities. If the video is being watched by a security officer in real time, the monitoring record could be the timesheets of the security officer showing he was in the security office performing his duties in observing the video feed.

      (Comment 117) Some comments ask us to specify our expectations for record availability and allow companies flexibility in using technology to meet those expectations. The comments explain that many companies keep important records such as food defense plans at their corporate headquarters or other central locations and not at individual facilities but that the facilities can easily access those records electronically if needed. The comments also assert that the 6-month onsite record retention requirement is arbitrary and that FDA should establish a workable requirement that provides for the efficient storage and retrieval of records in a timely manner. Some comments ask us to revise the requirement so that records that can be retrieved and provided onsite within 24 hours would be sufficient.

      (Response 117) We have revised the provisions to provide for offsite storage of all records (except the food defense plan), provided that the records can be retrieved and made available to us within 24 hours of a request for official review. We expect that many records will be electronic records that are accessible from an onsite location and, thus, would be classified as being onsite (see Sec. 121.315(c)). As a companion change, we have revised the proposed provision directed to the special circumstance of storing records when a facility is closed for prolonged periods of time so that it only relates to the offsite storage of the food defense plan in such circumstances (see Sec. 121.315(d)). Further, we require that records that a facility relies on during the 3-year period preceding the applicable calendar year to support its status as exempt as a very small business be retained at the facility as long as necessary to support the status of a facility as a very small business during the applicable calendar year (see Sec. 121.315(a)(2)).

      (Comment 118) One comment states that records and documentation should not increase costs for farm-based operations, most of whom operate as small businesses. They argue that these businesses already maintain a variety of records but some do not have the technical or financial resources available to maintain an electronic system for records. The comment requests that FDA accept records in formats that are not electronic.

      (Response 118) To clarify, we did not propose to require that any records must be kept in electronic format. In addition, this rule does not apply to farms.

    5. Proposed Sec. 121.320--Requirements for Official Review

      We proposed that all records required by this part must be made promptly available to a duly authorized representative of the Secretary of Health and Human Services upon oral or written request. In the following paragraphs, we discuss comments that ask us to clarify the proposed requirements or that disagree with, or suggest one or more changes to, the proposed requirements.

      (Comment 119) Some comments assert that FDA investigators should only review food defense plans on site and that we should not copy, photograph, transmit, or take possession of food defense plans. These comments assert that onsite review of records allows facility staff that is familiar with the documents and recordkeeping practices to answer any questions or provide clarification to the investigator. Some comments state that we should make it clear that any State investigators must follow the same policy and not copy, photograph, transmit, or take possession of food defense plans. Other comments assert that we should only take possession of food defense plans for compliance reasons or in the event of an emergency or a credible threat.

      (Response 119) Some of the issues raised by these comments are similar to issues raised by comments on the PCHF rule (see the discussion at 80 FR 55908 at 56091) and seafood HACCP rule (see the discussion at 60 FR 65096 at 65137-65140, December 18, 1995). During an inspection, we expect that FDA investigators will determine whether to copy records on a case-by-case basis as necessary and appropriate. It may be necessary to copy records when, for example, our investigators need assistance in reviewing a certain record from relevant experts in headquarters. If we are unable to copy records, we would have to rely solely on our investigators' notes and reports when drawing conclusions. In addition, copying records will facilitate follow-up regulatory actions. The public availability of any records that FDA would possess as a result of copying during an inspection would be governed by section 301(j) of the FD&C Act and by the Freedom of Information Act (FOIA) and regulations issued pursuant to it by the Department of Health and Human Services (DHHS) and FDA. Section 301(j) of the FD&C Act expressly prohibits FDA from disclosing trade secret information obtained during the course of an inspection. FDA's disclosure regulations also provide that FDA will not divulge either trade secret or confidential commercial information. See section VI.F. for a further discussion of protecting food defense records from disclosure.

      (Comment 120) Some comments assert that FDA investigators should not include details of food defense plans in the Establishment Inspection Reports (EIR) Form 483 and that food defense information should be kept separate from food safety information on FDA reports. The comments argue that if investigators include food defense-related noncompliance on an official report, that report could become public and could increase the risk to public health by disclosing weak points in a facility's food defense plan.

      (Response 120) As we do now, FDA would redact any protected information in an EIR or other document before publicly releasing the document. See section VI.F for further discussion of protecting food defense records from disclosure.

      (Comment 121) One comment asserts that section 106 of FSMA does not give FDA express access to review food defense plans and that FSMA indicates a Congressional intent to limit the distribution of certain materials related to food defense.

      (Response 121) The provisions in section 106 of FSMA concerning limited distribution relate to the ability of the Secretary of HHS (and by delegation, FDA) to limit the distribution of certain information already in the Agency's possession. Specifically, section 420(a)(2) of the FD&C Act authorizes FDA to determine the time, manner, and form in which a vulnerability assessment is made publicly available. Further, section 420(b)(3) provides for FDA to determine the time, manner, and form in which certain guidance documents are made public. The provisions do not limit FDA's authority to access information in a facility's possession, such as a food defense plan.

      Further, the ability of FDA to review food defense plans is necessary for the efficient enforcement of the FD&C Act. The rule requires a food defense plan consisting of a written vulnerability assessment, mitigation strategies, and procedures for food defense monitoring, corrective actions, and verification. Access to food defense plans is necessary for FDA to assess the adequacy of each of these documents and determine compliance with the rule. For example, to assess compliance with Sec. 121.130(a), FDA must review a facility's vulnerability assessment to determine whether it includes an evaluation of the potential public health impact if a contaminant were added, the degree of physical access to the product, and the ability of an attacker to successfully contaminate the product.

      In addition to section 420 (added to the FD&C Act by section 106 of FSMA), FDA is issuing this rule under the authority of section 418 of the FD&C Act. Section 418 explicitly provides authority for FDA access to certain documents. Under section 418, the required ``written plan, together with the documentation of monitoring, instances of nonconformance, the results of testing and other appropriate means of verification, instances where corrective actions were implemented, and the efficacy of preventive controls and corrective actions shall be made promptly available to FDA upon oral or written request.''

      (Comment 122) One comment asserts that neither section 103 nor 106 of FSMA expressly provide FDA with the authority to copy food defense plans or records.

      (Response 122) As we described in the seafood HACCP rule (60 FR 65096 at 65101, December 18, 1995), to effectuate the broad purposes of the FD&C Act, there may be some circumstances in which access to the records would be meaningless without the opportunity to copy them, and therefore copying records is necessary for the efficient enforcement of the FD&C Act. For further discussion of copying records, see response to Comment 121.

    6. Proposed Sec. 121.325--Public Disclosure

      We proposed that records required by this part will be protected from public disclosure to the extent allowable under part 20 of this chapter. We received numerous comments expressing concern with protecting food defense plans and records from public disclosure, especially due to the sensitive nature of the content within a food defense plan. One comment fully supports our proposal and believes there is sufficient precedent and need to protect the sensitive documents from public disclosure. In the following paragraphs, we discuss comments that ask us to clarify the proposed requirements or that disagree with, or suggest one or more changes to, the proposed requirements.

      (Comment 123) Some comments assert that food defense plans include information that is commercial confidential or trade secret and, therefore, should be exempt from disclosure under FOIA. The comments argue that food defense plans may include information on a facility's food defense-related measures and that disclosure of one facility's food defense plan may adversely affect other facilities and companies that may process similar foods or have similar processing procedures.

      (Response 123) FDA protects records from disclosure under Exemption 4 of FOIA to the extent they contain ``trade secrets'' or ``commercial or financial information obtained from a person and privileged or confidential.'' The questions raised in these comments are similar to some of the questions raised during the rulemaking to establish our HACCP regulation for seafood (see the discussion at 60 FR 65096 at 65137-65140). Our experience in conducting CGMP inspections in processing plants, our experience with enforcing our HACCP regulations for seafood and juice, and our understanding from the Regulatory Impact Analysis for this rule make it clear that food defense plans will take each facility time and money to develop.

      There is value in a plan to a company that produces it for no other reason than that it took work to write. The equity in such a product is not readily given away to competitors. We expect that plant configurations will be unique to individual processors, or at least have unique features, as was the case in the seafood industry (Ref. 16). While generic plans will have great utility in many circumstances, they will serve primarily as starting points for facilities to develop their own plans. Facilities will still need to expend time and money to tailor a generic food defense plan to their individual circumstances. Thus, we conclude that food defense plans generally will meet the definition of trade secret, including the court's definition in Public Citizen Health Research Group v. FDA, 704 F.2d 1280 (D.C. Cir. 1983).

      (Comment 124) Some comments ask us to provide assurances that food defense plans and related records will not be made public and assert that protecting these documents from disclosure to the extent allowable under part 20 may not be sufficient. They argue that food defense plans are more sensitive than food safety plans because food defense plans contain specifics on a facility's vulnerabilities and how they protect those vulnerabilities, and as such, could provide a ``road map'' for individuals intending to cause harm. These comments state that FDA should be more protective of food defense plans and argue that due to the sensitivity of information contained in food defense plans, it is too risky to rely on FOIA exemptions alone.

      (Response 124) We agree that food defense plans contain information that presents sensitivities not likely to be present in food safety plans. Exemption 7(F) of FOIA allows Agencies to withhold ``records or information compiled for law enforcement purposes . . . to the extent that production of such law enforcement records or information . . . could reasonably be expected to endanger the life or physical safety of any individual.'' Food defense plans are likely to meet the criteria to withhold them from disclosure under exemption 7(F). Food defense plans in FDA's possession would be compiled for law enforcement purposes because they would be collected as part of compliance efforts. Further, production of such records could reasonably be expected to endanger life or physical safety. Specifically, a food defense plan is likely to contain information that could be used to identify weaknesses in a facility's security, to choose targets, and to help plan and execute an attack involving intentional adulteration.

      (Comment 125) Some comments state that food defense plans could be classified under Executive Order 13526 because their unauthorized disclosure could reasonably be expected to cause identifiable or describable damage to national security and because food defense plans pertain to ``vulnerabilities or capabilities of systems, installations, infrastructures, projects, plans, or protection services relating to national security.'' These comments acknowledge that classifying food defense plans would be cumbersome and access to the classified documents would be extremely restricted and therefore, they recommend that FDA implement a policy that FDA investigators not copy, photograph, or transmit any food defense plan records or make detailed notes about the food defense plans in the Establishment Inspection Reports that could reveal sensitive information.

      (Response 125) See response to Comment 124 for a discussion of FDA handling of food defense plans. We note that FDA cannot classify food defense plans under Executive Order 13526. That executive order provides that information may be originally classified only if several conditions are met, including that the information is owned by, produced by or for, or is under the control of the U.S. Government. A food defense plan that is developed by industry for use by industry is not owned by, produced by or for, or under the control of, the U.S. Government.

      (Comment 126) One comment suggests that FDA only allow investigators who have the appropriate national security credentials (e.g., background checks, security clearances) to review the content of a food defense plan. The comment asserts that this will help prevent the risk of a sophisticated insider attack by a potential wrongdoer who has infiltrated the Agency.

      (Response 126) All FDA investigators and contracted State investigators are required to undergo background checks by the Federal government prior to employment and periodically thereafter. Food defense plans are not classified, and therefore FDA investigators would not need national security clearances.

      (Comment 127) Some comments state that FDA should, at a minimum, be aligned with and apply the same protection for food defense plans and records required under this part as HACCP seafood and juice regulations (see Sec. Sec. 123.9(d) and 120.12(f), respectively).

      (Response 127) We disagree that the proposed provisions governing public disclosure are not aligned with the public disclosure provisions of our HACCP regulations for seafood and juice. Our regulations in part 20 regarding public information apply to all Agency records, regardless of whether a particular recordkeeping requirement says so. In the public disclosure provisions for our HACCP regulations for seafood and juice, we provided specific details about how particular provisions in part 20 (i.e., Sec. 20.61 (Trade secrets and commercial or financial information which is privileged or confidential) and Sec. 20.81 (Data and information previously disclosed to the public)) would apply to the applicable records, because we recognized that such details were of particular interest to the regulated industries and such recordkeeping requirements were relatively new. In this rule, we framed the provisions regarding public disclosure more broadly by referring to all the requirements of part 20, consistent with our more recent approach to public disclosure provisions in regulations (see e.g., 21 CFR 112.167, 117.325).

      (Comment 128) Some comments assert that FDA should develop guidance and training for industry on how to protect food defense-related documents because industry is developing these documents to meet an FDA requirement and has a potential to increase the risk to public health.

      (Response 128) Our implementation of this rule will involve a broad, collaborative effort to foster awareness and compliance through guidance, education, and technical assistance. We agree that protection of food defense plans--by FDA and by industry--is important; we plan on including information within guidance for industry on best practices for how to protect food defense plans.

    7. Proposed Sec. 121.330--Use of Existing Records

      We are adding new section Sec. 121.330 (Use of Existing Records) to the final rule to increase recordkeeping flexibility. Section 121.330 specifies that existing records (e.g., records that are kept to comply with other Federal, State, or local regulations) do not need to be duplicated if they contain all of the required information and satisfy the requirements of subpart D. Section 121.330 also provides that existing records may be supplemented as necessary to include all of the required information. Further, Sec. 121.330 clarifies that the information required does not need to be kept in one set of records; if existing records contain some of the required information, any new information required may be kept either separately or combined with the existing records.

  21. Subpart E: Comments on Compliance--Proposed Sec. 121.401

    1. Proposed Sec. 121.401(a)--Failure To Comply With Section 418 of the FD&C Act

      We proposed that the operation of a facility that manufactures, processes, packs, or holds food for sale in the United States if the owner, operator, or agent in charge of such facility is required to comply with, and is not in compliance with, section 418 of the FD&C Act or subparts C or D of this part is a prohibited act under section 301(uu) of the FD&C Act.

      We did not receive any comments on this provision, and we are finalizing as proposed.

    2. Proposed Sec. 121.401(b)--Failure To Comply With Section 420 of the FD&C Act

      We proposed that the failure to comply with section 420 of the FD&C Act or subparts C or D of this part is a prohibited act under section 301(ww) of the FD&C Act.

      We did not receive any comments on this provision, and we are finalizing as proposed.

  22. Effective and Compliance Dates

    We proposed that the effective date would be 60 days after this final rule is published. However, we proposed a longer timeline for facilities to come into compliance. As proposed, facilities, other than small and very small businesses, would have 1 year after the effective date to comply with part 121. Small businesses (i.e., those employing fewer than 500 persons) would have 2 years after the effective date to comply with part 121. Very small businesses (i.e., businesses that have less than $10,000,000 in total annual sales of food, adjusted for inflation) would have 3 years after the effective date to comply with Sec. 121.5(a).

    Some comments express concern that facilities will not have the time or resources to implement requirements for the intentional adulteration rule at the same time they must comply with other FSMA rules. Some comments also state that more time is necessary to comply with this rule because food defense is different from current requirements for food safety. These comments request additional time for compliance.

    We agree with the comments and are providing more time for facilities to come into compliance. Facilities, other than small and very small businesses, have 3 years after the effective date to comply with part 121. Small businesses (i.e., those employing fewer than 500 full-time equivalent employees) have 4 years after the effective date to comply with part 121. Very small businesses (i.e., businesses that have less than $10,000,000, adjusted for inflation, per year, during the 3-year period preceding the applicable calendar year in both sales of human food plus the market value of human food manufactured, processed, packed, or held without sale) have 5 years after the effective date to comply with Sec. 121.5(a).

  23. Executive Order 13175

    In accordance with Executive Order 13175, FDA has consulted with tribal government officials. A Tribal Summary Impact Statement has been prepared that includes a summary of Tribal officials' concerns and how FDA has addressed them (Ref. 17). Persons with access to the Internet may obtain the Tribal Summary Impact Statement at http://www.fda.gov/Food/GuidanceRegulation/FSMA/ucm378628 or at http://www.regulations.gov. Copies of the Tribal Summary Impact Statement also may be obtained by contacting the person listed under FOR FURTHER INFORMATION CONTACT.

  24. Final Regulatory Impact Analysis

    We have examined the impacts of the final rule under Executive Order 12866, Executive Order 13563, the Regulatory Flexibility Act (5 U.S.C. 601-612), and the Unfunded Mandates Reform Act of 1995 (Pub. L. 104-4). Executive Orders 12866 and 13563 direct Agencies to assess all costs and benefits of available regulatory alternatives and, when regulation is necessary, to select regulatory approaches that maximize net benefits (including potential economic, environmental, public health and safety, and other advantages; distributive impacts; and equity). We have developed a comprehensive Economic Analysis of Impacts that assesses the impacts of the final rule. We believe that this final rule is a significant regulatory action under Executive Order 12866.

    The Regulatory Flexibility Act requires us to analyze regulatory options that would minimize any significant impact of a rule on small entities. The annualized costs per entity due to this rule are about $13,000 for a one-facility firm with 100 employees, and there are about 4,100 small businesses that would be affected by the rule, so we tentatively conclude that the final rule could have a significant economic impact on a substantial number of small entities.

    The Small Business Regulatory Enforcement Fairness Act of 1996 (Pub. L. 104-121) defines a major rule for the purpose of congressional review as having caused or being likely to cause one or more of the following: An annual effect on the economy of $100 million or more; a major increase in costs or prices; significant adverse effects on competition, employment, productivity, or innovation; or significant adverse effects on the ability of U.S.-based enterprises to compete with foreign-based enterprises in domestic or export markets. In accordance with the Small Business Regulatory Enforcement Fairness Act, the Office of Management and Budget (OMB) has determined that this rule is a major rule for the purpose of Congressional review.

    The Unfunded Mandates Reform Act of 1995 (section 202(a)) requires us to prepare a written statement, which includes an assessment of anticipated costs and benefits, before proposing ``any rule that includes any Federal mandate that may result in the expenditure by State, local, and tribal governments, in the aggregate, or by the private sector, of $100,000,000 or more (adjusted annually for inflation) in any one year.'' The current threshold after adjustment for inflation is $144 million, using the most current (2014) Implicit Price Deflator for the Gross Domestic Product. This final rule may result in a 1-year expenditure that would meet or exceed this amount.

  25. Paperwork Reduction Act of 1995

    This rule contains information collection requirements that are subject to review by the OMB under the Paperwork Reduction Act of 1995 (PRA) (44 U.S.C. 3501-3521). A description of these provisions is given in this section with an estimate of the annual reporting and recordkeeping burden; there is no third-party disclosure burden associated with the information collection. Included in the estimate is the time for reviewing instructions, searching existing data sources, gathering and maintaining the data needed, and completing and reviewing each collection of information.

    Title: Mitigation Strategies to Protect Food Against Intentional Adulteration

    Description: The Food and Drug Administration (FDA or we) is requiring domestic and foreign food facilities that are required to register under the Federal Food, Drug, and Cosmetic Act to address hazards that may be introduced with the intention to cause wide scale public health harm. These food facilities are required to identify and implement mitigation strategies that significantly minimize or prevent significant vulnerabilities identified at actionable process steps in a food operation. FDA is promulgating these requirements as part of our implementation of the FDA Food Safety Modernization Act (FSMA). We expect the rule to help protect food from acts of intentional adulteration intended to cause wide scale public health harm.

    Description of Respondents: Respondents to the collection are food production facilities with more than $10 million in annual sales. We estimate there are 9,759 such facilities owned by 3,247 firms. We estimate there are 18,080 facilities with less than $10 million in annual sales that will need to show documentation of their exemption status under the rule, upon request.

    In the Federal Register of December 24, 2013, FDA published a proposed rule including a PRA analysis of the information collection provisions found in the regulations. While FDA did not receive specific comments in response to the four information collection topics solicited, comments in response to the rule are addressed elsewhere in this document. Comments filed in response to the rulemaking are filed under Docket No. FDA-2013-N-1425.

    We estimate the burden for this information collection as follows:

    Reporting: The rule does not apply to very small businesses, except that ``a very small business'' is required to provide for official review, upon request, documentation that was relied upon to demonstrate that the facility meets this exemption. At this time we estimate there are 18,080 firms with less than $10 million in annual sales, exempting them from the rule. However, these facilities must show documentation upon request to verify their exempt status under the regulations (Sec. 121.5(a)). We estimate preparing and updating relevant files will require an average of 30 minutes per respondent for a total annual burden of 9,040 hours (30 minutes x 18,080), as reflected in table 4.

    Table 4--Estimated Annual Reporting Burden \1\

    ----------------------------------------------------------------------------------------------------------------------
    21 CFR Section; activity              Number of      Number of       Total annual  Average burden per      Total hours
                                          respondents    responses per   responses     response
                                                         respondent
    ----------------------------------------------------------------------------------------------------------------------
    Sec. 121.5; Exemption for food from   18,080         1               1             0.50 (30 minutes)       9,040
      very small businesses
    ----------------------------------------------------------------------------------------------------------------------

    \1\ There are no capital costs, or operating and maintenance costs associated with this collection.

    Recordkeeping: Under the rule, the owner, operator, or agent in charge of a facility must prepare, or have prepared, and implement a written food defense plan, including a written vulnerability assessment; written mitigation strategies; written procedures for defense monitoring; written procedures for food defense corrective actions; and written procedures for food defense verification. Table 5 shows the estimated recordkeeping burden associated with these activities, totaling 2,515,258 annual burden hours and 409,486 annual responses. This is a revision from our previous estimate, reflecting a slight decrease in burden hours as a result of finalizing regulatory requirements from the proposed rule and revising the number of estimated respondents.

    Table 5--Estimated Annual Recordkeeping Burden \1\

    ----------------------------------------------------------------------------------------------------------------------
    21 CFR Section; activity              Number of      Number of       Total annual  Average burden per      Total hours
                                          recordkeepers  records per     records       recordkeeping
                                                         recordkeeper
    ----------------------------------------------------------------------------------------------------------------------
    Food Defense Plan; Sec. 121.126       3,247          1               3,247         23 hrs                  74,681
    Vulnerability Assessment;             9,759          1               9,759         20 hrs                  195,180
      Sec. 121.130
    Mitigation Strategies;                9,759          1               9,759         20 hrs                  195,180
      Sec. 121.135(b)
    Monitoring, Corrective Actions,       9,759          1               9,759         175 hrs                 1,707,825
      Verification; Sec. 121.140(a),
      Sec. 121.145(a)(1), Sec. 121.150(b)
    Training; Sec. 121.4                  367,203        1               367,203       0.67 hrs. (40 minutes)  244,802
    Records; Sec. 121.305,                9,759          1               9,759         10 hrs                  97,590
      Sec. 121.310
    ----------------------------------------------------------------------------------------------------------------------
    Total                                                                409,486                               2,515,258
    ----------------------------------------------------------------------------------------------------------------------

    \1\ Costs of compliance are discussed in the Final Regulatory Impact Analysis to this final rule.

    We estimate 3,247 firms will need to create a food defense plan under Sec. 121.126, that a one-time burden of 50 hours will be needed to create such a plan, and that a burden of 10 hours will be required to update the plan. We annualize this estimate by dividing the total number of burden hours (70 hours) over a 3-year period, as reflected in table 5, row 1.

    Under Sec. 121.130, each of the estimated 9,759 food production facilities will identify and specify actionable process steps for its food defense plan. We estimate that an individual at the level of an operations manager will need 20 hours for this activity, as reflected in table 5, row 2. At the same time we note that this is a one-time burden we expect will have been realized upon implementation of the rule by the affected facilities. In our subsequent evaluation of the burden associated with this information collection provision, we will adjust our estimate accordingly.

    Under Sec. 121.135(b), each of the estimated 9,759 facilities must identify and implement mitigation strategies for each actionable process step to provide assurances that any significant vulnerability at each step is significantly minimized or prevented, ensuring that the food manufactured, processed, packed, or held by the facility will not be adulterated. The rule does not specify a specific number or set of mitigation strategies to be implemented. Some of the covered facilities are already implementing mitigation strategies. We estimate it will require an average of 20 hours per facility to satisfy the recordkeeping burden associated with these activities for a total of 195,180 hours, as reflected in table 5, row 3.

    We estimate that the recordkeeping activities associated with monitoring, documenting mitigation strategies, implementing necessary corrective actions, and verification activities will require first-line supervisors or others responsible for quality control an average of 175 hours for each recordkeeper, and that these provisions apply to each of the 9,759 facilities. This results in a total of 1,707,825 annual burden hours, as reflected in table 5, row 4.

    We estimate that recordkeeping activities associated with training under Sec. 121.4 total 244,802 annual burden hours, as reflected in table 5, row 5. This figure assumes that there are an estimated 1.2 million employees working at the regulated facilities and that 30 percent of them (367,203) will require training. This figure also assumes that the average burden for the associated recordkeeping activity is approximately 40 minutes (or 0.67 hours) per record.

    Finally, we expect each of the estimated 9,759 firms will fulfill the recordkeeping requirements under Sec. 121.305 and Sec. 121.310, and that it will require the equivalent of an operations manager and a legal analyst an average of 5 hours each (10 hours) per record, as reflected in table 5, row 6.

  26. Analysis of Environmental Impact

    We previously considered the environmental effects of this rule, as stated in the proposed rule (78 FR 78014). We stated that we had determined under 21 CFR 25.30(h) and 21 CFR 25.30(j) that this action is of a type that does not individually or cumulatively have a significant effect on the human environment such that neither an environmental assessment nor an environmental impact statement is required. We have not received any new information or comments that would affect our previous determination (Ref. 18).

  27. Federalism

    FDA has analyzed this final rule in accordance with the principles set forth in Executive Order 13132. FDA has determined that the rule does not contain policies that have substantial direct effects on the States, on the relationship between the National Government and the States, or on the distribution of power and responsibilities among the various levels of government. Accordingly, the Agency has concluded that the rule does not contain policies that have federalism implications as defined in the Executive order and, consequently, a federalism summary impact statement is not required.

  28. References

    The following references are on display in the Division of Dockets Management (HFA-305), Food and Drug Administration, 5630 Fishers Lane, Rm. 1061, Rockville, MD 20852, and are available for viewing by interested persons between 9 a.m. and 4 p.m., Monday through Friday; they are also available electronically at http://www.regulations.gov. FDA has verified the Web site addresses, as of the date this document publishes in the Federal Register, but Web sites are subject to change over time.

    1. FDA Memorandum. ``FDA Memorandum to Dockets on Records of Outreach. See Reference 7 to the 2014 supplemental human preventive controls notice,'' 2013.

    2. FDA Memorandum. ``Memoranda of Outreach,'' 2015.

    3. FDA. ``Appendix 3 to the Final Qualitative Risk Assessment: Risk of Activity/Food Combinations for Activities (Outside the Farm Definition) Conducted in a Facility Co-Located on a Farm,'' 2016.

    4. Avel, D., ``ISIS Calls for Poisoning and Running Down Westerners.'' The Algemeiner (http://www.algemeiner.com/2014/11/28/isis-calls-for-poisoning-and-running-down-westerners/#), November 28, 2014. Accessed December 15, 2015.

    5. Norton, R.A., ``Food Defense in the Age of Domestic Terrorism.'' Food Safety Magazine (http://www.foodsafetymagazine.com/enewsletter/food-defense-in-the-age-of-domestic-terrorism/), December 15, 2015. Accessed December 15, 2015.

    6. Valdmanis, R., ``Boston Bomb Suspect Influenced by Al Qaeda: Expert Witness.'' Reuters (http://www.reuters.com/article/us-boston-bombings-trial-idUSKBN0MJ0Z620150323), March 23, 2015. Accessed December 15, 2015.

    7. Faiola, A., and S. Mekhennet, ``Paris Attacks Were Carried Out by Three Groups Tied to Islamic State, Official Says.'' The Washington Post (https://www.washingtonpost.com/world/string-of-paris-terrorist-attacks-leaves-over-120-dead/2015/11/14/066df55c-8a73-11e5-bd91-d385b244482f_story.html), November 15, 2015. Accessed December 15, 2015.

    8. ``Toxins Tie Suspect to Poisonings.'' The Japan Times (http://www.japantimes.co.jp/news/2014/01/26/national/crime-legal/toxins-tie-suspect-to-poisonings/#.VvBCLnn2ZD9) January 26, 2014. Accessed December 14, 2015.

    9. ``Toshiki Abe Arrested for Poisoning Frozen Food in Japan.'' news.com.au (http://www.news.com.au/world/toshiki-abe-arrested-for-poisoning-frozen-in-japan/story-fndir2ev-1226810502913) January 25, 2014. Accessed December 15, 2015.

    10. Global Food Safety Initiative. ``GFSI Guidance Document Version 6.3.'' (http://www.mygfsi.com/images/mygfsi/gfsifiles/information-kit/GFSI_Guidance_Document.pdf), 2012.

    11. Safe Quality Food Institute. ``SQF Code: A HACCP-Based Supplier Assurance Code for the Food Industry, Edition 7.1'' April 2013.

    12. International Featured Standards. ``IFS Food: Standard for Auditing Quality and Food Safety of Food Products, Version 6.'' (http://www.ifscertification.com/images/ifs_standards/ifs6/IFS_Food_V6_en.pdf) January 2012. Accessed November 10, 2015.

    13. Hamilton, P.J., ``Center for Food Safety, et al. v. Margaret A. Hamburg, M.D. Order Granting Injunctive Relief.'' United States District Court Northern District of California. http://www.centerforfoodsafety.org/files/fsma-remedy-order_52466.pdf, June 21, 2013.

    14. FDA. ``Mitigation Strategies to Protect Food Against Intentional Adulteration: Regulatory Impact Analysis, Regulatory Flexibility Analysis, and Unfunded Mandates Reform Act Analysis,'' 2016.

    15. FDA Memorandum. ``Memo Detailing an Evaluation of the Potential For Wide-Scale Public Health Harm Resulting From Intentional Adulteration Of Mineral oil When Used as a Dust Control Agent During Storage and Handling Raw Grain,'' November 16, 2015.

    16. FDA. ``CPG Sec. 555.300 Foods, Except Dairy Products--Adulteration With Salmonella,'' March 1995.

    17. FDA. ``Tribal Summary Impact Statement,'' 2016.

    18. FDA. ``Memorandum to the File: Environmental Analysis Related to the Final Rule on Mitigation Strategies to Protect Food Against Intentional Adulteration.'' February 2016.

      List of Subjects

      21 CFR Part 11

      Administrative practice and procedure, Computer technology, Reporting and recordkeeping requirements.

      21 CFR Part 121

      Food packaging, Foods.

      Therefore, under the Federal Food, Drug, and Cosmetic Act and under authority delegated to the Commissioner of Food and Drugs, 21 CFR Chapter 1 is amended as follows:

      PART 11--ELECTRONIC RECORDS; ELECTRONIC SIGNATURES

    19. The authority citation for part 11 continues to read as follows:

      Authority: 21 U.S.C. 321-393; 42 U.S.C. 262.

    20. In Sec. 11.1, add paragraph (o) to read as follows:

      Sec. 11.1 Scope.

      * * * * *

      (o) This part does not apply to records required to be established or maintained by part 121 of this chapter. Records that satisfy the requirements of part 121 of this chapter, but that also are required under other applicable statutory provisions or regulations, remain subject to this part.

    21. Add part 121 to read as follows:

      PART 121--MITIGATION STRATEGIES TO PROTECT FOOD AGAINST INTENTIONAL ADULTERATION

      Sec.

      Subpart A--General Provisions

      121.1 Applicability.

      121.3 Definitions.

      121.4 Qualifications of individuals who perform activities under subpart C of this part.

      121.5 Exemptions.

      Subpart B--Reserved

      Subpart C--Food Defense Measures

      121.126 Food defense plan.

      121.130 Vulnerability assessment to identify significant vulnerabilities and actionable process steps.

      121.135 Mitigation strategies for actionable process steps.

      121.138 Mitigation strategies management components.

      121.140 Food defense monitoring.

      121.145 Food defense corrective actions.

      121.150 Food defense verification.

      121.157 Reanalysis.

      Subpart D--Requirements Applying to Records That Must Be Established and Maintained

      121.301 Records subject to the requirements of this subpart.

      121.305 General requirements applying to records.

      121.310 Additional requirements applying to the food defense plan.

      121.315 Requirements for record retention.

      121.320 Requirements for official review.

      121.325 Public disclosure.

      121.330 Use of existing records.

      Subpart E--Compliance

      121.401 Compliance.

      Authority: 21 U.S.C. 331, 342, 350g, 350(i), 371, 374.

      Subpart A--General Provisions

      Sec. 121.1 Applicability.

      This part applies to the owner, operator or agent in charge of a domestic or foreign food facility that manufactures/processes, packs, or holds food for consumption in the United States and is required to register under section 415 of the Federal Food, Drug, and Cosmetic Act, unless one of the exemptions in Sec. 121.5 applies.

      Sec. 121.3 Definitions.

      The definitions and interpretations of terms in section 201 of the Federal Food, Drug, and Cosmetic Act are applicable to such terms when used in this part. The following definitions also apply:

      Actionable process step means a point, step, or procedure in a food process where a significant vulnerability exists and at which mitigation strategies can be applied and are essential to significantly minimize or prevent the significant vulnerability.

      Adequate means that which is needed to accomplish the intended purpose in keeping with good public health practices.

      Affiliate means any facility that controls, is controlled by, or is under common control with another facility.

      Calendar day means every day as shown on the calendar.

      Contaminant means, for purposes of this part, any biological, chemical, physical, or radiological agent that may be added to food to intentionally cause illness, injury, or death.

      Facility means a domestic facility or a foreign facility that is required to register under section 415 of the Federal Food, Drug, and Cosmetic Act, in accordance with the requirements of part 1, subpart H of this chapter.

      Farm means farm as defined in Sec. 1.227 of this chapter.

      FDA means the Food and Drug Administration.

      Food means food as defined in section 201(f) of the Federal Food, Drug, and Cosmetic Act and includes raw materials and ingredients.

      Food defense means, for purposes of this part, the effort to protect food from intentional acts of adulteration where there is an intent to cause wide scale public health harm.

      Food defense monitoring means to conduct a planned sequence of observations or measurements to assess whether mitigation strategies are operating as intended.

      Food defense verification means the application of methods, procedures, and other evaluations, in addition to food defense monitoring, to determine whether a mitigation strategy or combination of mitigation strategies is or has been operating as intended according to the food defense plan.

      Full-time equivalent employee is a term used to represent the number of employees of a business entity for the purpose of determining whether the business qualifies as a small business. The number of full-time equivalent employees is determined by dividing the total number of hours of salary or wages paid directly to employees of the business entity and of all of its affiliates and subsidiaries by the number of hours of work in 1 year, 2,080 hours (i.e., 40 hours x 52 weeks). If the result is not a whole number, round down to the next lowest whole number.

      Holding means storage of food and also includes activities performed incidental to storage of food (e.g., activities performed for the safe or effective storage of that food, such as fumigating food during storage, and drying/dehydrating raw agricultural commodities when the drying/dehydrating does not create a distinct commodity (such as drying/dehydrating hay or alfalfa)). Holding also includes activities performed as a practical necessity for the distribution of that food (such as blending of the same raw agricultural commodity and breaking down pallets), but does not include activities that transform a raw agricultural commodity into a processed food as defined in section 201(gg) of the Federal Food, Drug, and Cosmetic Act. Holding facilities could include warehouses, cold storage facilities, storage silos, grain elevators, and liquid storage tanks.

      Manufacturing/processing means making food from one or more ingredients, or synthesizing, preparing, treating, modifying or manipulating food, including food crops or ingredients. Examples of manufacturing/processing activities include: Baking, boiling, bottling, canning, cooking, cooling, cutting, distilling, drying/dehydrating raw agricultural commodities to create a distinct commodity (such as drying/dehydrating grapes to produce raisins), evaporating, eviscerating, extracting juice, formulating, freezing, grinding, homogenizing, irradiating, labeling, milling, mixing, packaging (including modified atmosphere packaging), pasteurizing, peeling, rendering, treating to manipulate ripening, trimming, washing, or waxing. For farms and farm mixed-type facilities, manufacturing/processing does not include activities that are part of harvesting, packing, or holding.

      Mitigation strategies mean those risk-based, reasonably appropriate measures that a person knowledgeable about food defense would employ to significantly minimize or prevent significant vulnerabilities identified at actionable process steps, and that are consistent with the current scientific understanding of food defense at the time of the analysis.

      Mixed-type facility means an establishment that engages in both activities that are exempt from registration under section 415 of the Federal Food, Drug, and Cosmetic Act and activities that require the establishment to be registered. An example of such a facility is a ``farm mixed-type facility,'' which is an establishment that is a farm, but also conducts activities outside the farm definition that require the establishment to be registered.

      Packing means placing food into a container other than packaging the food and also includes re-packing and activities performed incidental to packing or re-packing a food (e.g., activities performed for the safe or effective packing or re-packing of that food (such as sorting, culling, grading, and weighing or conveying incidental to packing or re-packing)), but does not include activities that transform a raw agricultural commodity into a processed food as defined in section 201(gg) of the Federal Food, Drug, and Cosmetic Act.

      Qualified individual means a person who has the education, training, or experience (or a combination thereof) necessary to perform an activity required under subpart C of this part, as appropriate to the individual's assigned duties. A qualified individual may be, but is not required to be, an employee of the establishment.

      Significant vulnerability means a vulnerability that, if exploited, could reasonably be expected to cause wide scale public health harm. A significant vulnerability is identified by a vulnerability assessment conducted by a qualified individual, that includes consideration of the following: (1) Potential public health impact (e.g., severity and scale) if a contaminant were added, (2) degree of physical access to the product, and (3) ability of an attacker to successfully contaminate the product. The assessment must consider the possibility of an inside attacker.

      Significantly minimize means to reduce to an acceptable level, including to eliminate.

      Small business means, for purposes of this part, a business (including any subsidiaries and affiliates) employing fewer than 500 full-time equivalent employees.

      Subsidiary means any company which is owned or controlled directly or indirectly by another company.

      Very small business means, for purposes of this part, a business (including any subsidiaries and affiliates) averaging less than $10,000,000, adjusted for inflation, per year, during the 3-year period preceding the applicable calendar year in sales of human food plus the market value of human food manufactured, processed, packed, or held without sale (e.g., held for a fee).

      Vulnerability means the susceptibility of a point, step, or procedure in a facility's food process to intentional adulteration.

      You means, for purposes of this part, the owner, operator, or agent in charge of a facility.

      Sec. 121.4 Qualifications of individuals who perform activities under subpart C of this part.

      (a) Applicability. You must ensure that each individual who performs activities required under subpart C of this part is a qualified individual as that term is defined in Sec. 121.3.

      (b) Qualifications of individuals assigned to an actionable process step. Each individual assigned to an actionable process step (including temporary and seasonal personnel) or in the supervision thereof must:

      (1) Be a qualified individual as that term is defined in Sec. 121.3--i.e., have the appropriate education, training, or experience (or a combination thereof) necessary to properly implement the mitigation strategy or combination of mitigation strategies at the actionable process step; and

      (2) Receive training in food defense awareness.

      (c) Qualifications of individuals for certain activities described in paragraph (c)(3) of this section. Each individual assigned to certain activities described in paragraph (c)(3) of this section must:

      (1) Be a qualified individual as that term is defined in Sec. 121.3--i.e., have the appropriate education, training, or experience (or a combination thereof) necessary to properly perform the activities; and

      (2) Have successfully completed training for the specific function at least equivalent to that received under a standardized curriculum recognized as adequate by FDA or be otherwise qualified through job experience to conduct the activities. Job experience may qualify an individual to perform these functions if such experience has provided an individual with knowledge at least equivalent to that provided through the standardized curriculum. This individual may be, but is not required to be, an employee of the facility.

      (3) One or more qualified individuals must do or oversee:

      (i) The preparation of the food defense plan as required in Sec. 121.126;

      (ii) The conduct of a vulnerability assessment as required in Sec. 121.130;

      (iii) The identification and explanation of the mitigation strategies as required in Sec. 121.135; and

      (iv) Reanalysis as required in Sec. 121.157.

      (d) Additional qualifications of supervisory personnel. Responsibility for ensuring compliance by individuals with the requirements of this part must be clearly assigned to supervisory personnel with a combination of education, training, and experience necessary to supervise the activities under this subpart.

      (e) Records. Training required by paragraphs (b)(2) and (c)(2) of this section must be documented in records, and must:

      (1) Include the date of training, the type of training, and the persons trained; and

      (2) Be established and maintained in accordance with the requirements of subpart D of this part.

      Sec. 121.5 Exemptions.

      (a) This part does not apply to a very small business, except that a very small business must, upon request, provide for official review documentation sufficient to show that the facility meets this exemption. Such documentation must be retained for 2 years.

      (b) This part does not apply to the holding of food, except the holding of food in liquid storage tanks.

      (c) This part does not apply to the packing, re-packing, labeling, or re-labeling of food where the container that directly contacts the food remains intact.

      (d) This part does not apply to activities of a farm that are subject to section 419 of the Federal Food, Drug, and Cosmetic Act (Standards for Produce Safety).

      (e)(1) This part does not apply with respect to alcoholic beverages at a facility that meets the following two conditions:

      (i) Under the Federal Alcohol Administration Act (27 U.S.C. 201 et seq.) or chapter 51 of subtitle E of the Internal Revenue Code of 1986 (26 U.S.C. 5001 et seq.) the facility is required to obtain a permit from, register with, or obtain approval of a notice or application from the Secretary of the Treasury as a condition of doing business in the United States, or is a foreign facility of a type that would require such a permit, registration, or approval if it were a domestic facility; and

      (ii) Under section 415 of the Federal Food, Drug, and Cosmetic Act the facility is required to register as a facility because it is engaged in manufacturing, processing, packing, or holding one or more alcoholic beverages.

      (2) This part does not apply with respect to food that is not an alcoholic beverage at a facility described in paragraph (e)(1) of this section, provided such food:

      (i) Is in prepackaged form that prevents any direct human contact with such food; and

      (ii) Constitutes not more than 5 percent of the overall sales of the facility, as determined by the Secretary of the Treasury.

      (f) This part does not apply to the manufacturing, processing, packing, or holding of food for animals other than man.

      (g) This part does not apply to on-farm manufacturing, processing, packing, or holding of the following foods on a farm mixed-type facility, when conducted by a small or very small business if such activities are the only activities conducted by the business subject to section 418 of the Federal Food, Drug, and Cosmetic Act.

      (1) Eggs (in-shell, other than raw agricultural commodities, e.g., pasteurized); and

      (2) Game meats (whole or cut, not ground or shredded, without secondary ingredients).

      Subpart B--Reserved

      Subpart C--Food Defense Measures

      Sec. 121.126 Food defense plan.

      (a) Requirement for a food defense plan. You must prepare, or have prepared, and implement a written food defense plan.

      (b) Contents of a food defense plan. The written food defense plan must include:

      (1) The written vulnerability assessment, including required explanations, to identify significant vulnerabilities and actionable process steps as required by Sec. 121.130(c);

      (2) The written mitigation strategies, including required explanations, as required by Sec. 121.135(b);

      (3) The written procedures for the food defense monitoring of the implementation of the mitigation strategies as required by Sec. 121.140(a);

      (4) The written procedures for food defense corrective actions as required by Sec. 121.145(a)(1); and

      (5) The written procedures for food defense verification as required by Sec. 121.150(b).

      (c) Records. The food defense plan required by this section is a record that is subject to the requirements of subpart D of this part.

      Sec. 121.130 Vulnerability assessment to identify significant vulnerabilities and actionable process steps.

      (a) Requirement for a vulnerability assessment. You must conduct or have conducted a vulnerability assessment for each type of food manufactured, processed, packed, or held at your facility using appropriate methods to evaluate each point, step, or procedure in your food operation to identify significant vulnerabilities and actionable process steps. Appropriate methods must include, at a minimum, an evaluation of:

      (1) The potential public health impact (e.g., severity and scale) if a contaminant were added;

      (2) The degree of physical access to the product; and

      (3) The ability of an attacker to successfully contaminate the product.

      (b) Inside attacker. The assessment must consider the possibility of an inside attacker.

      (c) Written vulnerability assessment. Regardless of the outcome, the vulnerability assessment must be written and must include an explanation as to why each point, step, or procedure either was or was not identified as an actionable process step.

      Sec. 121.135 Mitigation strategies for actionable process steps.

      (a) You must identify and implement mitigation strategies at each actionable process step to provide assurances that the significant vulnerability at each step will be significantly minimized or prevented and the food manufactured, processed, packed, or held by your facility will not be adulterated under section 402 of the Federal Food, Drug, and Cosmetic Act. For each mitigation strategy implemented at each actionable process step, you must include a written explanation of how the mitigation strategy sufficiently minimizes or prevents the significant vulnerability associated with the actionable process step.

      (b) Mitigation strategies and accompanying explanations must be written.

      Sec. 121.138 Mitigation strategies management components.

      Mitigation strategies required under Sec. 121.135 are subject to the following mitigation strategies management components as appropriate to ensure the proper implementation of the mitigation strategies, taking into account the nature of each such mitigation strategy and its role in the facility's food defense system:

      (a) Food defense monitoring in accordance with Sec. 121.140;

      (b) Food defense corrective actions in accordance with Sec. 121.145; and

      (c) Food defense verification in accordance with Sec. 121.150.

      Sec. 121.140 Food defense monitoring.

      As appropriate to the nature of the mitigation strategy and its role in the facility's food defense system:

      (a) Written procedures. You must establish and implement written procedures, including the frequency with which they are to be performed, for food defense monitoring of the mitigation strategies.

      (b) Food defense monitoring. You must monitor the mitigation strategies with adequate frequency to provide assurances that they are consistently performed.

      (c) Records--(1) Requirement to document food defense monitoring. You must document the monitoring of mitigation strategies in accordance with this section in records that are subject to verification in accordance with Sec. 121.150(a)(1) and records review in accordance with Sec. 121.150(a)(3)(i).

      (2) Exception records. Records may be affirmative records demonstrating the mitigation strategy is functioning as intended. Exception records demonstrating the mitigation strategy is not functioning as intended may be adequate in some circumstances.

      Sec. 121.145 Food defense corrective actions.

      (a) Food defense corrective action procedures. As appropriate to the nature of the actionable process step and the nature of the mitigation strategy:

      (1) You must establish and implement written food defense corrective action procedures that must be taken if mitigation strategies are not properly implemented.

      (2) The food defense corrective action procedures must describe the steps to be taken to ensure that:

      (i) Appropriate action is taken to identify and correct a problem that has occurred with implementation of a mitigation strategy; and

      (ii) Appropriate action is taken, when necessary, to reduce the likelihood that the problem will recur.

      (b) Records. All food defense corrective actions taken in accordance with this section must be documented in records that are subject to food defense verification in accordance with Sec. 121.150(a)(2) and records review in accordance with Sec. 121.150(a)(3)(i).

      Sec. 121.150 Food defense verification.

      (a) Food defense verification activities. Food defense verification activities must include, as appropriate to the nature of the mitigation strategy and its role in the facility's food defense system:

      (1) Verification that food defense monitoring is being conducted as required by Sec. 121.138 (and in accordance with Sec. 121.140);

      (2) Verification that appropriate decisions about food defense corrective actions are being made as required by Sec. 121.138 (and in accordance with Sec. 121.145);

      (3) Verification that mitigation strategies are properly implemented and are significantly minimizing or preventing the significant vulnerabilities. To do so, you must conduct activities that include the following, as appropriate to the facility, the food, and the nature of the mitigation strategy and its role in the facility's food defense system:

      (i) Review of the food defense monitoring and food defense corrective actions records within appropriate timeframes to ensure that the records are complete, the activities reflected in the records occurred in accordance with the food defense plan, the mitigation strategies are properly implemented, and appropriate decisions were made about food defense corrective actions; and

      (ii) Other activities appropriate for verification of proper implementation of mitigation strategies; and

      (4) Verification of reanalysis in accordance with Sec. 121.157.

      (b) Written procedures. You must establish and implement written procedures, including the frequency for which they are to be performed, for verification activities conducted according to Sec. 121.150(a)(3)(ii).

      (c) Documentation. All verification activities conducted in accordance with this section must be documented in records.

      Sec. 121.157 Reanalysis.

      (a) You must conduct a reanalysis of the food defense plan, as a whole at least once every 3 years;

      (b) You must conduct a reanalysis of the food defense plan as a whole, or the applicable portion of the food defense plan:

      (1) Whenever a significant change made in the activities conducted at your facility creates a reasonable potential for a new vulnerability or a significant increase in a previously identified vulnerability;

      (2) Whenever you become aware of new information about potential vulnerabilities associated with the food operation or facility;

      (3) Whenever you find that a mitigation strategy, a combination of mitigation strategies, or the food defense plan as a whole is not properly implemented; and

      (4) Whenever FDA requires reanalysis to respond to new vulnerabilities, credible threats to the food supply, and developments in scientific understanding including, as appropriate, results from the Department of Homeland Security biological, chemical, radiological, or other terrorism risk assessment.

      (c) You must complete such reanalysis required by paragraphs (a) and (b) of this section and implement any additional mitigation strategies needed to address the significant vulnerabilities identified, if any:

      (1) Before any change in activities (including any change in mitigation strategy) at the facility is operative;

      (2) When necessary within 90-calendar days after production; and

      (3) Within a reasonable timeframe, providing a written justification is prepared for a timeframe that exceeds 90 days after production of the applicable food first begins.

      (d) You must revise the written food defense plan if a significant change in the activities conducted at your facility creates a reasonable potential for a new vulnerability or a significant increase in a previously identified vulnerability or document the basis for the conclusion that no revisions are needed.

      Subpart D--Requirements Applying to Records That Must Be Established and Maintained

      Sec. 121.301 Records subject to the requirements of this subpart.

      (a) Except as provided by paragraph (b) of this section, all records required by subpart C of this part are subject to all requirements of this subpart.

      (b) The requirements of Sec. 121.310 apply only to the written food defense plan.

      Sec. 121.305 General requirements applying to records.

      Records must:

      (a) Be kept as original records, true copies (such as photocopies, pictures, scanned copies, microfilm, microfiche, or other accurate reproductions of the original records), or electronic records;

      (b) Contain the actual values and observations obtained during food defense monitoring;

      (c) Be accurate, indelible, and legible;

      (d) Be created concurrently with performance of the activity documented;

      (e) Be as detailed as necessary to provide history of work performed; and

      (f) Include:

      (1) Information adequate to identify the facility (e.g., the name, and when necessary, the location of the facility);

      (2) The date and, when appropriate, the time of the activity documented;

      (3) The signature or initials of the person performing the activity; and

      (4) Where appropriate, the identity of the product and the lot code, if any.

      (g) Records that are established or maintained to satisfy the requirements of this part and that meet the definition of electronic records in Sec. 11.3(b)(6) of this chapter are exempt from the requirements of part 11 of this chapter. Records that satisfy the requirements of this part, but that also are required under other applicable statutory provisions or regulations, remain subject to part 11 of this chapter.

      Sec. 121.310 Additional requirements applying to the food defense plan.

      The owner, operator, or agent in charge of the facility must sign and date the food defense plan:

      (a) Upon initial completion; and

      (b) Upon any modification.

      Sec. 121.315 Requirements for record retention.

      (a)(1) All records required by this part must be retained at the facility for at least 2 years after the date they were prepared.

      (2) Records that a facility relies on during the 3-year period preceding the applicable calendar year to support its status as exempt as a very small business must be retained at the facility as long as necessary to support the status of a facility as a very small business during the applicable calendar year.

      (b) The food defense plan must be retained for at least 2 years after its use is discontinued.

      (c) Except for the food defense plan, offsite storage of records is permitted if such records can be retrieved and provided onsite within 24 hours of request for official review. The food defense plan must remain onsite. Electronic records are considered to be onsite if they are accessible from an onsite location.

      (d) If the facility is closed for a prolonged period, the food defense plan may be transferred to some other reasonably accessible location but must be returned to the facility within 24 hours for official review upon request.

      Sec. 121.320 Requirements for official review.

      All records required by this part must be made promptly available to a duly authorized representative of the Secretary of Health and Human Services for official review and copying upon oral or written request.

      Sec. 121.325 Public disclosure.

      Records required by this part will be protected from public disclosure to the extent allowable under part 20 of this chapter.

      Page 34223

      Sec. 121.330 Use of existing records.

      (a) Existing records (e.g., records that are kept to comply with other Federal, State, or local regulations, or for any other reason) do not need to be duplicated if they contain all of the required information and satisfy the requirements of this subpart. Existing records may be supplemented as necessary to include all of the required information and satisfy the requirements of this subpart.

      (b) The information required by this part does not need to be kept in one set of records. If existing records contain some of the required information, any new information required by this part may be kept either separately or combined with the existing records.

      Subpart E--Compliance

      Sec. 121.401 Compliance.

      (a) The operation of a facility that manufactures, processes, packs, or holds food for sale in the United States if the owner, operator, or agent in charge of such facility is required to comply with, and is not in compliance with, section 418 of the Federal Food, Drug, and Cosmetic Act or subparts C or D of this part is a prohibited act under section 301(uu) of the Federal Food, Drug, and Cosmetic Act.

      (b) The failure to comply with section 420 of the Federal Food, Drug, and Cosmetic Act or subparts C or D of this part is a prohibited act under section 301(ww) of the Federal Food, Drug, and Cosmetic Act.

      Dated: May 20, 2016.

      Leslie Kux,

      Associate Commissioner for Policy.

      FR Doc. 2016-12373 Filed 5-26-16; 8:45 am

      BILLING CODE 4164-01-P
