FSMA Food Defense Rule Requires Firms to Address Risk of Terrorism

May 31, 2016

In an effort to prevent wide-scale public harm through the nation’s food supply from acts of terrorism, the U.S. Food and Drug Administration (FDA) has published its final rule regarding Mitigation Strategies to Protect Food Against Intentional Adulteration (the “Food Defense Rule”). Covered domestic and foreign food facilities for the first time will be required to prepare written food defense plans based on identified vulnerabilities at each facility, monitor and verify mitigation strategies, prepare for corrective actions, and ensure that personnel are properly trained and maintain appropriate records. The rule focuses on larger companies whose food products are more likely to reach greater numbers of people. Smaller companies and specific products and sectors of the industry are exempt from the requirements.

The Food Defense Rule is the seventh and final major substantive rule to implement the landmark provisions of the FDA Food Safety Modernization Act (FSMA), the most sweeping reform of the nation’s food safety system in 70 years. The Food Defense Rule builds on the Hazard Analysis and Risk-Based Preventive Controls Rules for Human and Animal Food, the Produce Safety Rule, the Foreign Supplier Verification Rule, the Third-Party Certification Rule, and the Sanitary Transport Rule. Together, these rules reflect a shift toward developing a food safety system focused on preventing adulteration before it occurs rather than one focused on responding to contamination after it happens.

Here are the highlights from the final Food Defense Rule:

Focus on Inside Attacks and Massive Public Health Impact

FDA clarifies in the final rule that its focus is on “the inside attacker” who gains access to a facility with the intention of causing wide-scale public harm or massive public health impact through an act of terrorism directed at the nation’s food supply. FDA gives the example of a contract employee who exploited access to prepackaged fish at a foreign facility in 2013 and injected the fish with the pesticide malathion. Although FDA notes that authorities believed the motivation was to harm the company and not the public, FDA points to the subsequent recall of 6.4 million packages of fish as an example of the kind of harm that can be caused by an inside attacker. FDA also asserts that its focus on internal attacks is supported by FDA’s consultations with the intelligence community, and with what FDA characterizes as a general trend in recent terrorist activity toward locally planned and implemented attacks.

Written Food Defense Plans Based on Vulnerability Assessments

The Food Defense Rule will require each covered facility to develop a written food defense plan based on a vulnerability assessment and an identification of “actionable process steps” where mitigation strategies are needed to minimize or prevent a “significant vulnerability” of potential wide-scale public harm. The vulnerability assessment must be conducted for each food product by a “qualified individual” and should consider (1) the severity and scale of any potential public health impact, (2) the degree of physical access to the product, and (3) the ability of any attacker to contaminate the product. The assessment also must consider the possibility of an inside attacker. The assessment must include an explanation as to why every step in the food operation was or was not identified as an “actionable process step” where mitigation is necessary. FDA indicates that the written vulnerability assessment will be important in evaluating compliance if a facility concludes that it has no significant vulnerabilities.

Focused Mitigation Strategies, Corrective Actions and Verification Measures

Each facility’s written food defense plan must identify mitigation strategies for each actionable process step and explain how the specific mitigation strategy sufficiently minimizes or prevents the significant vulnerability associated with the actionable process step. Procedures to monitor mitigation strategies must be written and monitoring activities must be documented. The effectiveness of any mitigation strategies also must be verified and corrective actions must be taken to address failed mitigation efforts. The food defense plan must be reanalyzed at least once every three years or as needed (e.g., if a change at the facility requires reassessment or FDA requires reanalysis to respond to a specific threat).

Comparison of “Actionable Process Steps” to HARPC and HACCP

The Food Defense Rule takes a comprehensive and systematic approach to intentional adulteration that is similar to Hazard Analysis and Critical Control Points (HACCP) or Hazard Analysis and Risk-Based Preventive Controls (HARPC) analysis, but with some important differences. Primarily, FDA emphasizes that managing the threat of intentional adulteration at certain “actionable process steps” requires more flexibility than HACCP or HARPC. Improper implementation of HACCP or HARPC is more likely to lead to contamination than insufficient food defense mitigation. Accordingly, the Preventive Controls Rules require a facility to evaluate all affected food when a preventive control has not been implemented correctly or has been found to be ineffective. There is no similar requirement in the Food Defense Rule. Food defense strategies are more likely to focus on reducing physical access to a process step and not on how a process step should be implemented pursuant to HACCP or HARPC. In this respect, HACCP and HARPC are more susceptible to scientific validation. Under HACCP or HARPC, verification of a control might require validation, calibration, and environmental reporting. No similar requirements are specifically set forth in the Food Defense Rule, although verification is generally required. The bottom line is that most facilities covered by the Food Defense Rule also will have HACCP or HARPC plans, but those plans will not be sufficient to address intentional adulteration for the Food Defense Rule.

Whatever You Are Doing Already – It’s Likely Not Enough

Firms covered by the final rule may already be subject to or participate in food defense activities through other government agencies or voluntary industry organizations. For example, food defense programs are conducted by the Department of Homeland Security’s Customs-Trade Partnership Against Terrorism (C-TPAT), the Chemical Facility Anti-Terrorism Standards (CFATS), and the USDA Food Safety and Inspection Services (FSIS) food defense template. Voluntary industry standards also have been established by the Global Food Safety Initiative (GFSI), the International Featured Standards (IFS) Food Standard, and the Safe Quality Foods (SQF) Code. Although participation in such programs may decrease a facility’s vulnerability to intentional adulteration, FDA emphasizes that compliance with these other agency and industry standards will not be sufficient to comply with the Food Defense Rule. FDA does state that existing records may be used to comply with the new requirements, and that it might consider participation in such programs when prioritizing risk-based inspections of food facilities.

Protecting the Security of Food Defense Information

The Food Defense Rule requires documentation and related recordkeeping of a facility’s compliance efforts in addition to requiring a written food defense plan. In response to concerns regarding the sensitivity of food defense information, FDA confirms that food defense plans “generally” will meet the definition of a “trade secret” that is protected from disclosure under the Freedom of Information Act (FOIA). FDA also acknowledges that “food defense plans will take each facility time and money to develop” and “[t]here is value in a plan to a company that produces it for no other reason than it took work to write” and “[t]he equity in such a product is not readily given away to competitors.” This is a helpful clarification, but it also reflects the specificity that FDA will expect in a food defense plan. According to FDA, “plant configurations will be unique to individual processors, or at least have unique features,” and facilities will need to tailor a food defense plan to its “individual circumstances.”


All personnel who are assigned to an “actionable process step” (including temporary and seasonal personnel) and their supervisors must be “qualified individuals” with the appropriate education, training or experience to properly implement the mitigation strategy required at the actionable process step. Each qualified individual also must receive training in food defense awareness. Additionally, the qualified individual who prepares the food defense plan (including the vulnerability assessment, mitigation strategies and periodic reanalysis) must either complete training under a standardized curriculum recognized as adequate by FDA or have equivalent knowledge from work experience. FDA is in the initial stages of establishing an Intentional Adulteration subcommittee within the Food Safety Preventive Controls Alliance operated out of the Institute for Food Safety and Health at the Illinois Institute for Technology. FDA plans for this subcommittee to develop training materials for industry and to use the same curriculum to train FDA inspectors who will be enforcing the new requirements.


The Food Defense Rule exempts businesses (including subsidiaries and affiliates) that average less than $10 million per year, during the preceding three-year period, in sales of human food plus the market value of food manufactured, processed, or held without sale. FDA’s statutory mandate is to focus on foods for which there is the highest risk of intentional adulteration, and for the purposes of the new rule, FDA has interpreted “high risk” to mean large manufacturers whose products reach the greatest number of people. According to FDA, the new requirements cover 3,400 firms that operate 9,800 food facilities, or 97 to 98 percent of the market share of all manufactured packaged foods. The final rule also does not apply to: (i) the “holding” of food, except for the holding of food in liquid storage tanks; (ii) the packing, repacking, labeling or relabeling of food where the container directly contacting the food remains intact; (iii) activities of a “farm” that are subject to the Produce Safety Rule; (iv) certain alcoholic beverages; (v) animal food; and (vi) on-farm manufacturing, processing, packing or holding of certain food for low-risk production practices by small businesses that conduct only such low-risk activities.

Compliance Dates

The Food Defense Rule is effective July 26, 2016. Most businesses will have three years after the effective date to comply. Small businesses with less than 500 employees will have four years to comply. Very small businesses not otherwise required to comply with the rule must still, upon request, provide documentation that they are eligible for the exemption, and will have five years to comply with the rule.


The Food Defense Rule is a unique rule that adds to the already extensive requirements imposed on domestic and foreign food facilities under FSMA. Firms that are covered by the new regulations should review the new requirements and integrate food defense mitigation strategies into their safety plans.

The Food and Beverage Industry Team at McGuireWoods LLP has extensive experience advising clients regarding regulatory and litigation matters. We assist companies who are threatened with potential litigation or regulatory enforcement, and we provide counsel about how to mitigate these threats and comply with the new FSMA regulations.