Developing a Food Defense Plan

Learn how to meet compliance requirements in the Food Safety Modernization Act (FSMA) rule on preventing intentional contamination.


The Food Safety Modernization Act, or FSMA, has 7 primary rules that have been enacted with a goal of improving food safety in the US. The next FSMA rule with compliance dates on the horizon is the food defense rule which focuses on the prevention of intentional contamination. This FDA rule, “Mitigation Strategies to Protect Against Intentional Adulteration”, or ‘IA’ rule, was finalized in May of 2016 with compliance slated to begin in 2019. The IA rule applies to food companies registered with the FDA who are involved in the production, transport, storage, or distribution of food for sale to the public. Large companies, defined as having 500 or more employees, must comply by July 26, 2019, while small companies’ compliance date is a year later, July 2020. Very small businesses, having less than $10,000,000 in annual sales, are exempt, but have to be able to demonstrate that they are classified as a very small company.

The goal of this rule is for companies to establish control measures to prevent or minimize the risk that a person or group intentionally contaminates food with the intent of public harm. Intentional contamination includes:

  1. Tampering, the intentional modification of a product in a way that would be harmful to the consumer
  2. Terrorism, contamination by domestic or foreign aggressors for political or ideological reasons
  3. Contamination by disgruntled employees who may have a personal vendetta or have been bribed or manipulated by an outside source

In order to prevent these types of intentional contamination, companies are required by the IA rule to develop a Food Defense Plan. As components of this plan, companies must assess their operation to determine vulnerable points where product or ingredients are accessible and could become contaminated, and then develop and implement mitigation strategies to eliminate or reduce the risk at those vulnerable points. As part of these mitigation strategies, written procedures for monitoring, verification, and corrective actions are required. Record keeping is an essential part of the program and is required for the written vulnerability assessment, the mitigation strategy components, as well as training.

Penn State Extension’s Food Safety and Quality Team has been involved with supporting food defense initiatives with our industry partners for over a decade. While this new rule may seem complicated, it can be easily accomplished by following this roadmap.

If you are familiar with Hazard Analysis Critical Control Point (HACCP) development and implementation, you will see that this approach is similar. With food defense, however, we focus on controlling vulnerabilities of the operation to an attacker who attempts to contaminate food rather than controlling known food safety risks associated with the ingredients and process.

Assemble the Food Defense Team

The Food Defense Team is responsible for development, implementation, and maintenance of the Food Defense Plan. Similar to a HACCP food safety team, a food defense team should be comprised of members from various functions within the organization. Membership should include people from human resources, maintenance, sanitation, purchasing, quality, distribution and production. It is important that the knowledge base cover all shifts and all major facets of the operation.

Appoint a Food Defense Coordinator

The Food Defense Coordinator leads the Food Defense Team and has overall responsibility for the development, implementation, and maintenance of the Food Defense Plan. The selected person should have an overall knowledge of the operation as well as the authority to enact policies and procedures.


The IA rule requires all individuals who are performing activities under the rule to be qualified to perform those functions. As stated in the regulation, this ‘Qualified Individual’, or ‘QI’ is “a person who has the education, training, or experience (or a combination thereof) necessary to perform their assigned activities”. In addition, workers assigned to actionable process steps and their supervisors must complete food defense awareness training. In fact, every worker should be trained on the issue of food defense, most importantly to notify management when something does not seem right. Records must be kept on training activities.

Conduct an initial assessment

Before conducting the more formalized vulnerability assessment, it is good to have an understanding of many of the controls that are already in place. Many of these controls are considered broad-based controls, or mitigations, because these are not particular to a given process within the facility, but rather impact the overall facility. Broad-based mitigations can include procedures for employee and visitor access to the facility, hiring practices, loading and unloading of transport vehicles, exterior facility conditions such as building exterior lighting or fences, interior conditions (layout, lighting), and policies on employee access within the facility. In this evaluation, it is important to consider mitigations that are part of other programs such as HACCP, SSOPs (standard sanitation operating procedures), or base GMPs. Facilities normally find that there are many controls already in place that can be considered mitigations against intentional contamination.

Determine and address gaps within the broad-based controls

When assessing broad-based controls, it is important to evaluate whether these controls are being properly managed. For example, your company may have a requirement for visitors to sign in before entering the facility, but you find that IDs are not being checked as required, or that some ‘frequent’ visitors don’t sign in at all. Your company may have a requirement that non-access doors remain shut, but you find that employees open these doors during production to allow fresh air into their working area.

It is also important to ask whether additional procedures are needed. The team may find that the company does not have a procedure for controlling the entrances associated with the loading docks. In this case, a keyed entry may be needed or a procedure for drivers to call the dock manager to gain entrance.

Conduct the vulnerability assessment

The goal of the vulnerability assessment is to evaluate the process steps used within the facility and determine which points in the process offer risk for contamination. The process steps that are most vulnerable are ones which offer greater accessibility or can create uniform distribution of a contaminant throughout a product batch. These points of highest risk are called our Actionable Points – points where significant vulnerability exists and where mitigation strategies will be needed to reduce this risk.

There are a number of assessment tools available from FDA and USDA, although the FSMA IA rule doesn’t have a requirement as to which specific assessment tool must be used. An accurate flow diagram of each process or processes must be available. Beginning at the point of receipt, the assessment looks at each step in the process evaluating:

  1. The public impact at that point if a contamination event would occur
  2. The degree of physical access – can the attacker get access to that food
  3. The ability of the attacker to successfully contaminate the product – can they add a sufficient amount of a contaminant without being detected

The goal is to find the points with the biggest risk. The assessment tool will provide a numerical score, and with this, a facility can rank the process steps in order of most vulnerable.

It is important to take broad-based controls into account when completing the assessment. Also, when conducting the vulnerability assessment, the regulation requires that we take an ‘insider attack’ into account. An ‘insider attack’ often represents a worst-case scenario.

The vulnerability assessment is a required document for compliance. It must be written and must include an explanation as to why the step was considered, or not considered, an actionable point.

In general, these are some points that have normally been found to be considered actionable points:

  • Bulk liquid receiving and loading
  • Liquid storage and handling
  • Secondary ingredient handling
  • Mixing and blending activities

Determine Mitigation Strategies

For each of the actionable points identified, mitigation strategies must be determined that will significantly minimize or prevent intentional contamination, and thus reduce the level of vulnerability. Controls can be a single mitigation strategy or a combination of strategies.

On its website, FDA offers a Mitigation Strategies Database to assist with identifying preventive measures that can be used. Within the database, there are a variety of measures listed for numerous different types of process steps. Some of the listed mitigations for a given process step type will be more appropriate than others and it is up to the Food Defense Team to determine what will work best depending on their specific situation.

Develop Management Components for Each Mitigation Strategy

For each mitigation strategy determined for an actionable point, monitoring, corrective actions, and verification procedures must be developed. These form the system that ensures that the given mitigation strategy is being properly implemented and is capable of reducing significant vulnerabilities.

For the food defense monitoring requirement, facilities must have written procedures, including the frequency they are to be performed. Monitoring must be documented so that these records can be verified. There must also be written corrective action procedures for when mitigation strategies are not properly implemented. Food defense verification procedures ensure that monitoring activities are being completed as planned, that appropriate corrective action decisions are being made, and that records are reviewed.

Like HACCP-based systems, food defense plans need to be verified through a periodic reassessment. At a minimum, reanalysis should be conducted every three years, but should be done immediately if there are significant changes to the operation, when new information becomes available about a new vulnerability, when the mitigation strategies are found to be inadequate, or new information becomes available about a given threat.

Maintain Required Records

The following records are required to be maintained:

  1. The food defense plan including the vulnerability assessment and determination of actionable steps
  2. Food defense monitoring records, corrective action and verification records, as well as reanalysis activity records
  3. Training documentation

In summary, a Food Defense Plan can be easily developed through careful and thoughtful analysis of the operation with an eye towards identifying the most vulnerable points in the operation. From this assessment, mitigation strategies are put in place for these vulnerable points. In many cases, these mitigation strategies should not require an extensive capital outlay, but rather, may just be adjustments or added procedures that result in reducing how accessible these vulnerable points are.

FDA has a website dedicated to providing information on Food Defense and the IA rule. The process of writing a Food Defense Plan can be facilitated by attending a food defense workshop such as the one periodically offered by Penn State Extension.

External Resources

FDA FSMA food defense website contains a Food Defense Plan Builder, recent FDA education and outreach activities, and links to the regulation and guidance documents.

Penn State's Food Defense Workshop contains information about upcoming sessions, and provides details on who should attend and what you will learn.