The Food and Drug Administration’s (FDA) Intentional Adulteration (IA) Rule aims to prevent acts targeting the food supply that are intended to cause wide-scale harm to public health. The IA Rule requires food businesses to assess and identify vulnerabilities in their processes, operations, and facilities; implement strategies to reduce those vulnerabilities; and then regularly monitor and verify the effectiveness of those strategies to reduce the occurrence of IA acts. A food defense “challenge” (also known as an intrusion test) is then used to assess how well those strategies are implemented throughout the organization.

What is the purpose of the IA intrusion test?

The purpose of an intrusion test is to evaluate a company’s existing food defense programs for proper implementation across the company by “challenging” the system’s efficacy. In an unannounced intrusion test, a food safety expert scopes out the facility and its vulnerabilities, attempts to gain access to sensitive areas, and tests how the food defense system works in practice.

The test helps facilities to:

• Assess whether food defense procedures are effectively implemented throughout the facility—and are being followed by personnel.
• Highlight facility strengths and implementation failures.  
• Close identified gaps and reinforce programs, where needed.
• Meet FDA regulatory and Global Food Safety Initiative (GFSI) certification standard requirements. 

Am I required to do one of these challenges?

To truly ensure food safety and defense programs work, they need to be challenged. The GFSI benchmarked certification standards all require some version of testing:

• SQF: The food defense program must be tested to ensure food defense strategies are effective, appropriate, and documented. This test can be based on a fictitious scenario that allows an intruder to enter the building and challenge the system.
• FSSC 22000: Organizations must conduct and document a food defense threat assessment based on defined methodology to identify and evaluate potential threats linked to processes and products.
• BRCGS: A documented risk assessment must be conducted to identify potential risks to the security of product and to ensure appropriate controls implemented to reduce the risk.
• IFS: The food defense plan must be tested for effectiveness and reviewed at least annually or whenever significant changes occur.

What does the process look like?

An important part of these tests is that they are unannounced, so personnel continue to operate as usual versus being on heightened alert. Tests are typically coordinated and scheduled with company leadership to take place at a time/date that is undisclosed to plant employees. Company leadership provides the food safety expert with documentation that confirms the test and outlines who to contact when/if “apprehended” to help keep the food safety expert safe.

Prior to conducting the test, the food safety expert will generally tour the facility to identify sensitive areas to target and opportunities to enter the facility. This is important since the first critical step in conducting the test involves gaining access to the building, whether through finding unlocked doors, pretending to be plant personnel, or even creating a cover story and walking through the front door.

Once the food safety expert is in the facility, the objective becomes to try to access as many sensitive areas as possible to truly “test” the system. The intrusion test is followed up with a detailed findings report that provides recommendations for closing gaps and strengthening the facility’s food defense program.

What does the IA intrusion test include?

An IA internal intrusion test evaluates company preparedness for intentional trespassing and internal attacks on sensitive areas inside the facility. The intruder will take advantage of employee movement (e.g., arrivals, breaks, lunches, departures); focus on physical controls of building access (e.g., employee entrances, garage doors, receiving/loading areas); and target sensitive internal areas within the building. The challenge will involve testing facility procedures and employee implementation, as well as the following food defense mechanisms:

• Card access/badge system/key protocol
• Reception area
• Visitor control/sign-in program
• Security guards
• Camera system
• Exterior door security
• Lighting
• Shipping/receiving areas
• Fencing
• Parking lot

What are common missteps identified in intrusion tests?

In many cases, the issues encountered are seemingly small things; however, the small issues can quickly result in very big problems if an intruder is able to access sensitive areas. Some of these include the following:

• Employees forget to ensure the door is shut and fully latched when leaving an area.
• Employees do not question the presence of visitors and, in some cases, will even open the door for an unknown individual.
• Badges and uniforms are left unattended throughout the facility for intruders to steal and use as identification. With this identification, interior areas are relatively easy to access and contaminate.
• Doors are not locked—either inadvertently or because locking mechanisms are not repaired—or are propped open for ease of access.
• Equipment on the exterior of the facility (e.g., ladders, company vehicles, tools, etc.) is not adequately controlled.

What can facilities do to prevent IA?

Training staff to understand food defense risks, identify suspicious activities and individuals, and implement preventive measures is key to reducing IA risk. FDA and the Department of Homeland Security’s (DHS) See Something, Say Something Campaign reminds front-line employees of what to look for and how to respond if suspicious activity occurs.

Importantly, staff must feel empowered to notify management if they notice anything suspicious. This might include someone taking notes or videos in the plant; an individual attempting to gain access to restricted areas; theft of employee uniforms, badges, or packaging labels; unattended vehicles illegally parked near the facility; unattended items near the business (e.g., boxes, bags); and suspicious work behaviors/hours from employees.

Best practices to prevent this suspicious activity from causing wide-scale harm include the following:

• Post security personnel to serve as a deterrent for intruders.
• Properly maintain exterior doors, parking lots, and outside lighting.
• Keep doors locked and closed, including entrance, break room, and loading docks.
• Ensure visitor stickers are removed and disposed of upon checkout.
• Secure open containers of food/food ingredients.
• Control access of all employees, visitors, contractors, delivery personnel, etc. to sensitive areas.
• Make sure visitors to the facility are accompanied by an employee.
• Monitor products for evidence of tampering (i.e., seals, labels, packaging).
• Complete background checks on employees.
• Train personnel to report suspicious individuals or activities.