FDA Issues Final Rule Under Food Safety Modernization Act

Food and Agriculture Law  

June 16, 2016


On May 27, 2016, the FDA published the seventh and final rule under the Food Safety Modernization Act (“FSMA”), building on several previously issued food defense measures.  The FSMA, signed into law on January 4, 2011, marked a shift towards a more proactive approach to protecting public health by improving the safety and security of the food supply.  The FSMA’s seven foundational rules focus on several facets of the food supply chain, including preventive controls for human and animal foods, standards for growing, harvesting, packing, and holding produce, and foreign supplier verification programs.

The newest addition, Mitigation Strategies to Protect Food Against Intentional Adulteration (“Mitigation Strategies Rule”), contains a comprehensive set of requirements that apply to the owner, operator or agent in charge of a domestic or foreign food facility that manufactures/processes, packs, or holds food for consumption in the United states and is required to register under section 415 of the Federal Food, Drug, and Cosmetic Act (“FDCA”).  The definition of “food” casts a wide net for entities potentially subject to this rule.  Defined to include any raw materials and ingredients used in food or drink designed for “man or other animals,” the Rule covers the practices of food processors and manufacturers, and may even reach grocers and wineries in certain limited circumstances.

The stated purpose of the Mitigation Strategies Rule is to protect food from intentional acts of adulteration where the intent is to cause wide scale harm to public health, including acts of terrorism.  Rather than targeting specific foods or hazards, the Mitigation Strategies Rule requires registered food facilities (referred to herein as “Registrants”) to identify and implement focused mitigation strategies to minimize or eliminate significant vulnerabilities at certain ‘process steps’ in their operation.  Specifically, non-exempt Registrants are required to:  a) prepare written food defense plans, b) train supervisors and personnel involved at actionable process steps, and c) prepare and retain records.

Exempted from the Mitigation Strategies Rule

  1. A very small business. While exempt, the business would be required to provide to FDA, upon request, documentation to demonstrate that the business is very small.

  2. The holding of food, except the holding of food in liquid storage tanks.

  3. The packing, re-packing, labeling or re-labeling of food where the container that directly contacts the food remains intact.

  4. Activities that fall within the definition of “farm.”

  5. Manufacturing, processing, packing, or holding of food for animals.

  6. Alcoholic beverages, under certain conditions.

    • This exemption applies to Facilities permitted under the Federal Alcohol Administration Act and registered under the FDCA.  Non-alcoholic food at such facilities are also exempt so long as the food is in prepackaged form, and constitutes not more than 5 percent of the facility’s overall sales.

  7. On-farm manufacturing, processing, packing, or holding by a small or very small business of certain foods identified as having low-risk production practices. The exemption applies if such activities are the only activities conducted by the business subject to the rule.  These foods include certain types of eggs, and certain types of game meats.

Written Food Defense Plan

The heart of the Mitigation Strategies Rule is its ‘food defense plan’ requirement.  Each registered food facility is required to prepare a written food defense plan which includes the following components:  (1) a vulnerability assessment—with explanations—identifying significant vulnerabilities and actionable process steps, (2) written mitigation strategies, with explanations, (3) procedures for food defense monitoring of mitigation strategies implementation, (4) procedures for food defense corrective action, and (5) procedures for food defense verification.  Additionally, there are associated requirements for training and qualifications of personnel, and retaining records.  Several of these requirements deserve some unpacking.

  1. Vulnerability Assessment:  This is the identification of vulnerabilities and actionable process steps1  for each type of food manufactured, processed, packed or held at the food facility.  At a minimum, the regulations provide that an assessment must evaluate:  the potential public health impact, the degree of physical access to the product, and the ability of an attacker to successfully contaminate the product.  Notably, the assessment must also consider the possibility of an inside attacker.

  2. Mitigation Strategies:  These should be identified and implemented at each actionable process step to provide assurances that vulnerabilities will be minimized or prevented.

  3. Mitigation Strategy Management:  Steps must be taken to ensure the proper implementation of each mitigation strategy, including:

    • a) Monitoring;

    • b) Corrective actions; and

    • c) Verification.

  4. Training and Recordkeeping:  Facilities must ensure that all personnel are qualified and trained for their respective role; those responsible for the food defense plan, and supervisors are subject to additional training and qualification requirements.  The recordkeeping requirement includes that:  a) the records be created concurrently with performance of the activity documented; b) the records be retained at the facility for at least two years after the date they were prepared; c) the records be made promptly available to a duly authorized representative of the secretary of Health and Human Services for official review and copying upon oral or written request.

In sum, the Mitigation Strategies Rule provides a broad set of rules designed to assess and address food defense vulnerabilities, and mechanisms to monitor, detect, and correct shortcomings.  These regulations are then reinforced, almost redundantly, by a verification requirement that ensures that the mitigation strategies are effectively implemented.

The Mitigation Strategies Rule is effective July 26, 2016.  Facilities, other than small and very small businesses, have 3 years after the effective date to comply.  Small businesses (i.e., those employing fewer than 500 full-time equivalent employees) have 4 years after the effective date to comply.  Very small businesses (i.e., businesses that have less than $10,000,000 in sales, etc.) have 5 years after the effective date to comply.


1“Actionable process step” is defined as:  “a point, step, or procedure in a food process where a significant vulnerability exists and at which mitigation strategies can be applied and are essential to significantly minimize or prevent the significant vulnerability.”