Sinoj Idnani
Posted Answers
Answer
The first major compliance date for importers covered by the Foreign Supplier Verification Programs (FSVP) rule arrives on May 30, 2017. FSVP is mandated by the FDA Food Safety Modernization Act (FSMA). A central tenet of that law is that the same preventive food safety standards apply to food consumed in the U.S., regardless of where the food is produced.
FSVP requires importers to verify that their foreign suppliers of food for human and animal consumption meet applicable FDA safety standards. More specifically, FSVP requires that importers verify that their suppliers are producing food using processes and procedures that offer the same level of public health protection as the preventive controls (PC) requirements in the preventive controls and current good manufacturing practices rules for human food and animal food and produce safety FSMA rules, and that the food is not adulterated and properly labeled with respect to allergens.
Sharon Mayl, Senior Advisor for Policy in the Office of Foods and Veterinary Medicine at FDA, explains what importers need to know when facing this May compliance date and what lies ahead for FSVP implementation.
Q: When are the compliance dates for the FSVP rule?
It is important to note the compliance dates for FSVP are not based on the size of the importer. Instead, the compliance dates are staggered based on the size of the foreign supplier and the regulations that apply to the foreign supplier. The first compliance date is eighteen months after the FSVP final rule was published in the Federal Register. This date gives importers sufficient time to understand the rule and develop their FSVPs. After that, importers generally have to comply six months after their foreign supplier has to be in compliance with the PC or produce safety rules. We linked the FSVP compliance dates to the other FSMA rules because we wanted to minimize the likelihood that an importer would be required to comply with the FSVP regulation before its supplier is required to comply with other FSMA food safety regulations.
Q: Who must be in compliance with the FSVP requirements by May 30, 2017?
U.S. importers subject to this first compliance date have foreign suppliers that fall into one of three categories:
For ease of viewing, we have a chart on fda.gov titled “Am I Subject to FSVP?” that importers can refer to if they are unsure if the rule applies to them.
Q: What do importers have to verify on May 30, 2017?
Importers covered by the FSVP rule will have to verify that their suppliers meet applicable FDA food safety requirements, including that the food is not adulterated or misbranded with respect to allergens.
The largest foreign suppliers subject to the PC for Human Food rule had to be in compliance in September 2016 with both the PC provisions and the CGMP requirements of that rule, but the largest suppliers subject to the PC for Animal Food rule only had to be in compliance with the CGMP requirements by that date. Therefore, importers of foods from those facilities will only need to consider those provisions of the PC rules that their suppliers have had to come in compliance with by May 30, as well as verify that the food is not adulterated or misbranded with respect to allergens.
And I want to clarify that importers have some flexibility with respect to the PC and produce safety rules. Importers will need to have a program that allows them to demonstrate that their foreign suppliers are producing food in a manner that provides the same level of public health protection as the PC or produce rules.
As noted above, importers will have additional time to develop and implement FSVPs for foods from smaller suppliers that are considered qualified facilities or small businesses under the PC rules, as well as for food subject to the produce safety rule.
Q: When the first compliance dates arrived in September 2016 for the preventive controls rules, FDA indicated that it would focus on education, training, and technical assistance. Is that also true for this FSVP compliance date?
Yes, we have done a lot of outreach already to help importers understand the regulations and what they have to do. However, we understand that this is new to a lot of importers, so our approach will be to educate while we regulate to create a culture of compliance. Importers can expect interactive FDA inspections with opportunities to explain how their programs meet our requirements and how they will take corrective actions if we observe deficiencies. Good communication is key. Our initial enforcement priorities will be, as they are now, on food safety problems that pose an imminent public health risk. But the FDA’s mandate is to protect public health and, when appropriate, the agency will act swiftly.
Q: Will FSVP change the admission process?
All foods regulated by the FDA will see changes to the entry process as of May 30, 2017. When food is offered for entry into the United States, the Customs and Border Patrol (CBP) Automated Commercial Environment (ACE) system will require the filer to enter at least one additional code as part of the required data elements. An FSVP importer subject to the May 30 compliance date should use the entity role code “FSV,” indicating the entry is subject to the FSVP regulation. This will then prompt the ACE system to ask for the importer’s name, email address, and unique facility identifier (UFI) recognized as acceptable by FDA. We recently issued guidance formally recognizing the Data Universal Numbering System (DUNS) number as an acceptable UFI for FSVP.
Conversely, if the food entry line is exempt from the requirements of FSVP, or not yet subject to the rule because it has a later compliance date, the filer should use one of two Affirmation of Compliance codes, either “FSX” (designating that the food is exempt from FSVP or that compliance with FSVP is not yet required) or “RNE” (designating, more specifically, that the food is exempt from FSVP because it will be used for research or evaluation in accordance with 21 CFR 1.501(c) of the FSVP regulation). If one of these codes is not transmitted for an imported food product under FDA jurisdiction, the entry line will be rejected.
We have heard that there is some concern within the importing community that not everyone will be able to obtain a DUNS number in time for the first compliance date on May 30. While we expect all FSVP importers to provide their UFI starting on the applicable compliance date, because this is a new rule, we have provided a temporary solution. For a limited time, importers can submit the value “UNK” (to represent “unknown”) in the entry data field where the DUNS number would have been provided for the FSVP importer. This will give importers extra time to obtain their DUNS numbers and will provide us with a list of FSVP importers whom we can contact to ensure they understand and are taking the necessary steps to meet the FSVP requirements. But, remember, the submission of the “UNK” option is temporary. Therefore, FSVP importers should work now to ensure they have accurate and complete entry data (including their DUNS numbers) and understand the process for filing to avoid any future delays in the entry of their products.
It is important to note that while importers will be required to provide their importer identification information through the ACE system, we will not be enforcing overall compliance with this rule on a shipment-by-shipment basis at the port of entry. Rather, our general approach to enforcing compliance will be to inspect U.S. importers and review their records to make sure they are in compliance.
Q: What can importers expect when an investigator reviews their FSVPs?
Remember that, unlike traditional facility inspections, FSVP inspections are based on the review of records, rather than observations of food production. While most of the FSVP inspections will be at the importer’s place of business, we are also going to request that some importers provide FSVP records to FDA electronically, or through other means that deliver the records promptly, as part of a pilot program. In either case, the investigator will ask to view the importer’s FSVP records to determine if there are deficiencies. In most cases, if any deficiencies are found, the importer will be provided an opportunity to correct them. Our focus right now is on supporting compliance, except for problems that pose a danger to health or reflect intentional disregard for legal responsibilities.
I also want to emphasize that we are investing significant resources in training FDA personnel on how to conduct these inspections. Importers can expect an approach that is interactive, and by that I mean that our investigators will be asking questions about what they see and there will be the opportunity for a real dialogue. We encourage importers to keep the lines of communication open with FDA if problems are found. If a corrective action is needed, the importer should communicate clearly what actions will be taken and by what date the corrections will be completed. If problems arise in meeting deadlines, the importer should let us know.
Q: I already audit my supplier. Can I use that audit as a verification activity?
There are many different types of verification activities that can be used to meet the requirements in the rule. The rule mentions review of the supplier’s relevant food safety records, sampling and testing, and onsite auditing as examples of verification activities that may be appropriate, either individually or in combination. Which activity importers choose should be based on their evaluation of the risk of the food and their supplier’s performance.
If importers determine that an audit is the appropriate verification activity, they must make sure the audit meets the requirements in the rule, namely that the audit considers the FDA food safety requirements that apply, and that the auditor is qualified to perform the audit (e.g., education, training, experience). These requirements are designed to be flexible and there are a variety of audits currently being used within the industry that may meet our requirements.
We are aware of several organizations, such as the USDA’s Agricultural Marketing Service (AMS) and the Global Food Safety Initiative (GFSI), that are working to ensure their audits meet our requirements. We have stated our intention to build on current private and public audit activity and we applaud the efforts of external organizations to align their standards and practices with FDA food safety requirements.
That said, the agency would encourage all importers to ensure the scope of the audits they currently use considers all applicable FDA food safety regulations, including the PC and produce safety rules if they apply to their supplier. In addition, they should ensure that the auditors performing the audits are qualified auditors in accordance with the FSVP rule.
Q: For importers whose compliance date hasn’t arrived yet, what should they be doing to prepare for FSVP compliance?
I mentioned earlier that all importers subject to the FSVP rule should obtain a DUNS number. I would urge importers subject to the rule to obtain a DUNS number prior to their compliance date if they do not already have one.
Of course, they should also be working to ensure that they know the requirements of the FSVP rule, beginning to put together their FSVPs, and, if appropriate, conducting verification activities prior to their compliance dates. There is a lot of information on our website that can help importers comply, including fact sheets and other materials. Questions about how the rule may apply to you can also be submitted to our Technical Assistance Network (TAN) for a response by experts here at FDA. They can find information about the network online, and I would encourage them to be very specific about their circumstances when they submit questions to help the FDA experts give them the best advice on how the rule applies to them.
There is also training for importers available through the Food Safety Preventive Controls Alliance (FSPCA) designed to provide the knowledge required to meet the FSVP requirements. The training is also available to others who have an interest in ensuring that FSVP requirements are met, such as brokers, foreign suppliers, and representatives of foreign governments.
Answer is posted for the following question.
Answer
“One trick I tell clients is to warm the compress first. Put the sterile wash bottle into a sink filled with hot water for a couple of minutes. The
Answer is posted for the following question.
How to hot compress ear piercing?
Answer
Caribbean Food Delights is the largest manufacturer of Jamaican frozen food products in the United States. We produce flaky Jamaican patties,
Answer is posted for the following question.
Where can i buy jamaican beef patties?
Answer
Executive chef: Arnulfo Gonzalez; chef/owner: Jurg Munch
Answer is posted for the following question.
Who owns lahaina grill?
Answer
That's possible with an online assessment tool. But what is an assessment, and what's the importance of assessing students?
Answer is posted for the following question.
How to assess students online?
Answer
In the Settings app, tap "Network & Internet" and then "Wi-Fi." The gear icon is next to the student network. The button at the top of the screen is called Forget. To connect to the network, tap the student network in the "Wi-Fi" list.
Click on the symbol at the bottom right of the screen to access the network.
From the drop-down menu, click "Forget." Click the button to connect.
Click "Network" in the system preferences.
Click "Advanced" in the bottom right if you want to know more about the wi-fi.
The network is highlighted in blue when you click on it in the wi-fi pane. The network can be removed by clicking the minus button at the bottom.
Answer is posted for the following question.
How to connect to gvsu student wifi?
Answer
Cross-site request forgery is a type of attack that occurs when a malicious web site, email, blog, instant message, or program causes a user's web browser to perform an unwanted action on a trusted site when the user is authenticated. A CSRF attack works because the browser's requests include all cookies. The site cannot distinguish between legitimate requests and forged requests if the user is authenticated. This attack is stopped when proper authorization is used, which means that a challenge-response mechanism is required that verifies the identity and authority of the requester.
The capabilities exposed by the vulnerable application and privileges of the user are the only ones that can be impacted by a successful CSRF attack.
This attack can result in a transfer of funds, changing a password, or making a purchase with the user's credentials. CSRF attacks can be used by an attacker to make a target system perform a function without the victim's knowledge, at least until the unauthorized transaction has been committed.
The following principles should be followed when defending against CSRF.
The synchronizer token pattern is one of the most popular methods to mitigate CSRF.
There are many frameworks that have been built with synchronized token defenses in mind.
If the framework you are using has an option to achieve CSRF protection by default, it is a good idea to research it. .NET has built-in protection that adds a token to CSRF-vulnerable resources.
CSRF protections that generate tokens to guard CSRF-vulnerable resources are built in, so you are responsible for proper configuration before using them.
CSRF token should be generated on the server side.
They can be generated once per user session or multiple times. The time range for an attacker to exploit a stolen token is very small, so per-request tokens are more secure. However, this could result in issues for the user. The "back" button browser capability is often hidden, as the previous page may contain a token that is no longer valid. A CSRF false-positive security event will occur when you interact with this previous page.
After initial token generation, the value is stored in the session and used for subsequent requests until the session ends.
The server-side component must verify the validity of the token in the request compared to the token found in the user session. The request should be aborted if the token was not found within the request or the value provided was not in line with the user session. The event should be recorded as a potential CSRF attack in progress.
CSRF should be a token.
CSRF is prevented because an attacker cannot create valid requests without a token.
CSRF tokens should not be transmitted using cookies.
The CSRF token can be sent to the client as part of a response.
It can be sent back to the server as a hidden field on a form submission, or as a part of a JSON message. Make sure the token is not leaked in the logs or URL.
The browser history, log files, network appliances that log the first line of an HTTP request, and Referer headers are some of the places where CSRF tokens in GET requests can be leaked.
For example:
The CSRF token can be inserted in custom HTTP request headers via JavaScript, which is considered more secure than adding the token in a hidden form field.
The double submit cookie technique is an alternative defense if a CSRF token is problematic. This technique is easy to implement.
The server will verify if the cookie value and request value match when we send a random value in both a cookie and a request parameter. When a user visits, the site should generate a pseudorandom value and set it as a cookie on the user's machine separate from the session identifier. The site requires that every transaction request include a hidden form value.
If both of them match at the server side, the server accepts the request and if they don't, it rejects it.
To enhance the security of this solution include the token in an encrypted cookie - other than the authentication cookie (since they are often shared within subdomains) - and then at the server side match it (after decrypting the encrypted cookie) with the token in hidden form field or parameter/header for AJAX calls. This works because a sub domain has no way of over-writing a properly crafted cookie without the necessary information such as an encryption key.
A simpler alternative to an encrypting cookie is to place the token with a secret key in a cookie, and then use HMAC.
This is similar to an encrypted cookie, but is less intensive. An attacker won't be able to recreate the cookie value from the plain token without knowing the server secrets, whether or not HMAC is used.
SameSite is a cookie attribute that aims to mitigate CSRF attacks.
It's defined in a document. This attribute helps the browser decide whether to send cookies.
The possible values for this attribute are Lax, Strict, and None.
The Strict value will prevent the cookie from being sent by the browser to the target site in all cross-site browsing context. If a user follows a link to a private project on a corporate discussion forum or email, the user won't be able to access the project because the session cookie won't be sent to the website. The Strict flag would be most appropriate since a bank website doesn't want transactional pages to be linked from external sites.
The default Lax value provides a balance between security and ease of use for websites that want to maintain user's log-in session after they arrive from an external link.
The session cookie can be used when following a regular link from an external website while blocking it in CSRF-prone request methods. Only cross-site-requests that have top-level navigations and are also safe are allowed in Lax mode.
The following section contains more information on the SameSite values.
This attribute is used in a cookie example.
The SameSite attribute is now supported by almost all browsers. Refer to the following service to keep track of the browsers implementing it and the usage of the attribute.
In February 2020, Chrome will mark cookies as SameSite-Lax by default, as well as Firefox and Edge, which will follow suit. The Secure flag will be required for cookies that are marked as Samesite.
This attribute should be implemented as a layer in a defense-in-depth concept. The attribute protects the user through the browsers that support it, and it contains 2 ways to circumvent it. This attribute should not be used to replace a CSRF token.
It should co-exist with the token in order to protect the user.
The first and second steps rely on examining the request's header values.
At the server side, we check if they match. If they don't, we discard the request, meaning that the request originated from a different domain.
The reliability of these headers comes from the fact that they can't be changed programmatically, as they fall under the forbidden list of headers.
If the Origin header is present, verify that the value matches the origin. The Origin header will be present in requests that originate from an HTTPS URL.
If the Origin header is not present, you can use the Referer header to verify the origin. This method of CSRF mitigation is used with unauthenticated requests, such as requests made prior to establishing a session state, which is required to keep track of a synchronization token.
Make sure the target origin check is strong.
If your site is example.org, make sure example.org.attacker.com does not pass your origin check.
You can either accept or block the request if neither of the above is present. Blocking is what we recommend. You could log all instances, monitor their use cases, and then block requests after you get enough confidence.
It's not easy to determine the target origin.
The first thought is to simply grab the target origin from the URL in the request. The original URL is different from the one the app server actually receives when the application server sits behind one or more proxies. If your application server is accessed directly by its users, then you can use the origin in the URL.
There are a number of options to consider if you are behind a proxy.
When the origin or referrer is present, the mitigation works well.
Most of the time, these headers are included, but there are a few use cases where they are not. Some use cases are listed.
No enterprise would want to lose traffic that falls under the categories.
If the Origin/Referer matches your configured list of domains, or is null, you can accept the request. The null value is used to cover the edge cases where the headers are not sent. People prefer to use this technique as a defense-in-depth measure because of the small amount of effort involved in deployment.
Cookie Prefixes for cookie with CSRF token is a solution for this problem.
If the cookie has a path and a token, then it's safe.
All major browsers except Internet Explorer support cookie prefixes.
There is more information about cookie prefixes in the draft of the IETF.
Adding CSRF token, a double submit cookie and value, and an encrypted token can be complex or problematic.
The use of a custom request header is an alternate defense that is well suited for AJAX or an API. This defense relies on the same-origin policy: only JavaScript can be used to add a custom header, and JavaScript can't make cross-origin requests with custom headers.
If this is the case for your system, you can simply verify the presence of this value on all your endpoints in order to protect against CSRF attacks.
This approach usually requires no UI changes and does not introduce any server-side state, which is attractive to REST services. If you prefer, you can always add your own custom value and header.
You still need to protect <form> tags with approaches described in this document, even though this technique works for AJAX calls. The solution should work effectively if the CORS configuration is robust and the custom headers for requests coming from other domains are also configured.
Sometimes it's more appropriate to involve the user in the transaction to prevent unauthorized operations, since all the techniques referenced here do not require any user interaction. Some techniques can act as strong CSRF defense.
These are very strong CSRF defense, but they can create a significant impact on the user experience. Password changes, money transfers, and other security critical operations would be the only uses for them.
Most developers assume that CSRF won't be applicable on login forms because the user is not verified at that stage, however this is not always true. CSRF vulnerabilities can still occur on login forms where the user is not verified, but the impact and risk is different.
If an attacker uses CSRF to assume an identity of a target victim on a shopping website using the attacker's account, the victim's credit card information can be used to purchase items. Section 3 of the paper contains more information about login CSRF.
Pre-sessions and including a token in the login form can be used to mitigate login CSRF. You can use any of the techniques mentioned.
Pre-sessions can't be transitioned to real sessions once the user is signed in, so a new one should be made to avoid session fixation attacks. This technique is described in a book.
CSRF is a new type of attack where the attacker tricks the client-side Javascript code to send a forged request to a vulnerable site by manipulating the program's input parameters.
CSRF begins when the JavaScript program uses attacker-controlled inputs for the generation of asynchronous requests.
The variants of CSRF are important because they can circumvent some of the common anti-CSRF measures.
The JavaScript program will include the custom request headers in the asynchronous requests. The same-site cookie policies will be circumvented by the web browsers.
The server-side program can't distinguish whether the incoming request was performed intentionally or not, which is known as the confused proxy problem. The vulnerable component in the CSRF is the client-side JavaScript program, which allows an attacker to generate arbitrary requests by manipulating the request endpoint and/or its parameters. The server-side won't be able to distinguish if the request was performed intentionally or not if it's exploited.
Sections 2 and 5 of this paper, the CSRF chapter of the SameSite wiki, and the post by the Facebook Whitehat program can be found here.
A simple example of a CSRF vulnerability can be seen in the code snippets.
The program invokes a function on the page load which is responsible for loading various webpage elements. The function reads the value of the URL hash fragment and extracts two pieces of information from it to generate an asynchronous request.
The vulnerability occurs when the JavaScript program uses URL fragments to get the server-side endpoint for the request method. Both inputs can be controlled by web attackers, who can pick the value of their choosing, and craft a malicious URL.
The malicious URL can be shared with the victim to trick them into clicking on it, because the URL belongs to a legitimate website. Alternatively, they can use it as a part of an attack page they control and abuse browser APIs (e.g., the window.open() API) to trick the vulnerable JavaScript of the target page to send the HTTP request, which closely resembles the attack model of the classical CSRF attacks.
This USENIX Security paper and the Facebook Whitehat program are examples of client-side CSRF.
The CSRF can be prevented if the requests are not generated via attacker controllable inputs, such as the URL, window name, document referrer, and postMessages.
Depending on the context and the function, it may not be possible to achieve complete isolation between inputs and request parameters. The input validation checks have to be implemented.
The format and choice of the values of the request parameters should be assessed by these checks to see if they can only be used in non-state-changing operations.
Predefined Request Data is a technique that stores a list of safe request data in the JavaScript code. The program can use a switch to decide which entry of the list to use.
An example reference for some of the concepts described in the cheatsheet is provided by the following JEE web filter. It implements stateless mitigations.
It only acts as a reference sample and is not complete; for example, it doesn't have a block to direct the control flow when the origin and referrer check succeeds, nor does it have port/host/protocol level validation for Referer headers. Developers are advised to build their complete mitigation on top of this sample. Before checking for CSRF is considered effective, developers should implement authorization mechanisms.
Answer is posted for the following question.
How to avoid csrf attack in java?
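As an added illustration for the Java question above (example code written for this page; it is not part of the original answer and is not code from OWASP or any framework), here is the synchronizer token pattern in plain Java. The Session and Request classes, the attribute name csrf.token and the field name _csrf are stand-ins assumed by this example; in a servlet application the same checks run against HttpSession and HttpServletRequest.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;

/** Synchronizer token pattern (per-session token) in plain Java. Session and Request are
 *  stand-ins assumed by this example; a servlet would use HttpSession and HttpServletRequest. */
public class SynchronizerTokenDemo {

    static final String TOKEN_ATTR = "csrf.token";
    static final String FIELD_NAME = "_csrf";
    static final SecureRandom RNG = new SecureRandom();

    /** Server-side session state. */
    static final class Session {
        final Map<String, Object> attrs = new HashMap<>();
    }

    /** The parts of an HTTP request the check needs. */
    static final class Request {
        final String method;
        final Session session;        // resolved from the session cookie the browser sent
        final String submittedToken;  // hidden field "_csrf" (or a header); null if absent
        Request(String method, Session session, String submittedToken) {
            this.method = method;
            this.session = session;
            this.submittedToken = submittedToken;
        }
    }

    /** Generates a 256-bit random token once per session and keeps it server-side only. */
    static String tokenFor(Session session) {
        String existing = (String) session.attrs.get(TOKEN_ATTR);
        if (existing != null) return existing;
        byte[] raw = new byte[32];
        RNG.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        session.attrs.put(TOKEN_ATTR, token);
        return token;
    }

    /** Hidden field for every state-changing form (base64url characters need no HTML escaping). */
    static String hiddenField(Session session) {
        return "<input type=\"hidden\" name=\"" + FIELD_NAME + "\" value=\"" + tokenFor(session) + "\">";
    }

    static boolean isSafeMethod(String method) {
        return "GET".equals(method) || "HEAD".equals(method) || "OPTIONS".equals(method);
    }

    /** Returns true if the request may proceed; a rejection is logged as a possible CSRF attempt. */
    static boolean verify(Request req) {
        if (isSafeMethod(req.method)) return true;   // safe methods must not change state
        String expected = (String) req.session.attrs.get(TOKEN_ATTR);
        if (expected == null || req.submittedToken == null) {
            System.out.println("  [reject] token missing from session or request");
            return false;
        }
        // Constant-time comparison: a mismatch must not leak how much of the token was right.
        boolean ok = MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8),
                                           req.submittedToken.getBytes(StandardCharsets.UTF_8));
        if (!ok) System.out.println("  [reject] token mismatch: potential CSRF attack in progress");
        return ok;
    }

    /** Per-request variant: discard the token after use so the next rendered form gets a new one. */
    static void rotate(Session session) {
        session.attrs.remove(TOKEN_ATTR);
    }

    public static void main(String[] args) {
        Session victim = new Session();
        System.out.println("form carries: " + hiddenField(victim));
        String token = tokenFor(victim);

        // Legitimate submission: the browser posts back the hidden field it received with the form.
        System.out.println("legit POST   -> " + verify(new Request("POST", victim, token)));
        // Forged submission from attacker.example: the session cookie rides along automatically,
        // but the attacker's page cannot read the token, so the field is absent or guessed.
        System.out.println("forged POST  -> " + verify(new Request("POST", victim, null)));
        System.out.println("guessed POST -> " + verify(new Request("POST", victim, "AAAAAAAA")));
        // Safe methods pass without a token and therefore must never change state.
        System.out.println("GET          -> " + verify(new Request("GET", victim, null)));
        // After rotation a stale token (e.g. a page reached with the back button) no longer validates.
        rotate(victim);
        System.out.println("stale POST   -> " + verify(new Request("POST", victim, token)));
    }
}
```

Compile with javac SynchronizerTokenDemo.java and run with java SynchronizerTokenDemo. The token never leaves the server except inside the rendered form, which is why it must not be put in a GET URL or a cookie; the last call shows the per-request trade-off the answer mentions, where a page reached with the back button carries a token that no longer validates.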
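The stateless checks the answer ends on (the Origin/Referer target-origin check and the HMAC-based double submit cookie) as a second added example, again written for this page rather than taken from the original answer or the JEE filter it refers to. SERVER_SECRET, TARGET_ORIGIN, the cookie layout token "." HMAC(sessionId | token), the session-id binding and the header map are all assumptions of this example.

```java
import java.net.URI;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Map;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

/** Stateless CSRF checks in plain Java: a strict target-origin check on Origin/Referer,
 *  then an HMAC-signed double-submit cookie. Nothing is stored server-side between requests. */
public class StatelessCsrfDemo {
    // Assumptions of this example: the secret comes from a secret store in real code, and the
    // target origin is configured rather than taken from the Host header (a proxy may rewrite it).
    static final byte[] SERVER_SECRET =
            "replace-with-32-random-bytes-from-your-secret-store".getBytes(StandardCharsets.UTF_8);
    static final URI TARGET_ORIGIN = URI.create("https://example.org");
    static final SecureRandom RNG = new SecureRandom();
    static final Base64.Encoder B64 = Base64.getUrlEncoder().withoutPadding();

    /** True only when the request's source origin equals the configured target origin. */
    static boolean sourceOriginOk(Map<String, String> headers) {
        String origin = headers.get("Origin");
        if (origin != null) return sameOrigin(origin);
        String referer = headers.get("Referer");
        return referer != null && sameOrigin(referer);    // neither header present: reject
    }

    /** Scheme, host and effective port must all match exactly; no prefix matching, so
     *  https://example.org.attacker.com and http://example.org both fail. */
    static boolean sameOrigin(String url) {
        URI u;
        try {
            u = URI.create(url);
        } catch (IllegalArgumentException e) {
            return false;
        }
        return u.getScheme() != null && u.getHost() != null
                && u.getScheme().equalsIgnoreCase(TARGET_ORIGIN.getScheme())
                && u.getHost().equalsIgnoreCase(TARGET_ORIGIN.getHost())
                && port(u) == port(TARGET_ORIGIN);
    }

    static int port(URI u) {
        return u.getPort() != -1 ? u.getPort() : ("https".equalsIgnoreCase(u.getScheme()) ? 443 : 80);
    }

    static String hmac(String data) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(SERVER_SECRET, "HmacSHA256"));
        return B64.encodeToString(mac.doFinal(data.getBytes(StandardCharsets.UTF_8)));
    }

    /** Cookie value = token "." HMAC(sessionId | token). Binding the tag to the session id means a
     *  cookie planted from a sibling subdomain, or replayed into another session, fails verification. */
    static String issueCookieValue(String sessionId) throws Exception {
        byte[] raw = new byte[32];
        RNG.nextBytes(raw);
        String token = B64.encodeToString(raw);
        return token + "." + hmac(sessionId + "|" + token);
    }

    /** The hidden field or X-CSRF-Token header must carry the plain token half of the cookie. */
    static boolean doubleSubmitOk(String sessionId, String cookieValue, String submitted) throws Exception {
        int dot = cookieValue == null ? -1 : cookieValue.indexOf('.');
        if (dot < 0 || submitted == null) return false;
        String token = cookieValue.substring(0, dot);
        byte[] expectedTag = hmac(sessionId + "|" + token).getBytes(StandardCharsets.UTF_8);
        byte[] givenTag = cookieValue.substring(dot + 1).getBytes(StandardCharsets.UTF_8);
        // Both comparisons are constant-time and both always run, so timing reveals nothing.
        boolean tagOk = MessageDigest.isEqual(expectedTag, givenTag);
        boolean tokenOk = MessageDigest.isEqual(token.getBytes(StandardCharsets.UTF_8),
                                                submitted.getBytes(StandardCharsets.UTF_8));
        return tagOk && tokenOk;
    }

    /** Filter-style decision for one request: safe methods pass, everything else needs both checks. */
    static boolean allow(String method, Map<String, String> headers,
                         String sessionId, String cookieValue, String submitted) throws Exception {
        if ("GET".equals(method) || "HEAD".equals(method) || "OPTIONS".equals(method)) return true;
        return sourceOriginOk(headers) && doubleSubmitOk(sessionId, cookieValue, submitted);
    }

    public static void main(String[] args) throws Exception {
        String sid = "session-id-from-auth-cookie";        // constructed sample value
        String cookie = issueCookieValue(sid);
        String token = cookie.substring(0, cookie.indexOf('.'));
        Map<String, String> good = Map.of("Origin", "https://example.org");
        Map<String, String> lookalike = Map.of("Referer", "https://example.org.attacker.com/form");

        System.out.println("legit POST        -> " + allow("POST", good, sid, cookie, token));
        System.out.println("lookalike Referer -> " + allow("POST", lookalike, sid, cookie, token));
        System.out.println("no Origin/Referer -> " + allow("POST", Map.of(), sid, cookie, token));
        // A page on evil.example.org can set a cookie for example.org, but without SERVER_SECRET it
        // cannot forge the tag, so a planted token/tag pair is rejected.
        System.out.println("planted cookie    -> " + allow("POST", good, sid, "atkToken.atkTag", "atkToken"));
        // A genuine cookie replayed against a different session fails the session binding.
        System.out.println("other session     -> " + allow("POST", good, "other-sid", cookie, token));
    }
}
```

Needs Java 9 or later for Map.of. In a servlet filter the same allow() decision would run before doFilter(), with the headers taken from HttpServletRequest, the cookie from the Cookie header and the submitted half from the _csrf parameter or the X-CSRF-Token header; the cookie should be set with Secure, HttpOnly and SameSite, and under a name separate from the authentication cookie, as the answer recommends.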