I. INTRODUCTION
In October 2023, President Biden issued a landmark Executive Order on the Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence (“Executive Order”). In section 4.4(b), the Executive Order directs the federal government to reduce the risks of misuse of synthetic nucleic acids and improve associated biosecurity measures. The Executive Order requires that OSTP develop a framework to encourage providers of synthetic nucleic acid sequences to implement comprehensive, scalable, and verifiable synthetic nucleic acid procurement screening mechanisms. As the building blocks for life, nucleic acids underpin much of research and development in the life sciences, thereby serving as a critical control point allowing industry to ensure beneficial usage and minimize the risk of misuse. This framework outlines a unified process for screening purchases of synthetic nucleic acids and benchtop nucleic acid synthesis equipment. While the framework will be incorporated into requirements for recipients of federal research funding, including through domestic and international funding documents, broader use of the framework is encouraged. This approach guides providers of synthetic nucleic acids (“Providers”) and manufacturers of benchtop nucleic acid synthesis equipment (“Manufacturers”) to screen purchase orders to identify sequences of concern (SOCs) and assess customer legitimacy.
In support of this framework, as directed by section 4.4(b)(ii) of the Executive Order, the National Institute of Standards and Technology (NIST) will engage with industry and relevant stakeholders to further develop and refine specifications for effective nucleic acid synthesis procurement screening; best practices for managing SOC databases to support such screening; technical implementation guides for effective screening; and conformity-assessment best practices and mechanisms.
This framework incorporates and supplements portions of the Screening Framework Guidance for Providers and Users of Synthetic Nucleic Acids, U.S. Department of Health and Human Services, October 2023, and its accompanying Companion Guide (collectively, “2023 HHS Guidance”).
As described in Section II, federal funding agencies will, as appropriate and consistent with applicable law, require that procurement of synthetic nucleic acids and benchtop nucleic acid synthesis equipment using federal life sciences funding be conducted through Providers and Manufacturers that adhere to this framework. To adhere to this framework, Providers and Manufacturers should take the following six actions for such procurement, consistent with the 2023 HHS Guidance and the Executive Order section 4.4(b)(iii):
1. Attest to implementing this screening framework through a statement that either is posted on a public website or provided to both the federally funded customer and federal funding agency;
2. Screen purchase orders for synthetic nucleic acids to identify SOCs;
3. Screen customers submitting purchase orders of synthetic nucleic acids with SOCs, and purchase orders of benchtop nucleic acid synthesis equipment, to verify legitimacy;
4. Report potentially illegitimate purchase orders of synthetic nucleic acids involving SOCs or of benchtop nucleic acid synthesis equipment;
5. Retain records relating to purchase orders for synthetic nucleic acids and benchtop nucleic acid synthesis equipment; and
6. Take steps to ensure cybersecurity and information security.
II. ROLE OF FEDERAL FUNDING AGENCIES
The Executive Order requires that, within 180 days of the publication of this framework, all agencies that fund life sciences research will, as appropriate and consistent with applicable law, establish that, as a requirement of funding, synthetic nucleic acid procurement for federally funded research is conducted through Providers or Manufacturers that adhere to the framework.1
Federal funding agencies will establish these requirements under statutory and regulatory authorities applicable to them, such as through terms and conditions of awards. Federal funding agencies will work with the Assistant to the President for National Security Affairs (APNSA) and the Director of OSTP to coordinate the process of reviewing such funding requirements to facilitate consistency in implementation of the framework across funding agencies.
This framework complements existing federal statutes, regulations, and policies, and does not supersede any federal statutory or regulatory authority. Nothing in this framework impairs or otherwise affects the functions of the Director of the Office of Management and Budget relating to budgetary, administrative, or legislative proposals. In rare cases, federal funding agencies may encounter circumstances that require an exception to this framework. The heads of federal funding agencies may issue exceptions to the requirements in this framework on a case-by-case basis when needed to address health or national security priorities, in consultation with the Director of OSTP and the Federal Bureau of Investigation.
III. SCOPE
This framework applies to federally funded life sciences research involving the procurement of all types of synthetic nucleic acids – including but not limited to DNA and RNA, whether single- or double-stranded, as well as whole organism genomes (e.g., viruses, bacteria) – containing any synthetic SOC. It also applies to federally funded life sciences research involving the procurement of any benchtop equipment capable of synthesizing nucleic acids.
This framework applies to the distribution by Providers of synthetic nucleic acids, including by biofoundries, cloud labs, institutions with core nucleic acid synthesis facilities, and contract research organizations (CROs) or laboratories with integrated nucleic acid synthesis capabilities. This framework also applies to the distribution by Manufacturers of benchtop equipment to synthesize nucleic acids. To be adherent to this framework, Providers and Manufacturers should also ensure the framework is followed when a third-party vendor or other intermediary is involved.
IV. DEFINITIONS
The 2023 HHS Guidance provides definitions for the following terms, which are reproduced or adapted here:
Table 1: Basic Definitions Used in the Framework for Nucleic Acid Synthesis Screening
Term: Definition
Benchtop nucleic acid synthesis equipment: Benchtop nucleic acid synthesis equipment sold by Manufacturers that is intended to be used to synthesize nucleic acids for use within a research laboratory or within an institution. While this nucleic acid synthesis equipment may not be small enough to be placed on a benchtop (e.g., it sits on the laboratory floor), it is still considered benchtop equipment if it is sold with the intent that it will be used by researchers individually or in a core facility in an institution.
Customer: The individual or entity (such as an institution) that orders or requests synthetic nucleic acids from a Provider, or that purchases nucleic acid synthesis equipment from a Manufacturer.
Manufacturer: An entity that produces and distributes benchtop equipment for synthesizing nucleic acids. Manufacturers may provide equipment to a customer or third-party vendor.
Provider: An entity that synthesizes and distributes synthetic nucleic acids. Providers may provide nucleic acids to a customer or third-party vendor. A Provider is understood to be synthesizing and distributing nucleic acids as a transactional service, rather than as a research scientist collaborating with a colleague.
Sequence of Concern (SOC): At the time of this framework’s issuance, a nucleotide sequence or its corresponding amino acid sequence that is a Best Match to a sequence of federally regulated agents (i.e., the Biological Select Agents and Toxins List (BSAT), or the Commerce Control List (CCL)), except when the sequence is also found in an unregulated organism or toxin. As of and after October 13, 2026, this definition will include sequences known to contribute to pathogenicity or toxicity, even when not derived from or encoding regulated biological agents (see Screening Framework below).
Synthetic nucleic acids subject to screening: at a minimum, DNA or RNA, single- or double-stranded, 200 nucleotides (including the corresponding amino acid sequence, if applicable) or longer should be screened for SOCs. As of October 13, 2026, this screening window will be decreased to 50 nucleotides, and Providers should implement screening mechanisms that detect the potential for shorter nucleotides to be assembled into SOCs when multiple synthetic nucleic acids are ordered by the same customer in a bulk order or for multiple orders over time (see Screening Framework below).
Third-party vendor: An entity that orders synthetic nucleic acids from Providers and distributes them or their constructs, with or without reformulation. Also, an entity that orders benchtop equipment for synthesizing nucleic acids from Manufacturers and distributes them.
Verifying legitimacy: Review of information that would allow Providers and Manufacturers to authenticate the recipient of synthetic nucleic acids containing SOCs or benchtop nucleic acid synthesis equipment as a legitimate member of the scientific community.
This framework additionally specifies that the term Provider includes the following non-traditional types of providers:
Table 2: Definitions of Non-Traditional Providers of Synthetic Nucleic Acids
Non-Traditional Types of Providers: Definition
Biofoundry: A centralized facility that provides a high degree of automation and infrastructure to support the engineering and scalable manufacturing of biological systems including nucleic acid sequences or that utilizes biological systems to produce molecules and nucleic acid sequences.
Cloud Lab: A highly automated research laboratory possessing a diversity of analytical and synthesis capabilities across the life sciences and that can be remotely operated by specifying experimental protocols via software.
Core Facility / Academic Core Facility: An institution-based capability that either facilitates orders to third parties or that has in-house equipment intended to provide services to faculty and research staff at that university or others and not otherwise to customers from the general public (e.g., the ability to create nucleic acid sequences de novo from benchtop synthesizers).
Contract Research Organization (CRO): An organization that provides research and development services to companies in the life sciences, typically related to clinical trials and drug-development.
V. SCREENING FRAMEWORK
To adhere to this screening framework, Providers and Manufacturers should meet the following criteria:
1. Attest to implementing this screening framework through a statement that is either posted on a public website or provided to both the federally funded customer and federal funding agency
As indicated above, per the requirements of the Executive Order, federal funding agencies will require that procurement of synthetic nucleic acids and benchtop nucleic acid synthesis equipment using federal life sciences funding be conducted through Providers and Manufacturers that attest to adhering to this screening framework. To adhere to this framework, a Provider and Manufacturer should either post on a public webpage a statement that self-attests to following each of the criteria in this framework, or provide such a statement to both the federally funded customer and the federal funding agency. Following the release of this framework, OSTP anticipates coordinating development of a standardized template statement that Providers and Manufacturers may use for this purpose, if they wish.
2. Screen purchase orders for synthetic nucleic acids to identify any sequences of concern (SOCs)
To adhere to this screening framework, a Provider screens purchase orders for synthetic nucleic acids to identify any SOC pursuant to the 2023 HHS Guidance. All nucleotide sequences or corresponding amino acid sequences that are Best Matches to a sequence of federally regulated agents – i.e., the Biological Select Agents and Toxins (BSAT) list or, for international orders, the Commerce Control List (CCL)2 – are SOCs, except when the sequence is identical to a sequence found in an unregulated organism or toxin.3 Synthetic nucleic acids should be screened over each 200 nucleotide window within their sequences for SOCs (see below for changes that will take effect on October 13, 2026).4,5 Providers or Manufacturers conducting this screening may determine which commercial services, open source solutions, or in-house developed algorithms and software systems to use to make this determination. Where available, standards from the National Institute of Standards and Technology (NIST) should be applied to determine that the mechanism used by each entity is sufficient.
To adhere to this screening framework on and after October 13, 2026 (three years after the 2023 HHS Guidance was issued), Providers should implement the following additional practices. First, Providers should reduce the size of the screening window and screen each 50 nucleotide window for SOCs.6 Second, Providers should apply screening methods that detect the potential for shorter nucleotide sequences to be assembled into SOCs when multiple synthetic nucleic acids are ordered by the same customer in a bulk order or in multiple orders over time.7 Third, Providers should make efforts to implement a mechanism to screen additional SOCs known to contribute to pathogenicity or toxicity, even when not derived from or encoding regulated biological agents.8 Providers and Manufacturers conducting screening may determine which commercial services, open-source solutions, or in-house developed algorithms and software systems to use to make this determination, and should undertake efforts to measure the effectiveness of these new screening criteria and improve screening over time. As part of ongoing review and updates to this framework, an OSTP-designated interagency group will assess the scientific state of the art before October 13, 2026 and recommend any updates to this framework if necessary.
The following criteria may inform which sequences should be designated as SOCs:
• Scientific evidence establishing that the sequence contributes to pathogenicity or toxicity in humans and animals.
• Degree to which this sequence is likely to be recognized as a candidate for misuse, based on the extent to which its function is widely known.
• Ease with which this sequence could be misused, for example through de novo assembly of a pathogen or insertion into a backbone.
To adhere to this screening framework on and after October 13, 2026, Manufacturers should integrate into benchtop nucleic acid synthesizers the capability to screen sequences for SOCs, meeting the standards as outlined in the 2023 HHS Guidance. As described in the 2023 HHS Guidance, this level of screening should be on par with the SOC screening best practices recommended for Providers in this framework, including screening against SOC databases, when available, that are updated regularly as new SOCs are identified as a required step before synthesizing the sequence, in a verifiable manner.
Following the release of this framework, NIST will support the development of technical standards10 that will inform an OSTP-designated interagency group that will consider and recommend updates to this framework every two years, or as appropriate. This group will work to provide additional guidance, as needed, to support implementation of an expanded SOC definition prior to October 13, 2026. These updates will be informed by advances in the state of the art including:
• Scientific evidence of sequences contributing to pathogenicity.
• Improvements in ability to identify sequences that are functionally equivalent to SOCs.
• Advances in predictive modeling that allow for assessments of novel or unknown sequences.
• Algorithmic approaches for sequence screening that do not explicitly utilize a pathogen reference database or sequentially evaluate multiple reading frames.
3. Screen customers who submit purchase orders of synthetic nucleic acids with SOCs, and of benchtop nucleic acid synthesis equipment, to verify legitimacy
To adhere to this screening framework, Providers and Manufacturers should assess customer risk by following the 2023 HHS Guidance and industry standard “know your customer” practices.
To adhere to this screening framework, Providers should develop and implement a process to assess the legitimacy of orders that have been identified by the sequence screening protocol as containing a SOC. The legitimacy of an order is determined by verifying the legitimacy of both the individual customer placing the order and their institution.
To adhere to this screening framework, Providers and Manufacturers should confirm the legitimacy of the individual customer by ensuring that the person (or customer) placing an order has no red flags,11 is affiliated with a legitimate institution, and has a legitimate need for using synthetic nucleic acids.
To adhere to this screening framework, Providers and Manufacturers should confirm the legitimacy of the institution by verifying its legal standing and that it has a life sciences oriented mission and purpose, or uses synthetic nucleic acids for other relevant applications,12 and ensuring there are no red flags.
To adhere to this screening framework, at a minimum, Providers should include a field or mechanism in their ordering system where customers can self-identify that an order contains a SOC. When an order does contain a SOC, Providers should also include a mechanism for customers to provide information that will be useful for verifying the customer’s legitimacy.14 In addition, Providers should ask customers if they are the end user for the SOCs or if the order will be passed along to a third party(s), in which case the legitimacy of the third party(s) should also be assessed.
To adhere to this screening framework, Manufacturers should develop and implement a process to assess the legitimacy of orders for their equipment, such as through verified user accounts. As stated above, the legitimacy of an order is determined by verifying the legitimacy of both the individual customer placing the order and their institution—which should include verification that the institution will cooperate in ensuring that benchtop synthesizers are only accessed by legitimate end users. Manufacturers should implement mechanisms to track legitimate use of their equipment, including when it is potentially transferred to a new user during the lifecycle of this equipment. Ensuring that benchtop nucleic acid synthesis equipment is only sold to legitimate customers and end users in this context also includes ensuring that proprietary and sole-use reagents for their benchtop synthesizers15 are only sold to legitimate customers and end users, even if they were not screened for legitimacy when initially obtaining their benchtop nucleic acid synthesizer (e.g., if they acquired their equipment prior to the time this framework comes into effect).
4. Report potentially illegitimate purchase orders of synthetic nucleic acids involving SOCs or of benchtop nucleic acid synthesis equipment
To adhere to this screening framework, Providers and Manufacturers should develop criteria to determine when not to fill an order, based on this framework and as informed by the results of sequence and/or customer screening. In such cases, Providers and Manufacturers should follow the 2023 HHS Guidance and report flagged orders to relevant authorities, including, where appropriate, to an FBI Field Office. There are 56 FBI Field Offices across the United States and Puerto Rico. Each FBI Field Office has a WMD Coordinator. Providers can identify FBI Field Offices using the above link. Flagged orders can be reported to a Field Office or through FBI’s general hotline for reporting suspicious WMD-related activity, 855-TELL-FBI (855-835-5324). Providers and Manufacturers may contact the WMD Coordinator at their respective Field Office to establish a relationship even before a flagged order occurs.
In cases where Providers and Manufacturers suspect that customers may be attempting to violate federal export control laws, Providers and Manufacturers are encouraged to report such violations to the U.S. Department of Commerce Bureau of Industry and Security through its website or by calling the Enforcement Hotline at 800-424-2980. Cyber incidents can be reported to the Cybersecurity and Infrastructure Security Agency of the U.S. Department of Homeland Security under the Cyber Incident Reporting for Critical Infrastructure Act.
5. Retain records relating to purchase orders for synthetic nucleic acids and benchtop nucleic acid synthesis equipment
To adhere to this screening framework, Providers and Manufacturers should follow the 2023 HHS Guidance and retain for at least three years all screening records, including flagged orders; customer screening interactions, including when the orders were deemed acceptable; documentation of further action taken in response to flagged orders; and rationale for decisions about the legitimacy of customers whose orders were flagged, including where orders contained SOCs. Retained records may help identify attempts to order components of SOCs from multiple entities for reassembly, and to support industry-wide collaborations to identify such orders. Such efforts may become part of future adherence standards.
6. Take steps to ensure cybersecurity and information security
To adhere to this screening framework, Providers and Manufacturers should follow the practices outlined in the 2023 HHS Guidance regarding cybersecurity, information security, and securing SOC databases. As part of screening protocols, Providers and Manufacturers may consult internally or externally developed SOC databases. SOC databases compiling sequences that have been experimentally determined to contribute to pathogenicity or toxicity from unregulated agents may pose potential biosecurity risks, including from entities with malign intent that may attempt to exfiltrate data for illicit purposes. Therefore, Providers and Manufacturers that develop or maintain a SOC database with information on sequences from unregulated agents or that aggregate information that could pose biosecurity risks should implement appropriate cybersecurity safeguards to protect the information in it, both in transit and at rest, consistent with relevant cybersecurity Executive Orders, standards, and frameworks.16,17,18,19,20
To adhere to this screening framework, Providers and Manufacturers should also take appropriate measures to protect their customers’ identities and proprietary information.21 In addition, it is recommended that Providers and Manufacturers closely examine the security of their supply chains, following NIST SP 800-161.
To adhere to this screening framework, Providers and Manufacturers that suspect they have been the victim of a network intrusion, data breach, or ransomware attack should contact their FBI Field Office, per instructions given above.
To adhere to this screening framework, Manufacturers should design their benchtop nucleic acid synthesis equipment with security and safety in mind. Manufacturers are encouraged to adhere to the Cybersecurity and Infrastructure Security Agency’s Secure by Design principles, which are intended to encourage the design and manufacturing of products that reasonably protect against exploitation of product defects.22
VI. UPDATING THE SCREENING FRAMEWORK
This screening framework will be updated based on advances in technologies and screening mechanisms. OSTP will continue to explore additional ways to promote consistent screening practices and verification mechanisms, including through the use of independent audits, and will update this framework as necessary.