Screening Framework Guidance for Providers and Users of Synthetic Nucleic Acids

Issuing agencies

Abstract

The Administration for Strategic Preparedness and Response is issuing this screening framework guidance, which sets forth baseline standards for the gene and genome synthesis industry, as well as best practices for all entities involved in the provision, use, and transfer of synthetic nucleic acids, regarding screening orders and recipients and maintaining records. In addition, this guidance seeks to encourage best practices to address biosecurity concerns associated with the potential misuse of synthetic nucleic acids in order to bypass existing regulatory controls and commit unlawful acts.

Full Text

<html>
<head>
<title>Federal Register, Volume 88 Issue 197 (Friday, October 13, 2023)</title>
</head>
<body><pre>
[Federal Register Volume 88, Number 197 (Friday, October 13, 2023)]
[Notices]
[Pages 70998-71003]
From the Federal Register Online via the Government Publishing Office [<a href="http://www.gpo.gov">www.gpo.gov</a>]
[FR Doc No: 2023-22540]


-----------------------------------------------------------------------

DEPARTMENT OF HEALTH AND HUMAN SERVICES


Screening Framework Guidance for Providers and Users of Synthetic 
Nucleic Acids

AGENCY: Administration for Strategic Preparedness and Response (ASPR), 
Department of Health and Human Services (HHS).

ACTION: Notice.

-----------------------------------------------------------------------

SUMMARY: The Administration for Strategic Preparedness and Response is 
issuing this screening framework guidance, which sets forth baseline 
standards for the gene and genome synthesis industry, as well as best 
practices for all entities involved in the provision, use, and transfer 
of synthetic nucleic acids, regarding screening orders and recipients 
and maintaining records. In addition, this guidance seeks to encourage 
best practices to address biosecurity concerns associated with the 
potential misuse of synthetic nucleic acids in order to bypass existing 
regulatory controls and commit unlawful acts.

FOR FURTHER INFORMATION CONTACT: C. Matthew Sharkey, Administration for 
Strategic Preparedness and Response, Department of Health and Human 
Services, 400 7th St. SW, Washington, DC 20024; 202-868-9224, 
<a href="/cdn-cgi/l/email-protection#7d0e041319131c1a0814191c131e183d15150e531a120b"><span class="__cf_email__" data-cfemail="4e3d37202a202f293b272a2f202d2b0e26263d60292138">[email&#160;protected]</span></a>.

SUPPLEMENTARY INFORMATION: A request for public comments on the issues 
covered in this Notice was published in the Federal Register (85 FR 
52611 [Aug. 26, 2020]; 85 FR 69630 [Nov. 3, 2020], Review and Revision 
of the Screening Framework Guidance for Providers of Synthetic Double-
Stranded DNA) with a comment period of more than 120 days. Following 
consideration of the comments received in response to this Notice, HHS 
issued proposed draft revised guidance as a Federal Register Notice (87 
FR 25495 [Apr. 29, 2022], Screening Framework Guidance for Providers 
and Users of Synthetic Oligonucleotides) and solicited additional 
comments for a period of 60 days. This Guidance was drafted through a 
deliberative interagency process to address the topics raised in public 
comments received in response to these prior Notices as well as other 
considerations. Responses received from these prior Notices and 
summaries of updates contained in this Guidance are available for 
public review at the following website <a href="https://aspr.hhs.gov/legal/synna">https://aspr.hhs.gov/legal/synna</a>.

Screening Framework Guidance for Providers and Users of Synthetic 
Nucleic Acids

I. Introduction

    Synthetic biology is an interdisciplinary field that focuses on the 
design and fabrication of novel biological components and systems as 
well as the redesign and fabrication of existing biological systems. 
Modern biotechnologies have made the conversion of different types of 
nucleic acids possible (e.g., RNA to DNA), and longer genomic sequences 
can now be constructed from very short nucleic acids with higher 
fidelity. Additionally, synthetic biology is not limited to naturally 
derived genetic material. Thus, this scientific field has the potential 
to generate existing or novel components, systems, or organisms 
directly, using only genetic sequence data.
    Advances in nucleic acid synthesis technology and the open-source 
availability of genetic sequence data have significantly contributed to 
discovery and innovation in areas such as health and agriculture 
research and development. However, there are concerns among the 
scientific community, the nucleic acid synthesis industry, the U.S. 
government, and the public that individuals with ill intent could 
exploit biotechnology for harmful purposes. The U.S. government has 
acted to minimize risks to public health, agriculture, plants, animals, 
animal or plant products, and the environment due to biological 
pathogens and toxins. For instance, it has issued the Federal Select 
Agent Regulations, which regulate a subset of microbial organisms and 
toxins determined to have the potential to pose a severe threat to 
public health and safety, animal health, plant health, animal or plant 
products, or the environment. These regulations are administered 
jointly by the CDC, Division of Select Agents and Toxins and the Animal 
and Plant Health Inspection Service, Division of Agricultural Select 
Agents and Toxins, through the Federal Select Agent Program (FSAP),\1\ 
which sets forth requirements for the possession, use, and transfer of 
biological select agents and toxins. A second layer of regulation is 
provided by the Bureau of Industry and Security (BIS) Export 
Administration Regulations' Commerce Control List (CCL),\2\ which 
identifies agents and genetic sequences that require licenses before 
export from the United States. However, these regulated pathogens and 
toxins do not represent the entirety of the potential risks to public 
health, agriculture, plants, animals, animal or plant products, or the 
environment that could arise from the misuse of synthetic nucleic 
acids. Non-regulated pathogens and toxins, as well as other novel types 
of nucleic acid sequences, may also pose significant risks if they are 
misused. To minimize these risks, a shift is needed from relying solely 
on lists of regulated pathogens and toxins to also assessing the risks 
associated with other nucleic acid sequences that may contribute to 
pathogenicity or harm if introduced into new genetic frameworks (i.e., 
Sequences of Concern [SOCs]). Also, modern molecular biological 
techniques allow the conversion between different types of nucleic 
acids (e.g., RNA to DNA, and

[[Page 70999]]

vice versa), so it has become necessary to treat all types of synthetic 
genetic materials with equal care. Additionally, benchtop nucleic acid 
synthesis equipment is increasingly common in modern laboratories, 
which changes the commercial landscape for synthetic nucleic acids. 
These advances and others motivated the U.S. government to review and 
revise the 2010 Screening Framework Guidance for Providers of Synthetic 
Double-Stranded DNA.\3\
---------------------------------------------------------------------------

    \1\ <a href="https://www.selectagents.gov/sat/list.htm">https://www.selectagents.gov/sat/list.htm</a>.
    \2\ <a href="https://www.bis.doc.gov/index.php/regulations/commerce-control-list-ccl">https://www.bis.doc.gov/index.php/regulations/commerce-control-list-ccl</a>.
    \3\ 75 FR 62820 (Oct. 13, 2010).
---------------------------------------------------------------------------

    Individuals with no legitimate, bona fide, and peaceful purpose 
should be prevented from accessing genetic materials that could 
contribute to pathogenicity or toxicity, even when those materials do 
not contain sequences from FSAP- or CCL-listed pathogens or toxins, and 
nucleic acid synthesis equipment. Purchasing or synthesizing nucleic 
acids could enable individuals without a legitimate and peaceful 
purpose to possess genetic material that would pose risks if misused. 
Synthetic nucleic acids ordered from Providers can be used to 
synthesize pathogens de novo or may be used to modify non-pathogenic 
strains or create higher risk pathogens or toxins. Nucleic acid 
synthesis has removed the need to directly access the naturally 
occurring agents or naturally occurring genetic material from these 
agents for those who may wish to do harm with them. The potential 
availability of high-risk agents has thereby been greatly expanded due 
to this changing commercial landscape. The Screening Framework Guidance 
for Providers and Users of Synthetic Nucleic Acids (Guidance) reaffirms 
the recommendation to screen for genetic sequences from regulated 
organisms and toxins but also recognizes that screening should evolve 
to encompass all sequences that are recognized to contribute to 
pathogenicity or toxicity as information regarding these sequences and 
their verified functions and improved screening methods become 
available (or as feasible).
    This Guidance is intended to assist all entities involved in the 
provision and use of synthetic nucleic acids in establishing and 
operating a screening framework for synthetic nucleic acid orders, 
including mechanisms to identify sequences designed to circumvent lists 
of regulated organisms or toxins or sequences that are not Best Matches 
to any sequences in GenBank.\4\ This Guidance sets forth recommended 
baseline standards for the nucleic acid synthesis industry (Providers) 
and for Manufacturers of benchtop nucleic acid synthesis devices, as 
well as best practices for Customers of synthetic nucleic acids (i.e., 
institutions, Principal Users, End Users, and Third-Party Vendors) 
regarding screening orders for SOCs. In addition, this Guidance seeks 
to encourage best practices to address biosecurity concerns associated 
with the potential misuse of synthetic nucleic acids to bypass existing 
regulatory controls.
---------------------------------------------------------------------------

    \4\ <a href="https://www.ncbi.nlm.nih.gov/genbank/">https://www.ncbi.nlm.nih.gov/genbank/</a>.
---------------------------------------------------------------------------

    This Guidance recommends that (1) upon receiving an order for 
synthetic nucleic acids, Providers and Third-Party Vendors perform 
sequence screening, verify the identity of their Customers, and follow 
up to verify the legitimacy of the order when SOCs are identified; (2) 
institutions, Third-Party Vendors, Principal Users, and End Users keep 
records of synthetic nucleic acid orders containing SOCs; (3) 
institutions and/or Principal Users record any transfers involving 
synthetic nucleic acids containing SOCs beyond the Principal User and 
manage those transfers responsibly to limit the possibility of misuse; 
and (4) Manufacturers only distribute equipment capable of synthesizing 
nucleic acids containing SOCs to Customers whose legitimacy has been 
verified and implement mechanisms to track legitimate use of their 
equipment.
    If sequence screening identifies SOCs, Providers should perform 
further validation steps and follow-up screening of the Customer to 
verify the legitimacy of the order. Open communication between 
Customers and Providers will facilitate the screening and validation of 
orders that contain SOCs. Institutions, Principal Users, or End Users 
are best positioned to know if they are ordering SOCs and are 
encouraged to provide information with their order to preemptively 
demonstrate legitimacy of the order when they are aware that it 
contains SOCs. Providers can facilitate this information-sharing by 
including a mechanism for self-reporting and verification of legitimacy 
in their ordering process. If follow-up screening does not resolve 
concerns about the order, or if there is reason to believe a customer 
may intentionally or inadvertently violate U.S. laws or regulations, 
Providers should not fulfill the order and should contact designated 
entities within the U.S. government (i.e., U.S. Department of Commerce, 
Federal Bureau of Investigation [FBI]) for further information and 
assistance.
    This Guidance also provides recommendations regarding proper 
records retention protocols and sequence screening methodologies. 
Additionally, this Guidance recommends that institutions, Principal 
Users, and End Users develop and follow best practices in biosafety, 
biosecurity, and responsible conduct regarding the possession, use, and 
transfer of SOCs. Institutional policies and procedures already in 
place for safe possession, use, and transfer of these materials, as 
well as federal and international guidance, such as HHS's Centers for 
Disease Control and Prevention (CDC) and National Institutes of 
Health's Biosafety in Microbiological & Biomedical Laboratories 
(BMBL),\5\ the World Health Organization's Laboratory Biosafety 
Manual,\6\ and Global Guidance Framework for the Responsible Use of the 
Life Sciences: Mitigating Biorisks and Governing Dual-Use Research \7\ 
should be used wherever possible to complement the measures suggested 
in this Guidance to maximize safe and secure practices while seeking to 
minimize the burden on legitimate life science research.
---------------------------------------------------------------------------

    \5\ <a href="https://www.cdc.gov/labs/BMBL.html">https://www.cdc.gov/labs/BMBL.html</a>.
    \6\ <a href="https://www.who.int/publications/i/item/9789240011311">https://www.who.int/publications/i/item/9789240011311</a>.
    \7\ <a href="https://www.who.int/publications/i/item/9789240056107">https://www.who.int/publications/i/item/9789240056107</a>.
---------------------------------------------------------------------------

II. Definitions

    The following definitions are applicable for the purpose of this 
Guidance:
    Customer: The individual or entity (such as an institution) that 
orders or requests synthetic nucleic acids from a Provider, or that 
purchases synthesis equipment from a Manufacturer.
    Principal User: The individual who originates an order or request 
for synthetic nucleic acids or synthesizes nucleic acids and oversees 
the use of ordered or synthesized nucleic acids in the laboratory. The 
Principal User may also be the End User.
    End User: The individual who possesses and uses synthetic nucleic 
acids that they have received from a Customer, Principal User, or 
another End User.
    Provider: The entity that synthesizes and distributes synthetic 
nucleic acids to a customer. A Provider is understood to be 
synthesizing nucleic acids as a transactional service, rather than a 
research scientist collaborating with a colleague (for such transfers 
between collaborators, see End User in this section of the Guidance).
    Third-Party Vendor: An entity that orders synthetic nucleic acids 
from Providers and sells them or their constructs, with or without 
reformulation, or resells benchtop equipment for synthesizing nucleic 
acids.

[[Page 71000]]

    Manufacturer: An entity that produces and sells benchtop equipment 
for synthesizing nucleic acids. Manufacturers may provide equipment to 
individuals, entities, Principal Users, or Third-Party Vendors.
    Sequence of Concern (SOC): A nucleotide sequence that is a Best 
Match (see the SEQUENCE SCREENING METHODOLOGY section of this Guidance) 
to a sequence of federally regulated agents (i.e., the Biological 
Select Agents and Toxins List, or the CCL), except when the sequence is 
also found in an unregulated organism or toxin. As soon as it is 
practical to do so, it is also recommended that sequences known to 
contribute to pathogenicity or toxicity, even when not derived from or 
encoding regulated biological agents, be treated as SOCs.\8\ Follow-up 
customer screening to verify legitimacy should take place when a SOC is 
identified (see Verifying Legitimacy in this section of the 
Guidance).\9\
---------------------------------------------------------------------------

    \8\ Pathogenicity or toxicity that threatens public health, 
agriculture, plants, animals, animal or plant products, or the 
environment. SOCs include sequences for which a direct and harmful 
impact on a host has been verified based on published experimental 
data; and, where experimental data do not exist, based on homology 
to a sequence encoding a verified function.
    \9\ Organizations should define and document their criteria for 
determining whether a sequence is of concern. In order to ensure 
compliance with the FSAP and CCL regulations, sequences of concern 
should include sequences derived from their listed agents--except 
when they are also found in unregulated agents.
---------------------------------------------------------------------------

    Synthetic Nucleic Acids Subject to Screening: At a minimum, DNA or 
RNA, single- or double-stranded, 200 nucleotides (nt) or longer should 
be screened for SOCs. This Guidance recommends that this length for 
screening be decreased to 50 nt within three years of the issuance of 
the Guidance, and that all entities consider the potential for shorter 
nucleotides to be assembled into SOCs when multiple synthetic nucleic 
acids are ordered by the same Customer in a bulk order or for multiple 
orders over time (see the SEQUENCE SCREENING METHODOLOGY section of 
this Guidance).
    Benchtop Nucleic Acid Synthesis Equipment: Benchtop nucleic acid 
synthesis equipment sold by Manufacturers that is intended to be used 
to synthesize nucleic acids for use within a research laboratory or 
within an institution. While this nucleic acid synthesis equipment may 
not be small enough to be placed on a benchtop (e.g., it sits on the 
laboratory floor), it is still considered benchtop equipment if it is 
sold with the intent that it will be used by researchers individually 
or in a core facility in an institution.
    Verifying Legitimacy: Review of information that would allow 
Providers, Manufacturers, Principal Users, or End Users to authenticate 
the recipient of synthetic nucleic acids containing SOCs or benchtop 
nucleic acid synthesis equipment as a legitimate member of the 
scientific community. Information such as proposed end-use of the 
order, institutional or corporate affiliation (if applicable), the name 
of a biosafety officer (if available), documentation of internal review 
and approval of the research, evidence provided by the recipient's 
Responsible Official that the recipient is registered with FSAP \1\ or 
Statement by Ultimate Consignee and Purchaser (i.e., a completed BIS-
711 form \10\) (if applicable), or other evidence of a legitimate 
research or training program (e.g., publication history, researcher 
persistent identifiers such as Open Researcher and Contributor 
Identifier [ORCID],\11\ business licenses, grant numbers, research 
plan) or other legitimate use (e.g., diagnostic test development or 
manufacture) may be helpful for such verification. In Verifying 
Legitimacy, providers should avoid the violation of personal privacy. 
Providers should focus on professional not personal information, except 
for personal information that is necessary to establish a unique 
individual user identity to authenticate each recipient.
---------------------------------------------------------------------------

    \10\ <a href="https://www.bis.doc.gov/index.php/documents/just-licensing-forms/803-bis-711-statement-by-ultimate-consignee-and-purchaser-1/file">https://www.bis.doc.gov/index.php/documents/just-licensing-forms/803-bis-711-statement-by-ultimate-consignee-and-purchaser-1/file</a>.
    \11\ Open Researcher and Contributor Identifier (<a href="https://orcid.org/">https://orcid.org/</a>).
---------------------------------------------------------------------------

III. Goals and Scope of the Guidance

    Goals: This Guidance has three parallel goals. A primary goal is to 
minimize the risk that individuals without a legitimate need or 
individuals with malicious intent will use nucleic acid synthesis 
technologies to obtain organisms for which possession, use, and 
transfer is regulated by FSAP and CCL.<SUP>1 2</SUP> Another goal is to 
limit the potential for individuals with malicious intent to use 
synthetic nucleic acids to create high-risk pathogens or toxins using 
nucleic acid sequences from unregulated organisms. A third goal is to 
minimize disruption of legitimate research, commerce, and educational 
activities.
    Scope: The Guidance pertains to the sale or transfer of all types 
of synthetic nucleic acids, i.e., DNA and RNA, whether single- or 
double-stranded. The Guidance recommends that Providers develop and/or 
consult a database of known SOCs to determine if the purchase or 
transfer includes SOCs. It also recommends methods that aim to ensure 
the legitimacy of Customers, Principal Users, and End Users of 
synthetic nucleic acids. The Guidance also aims to ensure that entities 
maintain records of transfers for synthetic nucleic acids containing 
SOCs.
    The Guidance was developed to align with Providers' and Customers' 
existing protocols and business practices, to be implemented without 
unnecessary cost, and to minimize any negative impacts on the conduct 
of research and business operations. Where practical to do so, entities 
can use existing business practices to verify the legitimacy of 
Principal Users and End Users and to track the transfer of materials 
containing SOCs. Many Providers have already instituted measures to 
address these concerns. The ongoing development of best practices in 
this area is commendable and encouraged, particularly considering the 
continued advances in nucleic acid sequencing and synthesis 
technologies.

IV. Recommendations for Providers, Users, Institutions, and 
Manufacturers

    This Guidance encourages the establishment of mechanisms that aim 
to ensure that Customers, Principal Users, and End Users ordering SOCs 
are legitimate. It also recommends that Manufacturers install 
safeguards in nucleic acid synthesis equipment that aim to ensure only 
legitimate Customers can synthesize SOCs. This Guidance encourages 
entities transferring synthetic nucleic acids containing SOCs (i.e., 
the Third-Party Vendor, Principal User, End User, or institution) to 
know to whom they are transferring and to conduct screening to verify 
that the recipients have a legitimate, bona fide, and peaceful purpose 
to use the synthetic nucleic acids. This Guidance recommends that the 
Customers who place these orders use responsible business practices to 
maintain records of transfers.
    Principal Users and End Users are best positioned to understand the 
nature of their synthetic nucleic acids and oversee and shepherd their 
responsible use. Principal Users and End Users may also transfer these 
synthetic nucleic acids to other End Users, such as colleagues, and 
certain recommendations are made for this case in this Guidance. 
Principal Users and End Users are encouraged to streamline the 
screening of their synthetic nucleic acid orders by providing 
verification of their legitimacy to Providers and Third-Party Vendors, 
if they know that their order contains SOCs.

[[Page 71001]]

    Information described in the Verifying Legitimacy definition will 
be helpful to the Provider or Third-Party Vendor of the synthetic 
nucleic acids in Verifying Legitimacy. Preemptively providing this 
information is likely to limit the time and expense for Providers in 
fulfilling these orders in a manner that ensures safety and security.
    Providers and Third-Party Vendors of synthetic nucleic acids are 
encouraged to do the following in this context:
    <bullet> Know and document to whom they are distributing a product.
    <bullet> Know if the product that they are synthesizing and/or 
distributing contains identified SOCs.
    <bullet> Notify Customers and Principal Users when their order 
contains SOCs.
    <bullet> Implement adequate security and cybersecurity measures to 
protect the intellectual property and identity of Customers.\12\
---------------------------------------------------------------------------

    \12\ Providers and Third-Party Vendors are encouraged to follow 
the ISA/IEC 27032:2012 & ISO/IEC 62443 standards for cybersecurity 
and information security.
---------------------------------------------------------------------------

    <bullet> Do not fulfill the order and report an order to the FBI 
when follow-up screening does not resolve concerns.
    <bullet> Archive the following information for orders containing 
SOCs for at least three years: Customer information (point-of-contact 
name, organization, address, email, and phone number), order sequence 
information (nucleotide sequences ordered, vector used), and order 
information (date placed and shipped, shipping address, receiver name). 
Archive this information for longer (e.g., eight years) if it does not 
pose an undue burden on business operations.
    Customers, Principal Users, and End Users of synthetic nucleic 
acids are encouraged to develop best practices in five main areas in 
this context:
    <bullet> Customers, Principal Users, and End Users who know that 
their synthetic nucleic acid order contains SOCs are encouraged to 
preemptively provide information that will assist the Provider or 
Third-Party Vendor in verifying their legitimacy.
    <bullet> Customers, Principal Users, and End Users are encouraged 
to only transfer synthetic nucleic acids containing SOCs to verified 
individuals with a legitimate use for these synthetic nucleic acids.
    <bullet> Customers, Principal Users, and End Users are also 
encouraged to maintain records of these transfers and to communicate 
them to their biosafety officer, or equivalent, using the responsible 
business practices in place in their organizations.
    <bullet> Principal Users and End Users are encouraged to record 
transfers of synthetic nucleic acids containing SOCs to any other 
individuals not listed in the original order through a Material 
Transfer Agreement (MTA), a contract that governs the transfer of 
materials between entities for use in research, or another sample 
tracking process. Principal Users, End Users, and institutions are 
encouraged to retain records of SOC transfers for at least three years, 
or longer (e.g., eight years) if it does not pose an undue burden on 
their operations. Business practices already in place at institutions 
may be used to fulfill this recommendation.
    <bullet> Institutions with in-house nucleic acid synthesis 
capabilities, including synthesis equipment, are also encouraged to 
apply these recommendations for use or transfers of synthetic nucleic 
acids containing SOCs.
    Manufacturers of benchtop nucleic acid synthesis equipment, 
Customers using the equipment, and institutions where the equipment is 
used are encouraged to consider these areas for developing best 
practices:
    <bullet> Manufacturers should screen all Customers purchasing 
benchtop nucleic acid synthesizers to validate customer legitimacy and 
that the equipment is appropriate for their needs. Manufacturers should 
only provide nucleic acid synthesizers to Customers that have 
mechanisms in place that aim to ensure that the devices are only 
operated by legitimate users.
    <bullet> Institutions should aim to ensure, as soon as it is 
possible to do so, that benchtop nucleic acid synthesizers--including 
those that were acquired prior to this Guidance--are only accessed by 
users with a legitimate need, such as through validated user accounts. 
If this equipment is housed in a core facility for an institution, or 
in other cases when the equipment is being operated by an authorized 
user on the behalf of another individual, then the institution should 
aim to ensure that the legitimacy of the individual receiving any 
synthetic nucleic acids containing SOCs from the authorized user or 
core facility is also verified. If misuse or unauthorized access to 
benchtop nucleic acid synthesizers with the intent of obtaining SOCs is 
suspected, institutions should notify their FBI Field Office Weapons of 
Mass Destruction (WMD) Coordinator.
    <bullet> Manufacturers whose benchtop nucleic acid synthesizers 
require the use of proprietary and sole-use reagents (i.e., reagents 
that can only be obtained from the manufacturer of their devices and do 
not have common applications other than the operation of their devices) 
should screen Customers purchasing those reagents to verify their 
legitimacy, even when they were not screened when obtaining their 
nucleic acid synthesizer (i.e., when they acquired their device prior 
to the issuance of this Guidance).
    <bullet> Manufacturers and their Customers should implement 
mechanisms to track legitimate use of their equipment, including when 
it is potentially transferred to a new Principal User or End User 
during the lifecycle of these equipment (see the definition of 
Verifying Legitimacy for criteria to verify the legitimacy of a User). 
Manufacturers may use methods not prescribed within this Guidance to 
achieve this recommendation, such as by having a closed loop system in 
which operation of their devices relies upon obtaining reagents only 
available from the Manufacturers (who establish the legitimacy of 
Customers whenever they obtain these reagents), asking Customers to 
report the transfer of their benchtop synthesizers to new users, or 
requiring new user accounts to be verified by the Manufacturer as 
legitimate.
    <bullet> Manufacturers should integrate into benchtop nucleic acid 
synthesizers the capability to screen sequences for SOCs and to 
authenticate legitimate users. This level of screening should be on par 
with the SOC screening best practices recommended for Providers in this 
Guidance, including screening against SOC databases, when available, 
that are updated regularly as new SOCs are identified as a required 
step before synthesizing the sequence, in a verifiable manner.\13\ 
Manufacturers should implement this recommendation using measures that 
ensure cybersecurity considerations are addressed to guard against 
malign use and to protect both the intellectual property and identity 
of users.\14\
---------------------------------------------------------------------------

    \13\ Here, verifiability means the ability to confirm that: 
every prospective sequence has been screened for SOCs against an up-
to-date database, and screening is up to date and performant; when 
users input sequences of concern, this is flagged and reported in 
real time; and attempts to tamper with the device to avoid screening 
are flagged and reported in real time.
    \14\ Manufacturers are encouraged to follow the ISO/IEC 
27032:2012 & ISO ISA/IEC 62443 standards for cybersecurity and 
information security.
---------------------------------------------------------------------------

    <bullet> Manufacturers should not store databases of SOCs that 
include sequences from unregulated pathogens or toxins on the device 
itself in an unencrypted manner or a manner that could allow users to 
extract the database. The aggregation of all sequences that contribute 
to pathogenicity or toxicity poses a biosecurity risk that may endanger 
public health, agriculture, plants, animals, animal or plant products, 
or

[[Page 71002]]

the environment if disclosed to entities or individuals with malintent.
    <bullet> Manufacturers should consider using cryptographic methods 
of screening that protect the contents of the order from disclosure.
    <bullet> Manufacturers are encouraged to include mechanisms to 
ensure the integrity of the synthesis process to prevent circumvention 
of the SOC screening methodology through physical or logical 
manipulation of the devices or reagents.
    <bullet> Manufacturers are also encouraged to include a data 
logging function to maintain a record of the nucleic acids synthesized 
on their equipment.
    <bullet> Manufacturers are encouraged to formulate a reference 
architecture prescribing guidance for the secure implementation, 
configuration, and operation of devices.

V. Sequence Screening Methodology

    Providers should screen orders to determine whether they contain 
SOCs. Appropriate sequence screening software should be selected by 
Providers of synthetic nucleic acids. This Guidance recommends that 
Providers use either Best Match with a local sequence alignment 
technique (such as the Basic Local Alignment Search Tool [BLAST] family 
of tools \15\) or another screening approach that they assess to be 
equivalent or superior to the Best Match approach. Providers are 
encouraged to determine whether synthetic nucleic acid orders contain 
sequences that are Best Matches over the appropriate windows to any 
SOC. By using the Best Match approach, the sequence with the greatest 
percent identity over each 66 amino acid or 200 nt window (or within 
three years of the publication of this Guidance, over each 16 amino 
acid or 50 nt window), in all six reading frames, should be considered 
the Best Match, regardless of the statistical significance or percent 
identity. The Best Match approach is intended to minimize the number of 
sequence hits due to sequences that are shared among both SOCs and non-
SOCs.
---------------------------------------------------------------------------

    \15\ <a href="https://blast.ncbi.nlm.nih.gov/Blast.cgi">https://blast.ncbi.nlm.nih.gov/Blast.cgi</a>.
---------------------------------------------------------------------------

    Some synthetic nucleic acid orders may be appropriate for screening 
even if all components of the order are nucleic acids shorter than the 
screening window length. In some cases, orders of short nucleic acids 
may be intended to construct longer nucleic acids that themselves may 
constitute SOCs. To minimize the risk of this scenario, this Guidance 
encourages screening all sequences ordered by an individual customer, 
using a short sequence alignment software package. If the resulting 
ungapped alignment of any constituents of a customer's order is a Best 
Match to any SOC, and if these sequences are constructed to allow their 
ligation to form these SOCs (i.e., overlaps are present to support the 
construction of a larger nucleic acid, which itself is a SOC), 
Providers should consider those orders as containing SOCs and perform 
standard follow-up Customer screening to establish legitimacy (see 
Verifying Legitimacy in the DEFINITIONS section of the Guidance).
    These sequence screening recommendations do not preclude the use by 
Providers of a curated database of sequences that may directly 
contribute to pathogenicity or toxicity to identify SOCs. This Guidance 
recognizes that a database of known sequences that contribute to 
pathogenicity and toxicity in humans, animals, and plants, and that 
have a direct and harmful impact on a host, may not yet exist or may 
not yet be fully developed and encourages industry consortia and/or any 
other interested parties in the continued development of such a 
database for screening SOCs--provided that measures are taken to 
prevent such a database from being misused. These measures should 
include establishing a security office, security protocols, and a 
personnel reliability program--based on a risk assessment--to guide 
selection, implementation, and monitoring of cybersecurity and 
information security capabilities and protection. These measures should 
aim to ensure database confidentiality and integrity (including user 
access controls and sequence encryption, both in transit and at rest) 
and compliance with applicable laws such that data on SOCs are 
protected against unauthorized access, exfiltration, or other use. 
Providers may also choose to use other screening approaches that they 
assess to be equivalent or superior to the Best Match approach or 
supplement it, including a customized database or approaches that 
evaluate the biological risk associated with sequences from unregulated 
agents (i.e., not FSAP- or CCL-listed pathogens or toxins). This 
Guidance encourages the continued development of best practices to 
address risks associated with nucleic acid synthesis technologies.
    Providers, Third-Party Vendors, and professional consortia are 
encouraged to develop secure mechanisms--designed to respect privacy, 
security, commercial, intellectual property, and other concerns--to 
detect SOCs that may be broken up among multiple Providers or Vendors, 
or among multiple orders at a single Provider or Vendor over a period 
of time, to evade screening.
    In addition, Providers may wish to consider developing solutions 
for determining which sequences from pathogens should not cause concern 
(i.e., pass list of genes that pose no pathogenic or toxicity risk).

VI. Customer Screening

    In addition to verifying the Customer identity for all orders, 
Verifying Legitimacy of Customers and Users is recommended when orders 
contain SOCs, and for orders of nucleic acid synthesis equipment. 
Customers and Users are encouraged to streamline the Customer screening 
process by providing verification of their legitimacy when submitting 
an order containing SOCs. Information described in the definition of 
Verifying Legitimacy may be helpful for such verification (See also Red 
Flags for Verifying Legitimacy in the Companion Guide to Assist in 
Implementing the Recommendations of the Screening Framework Guidance 
for Providers and Users of Synthetic Nucleic Acids).
    This Guidance encourages Customers and Principal Users to also 
Verify Legitimacy of End Users receiving SOCs. Records of such 
verification and transfer can be created and maintained by using 
business practices that document such transfers (e.g., MTAs). The 
Principal User is best positioned to determine the legitimacy of any 
End User to whom SOCs are transferred. Keeping a record of such 
transfers should not cause undue burden on the essential research 
carried out across the biotechnology enterprise and may therefore 
entail only a minor adaptation of responsible business practices 
already in place. This Guidance does not include recommendations for 
reporting transfers to new End Users back to the original Provider. It 
would be sufficient for each Principal User or End User transferring 
the materials to verify the legitimacy of the recipient during each 
transfer and for all parties to retain a record of it for at least 
three years, and longer (e.g., eight years) if this does not pose an 
undue burden on their operations.
    Providers should be aware of regulatory and statutory prohibitions 
related to U.S. persons dealing with certain foreign persons, entities, 
and companies. Providers are encouraged to check the Customer against 
the International Trade Administration consolidated list of individuals 
and entities for which the U.S. government maintains restrictions on 
certain exports, re-exports, or transfers of

[[Page 71003]]

items.\16\ In the event that a company, entity, or person on the list 
appears to match that of a customer or other recipient, additional due 
diligence should be conducted before proceeding. There may be a strict 
export prohibition, a requirement for seeking a license application, or 
other evaluation of the Customer or other recipient necessary to ensure 
it does not result in an activity prohibited by any U.S. export 
regulations, or other restrictions. Before fulfilling the order, to 
ensure full compliance with all the terms and conditions of the 
restrictions placed on the parties on this list, the Provider must 
check the official publication of restricted parties in the Federal 
Register.
---------------------------------------------------------------------------

    \16\ <a href="https://www.trade.gov/consolidated-screening-list">https://www.trade.gov/consolidated-screening-list</a>.
---------------------------------------------------------------------------

VII. Following Up With the U.S. Government in Cases Where Malintent is 
Suspected by Providers, Third-Party Vendors, or Manufacturers

    If sequence or Customer screening raises concerns that are not 
alleviated through follow-up screening, Providers, Third-Party Vendors, 
and Manufacturers should not fulfill the order and are strongly 
encouraged to contact their nearest FBI Field Office's WMD Coordinator. 
Institutions are encouraged to work with their Principal Users and End 
Users to help them understand that only individuals with legitimate, 
bona fide, and peaceful purpose should obtain synthetic nucleic acids 
containing SOCs.

VIII. Records Retention

    The Guidance recommends that Providers, Third-Party Vendors, and 
Manufacturers retain the following types of records for at least three 
years, and longer (e.g., eight years) if this does not pose an undue 
burden on their operations:
    <bullet> Records of Customer orders including the following 
information: Customer information (point-of contact name, organization, 
address, email, and phone number), order sequence information 
(nucleotide sequences ordered, vector used), and order information 
(date placed and shipped, shipping address, receiver name);
    <bullet> Records of protocols for sequence screening and for 
determining whether a sequence hit qualifies as a SOC;
    <bullet> Records of screening documentation of all hits, even if 
the order was deemed acceptable;
    <bullet> Records of any follow-up screening, even if the order was 
ultimately filled; and
    <bullet> The ultimate disposition of any SOC orders, with 
documentation of reasoning for final decision (fulfill versus deny).

IX. Periodic Review, Evaluation, and Improvement of This Guidance

    This Guidance addresses biosecurity risks that have emerged in a 
dynamic and rapidly developing technological landscape. It is likely 
that new risks will emerge and that new technological approaches will 
also appear to address them. As such, this Guidance encourages the 
further development of mechanisms to detect SOCs and screening 
strategies for sequences that contribute directly to pathogenicity and 
toxicity. For instance, strategies may be used by malicious Customers 
to obfuscate SOCs, including engineering pathogenic or toxic proteins 
with completely novel sequences. In such cases, synthetic nucleic acid 
orders may contain 50 nt windows that are not a match to any known 
sequence. Although there are likely legitimate explanations for orders 
of sequences with no matches in existing databases (e.g., nucleic acids 
ordered to populate microarrays or to store digital information), in 
such cases, it may be possible to use predictive bioinformatic 
algorithms to screen sequences that are not a match to any known 
sequences to determine if they could produce proteins that are 
structurally and functionally identical to SOCs. This Guidance 
encourages Providers to continue to develop these methods to best 
ensure the safety and security of the synthetic nucleic acid research 
enterprise.
    This Guidance will be periodically revisited, including by 
soliciting stakeholder input, and feedback is encouraged from the 
nucleic acid synthesis industry as well as from their customers as they 
implement the Guidance. Furthermore, implementation of this Guidance 
will be supported through the publication of a Companion Guide.

Dawn O'Connell,
Assistant Secretary for Preparedness and Response.
[FR Doc. 2023-22540 Filed 10-12-23; 8:45 am]
BILLING CODE 4150-37-P


</pre><script data-cfasync="false" src="/cdn-cgi/scripts/5c5dd728/cloudflare-static/email-decode.min.js"></script></body>
</html>