Frequently Asked Questions

Yes, updates to the Framework may be made in the future. The National Institute of Standards and Technology (NIST) is supporting the development of technical standards that will inform an Office of Science and Technology Policy (OSTP)-designated interagency group that will consider and recommend updates to the Framework every 2 years, or as appropriate. This interagency group plans to provide additional guidance, as needed, to support implementation of an expanded definition of sequences of concern (SOCs) prior to October 13, 2026. 

These updates will be informed by advances in the state of the art, including: 

• Scientific evidence of sequences contributing to pathogenicity. 
• Improvements in ability to identify sequences that are functionally equivalent to SOCs. 
• Advances in predictive modeling that allow for assessments of novel or unknown sequences. 
• Algorithmic approaches for sequence screening that do not explicitly utilize a pathogen reference database or sequentially evaluate multiple reading frames.   

OSTP will continue to explore additional ways to promote consistent screening practices and verification mechanisms, including through independent audits, and will update the Framework as necessary.

NIST has partnered with the Engineering Biology Research Consortium (EBRC) to engage with industry and other relevant stakeholders to develop standards, best practices, and compliance resources for adherence to the Framework. Additional information for Providers and Manufacturers can be found at https://www.nist.gov/programs-projects/biosecurity-synthetic-nucleic-acid-sequences and https://ebrc.org/focus-areas/security/enabling-quality-measurable-synthetic-dna-sequence-screening/.

Before October 13, 2026: 

• A Provider must screen purchase orders for synthetic nucleic acids to identify any SOC pursuant to the 2023 HHS Guidance. All nucleotide sequences or corresponding amino acid sequences that are Best Matches to a sequence of federally regulated agents—ie, the Biological Select Agents and Toxins (BSAT) list or, for international orders, the Commerce Control List (CCL)—are SOCs, except when the sequence is identical to a sequence found in an unregulated organism or toxin.
• At a minimum, DNA or RNA, single- or double-stranded, 200 nucleotides (including the corresponding amino acid sequence, if applicable) or longer should be screened for SOCs. Screening should take place over each 66 amino acid and/or 200 nucleotide window. Nucleic acid sequences that encode proteins should be screened across all applicable reading frames (ie, 3 for single-stranded nucleic acids and 6 for double-stranded nucleic acids). 

On or After October 13, 2026: 

• Providers should: 
  • Reduce the size of the screening window and screen each 50 nucleotide window for SOCs. Screening should take place over each 16 amino acid and/or 50 nucleotide window. The screening should be applied across all applicable reading frames for nucleotide sequences that encode proteins (ie, 3 for single-stranded nucleic acids and 6 for double-stranded nucleic acids).
  • Apply screening methods that detect the potential for shorter nucleotide sequences to be assembled into SOCs when multiple synthetic nucleic acids are ordered by the same customer in a bulk order or in multiple orders over time.
  • Make efforts to implement a mechanism to screen additional SOCs known to contribute to pathogenicity or toxicity, even when not derived from or encoding regulated biological agents. 
• Manufacturers should integrate into benchtop nucleic acid synthesizers the capability to screen sequences for SOCs, meeting the standards as outlined in the 2023 HHS Guidance. As described in the 2023 HHS Guidance, this level of screening should be on par with the SOC screening best practices recommended for Providers in the framework, including screening against SOC databases, when available, that are updated regularly as new SOCs are identified as a required step before synthesizing the sequence, in a verifiable manner. 

Prior to October 13, 2026, an OSTP-designated interagency group will assess the scientific state of the art, recommend any updates to the definition of SOCs, and update the Framework after October 13, 2026, if necessary. The following criteria may inform which sequences should be designated as SOCs:

• Scientific evidence establishing that a sequence contributes to pathogenicity or toxicity in humans and animals. 
• Degree to which this sequence is likely to be recognized as a candidate for misuse, based on the extent to which its function is widely known. 
• Ease with which this sequence could be misused, for example through de novo assembly of a pathogen or insertion into a backbone.

The Framework does not stipulate the use of specific databases. However, the Framework does provide a definition of SOCs, as do the 2023 HHS Guidance and its associated Companion Guide.

Please see the Framework and the 2023 HHS Guidance and its associated Companion Guide, which include various “red flags” for verifying Customer legitimacy, including:

• A recipient whose identity is not clear, who appears evasive about their identity or affiliations, or whose information cannot be confirmed or verified (eg, addresses do not match, company name given is not that of a legitimate company, no information can be found about the company, cannot be located in trade directories, etc.). 
• A recipient who would not be expected, in the course of their normal business, to place such an order (eg, no connection to life sciences research or biotechnology, or no requirement for nucleic acid synthesis services). 
• A recipient whose proposed use of the materials does not match their reported job or institutional affiliation. 
• A recipient that requests unusual labeling or shipping procedures (eg, requests to misidentify the goods on the packaging, or requests to change the recipient’s name after the order is placed but before it is shipped). 
• A recipient proposing an unusual method of payment (eg, arranging payment in cash, personal credit card, or through a non-bank third party) or offering to pay using unusually favorable payment terms, such as a willingness to pay a higher-than-expected price. 
• A recipient that requests unusual confidentiality conditions regarding the order, particularly with respect to the final destination or the destruction of transaction records. 
• A recipient that requests the order be sent to what appears to be an address without a legitimate biomedical business or research justification for the location (eg, a residential address). 

Providers and Manufacturers should develop criteria to determine when not to fill an order, based on the Framework and as informed by the results of sequence and/or customer screening. If suspicions of legitimacy or other security-related concerns arise:

• Follow the 2023 HHS Guidance and report flagged orders to relevant authorities, including, where appropriate, to the WMD coordinator at the nearest FBI Field Office or through the FBI’s general hotline (1-800-CALL-FBI [1-800-225-5324]). 
• If there is suspicion that customers may be attempting to violate federal export control laws, Providers and Manufacturers are encouraged to report such violations to the US Department of Commerce Bureau of Industry and Security or by calling its Enforcement Hotline (1-800-424-2980).
• Report any cyber-related incidents to the Cybersecurity Infrastructure Security Agency of the US Department of Homeland Security under the Cyber Incident Reporting for Critical Infrastructure Act. If there is suspicion of a network intrusion, data breach, or ransomware attack, contact the nearest FBI Field Office, as per the instructions above.

Federal agencies will release funding requirements by October 26, 2024. 

Customers will be required to comply with the funding terms and conditions set by federal funding agencies by October 26, 2024, when submitting a new grant application. Federal funding agencies may create different requirements around existing grants across agencies.

More clarity around this question likely will be provided on or after October 26, 2024, when federal funding agencies implement the funding requirements outlined by the AI EO. Please email OSTP directly at the email address listed at the bottom of OSTP’s Framework page to provide feedback on interpreting/implementing this question. Feedback will be used for policy evaluation purposes and may result in FAQs that include a more detailed answer to this question.

For the sake of biosecurity and simplicity, entities receiving federal funding in life sciences research should consider purchasing synthetic nucleic acids only from Providers or Manufacturers that self-attest to the Framework, regardless of whether those synthetic nucleic acids are purchased using federal funds or private funds.

No, the Framework only applies to federally funded entities conducting life sciences research.

More clarity around this question likely will be provided on or after October 26, 2024, when federal funding agencies implement the funding requirements outlined by the AI EO. Please email OSTP directly at the email address listed at the bottom of OSTP’s Framework page to provide feedback on interpreting/implementing this question. Feedback will be used for policy evaluation purposes and may result in FAQs that include a more detailed answer to this question.