Sequence DNA strands By PikePicture | Adobe Stock

For Providers & Benchtop Manufacturers

This page provides information for providers of synthetic nucleic acids (Providers) and manufacturers of benchtop nucleic acid synthesis equipment (Manufacturers) that need to screen purchase orders to identify sequences of concern (SOCs) and assess customer legitimacy to comply with the US Framework for Nucleic Acid Synthesis Screening (Framework).

Update:

  1. The Framework is the result of Executive Order 14110 (October 30, 2023) (EO 14110), which was rescinded on January 25, 2025. EO 14110 tasked federal funding agencies with setting a funding requirement for federally funded entities that synthetic nucleic acid is purchased only from providers or manufacturers who adhere to the Framework. According to the Biden administration, federal funding agencies met that requirement, and at least one public funding document from the NIH confirms that. This document explicitly references the Framework, which is still live on the ASPR website as of April 2025.

Please note: If you are a biofoundry, cloud lab, core facility/academic core facility, or contract research organization (CRO) that does not “synthesize and distribute synthetic nucleic acids as a transactional service,” you are considered a Customer under the Framework. Please see the For Customers page instead.

Section IV of the Framework provides definitions for many of the terms below. For more information, visit the FAQs. This page is for informational purposes only and does not constitute legal advice. Users should not rely on the information provided as a substitute for consultation with qualified counsel.

Nucleic Acid Synthesis Providers

Who is a Provider? 

The Framework defines Provider as “an entity that synthesizes and distributes synthetic nucleic acids. Providers may provide nucleic acids to a customer or third-party vendor. A Provider is understood to be synthesizing and distributing nucleic acids as a transactional service, rather than as a research scientist collaborating with a colleague.”

The Framework “applies to the distribution by Providers of synthetic nucleic acids ('Provider'), including biofoundries, cloud labs, institutions with core nucleic acid synthesis facilities, and contract research organizations (CROs) or laboratories with integrated nucleic acid synthesis capabilities” (each of these terms is defined in Section IV of the Framework). 
 

 

What does a Provider have to do to comply with the Framework? 

For a printable version of the following information, see:

Providers: 6 Key Compliance Actions (PDF)

In order to be able to sell nucleic acid sequences to federally funded entities, Providers must comply with the Framework. Most of the following language is pulled directly from the Framework and reformatted for ease of use. 

Providers should take the following 6 actions for such compliance:

(1) Attest to implementing the Framework through a statement that is either posted on a public website or provided to both the federally funded customer and federal funding agency.
  • To adhere to the Framework:
    1. ensure that the attestation is signed by an individual with the authority to respond on behalf of the organization;
    2. provide point-of-contact information;
    3. update the attestation by January 1st of each year, or more frequently if point-of-contact information changes; and
    4. expressly commit in the attestation that, if Providers cease to adhere to the framework, they will notify, within 72 hours, any federally funded customers and federal funding agencies to which they previously submitted an attestation.
  • Here is a sample version (developed by the Johns Hopkins Center for Health Security based on the University of California attestation form) that can be adapted by Providers for individual purposes: Sample Attestation Form (PDF)
(2) Screen purchase orders for synthetic nucleic acids to identify sequences of concern (SOCs).
  • Before October 13, 2026:
    • A Provider must screen purchase orders for synthetic nucleic acids to identify any SOC pursuant to the 2023 HHS Guidance. All nucleotide sequences or corresponding amino acid sequences that are Best Matches to a sequence of federally regulated agents—ie, the Biological Select Agents and Toxins (BSAT) list or, for international orders, the Commerce Control List (CCL)—are SOCs, except when the sequence is identical to a sequence found in an unregulated organism or toxin.
    • Orders of synthetic nucleic acids should be screened over each 200 nucleotide window within their sequences for SOCs (see below for changes that will take effect on October 13, 2026).
    • Providers conducting this screening may determine which commercial services, open-source solutions, or in-house developed algorithms and software systems to use to make this determination. Where available, standards from the National Institute of Standards and Technology (NIST) should be applied to determine that the mechanism used by each entity is sufficient.
    • Providers may still be adherent to the Framework if they identify “exempted sequences” that qualify as SOCs but pose no known pathogenic or toxicity risk. Providers are not required to verify customer legitimacy for such exempted sequences. Providers should only exempt sequences from genes from non-viral agents with functions that cannot reasonably be construed as contributing to pathogenicity or toxicity (eg, sequences from genes that encode bacterial or fungal DNA gyrase, ribosomal RNA, or hexokinase). Exempted SOCs should not include any sequences from federally regulated viruses. In addition, the exempted SOCs should not include sequences that could restore or enhance the virulence of an attenuated excluded strain of a regulated agent on the BSAT list. Providers should refer to the Export Administration Regulations, administered by the Department of Commerce, Bureau of Industry and Security, to determine if a SOC requires a license for export. Providers may also contact the Export Counseling Division of the Office of Exporter Services (ECDOEXS@bis.doc.gov) for additional information.
    • Please see the Framework for more details.
    • Please see our non-exhaustive list of available screening companies and tools.
       
  • On or After October 13, 2026:
    • Reduce the size of the screening window and screen each 50 nucleotide window for SOCs.
    • Apply screening methods that detect the potential for shorter nucleotide sequences to be assembled into SOCs when multiple synthetic nucleic acids are ordered by the same customer in a bulk order or in multiple orders over time.
    • Make efforts to implement a mechanism to screen additional SOCs known to contribute to pathogenicity or toxicity, even when not derived from or encoding regulated biological agents.
      • The following criteria may inform which sequences should be designated as SOCs:
        • Scientific evidence establishing that the sequence contributes to pathogenicity or toxicity in humans and animals.
        • Degree to which this sequence is likely to be recognized as a candidate for misuse, based on the extent to which its function is widely known.
        • Ease with which this sequence could be misused, for example through de novo assembly of a pathogen or insertion into a backbone.
    • Providers conducting screening may determine which commercial services, open-source solutions, or in-house developed algorithms and software systems to use to make this determination, and they should undertake efforts to measure the effectiveness of this new screening criteria and improve screening over time.
    • Please see the Framework for more details.
    • Please see our non-exhaustive list of available screening companies and tools.
(3) Screen customers who submit purchase orders of synthetic nucleic acids with SOCs to verify legitimacy.
  • Assess customer risk by following the 2023 HHS Guidance and industry standard “know your customer” practices. This includes assessing customer identity for all orders, such as point-of-contact name, institution, address, and contact information, and verifying customer legitimacy for orders containing SOCs. Notwithstanding the previous sentence, the Provider may still be adherent to this Framework without verifying customer legitimacy for exempted SOCs.
  • Develop and implement a process to assess the legitimacy of orders that have been identified by the sequence screening protocol as containing an SOC. The legitimacy of an order is determined by verifying the legitimacy of both the individual customer placing the order and their institution.
  • Confirm the legitimacy of the individual customer by ensuring that the person (or customer) placing an order has no red flags, is affiliated with a legitimate institution, and has a legitimate need for using synthetic nucleic acids.
  • Confirm the legitimacy of the institution by verifying its legal standing and that it has a life sciences-oriented mission and purpose, or uses synthetic nucleic acids for other relevant applications, and ensuring there are no red flags.
  • At minimum, include a field or mechanism in ordering systems where customers can self-identify that an order contains an SOC. When an order does contain an SOC, Providers should also include a mechanism for customers to provide information that is useful for verifying the customer’s legitimacy.
  • Ask customers if they are the end user for the SOCs or if the order will be passed along to a third party(s), in which case the legitimacy of the third party(s) should also be assessed.
(4) Report potentially illegitimate purchase orders of synthetic nucleic acids involving SOCs.
  • Develop criteria to determine when not to fill an order, based on the Framework and as informed by the results of sequence and/or customer screening. In such cases:
  • Cyber incidents can be reported to the Cybersecurity Infrastructure Security Agency of the US Department of Homeland Security under the Cyber Incident Reporting for Critical Infrastructure Act. 
(5) Retain records relating to purchase orders for synthetic nucleic acids.
  • Follow the 2023 HHS Guidance.
  • Retain for at least 3 years all screening records, including:
    • Flagged orders;
    • Customer screening interactions, including when the orders were deemed acceptable;
    • Documentation of further action taken in response to flagged orders; and
    • Rationale for decisions about the legitimacy of customers whose orders were flagged, including where orders contained SOCs.
(6) Take steps to ensure cybersecurity and information security.
  • Follow the practices outlined in the 2023 HHS Guidance regarding cybersecurity, information security, and securing SOC databases.
  • As part of screening protocols, Providers may consult SOC databases developed internally or externally.
  • Providers that develop or maintain a SOC database with information on sequences from unregulated agents or that aggregate information that could pose biosecurity risks should implement appropriate cybersecurity safeguards to protect the information in it, both in transit and at rest, consistent with relevant cybersecurity Executive Orders, standards, and frameworks.
  • Take appropriate measures to protect customers’ identities and proprietary information.
  • Closely examine the security of supply chains, following NIST SP 800-161 Rev. 1.
  • If there is suspicion of a network intrusion, data breach, or ransomware attack, contact the nearest FBI Field Office, per instructions given above.
  • Please see the Framework for more details.

What are a Provider’s duties to third parties? 

To be adherent to the Framework, Providers “should ensure the Framework is followed when a third-party vendor or other intermediary is involved.” A third-party vendor is “[a]n entity that orders synthetic nucleic acids from Providers and distributes them or their constructs, with or without reformulation.” The customer screening requirements of the Framework say that Providers “should ask customers if they are the end user for the SOCs or if the order will be passed along to a third party(s), in which case the legitimacy of the third party(s) should also be assessed.” 

Benchtop Nucleic Acid Synthesis Manufacturers

Who is a Manufacturer?

The Framework defines a Manufacturer as “[a]n entity that produces and distributes benchtop equipment for synthesizing nucleic acids,” which is equipment “intended to be used to synthesize nucleic acids for use within a research laboratory or within an institution” (ie, not for commercial-scale synthesis). “Manufacturers may provide equipment to a customer or third-party vendor.” The Framework applies to the distribution by Manufacturers of benchtop nucleic acid synthesis equipment.

 

 

What does a Manufacturer have to do to comply with the Framework? 

For a printable version of the following information, see:

Manufacturers: 6 Key Compliance Actions (PDF) 

In order to be able to sell nucleic acid sequences to federally funded entities, Manufacturers must comply with the Framework. Most of the following language is pulled directly from the Framework and reformatted for ease of use.

Manufacturers should take the following 6 actions for such compliance: 

(1) Attest to implementing the Framework through a statement that either is posted on a public website or provided to both the federally funded customer and federal funding agency.
  • To adhere to the Framework:
    1. ensure that the attestation is signed by an individual with the authority to respond on behalf of the organization;
    2. provide point-of-contact information;
    3. update the attestation by January 1st of each year, or more frequently if point-of-contact information changes; and
    4. expressly commit in the attestation that, if Manufacturers cease to adhere to the framework, they will notify, within 72 hours, any federally funded customers and federal funding agencies to which they previously submitted an attestation.
  • Here is a sample version (developed by the Johns Hopkins Center for Health Security based on the University of California attestation form) that can be adapted by Manufacturers for individual purposes: Sample Attestation Form (PDF)
(2) Screen purchase orders for synthetic nucleic acids to identify sequences of concern (SOCs).
  • On or After October 13, 2026:
    • Integrate into benchtop nucleic acid synthesizers the capability to screen sequences for SOCs, meeting the standards as outlined in the 2023 HHS Guidance. As described in the guidance, this level of screening should be on par with the SOC screening best practices recommended for Providers in the Framework, including screening against SOC databases, when available, that are updated regularly as new SOCs are identified as a required step before synthesizing the sequence, in a verifiable manner.
    • Please see the Framework for more details.
    • Please see our non-exhaustive list of available screening companies and tools. 
(3) Screen customers who submit purchase orders of benchtop nucleic acid synthesis equipment to verify legitimacy.
  • Assess customer risk by following the 2023 HHS Guidance and industry standard “know your customer” practices. This includes assessing customer identity for all orders, such as point-of-contact name, institution, address, and contact information, and verifying customer legitimacy for orders containing SOCs. Notwithstanding the previous sentence, the Provider may still be adherent to this Framework without verifying customer legitimacy for exempted SOCs.
  • Confirm the legitimacy of the individual customer by ensuring that the person (or customer) placing an order has no red flags, is affiliated with a legitimate institution, and has a legitimate need for using synthetic nucleic acids.
  • Confirm the legitimacy of the institution by verifying its legal standing and that it has a life sciences-oriented mission and purpose, or uses synthetic nucleic acids for other relevant applications, and ensuring there are no red flags.
  • Develop and implement a process to assess the legitimacy of orders for their equipment, such as through verified user accounts. As stated above, the legitimacy of an order is determined by verifying the legitimacy of both the individual customer placing the order and their institution—which should include verification that the institution will cooperate in ensuring that benchtop synthesizers are only accessed by legitimate end users.
  • Implement mechanisms to track legitimate use of their equipment, including when it is potentially transferred to a new user during the lifecycle of these equipment.
  • Ensure that proprietary and sole-use reagents for benchtop synthesizers are only sold to legitimate customers and end users, even if they were not screened for legitimacy when initially obtaining their benchtop nucleic acid synthesizer (eg, if they acquired their equipment prior to the time this framework comes into effect).
(4) Report potentially illegitimate orders of benchtop nucleic acid synthesis equipment.
  • Develop criteria to determine when not to fill an order, based on the Framework and as informed by the results of sequence and/or customer screening. In such cases:
  • Cyber incidents can be reported to the Cybersecurity Infrastructure Security Agency of the US Department of Homeland Security under the Cyber Incident Reporting for Critical Infrastructure Act. 
(5) Retain records relating to orders for benchtop nucleic acid synthesis equipment.
  • Follow the 2023 HHS Guidance.
  • Retain for at least 3 years all screening records, including:
    • Flagged orders;
    • Customer screening interactions, including when the orders were deemed acceptable;
    • Documentation of further action taken in response to flagged orders; and
    • Rationale for decisions about the legitimacy of customers whose orders were flagged, including where orders contained SOCs.
(6) Take steps to ensure cybersecurity and information security.
  • Follow the practices outlined in the 2023 HHS Guidance regarding cybersecurity, information security, and securing SOC databases.
  • As part of screening protocols, Manufacturers may consult SOC databases developed internally or externally.
  • Manufacturers that develop or maintain a SOC database with information on sequences from unregulated agents or that aggregate information that could pose biosecurity risks should implement appropriate cybersecurity safeguards to protect the information in it, both in transit and at rest, consistent with relevant cybersecurity Executive Orders, standards, and frameworks.
  • Take appropriate measures to protect customers’ identities and proprietary information.
  • Closely examine the security of their supply chains, following NIST SP 800-161 Rev. 1.
  • If there is suspicion of a network intrusion, data breach, or ransomware attack, contact the nearest FBI Field Office, per instructions given above.
  • Design benchtop nucleic acid synthesis equipment with security and safety in mind. Manufacturers are encouraged to adhere to the Cybersecurity and Infrastructure Security Agency’s (CISA) Secure by Design principles, which are intended to encourage the design and manufacturing of products that reasonably protect against exploitation of product defects.
  • Please see the Framework for more details.

What are a Manufacturer’s duties to third parties?

To be adherent to the Framework, Manufacturers “should ensure the Framework is followed when a third-party vendor or other intermediary is involved.” “Manufacturers may provide equipment to a customer or third-party vendor.”

 

 

Compliance Table for Nucleic Acid Synthesis Providers & Benchtop Manufacturers

For a side-by-side comparison of the differences between Provider and Manufacturer requirements in the Framework, please see the Compliance Table for Providers & Manufacturers.

Compliance Table for Providers & Manufacturers