[Federal Register Volume 88, Number 197 (Friday, October 13, 2023)] [Notices] [Pages 70998-71003] From the Federal Register Online via the Government Publishing Office [www.gpo.gov] [FR Doc No: 2023-22540] ----------------------------------------------------------------------- DEPARTMENT OF HEALTH AND HUMAN SERVICES Screening Framework Guidance for Providers and Users of Synthetic Nucleic Acids AGENCY: Administration for Strategic Preparedness and Response (ASPR), Department of Health and Human Services (HHS). ACTION: Notice. ----------------------------------------------------------------------- SUMMARY: The Administration for Strategic Preparedness and Response is issuing this screening framework guidance, which sets forth baseline standards for the gene and genome synthesis industry, as well as best practices for all entities involved in the provision, use, and transfer of synthetic nucleic acids, regarding screening orders and recipients and maintaining records. In addition, this guidance seeks to encourage best practices to address biosecurity concerns associated with the potential misuse of synthetic nucleic acids in order to bypass existing regulatory controls and commit unlawful acts. FOR FURTHER INFORMATION CONTACT: C. Matthew Sharkey, Administration for Strategic Preparedness and Response, Department of Health and Human Services, 400 7th St. SW, Washington, DC 20024; 202-868-9224, [email protected]. SUPPLEMENTARY INFORMATION: A request for public comments on the issues covered in this Notice was published in the Federal Register (85 FR 52611 [Aug. 26, 2020]; 85 FR 69630 [Nov. 3, 2020], Review and Revision of the Screening Framework Guidance for Providers of Synthetic Double- Stranded DNA) with a comment period of more than 120 days. Following consideration of the comments received in response to this Notice, HHS issued proposed draft revised guidance as a Federal Register Notice (87 FR 25495 [Apr. 29, 2022], Screening Framework Guidance for Providers and Users of Synthetic Oligonucleotides) and solicited additional comments for a period of 60 days. This Guidance was drafted through a deliberative interagency process to address the topics raised in public comments received in response to these prior Notices as well as other considerations. Responses received from these prior Notices and summaries of updates contained in this Guidance are available for public review at the following website https://aspr.hhs.gov/legal/synna. Screening Framework Guidance for Providers and Users of Synthetic Nucleic Acids I. Introduction Synthetic biology is an interdisciplinary field that focuses on the design and fabrication of novel biological components and systems as well as the redesign and fabrication of existing biological systems. Modern biotechnologies have made the conversion of different types of nucleic acids possible (e.g., RNA to DNA), and longer genomic sequences can now be constructed from very short nucleic acids with higher fidelity. Additionally, synthetic biology is not limited to naturally derived genetic material. Thus, this scientific field has the potential to generate existing or novel components, systems, or organisms directly, using only genetic sequence data. Advances in nucleic acid synthesis technology and the open-source availability of genetic sequence data have significantly contributed to discovery and innovation in areas such as health and agriculture research and development. However, there are concerns among the scientific community, the nucleic acid synthesis industry, the U.S. government, and the public that individuals with ill intent could exploit biotechnology for harmful purposes. The U.S. government has acted to minimize risks to public health, agriculture, plants, animals, animal or plant products, and the environment due to biological pathogens and toxins. For instance, it has issued the Federal Select Agent Regulations, which regulate a subset of microbial organisms and toxins determined to have the potential to pose a severe threat to public health and safety, animal health, plant health, animal or plant products, or the environment. These regulations are administered jointly by the CDC, Division of Select Agents and Toxins and the Animal and Plant Health Inspection Service, Division of Agricultural Select Agents and Toxins, through the Federal Select Agent Program (FSAP),\1\ which sets forth requirements for the possession, use, and transfer of biological select agents and toxins. A second layer of regulation is provided by the Bureau of Industry and Security (BIS) Export Administration Regulations' Commerce Control List (CCL),\2\ which identifies agents and genetic sequences that require licenses before export from the United States. However, these regulated pathogens and toxins do not represent the entirety of the potential risks to public health, agriculture, plants, animals, animal or plant products, or the environment that could arise from the misuse of synthetic nucleic acids. Non-regulated pathogens and toxins, as well as other novel types of nucleic acid sequences, may also pose significant risks if they are misused. To minimize these risks, a shift is needed from relying solely on lists of regulated pathogens and toxins to also assessing the risks associated with other nucleic acid sequences that may contribute to pathogenicity or harm if introduced into new genetic frameworks (i.e., Sequences of Concern [SOCs]). Also, modern molecular biological techniques allow the conversion between different types of nucleic acids (e.g., RNA to DNA, and [[Page 70999]] vice versa), so it has become necessary to treat all types of synthetic genetic materials with equal care. Additionally, benchtop nucleic acid synthesis equipment is increasingly common in modern laboratories, which changes the commercial landscape for synthetic nucleic acids. These advances and others motivated the U.S. government to review and revise the 2010 Screening Framework Guidance for Providers of Synthetic Double-Stranded DNA.\3\ --------------------------------------------------------------------------- \1\ https://www.selectagents.gov/sat/list.htm. \2\ https://www.bis.doc.gov/index.php/regulations/commerce-control-list-ccl. \3\ 75 FR 62820 (Oct. 13, 2010). --------------------------------------------------------------------------- Individuals with no legitimate, bona fide, and peaceful purpose should be prevented from accessing genetic materials that could contribute to pathogenicity or toxicity, even when those materials do not contain sequences from FSAP- or CCL-listed pathogens or toxins, and nucleic acid synthesis equipment. Purchasing or synthesizing nucleic acids could enable individuals without a legitimate and peaceful purpose to possess genetic material that would pose risks if misused. Synthetic nucleic acids ordered from Providers can be used to synthesize pathogens de novo or may be used to modify non-pathogenic strains or create higher risk pathogens or toxins. Nucleic acid synthesis has removed the need to directly access the naturally occurring agents or naturally occurring genetic material from these agents for those who may wish to do harm with them. The potential availability of high-risk agents has thereby been greatly expanded due to this changing commercial landscape. The Screening Framework Guidance for Providers and Users of Synthetic Nucleic Acids (Guidance) reaffirms the recommendation to screen for genetic sequences from regulated organisms and toxins but also recognizes that screening should evolve to encompass all sequences that are recognized to contribute to pathogenicity or toxicity as information regarding these sequences and their verified functions and improved screening methods become available (or as feasible). This Guidance is intended to assist all entities involved in the provision and use of synthetic nucleic acids in establishing and operating a screening framework for synthetic nucleic acid orders, including mechanisms to identify sequences designed to circumvent lists of regulated organisms or toxins or sequences that are not Best Matches to any sequences in GenBank.\4\ This Guidance sets forth recommended baseline standards for the nucleic acid synthesis industry (Providers) and for Manufacturers of benchtop nucleic acid synthesis devices, as well as best practices for Customers of synthetic nucleic acids (i.e., institutions, Principal Users, End Users, and Third-Party Vendors) regarding screening orders for SOCs. In addition, this Guidance seeks to encourage best practices to address biosecurity concerns associated with the potential misuse of synthetic nucleic acids to bypass existing regulatory controls. --------------------------------------------------------------------------- \4\ https://www.ncbi.nlm.nih.gov/genbank/. --------------------------------------------------------------------------- This Guidance recommends that (1) upon receiving an order for synthetic nucleic acids, Providers and Third-Party Vendors perform sequence screening, verify the identity of their Customers, and follow up to verify the legitimacy of the order when SOCs are identified; (2) institutions, Third-Party Vendors, Principal Users, and End Users keep records of synthetic nucleic acid orders containing SOCs; (3) institutions and/or Principal Users record any transfers involving synthetic nucleic acids containing SOCs beyond the Principal User and manage those transfers responsibly to limit the possibility of misuse; and (4) Manufacturers only distribute equipment capable of synthesizing nucleic acids containing SOCs to Customers whose legitimacy has been verified and implement mechanisms to track legitimate use of their equipment. If sequence screening identifies SOCs, Providers should perform further validation steps and follow-up screening of the Customer to verify the legitimacy of the order. Open communication between Customers and Providers will facilitate the screening and validation of orders that contain SOCs. Institutions, Principal Users, or End Users are best positioned to know if they are ordering SOCs and are encouraged to provide information with their order to preemptively demonstrate legitimacy of the order when they are aware that it contains SOCs. Providers can facilitate this information-sharing by including a mechanism for self-reporting and verification of legitimacy in their ordering process. If follow-up screening does not resolve concerns about the order, or if there is reason to believe a customer may intentionally or inadvertently violate U.S. laws or regulations, Providers should not fulfill the order and should contact designated entities within the U.S. government (i.e., U.S. Department of Commerce, Federal Bureau of Investigation [FBI]) for further information and assistance. This Guidance also provides recommendations regarding proper records retention protocols and sequence screening methodologies. Additionally, this Guidance recommends that institutions, Principal Users, and End Users develop and follow best practices in biosafety, biosecurity, and responsible conduct regarding the possession, use, and transfer of SOCs. Institutional policies and procedures already in place for safe possession, use, and transfer of these materials, as well as federal and international guidance, such as HHS's Centers for Disease Control and Prevention (CDC) and National Institutes of Health's Biosafety in Microbiological & Biomedical Laboratories (BMBL),\5\ the World Health Organization's Laboratory Biosafety Manual,\6\ and Global Guidance Framework for the Responsible Use of the Life Sciences: Mitigating Biorisks and Governing Dual-Use Research \7\ should be used wherever possible to complement the measures suggested in this Guidance to maximize safe and secure practices while seeking to minimize the burden on legitimate life science research. --------------------------------------------------------------------------- \5\ https://www.cdc.gov/labs/BMBL.html. \6\ https://www.who.int/publications/i/item/9789240011311. \7\ https://www.who.int/publications/i/item/9789240056107. --------------------------------------------------------------------------- II. Definitions The following definitions are applicable for the purpose of this Guidance: Customer: The individual or entity (such as an institution) that orders or requests synthetic nucleic acids from a Provider, or that purchases synthesis equipment from a Manufacturer. Principal User: The individual who originates an order or request for synthetic nucleic acids or synthesizes nucleic acids and oversees the use of ordered or synthesized nucleic acids in the laboratory. The Principal User may also be the End User. End User: The individual who possesses and uses synthetic nucleic acids that they have received from a Customer, Principal User, or another End User. Provider: The entity that synthesizes and distributes synthetic nucleic acids to a customer. A Provider is understood to be synthesizing nucleic acids as a transactional service, rather than a research scientist collaborating with a colleague (for such transfers between collaborators, see End User in this section of the Guidance). Third-Party Vendor: An entity that orders synthetic nucleic acids from Providers and sells them or their constructs, with or without reformulation, or resells benchtop equipment for synthesizing nucleic acids. [[Page 71000]] Manufacturer: An entity that produces and sells benchtop equipment for synthesizing nucleic acids. Manufacturers may provide equipment to individuals, entities, Principal Users, or Third-Party Vendors. Sequence of Concern (SOC): A nucleotide sequence that is a Best Match (see the SEQUENCE SCREENING METHODOLOGY section of this Guidance) to a sequence of federally regulated agents (i.e., the Biological Select Agents and Toxins List, or the CCL), except when the sequence is also found in an unregulated organism or toxin. As soon as it is practical to do so, it is also recommended that sequences known to contribute to pathogenicity or toxicity, even when not derived from or encoding regulated biological agents, be treated as SOCs.\8\ Follow-up customer screening to verify legitimacy should take place when a SOC is identified (see Verifying Legitimacy in this section of the Guidance).\9\ --------------------------------------------------------------------------- \8\ Pathogenicity or toxicity that threatens public health, agriculture, plants, animals, animal or plant products, or the environment. SOCs include sequences for which a direct and harmful impact on a host has been verified based on published experimental data; and, where experimental data do not exist, based on homology to a sequence encoding a verified function. \9\ Organizations should define and document their criteria for determining whether a sequence is of concern. In order to ensure compliance with the FSAP and CCL regulations, sequences of concern should include sequences derived from their listed agents--except when they are also found in unregulated agents. --------------------------------------------------------------------------- Synthetic Nucleic Acids Subject to Screening: At a minimum, DNA or RNA, single- or double-stranded, 200 nucleotides (nt) or longer should be screened for SOCs. This Guidance recommends that this length for screening be decreased to 50 nt within three years of the issuance of the Guidance, and that all entities consider the potential for shorter nucleotides to be assembled into SOCs when multiple synthetic nucleic acids are ordered by the same Customer in a bulk order or for multiple orders over time (see the SEQUENCE SCREENING METHODOLOGY section of this Guidance). Benchtop Nucleic Acid Synthesis Equipment: Benchtop nucleic acid synthesis equipment sold by Manufacturers that is intended to be used to synthesize nucleic acids for use within a research laboratory or within an institution. While this nucleic acid synthesis equipment may not be small enough to be placed on a benchtop (e.g., it sits on the laboratory floor), it is still considered benchtop equipment if it is sold with the intent that it will be used by researchers individually or in a core facility in an institution. Verifying Legitimacy: Review of information that would allow Providers, Manufacturers, Principal Users, or End Users to authenticate the recipient of synthetic nucleic acids containing SOCs or benchtop nucleic acid synthesis equipment as a legitimate member of the scientific community. Information such as proposed end-use of the order, institutional or corporate affiliation (if applicable), the name of a biosafety officer (if available), documentation of internal review and approval of the research, evidence provided by the recipient's Responsible Official that the recipient is registered with FSAP \1\ or Statement by Ultimate Consignee and Purchaser (i.e., a completed BIS- 711 form \10\) (if applicable), or other evidence of a legitimate research or training program (e.g., publication history, researcher persistent identifiers such as Open Researcher and Contributor Identifier [ORCID],\11\ business licenses, grant numbers, research plan) or other legitimate use (e.g., diagnostic test development or manufacture) may be helpful for such verification. In Verifying Legitimacy, providers should avoid the violation of personal privacy. Providers should focus on professional not personal information, except for personal information that is necessary to establish a unique individual user identity to authenticate each recipient. --------------------------------------------------------------------------- \10\ https://www.bis.doc.gov/index.php/documents/just-licensing-forms/803-bis-711-statement-by-ultimate-consignee-and-purchaser-1/file. \11\ Open Researcher and Contributor Identifier (https://orcid.org/). --------------------------------------------------------------------------- III. Goals and Scope of the Guidance Goals: This Guidance has three parallel goals. A primary goal is to minimize the risk that individuals without a legitimate need or individuals with malicious intent will use nucleic acid synthesis technologies to obtain organisms for which possession, use, and transfer is regulated by FSAP and CCL.1 2 Another goal is to limit the potential for individuals with malicious intent to use synthetic nucleic acids to create high-risk pathogens or toxins using nucleic acid sequences from unregulated organisms. A third goal is to minimize disruption of legitimate research, commerce, and educational activities. Scope: The Guidance pertains to the sale or transfer of all types of synthetic nucleic acids, i.e., DNA and RNA, whether single- or double-stranded. The Guidance recommends that Providers develop and/or consult a database of known SOCs to determine if the purchase or transfer includes SOCs. It also recommends methods that aim to ensure the legitimacy of Customers, Principal Users, and End Users of synthetic nucleic acids. The Guidance also aims to ensure that entities maintain records of transfers for synthetic nucleic acids containing SOCs. The Guidance was developed to align with Providers' and Customers' existing protocols and business practices, to be implemented without unnecessary cost, and to minimize any negative impacts on the conduct of research and business operations. Where practical to do so, entities can use existing business practices to verify the legitimacy of Principal Users and End Users and to track the transfer of materials containing SOCs. Many Providers have already instituted measures to address these concerns. The ongoing development of best practices in this area is commendable and encouraged, particularly considering the continued advances in nucleic acid sequencing and synthesis technologies. IV. Recommendations for Providers, Users, Institutions, and Manufacturers This Guidance encourages the establishment of mechanisms that aim to ensure that Customers, Principal Users, and End Users ordering SOCs are legitimate. It also recommends that Manufacturers install safeguards in nucleic acid synthesis equipment that aim to ensure only legitimate Customers can synthesize SOCs. This Guidance encourages entities transferring synthetic nucleic acids containing SOCs (i.e., the Third-Party Vendor, Principal User, End User, or institution) to know to whom they are transferring and to conduct screening to verify that the recipients have a legitimate, bona fide, and peaceful purpose to use the synthetic nucleic acids. This Guidance recommends that the Customers who place these orders use responsible business practices to maintain records of transfers. Principal Users and End Users are best positioned to understand the nature of their synthetic nucleic acids and oversee and shepherd their responsible use. Principal Users and End Users may also transfer these synthetic nucleic acids to other End Users, such as colleagues, and certain recommendations are made for this case in this Guidance. Principal Users and End Users are encouraged to streamline the screening of their synthetic nucleic acid orders by providing verification of their legitimacy to Providers and Third-Party Vendors, if they know that their order contains SOCs. [[Page 71001]] Information described in the Verifying Legitimacy definition will be helpful to the Provider or Third-Party Vendor of the synthetic nucleic acids in Verifying Legitimacy. Preemptively providing this information is likely to limit the time and expense for Providers in fulfilling these orders in a manner that ensures safety and security. Providers and Third-Party Vendors of synthetic nucleic acids are encouraged to do the following in this context:Know and document to whom they are distributing a product. Know if the product that they are synthesizing and/or distributing contains identified SOCs. Notify Customers and Principal Users when their order contains SOCs. Implement adequate security and cybersecurity measures to protect the intellectual property and identity of Customers.\12\ --------------------------------------------------------------------------- \12\ Providers and Third-Party Vendors are encouraged to follow the ISA/IEC 27032:2012 & ISO/IEC 62443 standards for cybersecurity and information security. --------------------------------------------------------------------------- Do not fulfill the order and report an order to the FBI when follow-up screening does not resolve concerns. Archive the following information for orders containing SOCs for at least three years: Customer information (point-of-contact name, organization, address, email, and phone number), order sequence information (nucleotide sequences ordered, vector used), and order information (date placed and shipped, shipping address, receiver name). Archive this information for longer (e.g., eight years) if it does not pose an undue burden on business operations. Customers, Principal Users, and End Users of synthetic nucleic acids are encouraged to develop best practices in five main areas in this context: Customers, Principal Users, and End Users who know that their synthetic nucleic acid order contains SOCs are encouraged to preemptively provide information that will assist the Provider or Third-Party Vendor in verifying their legitimacy. Customers, Principal Users, and End Users are encouraged to only transfer synthetic nucleic acids containing SOCs to verified individuals with a legitimate use for these synthetic nucleic acids. Customers, Principal Users, and End Users are also encouraged to maintain records of these transfers and to communicate them to their biosafety officer, or equivalent, using the responsible business practices in place in their organizations. Principal Users and End Users are encouraged to record transfers of synthetic nucleic acids containing SOCs to any other individuals not listed in the original order through a Material Transfer Agreement (MTA), a contract that governs the transfer of materials between entities for use in research, or another sample tracking process. Principal Users, End Users, and institutions are encouraged to retain records of SOC transfers for at least three years, or longer (e.g., eight years) if it does not pose an undue burden on their operations. Business practices already in place at institutions may be used to fulfill this recommendation. Institutions with in-house nucleic acid synthesis capabilities, including synthesis equipment, are also encouraged to apply these recommendations for use or transfers of synthetic nucleic acids containing SOCs. Manufacturers of benchtop nucleic acid synthesis equipment, Customers using the equipment, and institutions where the equipment is used are encouraged to consider these areas for developing best practices: Manufacturers should screen all Customers purchasing benchtop nucleic acid synthesizers to validate customer legitimacy and that the equipment is appropriate for their needs. Manufacturers should only provide nucleic acid synthesizers to Customers that have mechanisms in place that aim to ensure that the devices are only operated by legitimate users. Institutions should aim to ensure, as soon as it is possible to do so, that benchtop nucleic acid synthesizers--including those that were acquired prior to this Guidance--are only accessed by users with a legitimate need, such as through validated user accounts. If this equipment is housed in a core facility for an institution, or in other cases when the equipment is being operated by an authorized user on the behalf of another individual, then the institution should aim to ensure that the legitimacy of the individual receiving any synthetic nucleic acids containing SOCs from the authorized user or core facility is also verified. If misuse or unauthorized access to benchtop nucleic acid synthesizers with the intent of obtaining SOCs is suspected, institutions should notify their FBI Field Office Weapons of Mass Destruction (WMD) Coordinator. Manufacturers whose benchtop nucleic acid synthesizers require the use of proprietary and sole-use reagents (i.e., reagents that can only be obtained from the manufacturer of their devices and do not have common applications other than the operation of their devices) should screen Customers purchasing those reagents to verify their legitimacy, even when they were not screened when obtaining their nucleic acid synthesizer (i.e., when they acquired their device prior to the issuance of this Guidance). Manufacturers and their Customers should implement mechanisms to track legitimate use of their equipment, including when it is potentially transferred to a new Principal User or End User during the lifecycle of these equipment (see the definition of Verifying Legitimacy for criteria to verify the legitimacy of a User). Manufacturers may use methods not prescribed within this Guidance to achieve this recommendation, such as by having a closed loop system in which operation of their devices relies upon obtaining reagents only available from the Manufacturers (who establish the legitimacy of Customers whenever they obtain these reagents), asking Customers to report the transfer of their benchtop synthesizers to new users, or requiring new user accounts to be verified by the Manufacturer as legitimate. Manufacturers should integrate into benchtop nucleic acid synthesizers the capability to screen sequences for SOCs and to authenticate legitimate users. This level of screening should be on par with the SOC screening best practices recommended for Providers in this Guidance, including screening against SOC databases, when available, that are updated regularly as new SOCs are identified as a required step before synthesizing the sequence, in a verifiable manner.\13\ Manufacturers should implement this recommendation using measures that ensure cybersecurity considerations are addressed to guard against malign use and to protect both the intellectual property and identity of users.\14\ --------------------------------------------------------------------------- \13\ Here, verifiability means the ability to confirm that: every prospective sequence has been screened for SOCs against an up- to-date database, and screening is up to date and performant; when users input sequences of concern, this is flagged and reported in real time; and attempts to tamper with the device to avoid screening are flagged and reported in real time. \14\ Manufacturers are encouraged to follow the ISO/IEC 27032:2012 & ISO ISA/IEC 62443 standards for cybersecurity and information security. --------------------------------------------------------------------------- Manufacturers should not store databases of SOCs that include sequences from unregulated pathogens or toxins on the device itself in an unencrypted manner or a manner that could allow users to extract the database. The aggregation of all sequences that contribute to pathogenicity or toxicity poses a biosecurity risk that may endanger public health, agriculture, plants, animals, animal or plant products, or [[Page 71002]] the environment if disclosed to entities or individuals with malintent. Manufacturers should consider using cryptographic methods of screening that protect the contents of the order from disclosure. Manufacturers are encouraged to include mechanisms to ensure the integrity of the synthesis process to prevent circumvention of the SOC screening methodology through physical or logical manipulation of the devices or reagents. Manufacturers are also encouraged to include a data logging function to maintain a record of the nucleic acids synthesized on their equipment. Manufacturers are encouraged to formulate a reference architecture prescribing guidance for the secure implementation, configuration, and operation of devices. V. Sequence Screening Methodology Providers should screen orders to determine whether they contain SOCs. Appropriate sequence screening software should be selected by Providers of synthetic nucleic acids. This Guidance recommends that Providers use either Best Match with a local sequence alignment technique (such as the Basic Local Alignment Search Tool [BLAST] family of tools \15\) or another screening approach that they assess to be equivalent or superior to the Best Match approach. Providers are encouraged to determine whether synthetic nucleic acid orders contain sequences that are Best Matches over the appropriate windows to any SOC. By using the Best Match approach, the sequence with the greatest percent identity over each 66 amino acid or 200 nt window (or within three years of the publication of this Guidance, over each 16 amino acid or 50 nt window), in all six reading frames, should be considered the Best Match, regardless of the statistical significance or percent identity. The Best Match approach is intended to minimize the number of sequence hits due to sequences that are shared among both SOCs and non- SOCs. --------------------------------------------------------------------------- \15\ https://blast.ncbi.nlm.nih.gov/Blast.cgi. --------------------------------------------------------------------------- Some synthetic nucleic acid orders may be appropriate for screening even if all components of the order are nucleic acids shorter than the screening window length. In some cases, orders of short nucleic acids may be intended to construct longer nucleic acids that themselves may constitute SOCs. To minimize the risk of this scenario, this Guidance encourages screening all sequences ordered by an individual customer, using a short sequence alignment software package. If the resulting ungapped alignment of any constituents of a customer's order is a Best Match to any SOC, and if these sequences are constructed to allow their ligation to form these SOCs (i.e., overlaps are present to support the construction of a larger nucleic acid, which itself is a SOC), Providers should consider those orders as containing SOCs and perform standard follow-up Customer screening to establish legitimacy (see Verifying Legitimacy in the DEFINITIONS section of the Guidance). These sequence screening recommendations do not preclude the use by Providers of a curated database of sequences that may directly contribute to pathogenicity or toxicity to identify SOCs. This Guidance recognizes that a database of known sequences that contribute to pathogenicity and toxicity in humans, animals, and plants, and that have a direct and harmful impact on a host, may not yet exist or may not yet be fully developed and encourages industry consortia and/or any other interested parties in the continued development of such a database for screening SOCs--provided that measures are taken to prevent such a database from being misused. These measures should include establishing a security office, security protocols, and a personnel reliability program--based on a risk assessment--to guide selection, implementation, and monitoring of cybersecurity and information security capabilities and protection. These measures should aim to ensure database confidentiality and integrity (including user access controls and sequence encryption, both in transit and at rest) and compliance with applicable laws such that data on SOCs are protected against unauthorized access, exfiltration, or other use. Providers may also choose to use other screening approaches that they assess to be equivalent or superior to the Best Match approach or supplement it, including a customized database or approaches that evaluate the biological risk associated with sequences from unregulated agents (i.e., not FSAP- or CCL-listed pathogens or toxins). This Guidance encourages the continued development of best practices to address risks associated with nucleic acid synthesis technologies. Providers, Third-Party Vendors, and professional consortia are encouraged to develop secure mechanisms--designed to respect privacy, security, commercial, intellectual property, and other concerns--to detect SOCs that may be broken up among multiple Providers or Vendors, or among multiple orders at a single Provider or Vendor over a period of time, to evade screening. In addition, Providers may wish to consider developing solutions for determining which sequences from pathogens should not cause concern (i.e., pass list of genes that pose no pathogenic or toxicity risk). VI. Customer Screening In addition to verifying the Customer identity for all orders, Verifying Legitimacy of Customers and Users is recommended when orders contain SOCs, and for orders of nucleic acid synthesis equipment. Customers and Users are encouraged to streamline the Customer screening process by providing verification of their legitimacy when submitting an order containing SOCs. Information described in the definition of Verifying Legitimacy may be helpful for such verification (See also Red Flags for Verifying Legitimacy in the Companion Guide to Assist in Implementing the Recommendations of the Screening Framework Guidance for Providers and Users of Synthetic Nucleic Acids). This Guidance encourages Customers and Principal Users to also Verify Legitimacy of End Users receiving SOCs. Records of such verification and transfer can be created and maintained by using business practices that document such transfers (e.g., MTAs). The Principal User is best positioned to determine the legitimacy of any End User to whom SOCs are transferred. Keeping a record of such transfers should not cause undue burden on the essential research carried out across the biotechnology enterprise and may therefore entail only a minor adaptation of responsible business practices already in place. This Guidance does not include recommendations for reporting transfers to new End Users back to the original Provider. It would be sufficient for each Principal User or End User transferring the materials to verify the legitimacy of the recipient during each transfer and for all parties to retain a record of it for at least three years, and longer (e.g., eight years) if this does not pose an undue burden on their operations. Providers should be aware of regulatory and statutory prohibitions related to U.S. persons dealing with certain foreign persons, entities, and companies. Providers are encouraged to check the Customer against the International Trade Administration consolidated list of individuals and entities for which the U.S. government maintains restrictions on certain exports, re-exports, or transfers of [[Page 71003]] items.\16\ In the event that a company, entity, or person on the list appears to match that of a customer or other recipient, additional due diligence should be conducted before proceeding. There may be a strict export prohibition, a requirement for seeking a license application, or other evaluation of the Customer or other recipient necessary to ensure it does not result in an activity prohibited by any U.S. export regulations, or other restrictions. Before fulfilling the order, to ensure full compliance with all the terms and conditions of the restrictions placed on the parties on this list, the Provider must check the official publication of restricted parties in the Federal Register. --------------------------------------------------------------------------- \16\ https://www.trade.gov/consolidated-screening-list. --------------------------------------------------------------------------- VII. Following Up With the U.S. Government in Cases Where Malintent is Suspected by Providers, Third-Party Vendors, or Manufacturers If sequence or Customer screening raises concerns that are not alleviated through follow-up screening, Providers, Third-Party Vendors, and Manufacturers should not fulfill the order and are strongly encouraged to contact their nearest FBI Field Office's WMD Coordinator. Institutions are encouraged to work with their Principal Users and End Users to help them understand that only individuals with legitimate, bona fide, and peaceful purpose should obtain synthetic nucleic acids containing SOCs. VIII. Records Retention The Guidance recommends that Providers, Third-Party Vendors, and Manufacturers retain the following types of records for at least three years, and longer (e.g., eight years) if this does not pose an undue burden on their operations: Records of Customer orders including the following information: Customer information (point-of contact name, organization, address, email, and phone number), order sequence information (nucleotide sequences ordered, vector used), and order information (date placed and shipped, shipping address, receiver name); Records of protocols for sequence screening and for determining whether a sequence hit qualifies as a SOC; Records of screening documentation of all hits, even if the order was deemed acceptable; Records of any follow-up screening, even if the order was ultimately filled; and The ultimate disposition of any SOC orders, with documentation of reasoning for final decision (fulfill versus deny). IX. Periodic Review, Evaluation, and Improvement of This Guidance This Guidance addresses biosecurity risks that have emerged in a dynamic and rapidly developing technological landscape. It is likely that new risks will emerge and that new technological approaches will also appear to address them. As such, this Guidance encourages the further development of mechanisms to detect SOCs and screening strategies for sequences that contribute directly to pathogenicity and toxicity. For instance, strategies may be used by malicious Customers to obfuscate SOCs, including engineering pathogenic or toxic proteins with completely novel sequences. In such cases, synthetic nucleic acid orders may contain 50 nt windows that are not a match to any known sequence. Although there are likely legitimate explanations for orders of sequences with no matches in existing databases (e.g., nucleic acids ordered to populate microarrays or to store digital information), in such cases, it may be possible to use predictive bioinformatic algorithms to screen sequences that are not a match to any known sequences to determine if they could produce proteins that are structurally and functionally identical to SOCs. This Guidance encourages Providers to continue to develop these methods to best ensure the safety and security of the synthetic nucleic acid research enterprise. This Guidance will be periodically revisited, including by soliciting stakeholder input, and feedback is encouraged from the nucleic acid synthesis industry as well as from their customers as they implement the Guidance. Furthermore, implementation of this Guidance will be supported through the publication of a Companion Guide. Dawn O'Connell, Assistant Secretary for Preparedness and Response. [FR Doc. 2023-22540 Filed 10-12-23; 8:45 am] BILLING CODE 4150-37-P