The June memo that decides the BIOSECURE Act

This Summer, the OMB will release a memo that will provide critical depth to the BIOSECURE Act. This memo is more important than the list of names expected in December.

Instead of entities, the June memo will focus on language: “use”, “equipment”, “service”, “subject to the jurisdiction of”. These terms all require specific definitions and frameworks in order for federally funded institutions to act accordingly in preparation for the FAR council investigations in 2027. They are the deciding factors between a small cell-therapy startup being considered compliant or radioactive. Here is what topics the memo will cover, ranked by how much damage each call will do to the life sciences sector:

1. “Use” will cascade past Tier-1.

The Act explicitly prohibits institutions from working with an entity that “uses” BCC equipment or services. A broad reading of this command is that if your CDMO sources a plasmid from a CRO using a Wu-Xi derived cell line, you “use” it.

The BIOSECURE Act is a matter of National Security. NDAA Section 889 (the Huawei precedent), was determined to be applied through the subcontractor-level after initial agency confusion, and BIOSECURE was drafted with that history in mind. Indirect access to genomic data has already been identified as a leading cause for harm, and every law firm alert published since December (Arnold & Porter, MoFo, Ropes & Gray) has identified tier-2 exposure as a threat to company compliance.

This will be detrimental to any firm that has only audited its direct vendor list. The OMB will be as broad as possible when looking at potential security risks, and companies should look at their reagents with the highest degree of scrutiny: if “use” could be applied, then it will be.

2. The audit standard will be “reasonable inquiry” with a documentation floor.

Compliance officers hoping for a checklist will be met with a standard framework instead. Expect language modeled on OFAC’s “risk-based approach”: certainty won’t be required, but documentation and a repeatable diligence process will be. Without documentation, it will be impossible to defend against losing an NIH or BARDA grant.

This will hurt unprepared firms and help prepared ones. A prepared compliance officer will have a vendor map, watchlist screening cadence, and an audit trail.

3. “Equipment” will be tiered by data sensitivity

The memo will provide distinction between “equipment” and “services”, two terms that were lumped together in the Act. Expect a functional taxonomy that places sequencers, automated synthesis platforms, and high-throughput screening robotics in a high-risk tier regardless of price. Meanwhile, commodity hardware such as pipettes, centrifuges, and plate-readers will be considered low-risk even when a BCC manufactures them.

This signal comes from bipartisan congressional language that treats genomic data as a national security priority (see the DOJ bulk data rule under EO 14117 for the parallel framework)

What most people will miss: waivers will be narrow and time-limited.

Industry has been lobbying hard for a broad waiver system. They will get something, but it will likely look like the Section 889 waiver system: agency-by-agency, with a 12-24 month time-box, and conditioned on a documented transition plan. WuXi Biologics won’t get a permanent carve-out, and any firm treating waivers as a long-term strategy is mis-interpreting the political climate.

Institutions treating December as their hard deadline will be caught off-guard when the June memo comes out. The OMB update will provide the sector with a rubric to determine whether they will be on the hook or not, regardless of the companies named in December.

I’ll be publishing a clause-by-clause read of the memo within 48 hours of release. If you work in biotech compliance, regulatory affairs, or life sciences law, that’s the document worth bookmarking.

— Evaristo at biogate