BIOSECURE Act Included in the National Defense Authorization Act of 2026

A revised version of the BIOSECURE Act is included in the Senate-passed version of the National Defense Authorization Act of 2026 (NDAA). It was considered but did not move forward in the last Congress.

The Senate passed the NDAA on Oct. 10, 2025, but differences with the House need to be reconciled. It is unclear if the BIOSECURE Act will appear in the final version that must be passed by both bodies.

In general, the BIOSECURE Act would make changes concerning with whom the federal government, contracts, makes loan and restricts grants in relation to companies designated “biotechnology companies of concern that provide biotechnology equipment or services.

Biotechnology Equipment includes:

• Genetic sequencers, or any other instrument, apparatus, machine or device, with components and accessories, that is designed for use in the research, development, production or analysis of biological materials. Additionally, it includes any software, firmware or other digital components specifically designed for use in and necessary for the operation of such equipment. This encompasses:
  • Genetic sequencers.
  • Mass spectrometers, which is explicitly mentioned in the original BIOSECURE Act.
  • Polymerase chain reaction (PCR) machines, which is explicitly mentioned in the original BIOSECURE Act.
  • Any other instruments, apparatus, machines or devices designed for biological research, development, production or analysis.
  • Components and accessories for such equipment.
  • Software, firmware or other digital components specifically designed for and necessary for the operation of such equipment.

Biotechnology Services include:

• Any service for the research, development, production, analysis, detection or provision of information. This includes data storage and transmission related to biological materials, advising, consulting, or support services with respect to the use or implementation of such equipment, disease detection, genealogical information. and related services. As well as any other service, instrument, apparatus, machine, component, accessory, device, software or firmware that the Director of the Office of Management and Budget determines appropriate in the interest of national security. This encompasses:
  • Research, development, production, analysis or detection services related to biological materials.
  • Data storage and transmission services related to biological materials.
  • Advising, consulting or support services regarding the use or implementation of biotechnology equipment.
  • Disease detection services.
  • Genealogical information services.
  • Contract research organization (CRO) services involving biotechnology.
  • Laboratory testing services.
  • Any other services that the Director of OMB determines appropriate in the interest of national security.

The term “biotechnology equipment or services produced or provided by a biotechnology company of concern” is not construed to refer to any biotechnology equipment or services that were formerly, but are no longer, produced or provided by biotechnology companies of concern.

Current Version vs BIOSECURE Act in the Last Congress

The version accepted as an amendment to the NDAA, is different than the proposal in the last Congress. It is similar in that it would:

• Prohibit federal agencies from procuring or otherwise obtaining biotechnology equipment or services produced or provided by a “biotechnology company of concern.”
• Prohibit federal agencies from entering into, extending or renewing government contracts with an entity that uses, in performance of that federal contract, biotechnology equipment or services from a biotechnology company of concern, directly or indirectly.
• Prohibit federal agencies from issuing grants or loans to purchase, obtain or use biotechnology equipment or services produced by a “biotechnology company of concern.”

• Prohibit government loan and grant recipients from using those funds to enter into contracts with entities that use equipment from companies of concern, in performance of any federal prime or sub-contract.

However, there are significant differences from the previous version.

• The previous version defines “biotechnology companies of concern” as biotechnology companies that are headquartered in or subject to the jurisdiction of a foreign adversary’s government and pose a threat to national security. The current version would implement a process-based identification system through which biotechnology companies of concern will be identified based on a whether the companies meet certain statutorily defined criteria.
• The previous version explicitly identified four Chinese companies as biotechnology companies of concern, including their subsidiaries, parent company, affiliates and successor. The current version does not.
• The previous version allowed the federal government to designate other companies as biotechnology companies of concern in the future.

The current text provides due process protections for companies facing designation. A notice of designation as a “biotechnology company of concern” must be issued to any company named in the designation, advise that a designation has been made, identify the criteria relied upon and the information forming the basis for the designation to the extent consistent with national security. The notice must also include that the company may submit information and arguments in opposition within 90 days, describe the review procedures, and where practicable, identify mitigation steps that could result in rescission of the designation.

While the current version does not name explicitly any companies, it establishes two categories for identifying biotechnology companies of concern:

1) Entities identified in the Department of Defense’s annual list of Chinese military companies operating in the United States pursuant to section 1260H of the NDAA for 2021, otherwise known as the “1260H List”.

2) Entities determined via a designation process to be subject to the administrative governance structure, direction, control or operation of the government of a foreign adversary (i.e. China) and is to any extent involved in the manufacturing, distribution, provision or procurement of biotechnology equipment or service and poses a risk to national security based on specific criteria.

It also includes any subsidiary, parent, affiliate or successor entity of one of these entities.

The 1260H list, also known as the 1260H CMC List, is a roster of “Chinese military companies” operating, directly or indirectly, in the United States. The Department of Defense publishes the 1260H List annually in the Federal Register. Entities that are on the 1260H list are:

• Directly or indirectly owned, controlled by or acting on behalf of the Chinese military or related authorities (e.g., PLA, Central Military Commission).
• Contributing to the Chinese military civil fusion and engaging in commercial services, manufacturing, production or export in the U.S. or its territories.

Any newly identified “Chinese military companies” that are added to the 1260 H list will automatically be designated a “biotechnology company of concern” and become subject to the prohibitions of the act. Upon enactment, all entities currently on the 1260H list, last updated on Jan. 27, 2025, will immediately be designated as “biotechnology companies of concern.”

The designation process identifying other companies of concern involves multiple steps:

• The Secretary of Defense, in coordination with the Attorney General, the Secretary of Health and Human Services, the Secretary of Commerce, the Director of National Intelligence, the Secretary of Homeland Security, the Secretary of State, and the National Cyber Director, suggest entities to be considered to the Director of the Office of Management and Budget.
• The Director of the Office of Management and Budget then evaluates whether each entity is subject to the administrative governance structure, direction, control or operates on behalf of the government of a foreign adversary; is involved in the manufacturing, distribution, provision or procurement of biotechnology equipment or services and poses a risk to national security.

The national security risk criteria include engaging in joint research with, being supported by, or being affiliated with a foreign adversary’s military, internal security forces or intelligence agencies; providing multiomic data obtained via biotechnology equipment or services to the government of a foreign adversary; or obtaining human multiomic data via biotechnology equipment or services without express and informed consent. The term “multiomic” means data types include genomics, epigenomics, transcriptomics, proteomics and metabolomics.

• If a company is designated a biotechnology company of concern, a notice of must be issued to any company named in the designation. The company may submit information and arguments in opposition within 90 days.

• The Director of the Office of Management and Budget reviews all information submitted in opposition and issues a final determination before the designation is made publicly available.

The Director of Office of Management and Budget, in coordination with multiple agency heads, shall periodically, though not less than annually, review and, as appropriate, modify the list of “biotechnology companies” of concern.

Implementation of the legislation if enacted would be:

• Not later than one year after the date of enactment, the Director of the Office of Management and Budget will publish a list of entities that constitute biotechnology companies of concern.
• Not later than 180 days after publication of the list of biotechnology companies of concern, and any update to the list, the Director of the Office of Management and Budget, in coordination with multiple agency heads, will establish guidance as necessary to implement the requirements of this section.
• Not later than one year after the date of establishment of guidance, and as necessary for subsequent updates, the Federal Acquisition Regulatory Council will revise the Federal Acquisition Regulation (FAR) as necessary to implement the requirements.
• Prohibitions Take Effect
  • For 1260H List companies – the prohibitions take effect 60 days after the FAR is revised.
  • For other biotechnology companies of concern determined through the evaluation process, the prohibitions take effect 180 days after the FAR is revised.

Should the final version of the NDAA include the current version of the BIOSECURE Act, the earliest the prohibitions would take effect is approximately two to three years from enactment. This is longer than the original version of the legislation.

The question of how to handle current contracts should a company receive a designation the current version treats differently than the proposal considered by the last Congress. The previous version would have provided companies until Jan. 1, 2032, to wind-down relationships with the named Chinese biotech entity. The current version would have restrictions go into effect immediately for contracts with entities on the 1260H List.

For contracts with entities that are named in the future, the new legislation provides a five year transition period.

This means existing contracts entered into before the effective date of the prohibitions are effectively grandfathered for five years after an entity is named and FARs are revised. This includes previously negotiated contract options and means that protection lasts for up to five years after an entity in named and FARs revised. This gives entities time to complete existing contracts, identify alternative suppliers transition to compliant companies and minimize business disruption

Conclusion

The U.S. Intelligence Community will have to complete a comprehensive risk assessment addressing how foreign adversaries collect, store or exploit multiomic data and submit a report to Congress as well as provide ongoing reporting about “nefarious activities” by biotechnology companies, including selling, licensing, transferring or sharing Americans’ multiomic data with foreign governments and others.