Biosecure Act Article
Executive Summary: The BIOSECURE Act (Sec. 851 of the FY2026 NDAA, P.L. 119-60[1]) creates new national-security restrictions on U.S. federal procurement and funding. It bars agencies (and thus contractors and sub-contractors) from using biotechnology equipment or services from designated “Biotechnology Companies of Concern” (BCCs)[2]. In practice, every federal contractor – primes and subs alike – must map its supply chain, vet vendors, and certify that no banned biotech components are used in contract performance[3][2]. Although enforcement is phased in over time (final rules expected by 2028[4][5]), small subcontractors should start planning now. Early steps include auditing biotech-related processes (even in non-biotech firms), building policies and training on compliance, and inserting flow-down clauses in subcontracts. Failure to comply could jeopardize contracts (akin to prior Huawei/Kaspersky restrictions) and even trigger penalties like contract termination or False Claims liability if violations occur.
Biosecure Act Briefing
The Act’s core prohibition is straightforward: No federal agency may procure biotech equipment/services from a BCC, nor contract (or extend/renew contracts) with any entity that uses BCC-supplied biotech in performing federal work[2][6]. In effect, all levels of federal contracting and funding are in scope, including grants and loans (so academic and research awardees are covered)[7][8]. Notably, “biotechnology equipment or services” is defined very broadly – anything used in research, development, production, analysis or storage of biological materials, including hardware (e.g. sequencers, lab instruments), components, software/firmware, data systems, analytics, and related consulting[9][10]. In short, even a defense tech sub-contractor might be affected if, say, it uses a blood-analysis cloud service or lab platform that turns out to involve a BCC.
Which entities count as a Biotechnology Company of Concern (BCC)? Under the law, there are two paths to designation[2][11]:
- Existing 1260H List: Any entity on DoD’s list of Chinese Military Companies (the “1260H list”) that “is to any extent involved” in biotech equipment/services[11]. (Several Chinese firms like BGI Genomics have already been flagged in practice.)
- OMB-Designated List: An interagency process led by OMB will name other BCCs based on criteria like foreign adversary control and national-security risk[2][12]. This includes any company (or successor/subsidiary) with ties to a foreign adversary that handles genetic/multiomic data without consent or partners with adversary military/intel agencies[13].
OMB must publish the initial BCC list within 1 year of enactment (by Dec. 18, 2026)[14][15]. After that, federal agencies cannot use items or services from any listed company. In practice, this means prime contractors, subcontractors, suppliers, and grant recipients all share responsibility[7][8]. A small sub that provides biotech-capable hardware or cloud analysis, for example, must ensure none of its upstream components or third-party data services are from a BCC.
| Entity/Function | BIOSECURE Act Requirements |
| Federal Executive Agencies | Prohibit procurement of biotech equipment/services from any BCC; no new contracts (or extensions) with companies using BCC-sourced biotech. Applies to contracts, grants, loans[7][16]. |
| Prime Federal Contractors (all sizes) | Must vet entire supply chain for BCC risk. Map where biotech “touches” your work (lab tools, software, data services) and ensure none come from listed BCCs[17][8]. Will need to add FAR clauses/certifications and flow compliance obligations to subs. |
| Small Subcontractors and Suppliers | Similar obligations flow down. Even if you supply ancillary equipment or services, check that no BCC gear/data is embedded in your products. Provide information to primes for their compliance. Be ready to include Biosecure clauses in your subcontracts. |
| Federal Grantees and Research Institutions | May not use grant funds for biotech equipment/services from a BCC, including via subawards or collaborations[18]. Must certify in applications that costs don’t involve BCCs[19]. (E.g., a university using $ from NIH grants must ensure no BCC is involved in sequencing services.) |
Practical Compliance Steps
To get ahead of these requirements, small subs should take these concrete steps:
- Inventory biotech usage. Catalog any equipment, materials or data processes you use that involve biology/genetics (even healthcare wearables, lab analytics modules, etc.). Remember the definition includes software, firmware and data services[9][10]. If your project is purely IT/defense, double-check hidden uses (e.g. the FedNews example where maintenance software had a health module outsourcing blood data[17]).
- Map your supply chain. Identify all vendors and subcontractors who provide or support biotech-related items. This includes third-party cloud services, analytics, lab testing, and any hardware components. Create a supply-chain map that traces biotech touchpoints (from lab equipment to data storage) across all tiers[20].
- Vet vendors against known lists. Immediately check your suppliers against the current DoD 1260H list (available from DOD websites). In particular, any Chinese-origin firm with biotech activity (BGI Genomics, etc.) will be on it[21][11]. Set up a process to re-check against the forthcoming OMB list when it’s issued (by Dec 2026)[14]. For high-risk vendors (e.g. those with foreign ties), consider enhanced due diligence such as requesting supply-chain certificates or alternate sourcing.
- Update contracts and clauses. When available, flow down the new FAR clause to subcontract language. Until then, insert broad terms requiring subs to notify you of any BCC involvement, and reserving the right to require replacements. Include termination rights and compliance certifications (similar to existing clauses for anti-terrorism or export controls)[22]. Also, revise your proposals and bids to highlight awareness of Biosecure requirements.
- Train and document. Educate key staff (contracts, procurement, technical leads) about the Act and the definition of covered biotech. Develop a policy or SOP for ongoing supply-chain monitoring. Keep records of vendor checks and decisions (this will be important for any audit or certification).
- Coordinate with the prime. Engage the prime contractor in your projects. Ask how they plan to comply and where your work fits in their supply chain mapping. Offer to provide your vetting results or sign any certifications they require. If you’re a small sub supplying biotech components, expect the prime to ask for assurances on this topic.
Risk, Enforcement and Overlaps
Noncompliance carries serious risk. Although the Act itself doesn’t add criminal penalties, using banned biotech can void contracts and lead to debarment or False Claims Act exposure if a company falsely certifies compliance[17][22]. For example, if a contractor knowingly uses a BCC-sourced lab instrument in a Navy project, the agency can cancel the contract and may bar the company from future awards. Additionally, primes may withhold payments or terminate subcontracts that violate the new rules. (A five-year “grandfathering” applies only to contracts predating implementation; no grandfathering applies for BCCs on the 1260H list[23].)
The BIOSECURE Act also intersects with cybersecurity and export-control regimes. Like the existing restrictions on Huawei or ransomware, it’s about protecting sensitive data and tech platforms from foreign influence. Companies already managing IT security under NIST or CMMC should add biotech data to their risk assessments. In particular, genomic and multi-omic data (medical or environmental DNA data) must be safeguarded much like classified information (the law even references “bulk sensitive personal data” as a national-security concern[24]). Likewise, firms that comply with Chinese military end-use restrictions (ECCN 1E001, etc.) should prepare to apply that same scrutiny to biotech suppliers under Biosecure.
Timeline & Checklist
The BIOSECURE Act’s requirements will phase in over the next few years[4][15]. Below is a suggested timeline of actions:
| Action Item | Deadline/Timing |
| Conduct initial biotech audit: Inventory all biotech-related equipment, services, and data your company uses. | Now (Q1–Q2 2026) – Assign responsibility and finish inventory ASAP. |
| Map supply chain: Identify and document all vendors/subcontractors providing biotech items or support services (including software/firmware). | By late 2026 – Complete initial supply-chain map. |
| Vet against 1260H list: Check current suppliers against DOD’s 1260H Chinese military list (available now). | Ongoing (start 2026) – Immediately flag any matches for mitigation. |
| Update policies & training: Develop compliance policies/SOPs; train staff on Biosecure obligations. | By end 2026 – Establish written procedures and complete training. |
| Monitor OMB list: Watch for the OMB-designated BCC list (due Dec 18, 2026) and related guidance (due ~June 2027). | Through 2027 – When list is released, re-screen all suppliers/vendors immediately. |
| Prepare contracts: Draft (or update) contract clauses requiring vendor compliance and carve-outs for emergencies/intel, based on FAR rules (expected mid-2028). | 2027–2028 – Work clauses into bids and subcontracts; negotiate with primes on new terms. |
| Implement FAR changes: FAR is to be revised by mid-2028; new prohibitions become effective ~60–90 days after (Aug/Sep 2028). Ensure all new and ongoing contracts comply by this date. | By Sep 2028 – No new contracts can involve BCC-linked biotech. Final compliance deadlines. |
Procura Resources
Procura’s federal contracting platform is designed to help small businesses navigate exactly these emerging requirements. Our tools scan RFPs and regulatory updates to flag relevant clauses and obligations (including Biosecure Act compliance) and highlight key timeline milestones. Using Procura, a subcontractor can quickly identify if a solicitation involves biotech supply chains or new FAR rules, and stay ahead with our compliance checklists – making it easier to respond confidently and fulfill flow-down requirements.
Sources: This summary draws on official legislation (FY2026 NDAA Sec. 851) and expert analyses[2][14][16], including Federal News Network insights[25], law firm client alerts[2][16], and relevant guidance (e.g. DoD’s 1260H list). It is accurate as of early 2026; for the latest updates check OMB/FAR announcements and agency guidance.
Meet with the Procura Team to See How We Can Help
[1] [5] [6] [10] [11] [12] [13] [15] [16] [22] [23] The US BIOSECURE Act Becomes Law: Implications for Collaborations with “Biotechnology Companies of Concern” – Global Sanctions and Export Controls Blog
[2] [4] [19] BIOSECURE Act Update
https://www.mofo.com/resources/insights/251218-biosecure-act-update
[3] [9] [17] [20] [21] [25] The BIOSECURE Act is coming, and no contractor is as “biotech‑free” as they think | Federal News Network https://federalnewsnetwork.com/contracting/2026/02/the-biosecure-act-is-coming-and-no-contractor-is-as-biotech%E2%80%91free-as-they-think/
[7] [14] [18] [24] BIOSECURE Act: What You Need to Know | HUB | K&L Gates
https://www.klgates.com/BIOSECURE-Act-What-You-Need-to-Know-1-20-2026
[8] BIOSECURE Act: What You Need to Know | K&L Gates LLP – JDSupra
https://www.jdsupra.com/legalnews/biosecure-act-what-you-need-to-know-3799091