The United States’ biosecurity governance system is structurally incapable of detecting and responding to certain classes of threats. U.S. biosecurity tools have not kept pace with technological advancements or a changing threat landscape. The National Security Commission on Emerging Biotechnology (NSCEB) unanimously recommended creating a consolidated, dedicated capability to address this structural failure. Section 6 of the Biosecurity Modernization and Innovation Act of 2026 (BMIA) represents the first legislative step toward implementing that recommendation. This paper presents the diagnostic case for why piecemeal reform is not sufficient and sets out seven design requirements that any viable institutional solution must satisfy.
I. The Current Paradigm is the Problem
The United States lacks a government body with a primary mandate to detect and prevent biological threats to the homeland. Decades of reports and white papers have recommended reforms. In 2025, the National Security Commission on Emerging Biotechnology (NSCEB)—a bipartisan, bicameral body of eleven Commissioners including four sitting members of Congress—concluded unanimously that the problem is structural, not managerial, and that the United States needs a consolidated, dedicated institutional capability to ensure responsible innovation and protect against misuse.
This is not a story about bureaucratic dysfunction. The dedicated professionals working inside today’s agencies are faithfully executing their jobs. The problem is that those agencies are organized around a set of governing assumptions that do not match today’s technology and threat environment, and those agencies were not designed to evolve to meet new threats or capabilities. Piecemeal fixes applied to a paradigm-level problem produce the illusion of progress; meanwhile, the underlying failures continue to compound.
The recently introduced Biosecurity Modernization and Innovation Act of 2026 (BMIA) acknowledges this in its Sense of Congress: “the current landscape of biosecurity and biosafety authorities is spread among multiple agencies, contributing to slow policymaking, which, coupled with the rapid advancement of biotechnology, becomes outdated quickly.” Section 6 of the BMIA requires the White House to identify gaps and opportunities for consolidating biosecurity and biosafety governance and develop an implementation plan for making oversight more effective. This may involve condensing many capabilities into a new agency. This briefing paper is intended to provide a framework for creating a federal agency for biosafety, biosecurity, and bioresponsibility that addresses the structural challenges endemic in the current system.
II. A System Designed for a Different World
The “Whoops Then Fix” (WTF) Cycle
The United States’ current biosecurity system operates on a reactive “whoops then fix” (WTF) cycle. Under the WTF cycle, the government waits for something to go wrong, reaches for the nearest available solution, and places responsibility wherever in government is most expedient. Over time, this has meant that responsibilities for biosecurity are scattered across dozens of agencies, with little to no central coordination. When new challenges arise—for example, gene drives, cloud labs, or AI-enabled biosecurity threats—the WTF cycle means that implementation is usually haphazard, with few checks on whether the solutions actually solve the fundamental problems. Each time the cycle repeats, we end up with a slower biosecurity system than we had before.
If the United States had an agency based on this briefing paper’s design requirements, the security of gene synthesis—the process of moving from digital biology to physical biology—would look different. Instead of taking two decades for basic oversight, synthetic DNA screening capabilities would have been rolled out in 18 months because senior U.S. leaders would have had a single body to task with developing a solution. A no-fault reporting system for suspicious orders would have been prototyped within two years. Regular signals on the effectiveness of the system would have allowed for modulating oversight at pace with technical advances. We would have security across the whole digital-to-physical barrier, instead of just the narrow sequence screening slice. The IP threats from cheap Chinese synthesis providers would have been rapidly identified and countered. Instead, meaningful solutions to even limited screening measures are only just gathering steam in Congress.
The Streetlight Effect
The deeper structural failure is that each mechanism in the United States’ current biosecurity system only recognizes and acts on concerns that its existing tools can address. This is the streetlight effect—searching for answers where it is easiest to look. For example:
- NIH Guidelines only place biosafety conditions on institutions with federal funding, so the growing share of research conducted with non-federal funding, and non-health biotechnology, is outside of the mandate.
- The Federal Select Agent Program controls who can possess and perform research on a small list of deadly pathogens, resulting in a mindset of, “because I’m not using a select agent, I don’t have to worry about the security concerns of my research.”
- The Bureau of Industry and Security uses export controls, so biosecurity concerns that are not export-controllable are functionally invisible.
- U.S. implementation of the Biological Weapons Convention focuses on state actors and intentions to create and possess biological weapons. Dual-use civilian research is structurally out of scope.
Senior U.S. Leaders Have Nowhere to Go
The U.S. biosecurity system’s deference to a WTF cycle and streetlight effect means that when the U.S. government—including White House and National Security Council leadership—recognizes a new technology-related biosecurity or biosafety issue, there is no one agency to task that has the authority to drive solutions across the federal enterprise. Meanwhile, the threat landscape is expanding rapidly: DNA synthesis companies are enabling wider availability of novel biological constructs; engineering biology is making biological design and construction easier; automated and cloud labs are reducing the need for hands-on experimentation and facility access; and AI advancements are ushering in a new, novel agent threat paradigm with rapid integration across the biotechnology landscape. At the same time, the United States is quickly losing its technological lead as other nations build industrial-scale biological manufacturing capacity.
To chart a better path forward for U.S. biosecurity, we must challenge the current paradigm. Is today’s system able to address novel biosecurity and biosafety concerns? If not, how do we rapidly change that system to address those concerns on an ongoing basis? And finally, how do we balance national security considerations with those of economic vitality and American values when it comes to biosecurity and bioresponsibility? The answers to these questions will define U.S. biosecurity posture and preparedness for generations to come.
III. The Paradigm Contrast
What would a new paradigm for biosecurity look like? The below table summarizes the governing assumptions that have produced today’s system for biosecurity innovation, alongside the assumptions required for developing an updated system that can govern biotechnology at pace with its development.
The most important distinction between the current and proposed paradigms is the relationship between the problems we face and the tools we have to address them. The legacy paradigm treats that relationship as fixed: tools are a given, and the job of governance is to deploy them better. The new paradigm treats that relationship as variable: problems define what tools are needed, and new instruments can be built and deployed when existing ones prove inadequate.
A governing institution operating on this logic does not just issue regulations; it maintains the institutional capacity to develop or discard governing instruments to meet the current biosecurity environment, at the pace that environment demands. Governing instruments are treated as prototypes subject to testing and revision, not inherited structures to be defended.
IV. Design Requirements for Any Viable Solution
The NSCEB assessed in its April 2025 report that the United States needs a consolidated, dedicated capability that integrates leading-edge science with adaptive governance. This necessitates seven functional requirements across four key stages: 1) assess the concern; 2) innovate the solution; 3) test before deployment; and 4) deploy and iterate. Any institutional option that satisfies all seven functional requirements embedded under those stages represents a viable expression of the new paradigm. Any options that satisfy only some functional requirements leave specific failure modes intact.
These requirements are stated as functional capabilities, not organizational prescriptions. Where the consolidated capability sits within government, how its authorities are distributed, and the specific statutory vehicle necessary to establish such a capability are questions for political and policy negotiation. The design requirements constrain but do not resolve those questions.
Assess the Concern
Requirement 1. Concern identification must precede and remain structurally independent of tool selection.
The streetlight effect allows existing tools (e.g. export controls, secrecy classification) to define what counts as a governable problem. The United States must be able to identify and understand concerns that do not fit under any existing tool and design new tools when needed.
Requirement 2. U.S. biosecurity architecture must be multi-sector and risk-based, with concern identification insulated from any single sector’s undue influence.
When closed expert communities produce threat assessments, they are often systematically biased by those communities’ institutional incentives. Similarly, the stagnated lists of known concerns underpinning existing U.S. biosecurity policies, such as the Select Agent Program, prevent more risk-based assessments that can dynamically balance competing national priorities. Multi-sector participation in concern identification is therefore critical for accuracy, not a democratic courtesy.
Requirement 3. Oversight must span the full innovation lifecycle and research funding landscape.
Any viable institution needs jurisdictional reach that matches the current and future landscape: privately funded research, cloud lab access, AI-enabled design pathways, and the full innovation lifecycle from early-stage research through deployment. Without this, oversight will be largely performative, not substantive.
Innovate the Solution
Requirement 4. The United States must create new governing instruments.
The United States’ existing toolkit is blunt and reactive: moratoria are a heavy hammer and hazard lists are appropriate when the level of concern is already known. A viable institution must have the statutory authority and operational capacity to design and rapidly build and adapt new regulatory, technical, and organizational instruments when existing ones prove inadequate. A development mandate, not just a coordination mandate, is essential.
Test Before Deployment
Requirement 5. Governing instruments must be testable before full deployment.
New governing tools need a formal testing mechanism, i.e. a defined legal structure in which participants are protected and performance is measured against substantive outcomes. This mechanism should be scalable as required, from informal policy pilots to full regulatory sandboxes. This is a structural requirement for knowing whether an instrument works before you scale it.
Deploy and Iterate
Requirement 6. The institution must see solutions through to implementation.
It has taken thirteen years to update gene synthesis screening guidance, ten years to modernize DURC oversight, and FSAP reform calls continue to go unresolved. Without accountability to ensure that solutions are developed and actually deployed, we cannot expect biosecurity to advance. This requires a clear lead for biosecurity innovation across the interagency, checking to ensure solutions are deployed and building in a system for evaluating efficacy.
Requirement 7. The institution must treat oversight like software, with version control.
The cybersecurity community provides a model for good governance in a rapidly evolving landscape. By systematically updating tools and capabilities for oversight, the norm becomes evolution, not stasis. Biosecurity architects must build institutional design with an understanding that the tools must continue to change as the technology and threat landscapes evolve.
VI. Conclusion: The Cost of Insufficient Reform
The world took far too long to understand how safety and security changed with the advent of the internet. Equivalent delays in biotechnology will lead to consequences we will either have to live with, or will not survive. The question before policymakers now is not whether to reform U.S. biosecurity governance; the current system’s failures make that case. The question is whether those reforms will sufficiently address the paradigm-level problem. Biosecurity is a bipartisan issue, and now is the moment to lay the foundation for a secure age of biotechnology.
This briefing paper is produced by the Federation of American Scientists. It presents analytical frameworks and design criteria for policymakers considering biosecurity governance reform. For a full treatment of the theoretical argument, evidentiary base, literature foundations, and institutional design options, see the BioSTAR anchor paper: BioSTAR: Innovating on Governing — A New Paradigm for U.S. Biosecurity (FAS, 2026). Contact: Sam Weiss Evans sevans@fas.org