The Gap Between DURC Policy and DURC Practice: How Dual-Use Research Actually Gets Reviewed

The phrase 'dual-use research of concern' entered federal vocabulary formally in 2012, when the Obama administration's NSABB deliberations over H5N1 gain-of-function manuscripts forced a policy structure into existence. What emerged was a tiered framework: DURC policy at the institutional level, enhanced potential pandemic pathogen (ePPP) oversight at the federal level, and a patchwork of funding-agency requirements sitting between them. Fourteen years later, that structure remains largely intact. So do most of its original gaps.

The first gap is definitional. The federal DURC policy covers research with fifteen listed agents and toxins that meets one of seven specified experimental criteria, including enhancing transmissibility, pathogenicity, or immune evasion. The criteria were written with a specific category of experiment in mind: the kind that produces a dramatically more dangerous pathogen in a legible, measurable way. What they do not cleanly capture is incremental dual-use risk, the research that edges a capability forward without crossing a bright line in a single step. Any biosecurity analyst reading the primary policy documents will notice that the threshold question, whether an experiment 'reasonably be anticipated to create, transfer, or use' a covered agent in a concerning way, is a judgment call that the policy assigns to institutions without giving institutions much scaffolding for making it.

The second gap is coverage. Federal DURC oversight applies to research funded by the fifteen signatory agencies. Research funded by private industry, by non-signatory foreign governments through academic partnerships, or by venture-backed synthetic biology companies operates under a different and thinner regime. Biosafety committee review at the institutional level may still apply, depending on the agents involved, but the enhanced scrutiny layer that attaches to federal funding is simply absent. This is a structural condition, not a compliance failure. No regulation currently requires it to be otherwise.

The third gap is capacity. Institutional Biosafety Committees, the IBCs, are the point-of-entry review bodies for most covered research. IBC membership requirements specify biological safety expertise but do not mandate DURC-specific training. The federal DURC policy encourages but does not require institutions to create dedicated DURC review processes separate from standard IBC review. In practice, at most research universities, DURC review happens inside the IBC workflow, handled by committees whose primary orientation is biosafety, not biosecurity. The distinction matters. Biosafety asks whether researchers are protected. Biosecurity asks whether the knowledge produced could be extracted, misused, or published in ways that transfer capability to actors outside the original research context.

The fourth gap is the prepublication review question. When research clears institutional and federal review and reaches a journal, editors and peer reviewers become an informal last line of oversight. The NSABB has no binding authority over journals. Voluntary norms exist, most notably through the journals that joined the biosecurity principles framework after the 2014 moratorium discussions, but voluntary norms are not evenly applied and they do not follow preprints.

None of this means the system produces no value. Federal ePPP review, when triggered, involves a multi-agency policy review that is genuinely rigorous. The problem is that most dual-use research does not rise to the ePPP threshold, and in the space below that threshold, the review quality is highly variable and largely invisible to outside auditors.

Assessment confidence on the severity of the resulting risk is moderate at best. What is demonstrable, at high confidence, is that the coverage map has edges that are both wide and poorly documented. Researchers, funders, and institutions operating near those edges deserve to know where they are standing.