Foreign Disclosure and Risk Management
In the SBIR and STTR Extension Act of 2022, signed into law by President Biden on September 30, 2022, Congress requires Federal agencies to establish a due diligence program to assess security risks posed by applicants. Read below to learn more about foreign disclosure requirements, the due diligence program, and review foreign risk case studies.
The SBIR and STTR Extension Act of 2022 includes major changes to the SBIR and STTR programs, including:
- disclosure requirements regarding ties to foreign countries,
- a requirement for federal agencies that manage SBIR and STTR programs to establish a due diligence program to assess security risks posed by applicants, and
- denial of award and recovery authority provisions when ties to foreign countries of concern pose a significant security risk.
Details of the SBIR and STTR Foreign Disclosure and Risk Management Pre-award and Post-Award Requirements can be found in NOT-OD-24-029.
Disclosure Requirements Regarding Ties to Foreign Countries
Applicants to the SBIR and STTR programs are required to disclose all funded and unfunded relationships with foreign countries, using the Required Disclosures of Foreign Affiliations or Relationships to Foreign Countries Form (hereafter referred to as the SBIR STTR Foreign Disclosure Form), for all owners and covered individuals.
Submission is Required!
Applicants who do not submit the completed SBIR STTR Foreign Disclosure Form during the JIT process will not be considered for funding.
A “covered individual” is defined as all senior key personnel identified by the small business in the application (i.e., individuals who contribute to the scientific development or execution of a project in a substantive, measurable way).
Effective for competing SBIR and STTR applications submitted for due dates on or after September 5, 2023, upon request, applicants will submit the completed disclosure form via the Just-In-Time (JIT) process. Applicants to the Omnibus Solicitations with primary assignments to CDC and FDA will follow each agency’s policies for submitting additional documents during the pre-award process.
Due Diligence Program to Assess Security Risks
HHS has implemented a due diligence program designed to assess security risks by applicants.
NOTE: The review of the security risks is separate from the merit review process.
Applicants and recipients are encouraged to consider whether their entity’s relationships with foreign countries of concern will pose a security risk. Prior to issuing an award, HHS will conduct a foreign risk assessment to determine whether the small business submitting the application has at least one affiliation in a due diligence dimension and that affiliation corresponds to at least one unallowable risk category from the Act.
Assessment will include:
| Legislative Requirement | Due Diligence Dimension | Foreign Involvement Determination | No Foreign Involvement Determination |
|---|---|---|---|
| Foreign Ownership | Foreign Ownership and Control | Confirmed indicators of active (ongoing) partnership or a controlling equity, joint venture, and/or subsidiary in a foreign country of concern | No confirmed indicators of active (within 1 year) partnership or a controlling equity, joint venture, and/or subsidiary in a country of concern |
| Financial Ties & Obligations to a Foreign Country of Concern | Financial Obligations | Confirmed indicators of active (ongoing) foreign financial obligations with a foreign country of concern, person residing in a foreign country of concern, or an entity affiliated with a country of concern | No confirmed indicators of active (within 1 year) foreign financial obligations with a foreign country of concern, person residing in a foreign country of concern, or an entity affiliated with a country of concern |
| Employee Analysis |
Foreign Talent Program | Confirmed indictors of current or past participation in a malign foreign talent recruitment program (defined by section 10638 of the Research and Development, Competition, and Innovation Act; Public Law 117-167) | No confirmed indictors of current or past (within 1 year) participation in a malign foreign talent recruitment program (defined by section 10638 of the Research and Development, Competition, and Innovation Act; Public Law 117-167) |
Foreign Affiliations | Confirmed indictors of a recent affiliation (within 1 year) with an entity or research institution affiliated with a foreign country of concern | No confirmed indicators of recent affiliation (within 1 year) with an entity or research institution affiliated with a foreign country of concern | |
| Cybersecurity Practices | Cybersecurity Concerns | Confirmed foreign IP activity (within 1 year) indicative of business operations in a foreign country of concern or using IT software, hardware, and/or services from a U.S.G. prohibited vendor or from an IT vendor from a foreign country of concern | No confirmed foreign IP activity (within 1 year) indicative of business operations in a foreign country of concern or using IT software, hardware, and/or services from a U.S.G. prohibited vendor or from an IT vendor from a foreign country of concern |
| Patent Analysis | Foreign Patents | Confirmed patent application(s) or patent(s) based on research funded by the U.S. Government that were filed within the last 5 years in a foreign country of concern prior to filing in the U.S. or filed on behalf of a foreign country of concern connected entity | No confirmed patent application(s) or patent(s) based on research funded by the U.S. Government that were filed within the last 5 years in a foreign country of concern prior to filing in the U.S. or filed on behalf of a foreign country of concern connected entity |
NIH, CDC, FDA, ACL, and ARPA-H may decline to move forward with an award based on security risks determined during the assessment. An award will not be issued prior to completing the assessment process.
Denial of Awards
Foreign involvement with countries of concern will not necessarily disqualify an applicant. Final award determinations will be based on whether the applicant's involvement falls within any of the following risk criteria:
- interfere with the capacity for activities supported by the award to be carried out;
- create duplication with the proposed award activities;
- present concerns about conflicts of interest;
- were not appropriately disclosed;
- violate Federal law or terms and conditions; or
- pose a risk to national security.
Small business concern (SBC) applicants or offerors and covered individuals are responsible for monitoring their involvement with foreign countries of concern for affiliations that fall in these risk categories. NIH, CDC, FDA, ACL, and ARPA-H will not issue an award under the SBIR or STTR program if the relationship with a foreign country of concern identified in this guidance is determined to fall under any of the criteria provided above.
Applications and proposals under consideration will undergo foreign risk assessment. SBCs will be notified if their application or proposal cannot be funded due to foreign risk. NIH, CDC, FDA, ACL, and ARPA-H will not provide information regarding the sources and methods of the foreign risk assessment or specific details of identified risks. SBCs will not have the opportunity to modify an application or address foreign security risks identified in the pre-award process. **NIH, CDC, FDA, ACL, and ARPA-H program staff do not receive information on identified security risks.**
Foreign Risk Case Studies
NIH has observed several concerns regarding foreign research security risks in previous grant applications and contract proposals. The scenarios below have been developed using observations from real cases.
Case 1 - Denial of Award: Malign talent recruitment program and affiliation with a research institution in a foreign country of concern
- A U.S. company applied for an SBIR grant with Dr. Smith as a Principal Investigator. Upon request from NIH program staff, the company submitted the SBIR STTR Foreign Disclosure Form as part of the Just-in-Time materials. The Form declared that none of the covered individuals in the company were applicants or recipients of any malign talent recruitment program.
- However, the foreign risk assessment found that Dr. Smith was currently part of a malign talent recruitment program, which included a paid faculty position at a research institution in a foreign country of concern.
Result: The award was denied because the company had a covered individual who is party to a malign foreign talent recruitment program and held an affiliation with a research institution located in a foreign country of concern AND the involvement falls within the following risk criteria:
- presented concerns about conflicts of interest;
- was not appropriately disclosed.
Case 2 - No Denial of Award: Foreign affiliation with a foreign country of concern
- A US company submits an SBIR application with Dr. Lee as Principal Investigator on the topic of skin grafts. The company submits the SBIR STTR Foreign Disclosure Form and declares that Dr. Lee holds a visiting professor position at a university located in a foreign country of concern, conducting the bulk of the work virtually from the US. The position involves consultation on research focused on decontamination of toxic wastewater. No other disclosures are included in the SBIR STTR Foreign Disclosure Form.
- Dr. Lee received a PhD in 2001 from an institution located in a foreign country of concern.
- Dr. Lee is a citizen of a foreign country of concern and a US Permanent Resident.
- The foreign risk assessment found confirmation of Dr. Lee’s visiting professor position and responsibilities.
Result: The award can be made because Dr. Lee disclosed his appointment with an institution in a foreign country of concern and the relationship:
- did not interfere with the ability for the SBIR work to be carried out;
- did not create concerns of duplication with proposed activities;
- did not present concerns about conflicts of interest;
- did not violate Federal law or terms and conditions; and
- did not represent a national security concern.
Case 3 - Denial of Award: Subsidiary located in a foreign country of concern
- Dr. Jones is a co-founder of a U.S. company that is applying for an NIH SBIR grant. Dr. Jones is an NIH-supported faculty member at a U.S. university and a co-investigator on the application.
- The SBIR STTR Foreign Disclosure Form submitted for the SBIR application disclosed that Dr. Jones' company has a subsidiary located in a country of concern. The foreign risk assessment found confirmation of the subsidiary.
Result: The award was denied because the company had a subsidiary located in a foreign country of concern AND the involvement falls within the following risk criteria:
- presented concerns about conflicts of interest; and
- posed a risk to national security.
Case 4 - No Denial of Award: Citizenship and no foreign affiliation with a foreign country of concern
- A U.S. company submits an SBIR application with Dr. Ross as Principal Investigator.
- Dr. Ross received a PhD in 2003 from an institution located in a country of concern, is a citizen and former resident of the foreign country of concern, and regularly visits family that still resides in the foreign country of concern.
- Dr. Ross does not have any current affiliations with institutions or companies located in the foreign country of concern.
- The company submits the SBIR STTR Foreign Disclosure Form and does not disclose any current foreign affiliations.
- The foreign risk assessment confirmed that neither the company nor Dr. Ross have any current foreign affiliations.
Result: The SBIR award can be made as neither the company nor Dr. Ross have any current foreign affiliations.
Case 5 - Denial of Award: Foreign affiliation with a research institution located in a foreign country of concern
- A U.S. company has been very successful in securing SBIR/STTR funding from U.S. government agencies.
- Dr. Johnson, a researcher at a U.S. institution partnering with the U.S. company, is senior key personnel on the company's latest SBIR application to NIH.
- The company submits the SBIR STTR Foreign Disclosure Form and declares that their covered individuals, which includes Dr. Johnson, have no affiliations with a research institution in a foreign country of concern.
- On the annual internal disclosure form from the U.S. university, Dr. Johnson checks no other affiliations of financial interests.
- The foreign risk assessment finds that Dr. Johnson is also a visiting professor at a university in a country of concern known to have close ties with military organizations in the foreign country.
Result: The award was denied because the covered individual has a foreign affiliation with a research institution located in a foreign country of concern, AND the involvement falls within the following risk criteria:
- was not appropriately disclosed;
- posed a risk to national security.
Case 6 - Denial of Award: Foreign affiliation with a research institution located in a foreign country of concern
- A U.S. company has been awarded several SBIR grants from multiple U.S. government agencies. Dr. Anderson, the vice president of the company, is an inventor on patents developed with the research funded by the U.S. Government.
- Dr. Anderson is also a co-owner of a foreign company in a foreign country of concern. This foreign company is not a business entity, parent company, or subsidiary of the U.S. company.
- The company submits the SBIR STTR Foreign Disclosure Form. It declares that Dr. Anderson has an affiliation with a company in a foreign country of concern. The company also declares that they have neither licensed technology nor sold/transferred any intellectual property to a foreign country of concern in the previous 5-year period.
- The foreign risk assessment finds that some of Dr. Anderson's recent patents related to work funded by the U.S. Government have been filed in a foreign country of concern with the foreign company as the assignee prior to being filed in the U.S.;
- The patents and collaborations of the foreign company, on technologies developed with funding from the U.S. Government, were not disclosed in any communications with U.S. government funding agencies. It was determined Dr. Anderson used U.S. Government funds to develop technology in a foreign country.
Result: The award was denied because the U.S company transferred intellectual property to a company located in a foreign country of concern AND the involvement falls within the following risk criteria:
- was not appropriately disclosed;
- violate Federal law or terms and conditions; or
- posed a risk to national security.
Case 7 - Denial of Award: Affiliation with a research institution in a foreign country of concern and foreign research funding
- A U.S. company included an academic researcher, Dr. Miller, as a senior/key person on their grant application. Dr. Miller is a U.S. citizen primarily employed by a U.S. academic research institution.
- The SBIR STTR Foreign Disclosure Form was submitted by the applicant company on behalf of the small business and all covered individuals on the application. No affiliations with foreign institutions or businesses were disclosed for Dr. Miller, and Dr. Miller did not disclose other support from a foreign country of concern.
- However, Dr. Miller had an appointment with a research institute located in a foreign county of concern.
- Additionally, several of Dr. Miller’s recent academic publications were funded by the research institute located in a foreign country of concern.
Result: The award was denied because the covered individual has a foreign affiliation and financial ties with a research institution located in a foreign country of concern, AND the involvement falls within the following risk criteria:
- was not appropriately disclosed;
- presented concerns about conflicts of interest;
- posed a risk to national security.
Case 8 - Denial of Award: Subcontract with a subsidiary of a business in a foreign country of concern
- A small business applicant has no ownership or investments from foreign countries of concern. The applicant business submits the SBIR STTR Foreign Disclosure Form vouching that the small business has no affiliations with foreign countries of concern.
- However, in the application, the small business proposed a subcontract with a company, ABC Company, to provide services for their research project.
- ABC Company is a subsidiary of a business owned by an entity in a foreign country of concern with known ties to the military.
Result: The award was denied because the small business proposed a subcontract to a subsidiary of a company with known ties to the military and government of a foreign country of concern AND the involvement falls within the following risk criteria:
- was not appropriately disclosed;
- posed a risk to national security.
Case 9 - No Denial of Award: Affiliation with a large global company
- A small business applicant submits an application that includes matching funding and resources from a large multinational pharmaceutical company.
- The large multinational company is not organized in a foreign country of concern, nor is most of its business based in a foreign country of concern. The small business investigated the ownership and affiliations of the company and verified that the large multinational company was not affiliated with a foreign government or known agent of a foreign country of concern.
- The small business discloses the partnership and support in the Just In Time (JIT) Other Support documentation, including clear justification for why the support does not overlap with what is requested in the application.
Result: The award can be made because the support did not overlap with the work proposed in the application and the affiliated business was not based, predominately based, nor affiliated with foreign government in a foreign country of concern, AND the relationship:
- did not interfere with the ability for the SBIR work to be carried out;
- did not create concerns of duplication with proposed activities;
- did not present concerns about conflicts of interest;
- did not violate Federal law or terms and conditions; and
- did not represent a national security concern.
Case 10 - Denial of Award: Research collaborations with institution in foreign country of concern
- A small business, Ultrasound Technology LLC, proposes to collaborate with U.S.-based academic researcher, Dr. Moher, as a subject matter expert as part of their small business application requesting funds to develop a novel ultrasound technology.
- Dr. Moher does not have a teaching or research appointment with any academic institutions in countries of concern; however, she has a research collaboration relating to the application of novel diagnostic testing using ultrasound devices with researchers at an institution in a foreign country of concern.
- Dr. Moher has been a coauthor on academic papers with her research collaborators within the last year, which were funded by the institution in a foreign country of concern.
- As a collaborator on Ultrasound Technology LLC’s application, Dr. Moher would have access to proprietary, U.S. Government-funded small business research that could benefit her academic collaborations. Foreign risk assessment determined that there are concerns about a conflict of interest.
- It is known that the government of the foreign country of concern has, in the past, accessed the contents of emails sent to academics at institutions within the country of concern in order to gain information about innovations, technologies, and other discoveries.
Result: The award was denied because covered individual has a foreign affiliation and financial ties with a research institution located in a foreign country of concern, AND the involvement falls within the following risk criteria:
- presented concerns about conflicts of interest;
- posed a risk to national security.
Case 11 - Denial of Award: Financial obligation with entity in foreign country of concern disclosed
- An applicant small business concern received an investment from a large company headquartered in a foreign country of concern as part of an early-stage venture capital deal and continued to receive investments from the foreign company over time.
- The applicant included the investments on their SBIR STTR Foreign Disclosure Form.
- During foreign risk assessment, it was confirmed that these investments had taken place and that the affiliation between the small business concern and the foreign company was ongoing.
- The large company in a foreign county of concern has had previous concerns raised regarding concerns around user privacy and U.S. national security.
Result: The award was denied because the small business concern had financial ties or obligations with a company located in a foreign country of concern AND the involvement falls within the following risk criteria:
- presented concerns about conflicts of interest;
- posed a risk to national security.
Post-Award Monitoring and Reporting Requirements
Effective for competing SBIR and STTR applications submitted for due dates on or after September 5, 2023, recipients are responsible for monitoring their relationships with foreign countries of concern post-award, for any changes that may impact previous disclosures. Companies receiving an award under the SBIR or STTR program are required to submit an updated SBIR STTR Foreign Disclosure Form to report any of the following changes throughout the duration of the award:
- any change to a disclosure on the SBIR STTR Foreign Disclosure Form;
- any material misstatement that poses a risk to national security; and
- any change of ownership, change to entity structure, or other substantial change in circumstances that may pose a risk to national security.
Regular, annual updates are required at the time of all SBIR/STTR annual, interim, and final Research Performance Progress Reports (RPPRs). For changes that occur between RPPR submissions, updated disclosure forms are required within 30 days of any change in ownership, entity structure, covered individual, or other substantive changes in circumstance, as described above.
Recipients are encouraged to monitor their foreign relationships post-award and avoid entering into relationships, both funded and unfunded, that may pose a security risk and jeopardize their ability to retain their award.
Agency Recovery Authority and Repayment of Funds
A company will be required to repay all amounts received from an award if either of the following determinations are made upon assessment of a change to their disclosure:
- the company makes a material misstatement that NIH, CDC, FDA, ACL, ARPA-H determine poses a risk to national security; or
- there is a change in ownership, change in entity structure, or other substantial change in circumstances of the small business that NIH, CDC, FDA, ACL, or ARPA-H determine poses a risk to national security.
For more information about Foreign Disclosure and Risk Management, please see our Foreign Disclosure and Risk Management FAQs.
