decorative image
Official websites use .gov
A .gov website belongs to an official government organization in the United States.
decorative image
Secure .gov websites use HTTPS
A lock ( ) or https:// means you've safely connected to the .gov website. Share sensitive information only on official, secure websites.
seed logo

Foreign Disclosure and Risk Management

In the SBIR and STTR Extension Act of 2022, signed into law by President Biden on September 30, 2022, Congress requires Federal agencies to establish a due diligence program to assess security risks posed by applicants. Read below to learn more about foreign disclosure requirements, the due diligence program, and review foreign risk case studies.

The SBIR and STTR Extension Act of 2022 includes major changes to the SBIR and STTR programs, including:

  • disclosure requirements regarding ties to foreign countries,
  • a requirement for federal agencies that manage SBIR and STTR programs to establish a due diligence program to assess security risks posed by applicants, and
  • denial of award and recovery authority provisions when ties to foreign countries of concern pose a significant security risk.

Details of the SBIR and STTR Foreign Disclosure and Risk Management Pre-award and Post-Award Requirements can be found in NOT-OD-24-029.

Disclosure Requirements Regarding Ties to Foreign Countries

Applicants to the SBIR and STTR programs are required to disclose all funded and unfunded relationships with foreign countries, using the Required Disclosures of Foreign Affiliations or Relationships to Foreign Countries Form (hereafter referred to as the SBIR STTR Foreign Disclosure Form), for all owners and covered individuals.

Submission is Required!

Applicants who do not submit the completed SBIR STTR Foreign Disclosure Form during the JIT process will not be considered for funding.

A “covered individual” is defined as all senior key personnel identified by the small business in the application (i.e., individuals who contribute to the scientific development or execution of a project in a substantive, measurable way).

Effective for competing SBIR and STTR applications submitted for due dates on or after September 5, 2023, upon request, applicants will submit the completed disclosure form via the Just-In-Time (JIT) process. Applicants to the Omnibus Solicitations with primary assignments to CDC and FDA will follow each agency’s policies for submitting additional documents during the pre-award process.

Due Diligence Program to Assess Security Risks

HHS has implemented a due diligence program designed to assess security risks by applicants.  
NOTE: The review of the security risks is separate from the merit review process. 

Applicants and recipients are encouraged to consider whether their entity’s relationships with foreign countries of concern will pose a security risk. Prior to issuing an award, NIH, The Centers for Disease Control (CDC), The Food & Drug Administration (FDA), the Administration for Community Living (ACL), and The Advanced Research Projects Agency for Health (ARPA-H) will conduct a foreign risk assessment to determine whether the small business submitting the application:

Assessment will include:

Legislative RequirementDue Diligence DimensionDue Diligence Review Areas
Foreign OwnershipForeign Ownership and ControlPartnership or a controlling equity, joint venture, and/or subsidiary in a foreign country of concern
Financial Ties & Obligations to a Foreign Country of ConcernFinancial ObligationsForeign financial obligations with a foreign country of concern, person residing in a foreign country of concern, or a foreign entity within a foreign country of concern
Employee Analysis

Foreign Talent Program


Foreign Affiliations

Participation in a malign foreign talent recruitment program


Recent affiliation with an entity or research institution from a foreign country of concern

Cybersecurity PracticesCybersecurity Concerns A foreign IP activity indicative of business operations in a foreign country of concern or using IT software, hardware, and/or services from a U.S.G. prohibited vendor or from an IT vendor from a foreign country of concern
Patent AnalysisForeign PatentsPatent application(s) or patent(s) based on research funded by the U.S. Government that were filed in a foreign country of concern prior to filing in the U.S. or filed on behalf of a foreign country of concern connected entity

NIH, CDC, FDA, ACL, and ARPA-H may decline to move forward with an award based on security risks determined during the assessment. An award will not be issued prior to completing the assessment process.

Denial of Awards

Foreign involvement with countries of concern will not necessarily disqualify an applicant. Final award determinations will be based on whether the applicant's involvement falls within any of the following risk criteria:

  • interfere with the capacity for activities supported by the award to be carried out;
  • create duplication with the proposed award activities;
  • present concerns about conflicts of interest; 
  • were not appropriately disclosed;
  • violate Federal law or terms and conditions; or
  • pose a risk to national security.

NIH, CDC, FDA, ACL, and ARPA-H will not provide SBC applicants the opportunity to address any identified security risks prior to award. NIH, CDC, FDA, ACL, and ARPA-H will not issue an award under the SBIR or STTR program if the relationship with a foreign country of concern identified in this guidance is determined to fall under any of the criteria provided above.

Foreign Risk Case Studies

NIH has observed several concerns regarding foreign research security risks in previous grant applications and contract proposals. The scenarios below have been developed using observations from real cases.

  • A U.S. company applied for an SBIR grant with Dr. Smith as a Principal Investigator. Upon request from NIH program staff, the company submitted the SBIR STTR Foreign Disclosure Form as part of the Just-in-Time materials. The Form declared that none of the covered individuals in the company were applicants or recipients of any malign talent recruitment program.
  • However, the foreign risk assessment found that Dr. Smith was currently part of a malign talent recruitment program, which included a paid faculty position at a research institution in a foreign country of concern.

Result: The award was denied because the company had a covered individual who is party to a malign foreign talent recruitment program and held an affiliation with a research institution located in a foreign country of concern AND the involvement falls within the following risk criteria:

  • presented concerns about conflicts of interest;
  • was not appropriately disclosed.

  • A US company submits an SBIR application with Dr. Lee as Principal Investigator on the topic of skin grafts. The company submits the SBIR STTR Foreign Disclosure Form and declares that Dr. Lee holds a visiting professor position at a university located in a foreign country of concern, conducting the bulk of the work virtually from the US. The position involves consultation on research focused on decontamination of toxic wastewater. No other disclosures are included in the SBIR STTR Foreign Disclosure Form.
  • Dr. Lee received a PhD in 2001 from an institution located in a foreign country of concern.
  • Dr. Lee is a citizen of a foreign country of concern and a US Permanent Resident. 
  • The foreign risk assessment found confirmation of Dr. Lee’s visiting professor position and responsibilities.

Result: The award can be made because Dr. Lee disclosed his appointment with an institution in a foreign country of concern and the relationship:

  • did not interfere with the ability for the SBIR work to be carried out;
  • did not create concerns of duplication with proposed activities; 
  • did not present concerns about conflicts of interest;
  • did not violate Federal law or terms and conditions; and 
  • did not represent a national security concern.

  • Dr. Jones is an NIH-supported faculty member at a U.S. university and co-founder of a U.S. company that received an NIH SBIR grant with Dr. Jones as co-investigator. 
  • The SBIR STTR Foreign Disclosure Form submitted for the SBIR grant disclosed that Dr. Jones' company had a foreign subsidiary in a country of concern.
  • The foreign risk assessment found that the foreign subsidiary works on related research to the U.S. company, including a dangerous pathogen, and is directly linked to a military in a foreign country of concern.
  • In addition, the U.S. university informed NIH that Dr. Jones kept NIH, university, and company research records on cloud servers that were shared with and accessed by the foreign subsidiary.

Result: The award was denied because the company had a subsidiary located in a foreign country of concern AND the involvement falls within the following risk criteria:

  • presented concerns about conflicts of interest; and
  • posed a risk to national security.

  • A U.S. company submits an SBIR application with Dr. Ross as Principal Investigator. 
  • Dr. Ross received a PhD in 2003 from an institution located in a country of concern and regularly visits family that still reside in the foreign country of concern.
  • Dr. Ross does not have any current affiliations with institutions or companies located in the foreign country of concern
  • The company submits the SBIR STTR Foreign Disclosure Form and does not disclose any current foreign affiliations.
  • The foreign risk assessment confirmed that neither the company nor Dr. Ross have any current foreign affiliations. 

Result: The SBIR award can be made as neither the company nor Dr. Ross have any current foreign affiliations. 

  • A U.S. company has been very successful in securing SBIR/STTR funding from U.S. government agencies.
  • Dr. Johnson, a researcher at a U.S. institution partnering with the U.S. company, is senior key personnel on the company's latest SBIR application to NIH.
  • The company submits the SBIR STTR Foreign Disclosure Form and declares that their covered individuals, which includes Dr. Johnson, have no affiliations with a research institution in a foreign country of concern.
  • On the annual internal disclosure form from the U.S. university, Dr. Johnson checks no other affiliations of financial interests.
  • The foreign risk assessment finds that Dr. Johnson is also a visiting professor at a university in a country of concern known to have close ties with military organizations in the foreign country.

Result: The award was denied because the covered individual has a foreign affiliation with a research institution located in a foreign country of concern AND the involvement falls within the following risk criteria:

  • was not appropriately disclosed;
  • posed a risk to national security.

  • A U.S. company has been awarded several SBIR grants from multiple U.S. government agencies. Dr. Anderson, the vice president of the company, is an inventor on patents developed with the research funded by the U.S. Government.
  • Dr. Anderson is also a co-owner of a foreign company in a foreign country of concern. This foreign company is not a business entity, parent company, or subsidiary of the U.S. company.
  • The company submits the SBIR STTR Foreign Disclosure Form. It declares that Dr. Anderson has an affiliation with a company in a foreign country of concern. The company also declares that they have neither licensed technology nor sold/transferred any intellectual property to a foreign country of concern in the previous 5-year period.
  • The foreign risk assessment finds that some of Dr. Anderson's recent patents related to work funded by the U.S. Government have been filed in a foreign country of concern with the foreign company as the assignee prior to being filed in the U.S.;
  • The patents and collaborations of the foreign company, on technologies developed with funding from the U.S. Government, were not disclosed in any communications with U.S. government funding agencies. It was determined Dr. Anderson used U.S. Government funds to develop technology in a foreign country.

Result: The award was denied because the U.S company transferred intellectual property to a company located in a foreign country of concern AND the involvement falls within the following risk criteria:

  • was not appropriately disclosed;
  • violate Federal law or terms and conditions; or
  • posed a risk to national security.

Post-Award Monitoring and Reporting Requirements

Effective for competing SBIR and STTR applications submitted for due dates on or after September 5, 2023, recipients are responsible for monitoring their relationships with foreign countries of concern post-award, for any changes that may impact previous disclosures. Companies receiving an award under the SBIR or STTR program are required to submit an updated SBIR STTR Foreign Disclosure Form to report any of the following changes throughout the duration of the award:

  • any change to a disclosure on the SBIR STTR Foreign Disclosure Form;
  • any material misstatement that poses a risk to national security; and
  • any change of ownership, change to entity structure, or other substantial change in circumstances that may pose a risk to national security.

Regular, annual updates are required at the time of all SBIR/STTR annual, interim, and final Research Performance Progress Reports (RPPRs). For changes that occur between RPPR submissions, updated disclosure forms are required within 30 days of any change in ownership, entity structure, covered individual, or other substantive changes in circumstance, as described above.

Recipients are encouraged to monitor their foreign relationships post-award and avoid entering into relationships, both funded and unfunded, that may pose a security risk and jeopardize their ability to retain their award.

Agency Recovery Authority and Repayment of Funds

A company will be required to repay all amounts received from an award if either of the following determinations are made upon assessment of a change to their disclosure:

  • the company makes a material misstatement that NIH, CDC, FDA, ACL, ARPA-H determine poses a risk to national security; or
  • there is a change in ownership, change in entity structure, or other substantial change in circumstances of the small business that NIH, CDC, FDA, ACL, or ARPA-H determine poses a risk to national security.