Foreign Disclosure and Risk Management
In the SBIR and STTR Extension Act of 2022 (the Act), signed into law by President Biden on September 30, 2022, Congress requires Federal agencies to establish a due diligence program to assess security risks posed by applicants. Read below to learn more about foreign disclosure requirements and the due diligence program.
The SBIR and STTR Extension Act of 2022 includes major changes to the SBIR and STTR programs, including:
- disclosure requirements regarding ties to foreign countries,
- a requirement for federal agencies that manage SBIR and STTR programs to establish a due diligence program to assess security risks posed by applicants, and
- denial of award and recovery authority provisions when ties to foreign countries of concern pose a significant risk.
Details of the SBIR and STTR Foreign Disclosure and Risk Management Pre-award and Post-Award Requirements can be found in NOT-OD-23-139.
Disclosure Requirements Regarding Ties to Foreign Countries
Applicants to the SBIR and STTR programs are required to disclose all funded and unfunded relationships with foreign countries, using the disclosure form, for all owners and covered individuals.
Submission is Required!
Applicants that do not submit the completed disclosure form during the JIT process will not be considered for funding.
A “covered individual” is defined as all senior key personnel identified by the small business in the application (i.e., individuals who contribute to the scientific development or execution of a project in a substantive, measurable way).
Effective for competing SBIR and STTR applications submitted for due dates on or after September 5, 2023, upon request, applicants will submit the completed disclosure form via the Just-In-Time (JIT) process. Applicants with primary assignments to CDC and FDA will follow each agency’s policies for submitting additional documents during the pre-award process.
Due Diligence Program to Assess Security Risks
HHS has implemented a due diligence program designed to assess security risks by applicants. The review of risk is separate from the merit review process. The due diligence program will assess the following:
Legislative Requirement | Due Diligence Dimension | Due Diligence Review Areas |
---|---|---|
Foreign Ownership | Foreign Ownership and Control | Partnership or a controlling equity, joint venture, and/or subsidiary in a foreign country of concern
|
Financial Ties & Obligations to a Foreign Country of Concern | Financial Obligations | Foreign financial obligations with an entity or research institute from a foreign country of concern |
Employee Analysis |
Foreign Talent Program Foreign Affiliations |
Participation in a talent recruitment program of any foreign country of concern Active or past affiliation with an entity or research institution from a foreign country of concern |
Cybersecurity Practices | Cybersecurity Concerns | Foreign IP activity, not implemented information systems and information safeguarding training for covered individuals, information technology (IT) security protocols, or is using IT software, hardware, and/or services from a USG prohibited vendor or from a vendor from a country of concern |
Patent Analysis | Foreign Patents | Patent application(s) or patent(s) from research funded by the U.S. Government that were filed in a foreign country of concern prior to filing in the U.S. or filed on behalf of an FCOC-connected entity |
NIH, The Centers for Disease Control (CDC), The Food & Drug Administration (FDA), and the Administration for Community Living (ACL) may decline to move forward with an award based on security risks determined during the assessment. An award will not be issued prior to completing the assessment process.
Denial of Awards
Applicants and recipients are encouraged to consider whether their entity’s relationships with foreign countries of concern will pose a security risk. Prior to issuing an award, NIH, CDC, FDA, or ACL will determine whether the small business submitting the application:
- has an owner or covered individual that is party to a malign foreign talent recruitment program;
- has a business entity, parent company, or subsidiary located in a foreign country of concern; or
- has an owner or covered individual that has a foreign affiliation with a research institution located in a foreign country of concern.
A finding of foreign involvement with countries of concern will not necessarily disqualify an applicant. When possible, applicants will have the opportunity to address any identified security risks prior to award. Final award determinations will be based on whether the applicant’s involvement falls within any of the following risk criteria:
- interfere with the capacity for activities supported by the award to be carried out;
- create duplication with the proposed award activities;
- present concerns about conflicts of interest;
- were not appropriately disclosed;
- violate Federal law or terms and conditions; or
- pose a risk to national security.
NIH, CDC, FDA, and ACL will not issue an award under the SBIR or STTR program if the relationship with a foreign country of concern identified in this guidance is determined to fall under any of the criteria provided above, and the risk cannot be resolved.
Post-Award Monitoring and Reporting Requirements
Effective for competing SBIR and STTR applications submitted for due dates on or after September 5, 2023, recipients are responsible for monitoring their relationships with foreign countries of concern post-award, for any changes that may impact previous disclosures. Companies receiving an award under the SBIR or STTR program are required to submit an updated disclosure form to report any of the following changes throughout the duration of the award:
- any change to a disclosure on the disclosure form;
- any material misstatement that poses a risk to national security; and
- any change of ownership, change to entity structure, or other substantial change in circumstances that may pose a risk to national security.
Updated disclosure forms are required within 30 days of any change in ownership, entity structure, covered individual, or other substantive changes in circumstance, as described above. In addition, regular updates are required at the time of all annual, interim, and final Research Performance Progress Reports (RPPRs).
Recipients are encouraged to monitor their foreign relationships post-award and avoid entering into relationships, both funded and unfunded, that may pose a security risk and jeopardize their ability to retain their award.
Agency Recovery Authority and Repayment of Funds
A company will be required to repay all amounts received from an award if either of the following determinations are made upon assessment of a change to their disclosure:
- the company makes a material misstatement that NIH, CDC, FDA or ACL determine poses a risk to national security; or
- there is a change in ownership, change in entity structure, or other substantial change in circumstances of the small business that NIH, CDC, FDA, or ACL determine poses a risk to national security.
Questions? Contact SEEDinfo@nih.gov.