top of page

FAQS for SBIR/STTR Research Security Requirements

These FAQs are specifically designed to support the compliance considerations for Small and Medium Sized Businesses (SMBs) related to SBIR/STTR Requirements related to research security.  SMBs should always consult their own legal counsel and may also need to be cognizant of state level research security requirements.  If you have any questions about state level research security requirements that may apply to you, consider reaching out to the SECURE Center leads for your region.  

This material is based upon work supported by the U.S. National Science Foundation under Cooperative Agreement No. 2403771. Any opinions, findings and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the U.S. National Science Foundation or the University of Washington.

Foreign Disclosures

  • SMBs should consider any and all funded or unfunded relationships with foreign countries.  The disclosure form asks about sources of funding and support, but it also asks about other types of contractual relationships, including pending contractual relationships that could implicate the sharing of resources, IP, and data, such as joint ventures or teaming agreements. 

  • Yes.  The origin of the funds is foreign, so you should report it.

  • You should disclose this separately in both the biosketch, as well as the SBIR/STTR disclosure form

  • You should go as far as you need to in order to determine the source of the funds.  In some cases, this may be as simple as looking at a single 10-K or other audit report.  In other cases, you may need to do deeper compliance due diligence to understand parent companies and subsidiaries by using more complex assessment tools.  See the next question for more details.

  • The NSF SECURE Center offers the Risk Assessment Framework and Summary Template to support compliance due diligence assessments.  The Risk Assessment Framework outlines key questions to ask, as well as what kinds of paid and free tools are available.  The Summary Template helps you to document your efforts in a clear and consistent manner.

  • Document your compliance due diligence.  There is an adage in the government that if it isn’t in writing, it didn’t happen.  Make sure you have all efforts documented in a backed up and secure system.  Remember, the SECURE Center’s Summary Template is a great way to record your work.

     

    Consider developing a compliance due diligence SOP to ensure that you do not miss any steps in the process.  The Framework itself will form much of the SOP, but having expectations for communications and timeliness can help to build a culture of compliance from the start.

  • No.  The SBIR/STTR Guidelines outline compliance due diligence in 5 key areas:

    Screenshot 2026-05-18 at 12.05.14 PM.png

    Shaping your initial compliance due diligence around these parameters should help to ensure you are meeting government requirements.

  • You should perform compliance due diligence prior to engaging any new business partner or taking on new employees or contractual arrangements, such as vendors.  However, this is an ongoing obligation.  

     

    Screening, assessment & ongoing monitoring are the responsibility of the recipient and within 30 days of a change, such as an investor being taken over by a foreign organization, you need to make a report using the required Form within 30 days.  However, if a progress report falls during this period, the Form may be included in the report.

    ​

    Failure to report something that is considered a risk to national security may require repayment of all funds received from the award.

Place of Performance

  • This will vary by funding agency.  Some funding agencies will permit a foreign subrecipient to perform a small portion of the work, but in other cases, it is prohibited.  In all cases, foreign engagements should be clearly communicated and receive written approval from the funding agency. 

  • This recent case highlighted by the Department of Justice shows how seriously the US Government takes the place of performance.  It is considered a violation of the False Claims Act to perform research under the SBIR/STTR program outside of the US because the program requirements explicitly require US-based performance.

  • The expectations of the US Government are clear that SBIR/STTR funds are to support US-based research efforts while protecting US national security efforts.  This means that SBIR/STTR program activities should be performed in the US.  

     

    Remote work within the US should be allowable, but careful consideration and legal guidance are needed before hiring remote employees in a foreign country, allowing short-term digital nomad work from abroad, or otherwise performing SBIR/STTR program activities outside of the US.  

     

    It is recommended that you consult an attorney to help you outline a clear and consistent set of expectations for remote work that considers both short and long-term remote work options.

Use of Foreign Subrecipients and Consultants

  • Per the SBIR.GOV site, for SBIR programs, “the sub-awardee does not have to be located in the United States. However, all of the R&D work performed by the sub-awardee must be done in the U.S., so an SBIR application involving a foreign sub-awardee needs to address how that person or entity will be able to fulfill the ‘all R&D done in the US’ requirement.”  The allowability of foreign subrecipient rules varies by funding agency and some will not permit any activities by foreign subrecipients, even if the work is performed in the US.  Read the solicitation carefully and consult with the program officer if any questions remain. 

Evaluation by Agencies

  • No.  You should be aware of the foreign countries of concern (COC), which are currently Russia, China, Iran & North Korea, but per the SBIR/STTR guidance, involvement with a country of concern does not automatically disqualify an applicant from participation.

    ​

    However you should be proactive in disclosing and explaining professional ties to a country of concern.

  • Funding agencies evaluating foreign ties on SBIR/STTR programs are looking for the same things that they do when evaluating other grants and contracts.  Primarily they are looking to ensure that such ties will not:

    • Interfere with the capacity for activities supported by the award to be carried out;

    • Create duplication with the proposed award activities;

    • Present concerns about conflicts of interest; 

    • Present concerns about transparency;

    • Violate Federal law or award terms and conditions; or

    • Pose a risk to national security

Case Studies

    • An SMB submits an application that includes matching funding and resources from a large, multi-national pharmaceutical company.

    • The multi-national company is not organized in a foreign country of concern, nor are most of its business operations based in a foreign country of concern.

    • The small business investigated the ownership and affiliations of the company and verified that the multi-national company was not affiliated with a foreign government or known agent of a foreign country of concern.

    • The small business disclosed the partnership and support in the Just In Time (JIT) Other Support documentation, including clear justification for why the support does not overlap with the proposed project.

    • Result: The award can be made because the support did not overlap with the work proposed and the multi-national company was not based, predominately based, nor affiliated with foreign government in a foreign country of concern, AND the relationship:

      • Did not interfere with the ability for the SBIR work to be carried out;

      • Did not create concerns of duplication with proposed activities;  

      • Did not present concerns about conflicts of interest;

      • Did not violate Federal law or terms and conditions; and  

      • Did not represent a national security concern.

    • An SMB has no ownership or investments from foreign countries of concern.

    • The business submits the Foreign Disclosure Form attesting it has no affiliations with foreign countries of concern.

    • However, in the application, the small business proposed a subcontract with ABC Company to provide services for their research project.

    • ABC Company is a subsidiary of a business owned by an entity in a foreign country of concern with known ties to the military.

    • Result: The award was denied because the small business proposed a subcontract to a subsidiary of a company with known ties to the military and government of a foreign country of concern AND the involvement falls within the following risk criteria: 

      • Was not appropriately disclosed; and

      • Posed a risk to national security.

Ownership Requirements

  • Yes, according to the SBIR/STTR basics program, “The small business must be primarily U.S. owned. This is defined as having at least 51% of its ownership by U.S. citizens and/or permanent resident aliens.”  

     

    However, the picture can get more complicated when venture capital investors are involved because you will need to consider who is funding the firm investing in your business.  If your SMB has funding from a venture capital firm, it is best to consult both the program guidelines and an attorney to ensure compliance with this requirement.

bottom of page