Managing Foreign Risk in SBIR/STTR Awards: Due Diligence, Disclosures, and What “Phase III” Still Means

Congress materially tightened the national-security lens on the SBIR (Small Business Innovation Research) and STTR (Small Business Technology Transfer) programs in the SBIR/STTR Extension Act of 2022 (Public Law 117–183). Among other changes, the Act amended the Small Business Act (15 U.S.C. § 638) to require participating agencies to establish and implement a “due diligence program to assess security risks” presented by applicants, and to require structured disclosures regarding foreign ties and investment relationships. (U.S. Code)

For contractors, the policy shift is best understood as a two-part compliance architecture. First, applicants and awardees must make standardized foreign relationship disclosures (including certain owners and “covered individuals,” and both funded and unfunded foreign relationships). Second, agencies must use those disclosures—along with broader diligence tools—to determine whether foreign ties, particularly those implicating “countries of concern,” present a security risk that warrants denial, additional controls, or other remedies.

NIH’s implementation illustrates how these requirements can reach both forward and backward in time. NIH has explained that some recipients with active awards that did not undergo foreign risk assessment during the original application process may be required to submit foreign disclosures using the required form, even if they applied before the September 2023 implementation milestone. (Grants.gov) In practical terms, this means program participants should treat foreign disclosure as an ongoing obligation—not a one-time application artifact—because post-award changes can trigger updated reporting duties and compliance consequences.

These due diligence requirements sit alongside the SBIR program’s familiar three-phase structure: Phase I (proof of concept) and Phase II (development) generally require a small business awardee, while Phase III is the commercialization or follow-on stage and can be funded with non-SBIR dollars. That funding distinction matters, especially after the statutory authority for SBIR/STTR expired on October 1, 2025. NIH, for example, publicly noted that while active awards can continue, it would not issue certain continuation actions absent reauthorization—an indicator of the operational disruption for early-phase work.

Phase III, however, has proven more durable in practice during the lapse. Multiple government-facing updates have emphasized that Phase III activity may continue when it “derives from, extends, or completes” prior SBIR/STTR work (often abbreviated as the “DEC” nexus), because Phase III generally relies on other appropriations and contracting pathways rather than the set-aside funding streams that underpin Phases I and II.

The Government Accountability Office’s decision in Digital Force Technologies, Inc., B-423319 (May 19, 2025) provides a concrete compliance and protest roadmap. GAO rejected arguments that the solicitation’s requirements had to be drafted as an overt “SBIR-derived” statement of work; instead, GAO focused on whether the proposed Phase III effort, as supported by the agency record, reasonably met the DEC standard. GAO also signaled that a Phase III procurement can be justified even when only part of a larger system is SBIR-derived, so long as the record supports the DEC linkage. (Government Accountability Office)

The combined message is clear: foreign risk assessments are now a first-order eligibility and lifecycle issue in SBIR/STTR, and Phase III authority remains strategically powerful—but only when contractors can document (1) compliant foreign disclosures and (2) a defensible DEC nexus to prior SBIR/STTR work.

Disclaimer: This post is for general informational purposes only and does not constitute legal advice. SBIR/STTR foreign disclosure and due diligence requirements are agency-specific and fact-dependent; consult counsel and the relevant agency guidance before acting, and verify all requirements against the current statute, regulations, and solicitations.