Foreign Risk Management

In the SBIR and STTR Extension Act of 2022, Congress required Federal agencies to create a due diligence program to address foreign risks in the SBIR/STTR programs. The foreign risks are primarily directed at the following foreign countries of concern: the People’s Republic of China, the Islamic Republic of Iran, the Democratic People’s Republic of Korea, and the Russian Federation.

The following table summarizes the risks being addressed by the DOE’s due diligence program.

| Risk | Applicant Disclosure Requirement | Small Business Vulnerability | DOE Due Diligence Focus | Educational Focus |
|---|---|---|---|---|
| Insider Theft | Disclosure of Foreign Relationships (required for all applicants beginning in FY 2023) | Failure to vet employees, owners/investors | Identification of foreign risks related to ownership, personnel, patents, and business partners | Past cases of intellectual property loss to foreign countries of concern; the need for due diligence by the small business |
| Licensing or Sale of Intellectual Property | Disclosure of Foreign Relationships (required for all applicants beginning in FY 2023) | Licensees/customers have undisclosed ties to foreign countries of concern | Identification of foreign risks related to ownership, personnel, patents, and business partners | Past cases of intellectual property loss to foreign countries of concern; the need for due diligence by the small business |
| Acquisition of the Small Business | Disclosure of Foreign Relationships (required for all applicants beginning in FY 2023) | Businesses seeking to acquire them have undisclosed ties to foreign countries of concern | Identification of foreign risks related to ownership, personnel, patents, and business partners | Past cases of intellectual property loss to foreign countries of concern; the need for due diligence by the small business |
| Cybertheft | Cybersecurity Self-Assessment (required for Phase II applicants beginning in FY 2024) | Lack of IT/cybersecurity expertise at small businesses | Assessment of small business cybersecurity posture | Leveraging available Federal cybersecurity resources and training; utilization of SBIR/STTR funding to improve cybersecurity |

Examples of Intellectual Property Theft

AMSC: A former SBIR awardee, AMSC, suffered severe economic damage as the result of an employee stealing source code related to wind energy technology. A Chinese firm, Sinovel, paid an employee of an AMSC subsidiary to steal the source code and subsequently provided him with employment. The economic impact to AMSC was a loss of $1B in shareholder value and 700 jobs. Sinovel was found guilty and was ordered to pay restitution in addition to a fine.

https://www.justice.gov/opa/pr/court-imposes-maximum-fine-sinovel-wind-group-theft-trade-secrets

Phillips 66: A scientist at Phillips 66 stole $1B in trade secrets related to flow battery technology used for large-scale energy storage. He was a participant in China’s Thousand Talents Plan, through which lucrative incentives are offered to recruit individuals with expertise in high-priority fields. The scientist had planned to leave the company and return to China to work for a company that developed battery materials. He was arrested, sentenced, and fined for the trade secret theft.

https://www.justice.gov/opa/pr/chinese-national-sentenced-stealing-trade-secrets-worth-1-billion

DOE Due Diligence

DOE conducts a review of risk separately from the merit review and can elect not to fund applications that present unacceptably high foreign risks. DOE has made the following changes as part of implementing its due diligence program.

  • In FY 2023, DOE amended its review of risk in its SBIR/STTR Funding Opportunity Announcements to address the new requirements associated with evaluation of foreign risks. In addition, it required all applicants to include a disclosure of foreign relationships in their applications.
  • In FY 2024, DOE will extend the scope of its review of risk to include the cybersecurity practices of Phase II applicants. Phase II applicants will be required to submit a cybersecurity self-assessment. More details on this cybersecurity self-assessment will be included in the Phase II Funding Opportunity Announcement. Phase I awardees are encouraged to prepare for this self-assessment by leveraging available resources to improve their cybersecurity practices in advance of submitting a Phase II application. Many of the practices needed for a small business to meet a passing threshold on a cyber checklist are free or included in the cost of commercial-grade IT services. Examples of services and training include, but are not limited to:

Small Business Due Diligence

Small businesses are encouraged to carry out their own due diligence to address risks associated with loss of their intellectual property. These activities can include proper vetting of employees, investors, and business partners, in addition to adherence to good cybersecurity practices.