Foreign Risk Management

In the SBIR and STTR Extension Act of 2022, Congress required Federal agencies to create a due diligence program to address foreign risks in the SBIR/STTR programs. The foreign risks are primarily directed at the following foreign countries of concern: the People’s Republic of China, Islamic Republic of Iran, the People’s Democratic People’s Republic of Korea, and the Russian Federation.

The chart summarizes the risks being addressed by the DOE’s due diligence program.


Insider Theft

Disclosure of Foreign Relationships (required for all applicants beginning in FY 2023)

Failure to vet employees, owners/investors

Identification of foreign risks related to ownership, personnel, patents, and business partners

Past cases of intellectual property loss to foreign countries of concern; the need for due diligence by the small business

Licensing or Sale of Intellectual Property

Licensees/customers have undisclosed ties to foreign countries of concern

Acquisition of the Small Business

Businesses seeking to acquire them have undisclosed ties to foreign countries of concern


Cybersecurity Self-Assessment (required for Phase II applicants beginning in FY 2024)

Lack of IT/cybersecurity expertise at small businesses

Assessment of small business cybersecurity posture

Leveraging available Federal cybersecurity resources and training; utilization of SBIR/STTR funding to improve cybersecurity

Examples of Intellectual Property Theft

ASMC: A former SBIR awardee, ASMC, suffered severe economic damages as the result of an employee stealing source code related to wind energy technology. A Chinese firm, Sinovel, paid an employee of an ASMC subsidiary to steal the source code and subsequently provided him with employment. The economic impact to ASMC was a loss of $1B in shareholder value and 700 jobs. Sinovel was found guilty and was ordered to pay restitution in addition to a fine.

Phillips 66: A scientist at Phillips 66 stole $1B in trade secrets related to flow battery technology used for large scale energy storage. He was a participant in China’s Thousand Talents Plan, through which lucrative incentives are offered to recruit individuals with expertise in high-priority fields. The scientist had planned to leave the company and return to China to work for a company that developed battery materials. He was arrested, sentenced, and fined for the trade secret theft.

DOE Due Diligence

DOE conducts a review of risk separately from the merit review and can elect not to fund applications that present unacceptably high foreign risks. DOE has implemented the following changes as part of its implementation of its due diligence program.

  • In FY 2023, DOE amended its review of risk in its SBIR/STTR Funding Opportunity Announcements to address the new requirements associated with evaluation of foreign risks.In addition, it required all applicants to include a disclosure of foreign relationships in their applications.
  • In FY 2024, DOE will extend the scope of its review of risk to include cybersecurity practices of Phase II applicants.Phase II applicants will be required to submit a cybersecurity self-assessment.More details on this cybersecurity self-assessment will be included in the Phase II Funding Opportunity Announcement. Phase I awardees are encouraged to prepare for this self-assessment by leveraging available resources to improve their cybersecurity practices in advance of submitting a Phase II application.Many of the practices needed for a small business to meet a passing threshold of a cyber checklist are free or provided in the costs of commercial-grade IT services. Examples of services and training include, but are not limited to:

Small Business Due Diligence

Small businesses are encouraged to carry out their own due diligence to address risks associated with loss of their intellection property. These activities can include proper vetting of employees, investors, and business partners in addition to adherence to good cybersecurity practices.