Overview
Federal research funding programs like SBIR (Small Business Innovation Research) and STTR (Small Business Technology Transfer) are designed to fuel innovation by helping small businesses develop cutting-edge technology. But there’s a growing concern that foreign adversaries may exploit vulnerabilities in these programs to access sensitive research, steal proprietary data, or gain a strategic advantage in emerging technologies.
A recent report from the U.S. Government Accountability Office (GAO) titled “Additional Actions Needed to Incorporate Best Practices for Addressing Foreign Risks” highlights the progress agencies have made and the gaps that still remain.
This is the third GAO report in a series evaluating how well federal agencies are implementing best practices to reduce foreign risks in SBIR/STTR awards.
Why This Matters
In fiscal year 2023 alone, federal agencies issued more than 6,300 SBIR/STTR awards across high-impact fields such as defense, environmental protection, and advanced R&D.
At the same time, Congress and U.S. intelligence agencies have repeatedly warned that foreign adversaries may target entrepreneurial and early-stage small businesses because they often:
- Lack a robust cybersecurity infrastructure.
- Have fewer compliance resources.
- Hold valuable emerging IP and proprietary research.
SBIR/STTR programs are critical, but they also create an opportunity for exploitation when safeguards are inconsistent.
SBA’s 12 Best Practices: Progress, But Not Consistency
In March 2023, the Small Business Administration (SBA) established 12 best practices intended to help agencies manage foreign risk in SBIR/STTR due diligence.
GAO found that agencies have incorporated some of these practices, but not all, and not consistently.
As of August 2025:
- All agencies incorporated 3 of the 12 best practices.
- Most agencies incorporated additional practices.
- Some agencies still have major gaps, especially around who must disclose foreign ties and how cybersecurity is assessed.
One example of progress is that agencies increasingly use standardized foreign-affiliation disclosures, which improve consistency and help capture comparable information across programs.
However, GAO found that several agencies have not clearly defined or fully implemented key concepts, in particular which individuals qualify as “covered individuals” and are therefore required to submit disclosures.
A Key Gap: Who Counts as a “Covered Individual”?
One of the most important findings in the report is that not all agencies have clearly defined or communicated:
- Who must submit disclosures.
- Which individuals are “covered” under the law.
- How that designation is shared with both applicants and program staff.
This is not a small issue. If agencies don’t consistently define who must disclose foreign affiliations or investments, it creates an uneven system and an opening for risk to slip through.
Cybersecurity Due Diligence: Two Agencies Still Not Assessing Everyone
The SBIR and STTR Extension Act of 2022 requires agencies to assess applicants’ cybersecurity practices as part of due diligence.
GAO found that 9 of 11 agencies/components reviewed are assessing cybersecurity using tools such as:
- Business intelligence tools
- Self-assessment forms
- Other structured screening mechanisms
But two agencies, NSF and USDA, are not assessing all applicants. GAO noted:
- NSF believed its applicants were small, nascent companies with limited systems to protect.
- USDA previously believed training would be enough.
GAO’s conclusion was direct: without cybersecurity assessments for all applicants, agencies increase the risk of funding companies that may be vulnerable to cyberattacks.
SBA’s Role: Meetings Are Happening, But More Guidance Is Needed
SBA facilitates interagency meetings where agencies can discuss due diligence and implementation challenges. GAO found those meetings are useful, but not enough.
Some agencies are not implementing certain best practices because:
- They lack clarity on what SBA intended.
- They are unsure how to incorporate the practices effectively.
- They need additional guidance, examples, or refinements.
GAO also reported that SBA officials acknowledged there are additional opportunities for SBA to engage agencies more deeply, especially on the challenges and impacts of implementation.
GAO Recommendations: 26 Total (Here Are the Most Important Themes)
GAO issued 26 recommendations in total: 25 recommendations to 10 agencies and 1 recommendation to SBA. Rather than listing every recommendation here, the most important takeaways fall into a few clear themes:
Require Updated Foreign Disclosures
Multiple agencies were urged to ensure awardees submit updated disclosures within 30 days of substantive project changes. This is important because foreign affiliations or investments can change during the lifecycle of an award.
Clarify and Publicize “Covered Individuals”
Several agencies were told to clearly define which individuals must submit disclosures and ensure both staff and applicants have consistent access to that definition.
Make Cybersecurity Assessments Standard
GAO strongly emphasized that cybersecurity due diligence should apply to all applicants, focusing on basic safeguarding protocols and aligning with federal cybersecurity frameworks.
Strengthen Risk-Based Due Diligence Plans
Some agencies were encouraged to update their due diligence plans to reflect a clear, documented risk-based approach, including tiered risk screening and the identification of higher-risk topics before posting.
SBA Should Use Meetings More Strategically
GAO’s recommendation to SBA focuses on leveraging its interagency meetings to:
- Clarify the intent behind best practices.
- Share implementation strategies.
- Help agencies close remaining gaps.
For the complete list of all 26 recommendations, broken out by agency, see the original summary.
Final Takeaway
GAO’s report shows that agencies are moving in the right direction, but implementation is still uneven.
SBIR and STTR are essential programs for U.S. innovation, but without consistent due diligence, they may unintentionally expose emerging technologies to foreign risk. The report makes it clear that strengthening disclosure requirements, cybersecurity assessments, and interagency coordination is part of protecting U.S. research leadership.