Small Business Research Programs: Additional Actions Needed to Incorporate Best Practices for Addressing Foreign Risks
Fast Facts
Many federal agencies provide funding to small businesses for research and development. But foreign adversaries may exploit vulnerabilities in these funding programs to target emerging technology companies—for instance, to steal proprietary data.
This report is the third in a series looking at how agencies have incorporated best practices to address these risks. Agencies have, for example, used multiple information sources to screen applicants. But not all agencies have clarified which individuals are required to submit disclosures of foreign investments.
Our 26 recommendations address the gaps in agencies' implementation of best practices.

Highlights
What GAO Found
In March 2023, the Small Business Administration (SBA) established 12 best practices to help participating agencies manage risks posed by small business applicants in their Small Business Innovation Research (SBIR) and Small Business Technology Transfer (STTR) programs. GAO found that participating agencies and selected components have incorporated some best practices in their due diligence efforts, but gaps remain. For example, as of August 2025, all agencies had incorporated three of the 12 best practices, such as leveraging standardized foreign affiliation disclosures to capture consistent information. Most agencies incorporated additional practices, such as documenting a risk-based approach to their due diligence processes, and some incorporated practices such as determining “covered individuals” required to submit disclosures (see figure). The SBIR and STTR Extension Act of 2022 (Extension Act) requires participating agencies to incorporate the applicable best practices in their due diligence programs to the extent practicable. Doing so may improve agencies’ ability to manage potential foreign risks.

The Extension Act also requires participating agencies to assess SBIR and STTR applicants’ cybersecurity practices. GAO found that nine of the 11 participating agencies and selected components did so using a variety of mechanisms, including business intelligence tools and self-assessment forms. However, two of the agencies GAO reviewed—the National Science Foundation (NSF) and the U.S. Department of Agriculture (USDA)—are not assessing all applicants’ cybersecurity practices. NSF officials told GAO that its applicants are small and nascent companies with limited electronic assets or systems to protect. USDA officials stated they previously understood training applicants on cybersecurity would suffice as an assessment. Until NSF and USDA incorporate cybersecurity assessments into their due diligence programs, they are at an increased risk of making awards to applicants that are vulnerable to cyberattacks.
SBA conducts information-sharing meetings for agencies to discuss due diligence efforts, but GAO found agencies have gaps in how they have incorporated SBA’s best practices to manage and reduce foreign risks. For example, GAO found some agencies are not incorporating certain best practices because, in part, they lack clarity on the intent of the practice or the best means to incorporate it. In August 2025, SBA officials acknowledged that, based on the gaps and agency needs identified in this report, additional opportunities may exist for SBA to engage with agencies on the challenges and impacts of incorporating the best practices and due diligence programs. The SBA-facilitated meetings could provide a discussion forum on agencies’ challenges in incorporating the best practices, the potential for additional guidance, and possible revisions.
Why GAO Did This Study
The SBIR and STTR programs fund research and development (R&D) performed by U.S. small businesses. In fiscal year 2023, federal agencies issued more than 6,300 such awards in areas such as defense and environmental protection. However, Congress and U.S. intelligence agencies have expressed concerns about foreign adversaries exploiting potential vulnerabilities in these programs and in entrepreneurial small businesses.
The Extension Act requires the 11 participating agencies to implement due diligence programs to assess the security risks posed by small business applicants. It includes a provision for GAO to issue a series of reports on the implementation and best practices of agencies’ due diligence. This report is the third in this series and examines (1) agencies’ incorporation of the best practices, (2) their assessments of applicants’ cybersecurity practices, and (3) interagency mechanisms for sharing information on due diligence programs.
To determine the extent to which agencies have incorporated SBA’s best practices, GAO reviewed agencies’ policies and procedures for conducting due diligence and assessing applicants’ cybersecurity practices. GAO also interviewed SBA and SBIR and STTR program officials at the participating agencies and selected components on the best practices.
Recommendations
GAO is making a total of 26 recommendations: 25 to 10 agencies on incorporating SBA’s best practices on due diligence programs and one to SBA on leveraging its interagency meetings to discuss the practices and help agencies address them. The agencies agreed with the recommendations.
Recommendations for Executive Action
| Agency Affected | Recommendation | Status |
|---|---|---|
| Department of the Air Force | The Secretary of the Air Force should ensure the SBIR and STTR programs inform awardees in a written statement that updated disclosures must be provided within 30 days of any substantive changes to the project. (Recommendation 1) | When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information. |
| Department of Agriculture | The Secretary of Agriculture should ensure the agency consistently communicates that disclosure does not mean denial to all its SBIR and STTR applicants through mechanisms such as the disclosure form itself, the agency solicitation, or a website as part of the application process. (Recommendation 2) | When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information. |
| Department of Agriculture | The Secretary of Agriculture should ensure the agency clearly outlines its designation of "covered individuals" that is available to SBIR and STTR applicants and program staff to ensure consistent access and understanding. (Recommendation 3) | When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information. |
| Department of Agriculture | The Secretary of Agriculture should ensure the SBIR and STTR programs inform awardees in a written statement that updated disclosures must be provided within 30 days of any substantive changes to the project. (Recommendation 4) | When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information. |
| Department of Agriculture | The Secretary of Agriculture should assess SBIR and STTR applicants' cybersecurity practices, ensuring these assessments focus on basic small business safeguarding protocols and remain consistent with federal cybersecurity frameworks. (Recommendation 5) | When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information. |
| Department of Education | The Secretary of Education should ensure the SBIR program informs awardees in a written statement that updated disclosures must be provided within 30 days of any substantive changes to the project. (Recommendation 6) | When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information. |
| Department of Energy | The Secretary of Energy should update its current SBIR and STTR due diligence plan—DOE Approach to SBIR/STTR Due Diligence—to include the agency's risk-based approach for conducting due diligence, such as tiered levels of risk based on award phase and the process for identifying higher-risk topics before they are posted. (Recommendation 7) | When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information. |
| Department of Homeland Security | The Secretary of Homeland Security should ensure the agency consistently communicates that disclosure does not mean denial to all its SBIR applicants through mechanisms such as the disclosure form itself, the agency solicitation, or a website as part of the application process. (Recommendation 8) | When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information. |
| Department of Homeland Security | The Secretary of Homeland Security should ensure the SBIR program informs awardees in a written statement that updated disclosures must be provided within 30 days of any substantive changes to the project. (Recommendation 9) | When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information. |
| Department of Transportation | The Secretary of Transportation should ensure the agency clearly outlines its designation of "covered individuals" that is available to SBIR and STTR applicants and program staff to ensure consistent access and understanding. (Recommendation 10) | When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information. |
| Environmental Protection Agency | The Administrator of the Environmental Protection Agency should update its current SBIR due diligence plan—EPA's SBIR Program Overview and Guidance Manual—to reflect the factors considered in documenting the agency's risk-based approach. (Recommendation 11) | When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information. |
| Environmental Protection Agency | The Administrator of the Environmental Protection Agency should ensure the agency clearly outlines its designation of "covered individuals" that is available to SBIR applicants and program staff to ensure consistent access and understanding. (Recommendation 12) | When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information. |
| Environmental Protection Agency | The Administrator of the Environmental Protection Agency should ensure the SBIR program informs awardees in a written statement that updated disclosures must be provided within 30 days of any substantive changes to the project. (Recommendation 13) | When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information. |
| National Aeronautics and Space Administration | The Administrator of the National Aeronautics and Space Administration should ensure its SBIR and STTR programs inform awardees in a written statement that updated disclosures must be provided within 30 days of any substantive changes to the project. (Recommendation 14) | When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information. |
| National Science Foundation | The Director of the National Science Foundation should compile and track metrics on the impact of the SBIR and STTR due diligence requirements on award timeliness. (Recommendation 15) | When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information. |
| National Science Foundation | The Director of the National Science Foundation should conduct due diligence on applicant cybersecurity practices for all new SBIR and STTR awards and develop a consistent method to track its due diligence activities. (Recommendation 16) | When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information. |
| National Science Foundation | The Director of the National Science Foundation should ensure the agency consistently communicates that disclosure does not mean denial to all its SBIR and STTR applicants through mechanisms such as the disclosure form itself, the agency solicitation, or a website as part of the application process. (Recommendation 17) | When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information. |
| National Science Foundation | The Director of the National Science Foundation should update its current SBIR and STTR due diligence plan—NSF Updated Procedures for Risk-Based Due Diligence—to include its risk-based approach and procedures for conducting risk assessment in the four Extension Act areas (patent analysis, foreign ownership, employee affiliations, and cybersecurity). (Recommendation 18) | When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information. |
| National Science Foundation | The Director of the National Science Foundation should ensure the agency clearly outlines its designation of "covered individuals" that is available to SBIR and STTR applicants and program staff to ensure consistent access and understanding. (Recommendation 19) | When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information. |
| National Science Foundation | The Director of the National Science Foundation should ensure the SBIR and STTR programs inform awardees in a written statement that updated disclosures must be provided within 30 days of any substantive changes to the project. (Recommendation 20) | When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information. |
| National Science Foundation | The Director of the National Science Foundation should assess SBIR and STTR applicants' cybersecurity practices, ensuring these assessments focus on basic small business safeguarding protocols and remain consistent with federal cybersecurity frameworks. (Recommendation 21) | When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information. |
| Office of the Under Secretary for Oceans and Atmosphere | The Under Secretary for Oceans and Atmosphere should direct the National Oceanic and Atmospheric Administration to encourage SBIR award recipients and applicants to leverage available federal research security training. (Recommendation 22) | When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information. |
| Office of the Under Secretary for Oceans and Atmosphere | The Under Secretary for Oceans and Atmosphere should ensure the National Oceanic and Atmospheric Administration consistently communicates that disclosure does not mean denial to all its SBIR applicants through mechanisms such as the disclosure form itself, the agency solicitation, or a website as part of the application process. (Recommendation 23) | When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information. |
| Office of the Under Secretary for Oceans and Atmosphere | The Under Secretary for Oceans and Atmosphere should ensure the National Oceanic and Atmospheric Administration SBIR program clearly outlines its designation of "covered individuals" that is available to applicants and program staff to ensure consistent access and understanding. (Recommendation 24) | When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information. |
| Office of the Under Secretary for Oceans and Atmosphere | The Under Secretary for Oceans and Atmosphere should ensure the National Oceanic and Atmospheric Administration informs SBIR awardees in a written statement that updated disclosures must be provided within 30 days of any substantive changes to the project. (Recommendation 25) | When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information. |
| Small Business Administration | The Administrator of the Small Business Administration should further leverage its SBIR and STTR interagency meetings and communications to facilitate discussions on due diligence best practices, including clarifying the intent of the practices and discussing implementation methods to help agencies address their gaps in incorporating the practices. (Recommendation 26) | When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information. |