Notice of Information: Policy Changes to SBIR and STTR Foreign Disclosure and Risk Management
Notice Number:
NOT-OD-26-074

Key Dates

Release Date:
April 20, 2026

Related Announcements

  • April 29, 2025 - Notice of Information: NIH SBIR and STTR Foreign Disclosure Post-Award Requirements for Active SBIR and STTR Awardees. See Notice NOT-OD-25-102.
  • November 14, 2023 - Clarification of Implementation of the NIH SBIR and STTR Foreign Disclosure Pre-award and Post-Award Requirements. See Notice NOT-OD-24-029.
  • June 12, 2023 - Implementation of the NIH SBIR and STTR Foreign Disclosure Pre-award and Post-Award Requirements. See Notice NOT-OD-23-139.

Issued by

Office of The Director, National Institutes of Health (OD)

Purpose

The purpose of this notice is to inform HHS Small Business Innovation Research (SBIR) and Small Business Technology Transfer (STTR) applicants of recent policy changes to Foreign Disclosure and Risk Management. The policies described in this Notice are reflected in Section 18 of the FY26 NIH Grants Policy Statement (GPS); this notice provides additional statutory specificity and implementation detail.

Background

The Small Business Innovation and Economic Security Act (the Act), signed into law by President Trump on April 13, 2026, reauthorized the SBIR, STTR and related pilot programs through September 30, 2031. The Act includes changes to the SBIR and STTR Foreign Risk Due Diligence program.

Applicability

This policy applies to all competing applications and proposals submitted to HHS SBIR and STTR programs and all active awards.

Policy

Covered Individual Definition

“Covered individual” means an individual who-

(A) contributes in a substantive, meaningful way to the scientific development or execution of a research and development project proposed to be carried out with a research and development award from a Federal research agency; or

(B) is identified by the small business in the application as senior key personnel  (i.e., individuals who contribute to the scientific development or execution of a project in a substantive, measurable way).

Due Diligence Program to Assess Security Risks

HHS has implemented a due diligence program designed to assess security risks posed by applicants. The due diligence program will assess-

  • The cybersecurity practices of a small business concern
  • Patent analysis
  • Employee analysis
  • Foreign ownership of a small business concern seeking an award, including the financial ties and obligations (which shall include surety, equity, and debt obligations) of the small business concern and employees of the small business concern to a foreign country, foreign person, or foreign entity
  • Foreign affiliations of a covered individual, owner, or other key personnel of a small business concern with an entity in a foreign country of concern
  • Investment relationships of a small business concern with an individual or entity in a foreign country of concern
  • Technology licensing agreements or joint ventures (including joint venture-like agreements) with an individual or entity in a foreign country of concern
  • Business relationships between a covered individual, owner, or other key personnel of a small business concern and an individual or entity in a foreign country of concern.

Denial of Awards

Applicants and recipients are encouraged to consider whether their entity’s relationships with foreign countries of concern will pose a security risk. Per the Act, HHS cannot make an award under the SBIR or STTR program if it is determined the small business concern submitting the proposal or application has any of the following-

  • an owner or covered individual that is party to a malign foreign talent recruitment program
  • a business entity, parent company, or subsidiary located in the People's Republic of China or another foreign country of concern 
  • an owner or covered individual that has a foreign affiliation with a research institution located in the People's Republic of China or another foreign country of concern
  • a security risk connecting the small business concern to an entity, including any affiliates of the entity, or individual on—
    • the UFLPA Entity List maintained by the Department of Homeland Security;
    • the Non-SDN Chinese Military-Industrial Complex Companies List of the Office of Foreign Assets Control maintained by the Department of the Treasury;
    • the Section 889 Prohibition List established under section 889 of the John S. McCain National Defense Authorization Act for Fiscal Year 2019 (Public Law 115–232; 132 Stat. 1917) and maintained by the Department of Defense;
    • the list of Chinese Military companies required under section 1260H of the William M. (Mac) Thornberry National Defense Authorization Act for Fiscal Year 2021 (10 U.S.C. 113 note) and maintained by the Department of Defense;
    • the Military End User List maintained by the Bureau of Industry and Security of the Department of Commerce;
    • the Entity List maintained by the Bureau of Industry and Security of the Department of Commerce;
    • the List of Equipment and Services maintained by the Federal Communications Commission; or
    • the Withhold Release Orders and Findings List maintained by U.S. Customs and Border Protection;
  • a security risk with a primary source that is classified
  • a security risk that the federal agency determines warrants a denial

If an award cannot be made due to a security risk, HHS will advise the small business concern that a security risk was found that required denial of award and indicate which category listed above necessitated the denial.

HHS will not provide applicants the opportunity to address any identified security risks prior to award. Receipt of an award decision denying an application due to an identified security risk does not prohibit the small business concern from being eligible for an award in a subsequent award cycle.

Post-Award Reporting Requirements

Recipients are responsible for monitoring their relationships with foreign countries of concern post-award, for any changes that may impact previous disclosures. Small business concerns receiving an award under the SBIR or STTR program are required to submit an updated disclosure form to report any of the following changes to NIH, CDC, and FDA throughout the duration of the award:

  • any change to a disclosure on the disclosure form;
  • any material misstatement that poses a risk to national security; and
  • any change of ownership, change to entity structure, or other substantial change in circumstances of the small business concern that NIH, CDC, and FDA determine poses a risk to national security.

Regular, annual updates are required at the time of all SBIR or STTR annual, interim, and final Research Performance Progress Reports (RPPRs). For changes that occur between RPPR submissions, updated disclosure forms are required within 30 days of any change in ownership, entity structure, covered individual, or other substantive changes in circumstance, as described above. Recipients will be required to upload these updated disclosures using the Additional Materials (AM) tool in eRA Commons.

Agency Recovery Authority and Repayment of Funds

A small business concern will be required to repay all amounts received from NIH, CDC, and FDA under the award if either of the following determinations are made upon assessment of a change to their disclosure:

  • the small business concern makes a material misstatement that NIH, CDC, and FDA determine poses a risk to national security; or
  • there is a change in ownership, change in entity structure, or other substantial change in circumstances of the small business concern that NIH, CDC, and FDA determine poses a risk to national security.

If the recipient reports a covered foreign relationship that meets any of the risk criteria prohibiting funding described in this guidance, NIH, CDC, and FDA may deem it necessary to terminate the award for material failure to comply with the federal statutes, regulations, or terms and conditions of the federal award. Refer to Section 8.5.2 Remedies for Noncompliance or Enforcement Actions: Suspension, Termination, and Withholding of Support for more information. Recipients are encouraged to monitor their covered foreign relationships post-award and avoid entering into relationships, both funded and unfunded, that may pose a security risk and jeopardize their ability to retain their award.

For more information please see the Foreign Disclosure and Risk Management webpage.

Inquiries

Please direct all inquiries to:

SEED (Small business Education and Entrepreneurial Development)
Office of Extramural Research
[email protected]

Weekly TOC for this Announcement
NIH Funding Opportunities and Notices
NIH Office of Extramural Research Logo
Department of Health and Human Services (HHS) - Home Page
Department of Health
and Human Services (HHS)
USA.gov - Government Made Easy
NIH... Turning Discovery Into Health®