SBIR Foreign Disclosure Requirements: What NIH, NSF, and Department of Defense Applicants Need to Know

Learn how SBIR/STTR foreign disclosure and foreign risk review requirements affect NIH, NSF, and Department of Defense applicants, including what to disclose and when to prepare.

SBIR and STTR applicants used to treat “foreign disclosure” as a back-office compliance item. That is no longer safe.

Across federal SBIR/STTR programs, agencies are now expected to assess foreign ownership, foreign affiliations, certain investment relationships, IP transfers, cybersecurity practices, and other risk factors before making awards. For startups, this means foreign disclosure is not just a form. It can affect whether an otherwise strong proposal is considered fundable.

This is especially important for companies applying to NIH, NSF, or the Department of Defense, where the rules may appear similar at a high level but play out differently in the application process.

Why Foreign Disclosure Matters in SBIR/STTR

The SBIR and STTR Extension Act of 2022 required small businesses applying for SBIR/STTR awards to disclose information about foreign ties and investment relationships. SBA then updated SBIR/STTR policy guidance and created a common disclosure framework for participating agencies.

SBIR.gov explains that the disclosure requirement is intended to capture information about an applicant’s “investment and foreign ties.” It also identifies the current SBIR/STTR “foreign countries of concern” as:

• People’s Republic of China

• Democratic People’s Republic of Korea

• Russian Federation

• Islamic Republic of Iran

As of the SBIR.gov foreign disclosures page, no additional countries have been designated for SBIR/STTR purposes.

The practical lesson: applicants should review foreign relationships early, not after a notice of award appears likely.

What Types of Relationships Can Trigger Review?

Foreign disclosure does not only mean foreign ownership. Agencies may look at a broader set of relationships, including:

• Owners or covered individuals involved in malign foreign talent recruitment programs

• Parent companies, subsidiaries, or joint ventures tied to a foreign country of concern

• Foreign business arrangements, contractual obligations, or joint venture-like relationships

• Venture capital or institutional investment with leadership ties to a foreign country of concern

• Technology licensing, IP sales, or IP transfers to a foreign country of concern

• Foreign business entities or offshore entities related to the applicant

• Foreign research institution affiliations involving owners, officers, or key personnel

NIH’s 2026 guidance also states that HHS due diligence may assess cybersecurity practices, patent history, employee analysis, foreign ownership, investment relationships, technology licensing agreements, joint ventures, and business relationships involving foreign countries of concern.

NIH SBIR/STTR: Disclosure Often Happens During Just-in-Time

For NIH, foreign disclosure has become a major pre-award and post-award issue.

NIH SEED says SBIR/STTR applicants are required to disclose funded and unfunded relationships with foreign countries using the SBIR/STTR Foreign Disclosure Form for all owners and covered individuals. NIH defines a covered individual as someone who contributes in a substantive, meaningful way to the scientific development or execution of the project, or someone identified as senior/key personnel.

A key NIH-specific point: applicants submit the form when requested through the Just-in-Time process. NIH also says applicants who do not submit the completed form during JIT will not be considered for funding.

That means companies should not wait until JIT to start gathering information. By then, timing can be tight, and incomplete disclosure can slow or jeopardize an award.

NIH’s April 20, 2026 notice also clarifies that HHS cannot make an SBIR/STTR award if certain security-risk criteria are met. NIH states that if an award cannot be made because of a security risk, HHS will identify the denial category, but it will not provide applicants an opportunity to address the risk before award.

NIH Post-Award Monitoring: The Obligation Does Not End at Award

NIH’s rules also extend beyond the application.

Recipients must monitor covered foreign relationships after award. NIH says updated disclosure forms are required for changes to disclosures, material misstatements that pose national security risk, changes in ownership, changes in entity structure, covered individual changes, or other substantial changes in circumstances.

For changes between regular reports, NIH states that updated disclosures are required within 30 days. Regular updates are also required with annual, interim, and final RPPRs.

For founders, the message is straightforward: treat foreign disclosure as an ongoing compliance system, not a one-time submission.

NSF SBIR/STTR: Due Diligence Is Part of the Review Environment

NSF’s current SBIR/STTR solicitation says NSF follows federal guidance on assessing and mitigating foreign risk related to countries of concern during the required due diligence process. Importantly, NSF also notes that receiving due diligence-related questions is not, by itself, a negative indicator of award probability.

NSF’s Seed Fund eligibility guidance also includes several related requirements:

• The company must have fewer than 500 employees, including affiliates.

• The company must meet U.S. ownership and control requirements.

• All R&D must be performed in the United States.

• No senior/key personnel on an SBIR/STTR proposal may be party to a malign foreign talent recruitment program.

This makes NSF somewhat different from NIH in workflow. NSF applicants should be prepared for foreign risk questions as part of due diligence, while also ensuring that basic eligibility, ownership, personnel, and work-location requirements are clean before submission.

Department of Defense SBIR/STTR: Missing Forms Can Make a Proposal Noncompliant

For Department of Defense SBIR/STTR applicants, foreign disclosure can be especially consequential at submission.

Department of Defense SBIR/STTR guidance has incorporated mandatory foreign disclosure requirements into solicitations. A Department of Defense SBIR BAA preface stated that proposals missing the required completed and signed foreign disclosure attachment would be deemed noncompliant and would not receive an evaluation.

A Department of Defense release also stated that all proposals submitted through the Defense SBIR/STTR Innovation Portal must include forms that assess security risks, and proposals without those forms are noncompliant.

That makes the Department of Defense process less forgiving from a submission-readiness standpoint. Applicants should verify the exact required volume, attachment, signature, and component-specific instructions before submission.

Practical Checklist Before You Apply

Before submitting an SBIR/STTR proposal, companies should review:

1. Ownership and control
   Confirm whether any ownership, parent/subsidiary structure, or investor relationship creates a disclosure issue.

2. Key personnel affiliations
   Ask founders, technical leads, consultants, and senior/key personnel about foreign appointments, research affiliations, talent programs, and institutional relationships.

3. Investors and financing
   Review venture capital, institutional investment, debt, and other financing relationships for foreign ties, especially involving countries of concern.

4. IP and licensing history
   Identify any technology licensing, IP transfer, patent activity, or sales involving foreign entities or countries of concern.

5. Contractors and research partners
   For STTR and university-linked work, clarify who is performing the work, where the work is performed, and whether any foreign affiliations need to be disclosed.

6. Post-award change monitoring
   Create an internal process to review ownership changes, personnel changes, investor changes, and new foreign relationships during the award.

What Applicants Should Not Assume

Do not assume that a foreign relationship is automatically disqualifying. Many disclosures may simply require explanation and review.

Do not assume that only countries of concern matter. Some forms and agency questions may ask about broader foreign relationships, even when risk criteria focus heavily on countries of concern.

Do not assume that a “no” answer is safer if the facts are unclear. NIH specifically encourages applicants to disclose affiliations if they are uncertain whether disclosure is required.

And do not assume the same workflow applies across agencies. NIH, NSF, and Department of Defense all operate under the broader SBIR/STTR framework, but submission timing and consequences can differ.

Conclusion

Foreign disclosure is now a core SBIR/STTR readiness issue. For NIH applicants, it can affect Just-in-Time and post-award reporting. For NSF applicants, it is part of the due diligence environment and intersects with eligibility, ownership, personnel, and U.S.-based work requirements. For Department of Defense applicants, missing or incomplete disclosure materials can make a proposal noncompliant before it is ever evaluated.

The best strategy is to review foreign ties before choosing an agency, before assembling the proposal team, and well before the submission deadline. A strong technical proposal still matters, but today, fundability also depends on whether the company can clearly explain who owns it, who supports the work, where the relationships are, and whether any of those relationships create a security risk.

Sources Used

• SBIR.gov: Required Disclosures of Foreign Affiliations or Relationships

• NIH SEED: Foreign Disclosure and Risk Management

• NIH Grants: NOT-OD-26-074

• NIH Grants: Required Disclosures Form Guidance

• NSF: NSF 26-510 SBIR/STTR Solicitation

• NSF Seed Fund: SBIR/STTR Eligibility and Requirements

• Department of Defense: SBIR/STTR Due Diligence Policy Release