Small Business Research Programs: Agencies Are Implementing Programs to Manage Foreign Risks and Plan Further Refinement

GAO-24-106400 Published: Nov 16, 2023. Publicly Released: Nov 16, 2023.

Fast Facts

Federal agencies award research and development funds to small businesses through small business research programs. However, foreign governments sometimes try to steal such U.S.-funded research and technology.

The Small Business Administration issued best practices in 2023 to guide agencies' efforts to manage foreign risks—e.g., ensuring that agencies conduct due diligence regarding foreign affiliations when awarding funds. We found that the 11 agencies participating in these programs are taking various approaches to assess risks using the best practices. Agencies plan to refine these approaches based on their experience.


What GAO Found

The Small Business Innovation Research (SBIR) and Small Business Technology Transfer (STTR) programs face risks of foreign governments seeking to illicitly acquire U.S.-funded research and technologies. To help address such risks, the SBIR and STTR Extension Act of 2022 (Extension Act) required participating agencies to develop a due diligence program to assess aspects of small businesses seeking a federally funded award. In March 2023, the Small Business Administration (SBA) issued a set of 12 best practices that provide general guidance on what agencies should consider in developing their programs. The best practices, which were developed in collaboration with other agencies, cover different types of risks, such as foreign ownership, employee affiliations, and cybersecurity practices. SBA also developed a set of standardized disclosure questions about foreign affiliations or relationships to foreign countries that SBIR/STTR applicants must answer to help participating agencies assess foreign influence.

Examples of Best Practices SBA Issued for SBIR/STTR Participating Agencies' Due Diligence Programs to Address Foreign Risks

All 11 agencies participating in the SBIR and STTR programs established their due diligence programs by June 27, 2023, as required by the Extension Act. GAO found that agencies plan to assess all new proposals or applications that lead to SBIR/STTR awards using a documented risk-based approach—as called for by SBA best practices. These approaches vary. Some agencies plan to adapt existing due diligence review processes. Others plan to apply reviews based on different phases of technology development or require disclosures from a wider range of individuals who can significantly influence the research on a particular project. Regardless of these differences, each participating agency plans to assess, among other things, the cybersecurity practices and foreign ownership (e.g., financial ties and obligations) of small business award applicants.

All 11 participating agencies plan to refine their due diligence programs through implementation experience. Agency officials identified several potential areas of refinement, such as hiring additional staff, supporting additional training, acquiring vetting tools, and addressing any effects of due diligence reviews on the timeliness of award issuance.

Why GAO Did This Study

Small businesses are important drivers of economic growth and innovation, but they can face challenges accessing capital to fund research and development. Through the SBIR and STTR programs, participating agencies award funding to small businesses that helps bring important technologies to market. However, certain foreign governments are actively working to illicitly acquire such technologies.

The federal government has taken a number of recent actions to help agencies, universities, and businesses counter foreign influence on federally funded research by implementing due diligence activities to identify and mitigate risks. The Extension Act builds on these actions by requiring each relevant federal agency to establish and implement a due diligence program to manage foreign risks.

The Extension Act also includes a provision for GAO to issue a series of reports on the implementation of and best practices for these programs. This report, the first in the series, examines (1) SBA's efforts to develop best practices for participating agencies' due diligence programs, in collaboration with others; and (2) participating agencies' efforts to design and implement their due diligence programs.

GAO interviewed officials from SBA, the 11 participating agencies, and other relevant federal entities. GAO also analyzed information related to the development of SBA's SBIR/STTR due diligence best practices and individual agencies' due diligence programs.

For more information, contact Candice N. Wright at (202) 512-6888 or


Best practices, Federal agencies, Federally funded research, Research and development, Research programs, Science and technology, Small business, Small business innovation, Technology transfer, Cybersecurity