Foreign Risk Management
In the SBIR and STTR Extension Act of 2022, Congress required Federal agencies to create a due diligence program to address foreign risks in the SBIR/STTR programs. The foreign risks are primarily directed at the following foreign countries of concern: the People’s Republic of China, Islamic Republic of Iran, the People’s Democratic People’s Republic of Korea, and the Russian Federation.
The chart summarizes the risks being addressed by the DOE’s due diligence program.
| RISK | APPLICANT DISCLOSURE REQUIREMENT | SMALL BUSINESS VULNERABILITY | DOE DUE DILIGENCE FOCUS | EDUCATIONAL FOCUS |
|---|---|---|---|---|
|
Insider Theft |
Disclosure of Foreign Relationships (required for all applicants beginning in FY 2023) |
Failure to vet employees, owners/investors |
Identification of foreign risks related to ownership, personnel, patents, and business partners |
Past cases of intellectual property loss to foreign countries of concern; the need for due diligence by the small business |
|
Licensing or Sale of Intellectual Property |
Licensees/customers have undisclosed ties to foreign countries of concern |
|||
|
Acquisition of the Small Business |
Businesses seeking to acquire them have undisclosed ties to foreign countries of concern |
|||
|
Cybertheft |
Cybersecurity Self-Assessment (required for Phase II applicants beginning in FY 2024) |
Lack of IT/cybersecurity expertise at small businesses |
Assessment of small business cybersecurity posture |
Leveraging available Federal cybersecurity resources and training; utilization of SBIR/STTR funding to improve cybersecurity |
Examples of Intellectual Property Theft
ASMC: A former SBIR awardee, ASMC, suffered severe economic damages as the result of an employee stealing source code related to wind energy technology. A Chinese firm, Sinovel, paid an employee of an ASMC subsidiary to steal the source code and subsequently provided him with employment. The economic impact to ASMC was a loss of $1B in shareholder value and 700 jobs. Sinovel was found guilty and was ordered to pay restitution in addition to a fine.
https://www.justice.gov/opa/pr/court-imposes-maximum-fine-sinovel-wind-group-theft-trade-secrets
Phillips 66: A scientist at Phillips 66 stole $1B in trade secrets related to flow battery technology used for large scale energy storage. He was a participant in China’s Thousand Talents Plan, through which lucrative incentives are offered to recruit individuals with expertise in high-priority fields. The scientist had planned to leave the company and return to China to work for a company that developed battery materials. He was arrested, sentenced, and fined for the trade secret theft.
https://www.justice.gov/opa/pr/chinese-national-sentenced-stealing-trade-secrets-worth-1-billion
DOE Due Diligence
DOE conducts a review of risk separately from the merit review and can elect not to fund applications that present unacceptably high foreign risks. DOE has implemented the following changes as part of its implementation of its due diligence program.
- In FY 2023, DOE amended its review of risk in its SBIR/STTR Funding Opportunity Announcements to address the new requirements associated with evaluation of foreign risks.In addition, it required all applicants to include a disclosure of foreign relationships in their applications.
- In FY 2024, DOE extended the scope of its review of risk to include cybersecurity practices of Phase II applicants.Phase II applicants will be required to submit a cybersecurity self-assessment.More details on this cybersecurity self-assessment will be included in the Phase II Funding Opportunity Announcement. Phase I awardees are encouraged to prepare for this self-assessment by leveraging available resources to improve their cybersecurity practices in advance of submitting a Phase II application.Many of the practices needed for a small business to meet a passing threshold of a cyber checklist are free or provided in the costs of commercial-grade IT services. Examples of services and training are included below and can also be found on the Cybersecurity Resources for Small Business Web page.
- The Global Cybersecurity Alliance (GCA) provides free and effective tools that small business can use to take action to reduce cyber risk: https://gcatoolkit.org
- CISA has an excellent Cyber essentials guide aimed at small businesses: https://www.cisa.gov/resources-tools/resources/cyber-essentials
- NIST has a useful publication that discusses the Fundamentals of Small Business Information Security: https://www.nist.gov/publications/fundamentals-small-business-information-security
- CISA Services Overview
- NIST Framework for Improving Critical Infrastructure Cybersecurity
- NIST Small Business Information Security: The Fundamentals
- NIST Cybersecurity Framework Small Business Quick Start Guide
- The FBI Internet Crime Complaint Center (IC3) provides information about the latest and most harmful cyber threats and scams: https://www.ic3.gov
- The main Federal SBIR website, https://www.sbir.gov, offers a lot of information and training.
- The Federal Trade Commission has a good reference page dedicated to small businesses and cybersecurity https://www.ftc.gov/business-guidance/small-businesses/cybersecurity
- USAF SBIR cybersecurity page: (https://www.safcn.af.mil/CISO/Small-Business-Cybersecurity-Information/)
Small Business Due Diligence
Small businesses are encouraged to carry out their own due diligence to address risks associated with loss of their intellection property. These activities can include proper vetting of employees, investors, and business partners in addition to adherence to good cybersecurity practices. The National Counterintelligence and Security Council has provided the following bulletinthat provides useful guidance for protecting emerging technologies from foreign risks.
