Risk-Based Analysis

Purpose

The intent of the AFWERX Risk-Based Analysis Program is to protect the Department of the Air Force’s (DAF) security, investments, and partnerships via the SBIR and STTR program against undue or otherwise adversarial influence as stipulated under the SBIR and STTR Extension Act of 2022. The AFWERX Capital Initiatives Division (RGI) conducts a risk-based assessment (i.e. due diligence review) of small business concerns (SBC) applying for SBIR/STTR funds. This requirement was established in the SBIR and STTR Extension Act of 2022 (PL 117-183) and focuses on four risk factors: cybersecurity practices, patent analysis, employee analysis, and foreign ownership. The law requires an evaluation of these factors and their connection to foreign countries of concern (FCOC): namely China, Russia, Iran, and North Korea. Denial of award can be determined if the small business possesses risk factors connected to FCOCs that threaten national security.

RGI Risk-Based Analysis Program

The AFWERX RGI risk-based analysis program (also known as “due diligence” as it relates to Foreign Owner, Control, and Influence (FOCI) screening), is an intra-Air Force process which includes the AFWERX Capital Initiatives Division (RGI), the Office of Economic Analysis (OCEA), and the Office of Special Investigation (OSI).

AFWERX RGI: Responsible for the overall process, timelines, and risk assessments. They collect data from OCEA and OSI to synthesize final risk-based assessment and make recommendations to award determination officials within AFWERX.

OCEA: Conducts business assessment of all applicants. This business assessment utilizes commercially available information and publicly available information to highlight risk indicators. OCEA undertakes in-depth analytic assessments to identify and assess geostrategic risks that challenge U.S. Department of Defense equities and threaten to undermine current foundations of U.S. global power, leadership and national security. OCEA’s action-oriented analysis aims to inform U.S. government decision makers of the full range of options available to counter these risks. https://www.afocea.com/

OSI: Conducts counterintelligence review of select high-risk companies based on risk indicators identified by OCEA. The Air Force Office of Special Investigations provides professional investigative service to commanders of all Air Force activities. AFOSI identifies, investigates and neutralizes criminal, terrorist, and espionage threats to Air Force and Department of Defense personnel and resources. https://www.af.mil/About-Us/Fact-Sheets/Display/Article/104502/air-force-office-of-special-investigations/

Note: RGI’s Due Diligence process makes recommendations, not determinations. Risk is evaluated by the award determination official (AFWERX Commanding Officer or their delegated officials).

Authorities and Policy Documents

Public Law 117-183, 30 Sep 2022, SBIR/STTR Extension Act of 2022

Policy Directive: SBIR and STTR Program

DTM 18-003 Prohibition on Providing Funds to the Enemy

DFAR 252.209.7002 - Disclosure or Ownership of Control by a Foreign Government

Policy for Risk-Based Security Reviews of Fundamental Research

USD(R&E) Letter to Universities on Research Protection (Oct 19)

Frequently Asked Questions

What are the key questions that must be answered for each category of due diligence as defined in the SBIR and STTR Extension Act of 2022?

Due diligence is the assessment of security risks presented by small business concerns seeking a federally-funded award using a risk-based approach, evaluating (1) the cybersecurity practices, (2) patent analysis, (3) employee analysis, and (4) foreign ownership of the small business concern.

Foreign Ownership
a. Does the level of foreign ownership or corporate governance structure allow for control and influence over the company’s key business decisions or provide access to key IP.
b. Is there, and what is the nature of, any connection to individuals or entities on any of the US Government’s Entity Lists?

Employee Analysis
a. So the personal and professional affiliations with foreign individuals and entities represent a risk?
b. Is there, and what is the nature of, any connection to individuals or entities on any of the US Government’s Entity Lists?

Patents
a. Do key personnel or does the company have a history of filing patents or transferring patents abroad?

Cyber
a. What is the company’s Security Scorecard score?
b. Is there a history of data and/or IT/IS breaches?

Do you have specific Indicators for assessing risk in SBIR/STTR proposals?

AFWERX uses the OSD R&E Risk Analysis Matrix to assign risk determinations for all proposals that complete the due diligence program.

What are the requirements for the Small Business when it comes to foreign disclosure?

Each small business applying for the SBIR and STTR programs under the DAF are required to disclose all funded and unfunded relationships with foreign countries, using the foreign disclosure form, for all owners and covered individuals. A covered individual is defined as all senior key personnel identified by the small business in the application (i.e., individuals who contribute to the scientific development or execution of a project in a substantive, measurable way). Applicants must include the following information on the disclosure form:

the identity of all owners and covered individuals of the firm who are a party to any malign foreign talent recruitment program;
the existence of any parent company, joint venture, or subsidiary of the firm that is based in or receives funding from, any foreign country of concern;
any current or pending contractual or financial obligation or other agreement specific to a business arrangement, or joint venture-like arrangement with an enterprise owned by a foreign state or any foreign entity;
whether the firm is wholly owned in a foreign country;
any venture capital or institutional investment and if the investing entity has a general partner or any other individual holding a leadership role who has a foreign affiliation with any foreign country of concern;
any technology licensing or intellectual property sales or transfers to a foreign country of concern during the 5-year period preceding submission of the proposal;
any foreign business entity, offshore entity, or entity outside the United States related to the firm;
any owners, officers, or covered individuals that have a foreign affiliation with a research institution located in a foreign country of concern; and information technology and information safeguarding plans.

How can I get training on Foreign Ownership, Control or Influence (FOCI) for myself or for small businesses?

Go to and create an account at www.projectspectrum.io/#/signup
Login at www.projectspectrum.io/#/login
Go to www.projectspectrum.io/#/courses-encite
Take note of the Username and copy the Password listed on the page.
Search for “FOCI” and select/click on the course you want to take. (You are looking for “Understanding FOCI”)
That will take you to www.encite.io/login/index.php where you login with the Username and Password provided on the previous page.
Click on “Enroll me”.
Click on “Enter”.
You should now be in the course!

Do you maintain a "black list" of companies?

RGI does not maintain a black list of any companies. We evaluate every proposal separately and therefore the risk levels can change from proposal to proposal as RGI learns more about the companies, the markets, the supply chains, or the key management personnel and their foreign relations, associations, affiliations, or financial investors.

Contents