Risk-Based Analysis - AFWERX

Purpose

The intent of the AFWERX Risk-Based Analysis Program is to protect the Department of the Air Force’s (DAF) security, investments, and partnerships via the SBIR and STTR program against undue or otherwise adversarial influence as stipulated under the SBIR and STTR Extension Act of 2022. The AFWERX Capital Initiatives Division (RGI) conducts a risk-based assessment (i.e. due diligence review) of small business concerns (SBC) applying for SBIR/STTR funds. This requirement was established in the SBIR and STTR Extension Act of 2022 (PL 117-183) and focuses on four risk factors: cybersecurity practices, patent analysis, employee analysis, and foreign ownership. The law requires an evaluation of these factors and their connection to foreign countries of concern (FCOC): namely China, Russia, Iran, and North Korea. Denial of award can be determined if the small business possesses risk factors connected to FCOCs that threaten national security.

RGI Risk-Based Analysis Program

The AFWERX RGI risk-based analysis program (also known as “due diligence” as it relates to Foreign Ownership, Control, and Influence (FOCI) screening) is an intra-Air Force process which includes the AFWERX Capital Initiatives Division (RGI), the Office of Economic Analysis (OCEA), and the Office of Special Investigations (OSI).

  • AFWERX RGI: Responsible for the overall process, timelines, and risk assessments. RGI collects data from OCEA and OSI to synthesize the final risk-based assessment and makes recommendations to award determination officials within AFWERX.
  • OCEA: Conducts a business assessment of all applicants. This business assessment utilizes commercially available information and publicly available information to highlight risk indicators. OCEA undertakes in-depth analytic assessments to identify and assess geostrategic risks that challenge U.S. Department of Defense equities and threaten to undermine current foundations of U.S. global power, leadership and national security. OCEA’s action-oriented analysis aims to inform U.S. government decision makers of the full range of options available to counter these risks.
  • OSI: Conducts a counterintelligence review of select high-risk companies based on risk indicators identified by OCEA. The Air Force Office of Special Investigations provides professional investigative service to commanders of all Air Force activities. AFOSI identifies, investigates and neutralizes criminal, terrorist, and espionage threats to Air Force and Department of Defense personnel and resources.

Note: RGI’s Due Diligence process makes recommendations, not determinations. Risk is evaluated by the award determination official (AFWERX Commanding Officer or their delegated officials).

Key Points for FOCI Due Diligence Preparation

Here are 10 key points that companies should know to prepare themselves for a FOCI due diligence review:

  • Understand the Statutory Requirements: Familiarize yourself with the statutory requirements outlined in 15 U.S.C. § 638(g)(15)(B), which governs the denial of SBIR/STTR awards based on foreign connections.
  • Complete the Mandatory Disclosure Form Accurately: Ensure you accurately complete the mandatory disclosure form “Disclosures of Foreign Affiliations or Relationships to Foreign Countries,” including providing supporting documentation for any disclosures made.
  • Review Cybersecurity Practices: Assess your company’s cybersecurity practices and ensure they align with industry standards and best practices, as the DoD’s due diligence review will include an assessment of cybersecurity practices.
  • Analyze Patent Activity: Conduct a thorough review of your company’s patent history, including any patents filed or granted in foreign countries of concern, paying close attention to patents resulting from USG-funded research.
  • Scrutinize Employee Affiliations: Carefully examine the affiliations of your employees, particularly those in leadership positions or with access to sensitive information, and identify any potential conflicts of interest or foreign affiliations that could raise concerns.
  • Disclose Foreign Ownership and Financial Ties: Be transparent about any foreign ownership, control, or influence over your company, and provide detailed information about financial ties and obligations to foreign countries, persons, or entities.
  • Prepare for Open-Source Analysis: Recognize that the DoD will use open-source analysis and analytical tools to assess potential risks, and ensure consistency between public information and disclosures made on the mandatory form.
  • Develop Mitigation Strategies: Be proactive in identifying potential mitigation strategies for any identified risks related to foreign connections, including demonstrating how you will address conflicts of interest, protect sensitive information, or limit foreign involvement in critical aspects of the project.
  • Be Prepared for a CI Review: Understand that the DoD may refer companies with potential FOCI to counterintelligence organizations for further review, and cooperate fully with any CI investigations.
  • Stay Informed About Policy Updates: Stay informed about policy updates and guidance issued by the Defense SBIR/STTR Program Office and relevant DoD Components, as the DoD’s FOCI due diligence program is subject to change.

Frequently Asked Questions

Due diligence is the assessment of security risks presented by small business concerns seeking a federally-funded award using a risk-based approach, evaluating (1) the cybersecurity practices, (2) patent analysis, (3) employee analysis, and (4) foreign ownership of the small business concern.

Foreign Ownership
a. Does the level of foreign ownership or corporate governance structure allow for control and influence over the company’s key business decisions or provide access to key IP?
b. Is there, and what is the nature of, any connection to individuals or entities on any of the US Government’s Entity Lists?

Employee Analysis
a. Do the personal and professional affiliations with foreign individuals and entities represent a risk?
b. Is there, and what is the nature of, any connection to individuals or entities on any of the US Government’s Entity Lists?

Patents
a. Do key personnel or does the company have a history of filing patents or transferring patents abroad?

Cyber
a. What is the company’s Security Scorecard score?
b. Is there a history of data and/or IT/IS breaches?

AFWERX uses the OSD R&E Risk Analysis Matrix to assign risk determinations for all proposals that complete the due diligence program.

Each small business applying for the SBIR and STTR programs under the DAF is required to disclose all funded and unfunded relationships with foreign countries, using the foreign disclosure form, for all owners and covered individuals. A covered individual is defined as all senior key personnel identified by the small business in the application (i.e., individuals who contribute to the scientific development or execution of a project in a substantive, measurable way). Applicants must include the following information on the disclosure form:

  • the identity of all owners and covered individuals of the firm who are a party to any malign foreign talent recruitment program;
  • the existence of any parent company, joint venture, or subsidiary of the firm that is based in or receives funding from, any foreign country of concern;
  • any current or pending contractual or financial obligation or other agreement specific to a business arrangement, or joint venture-like arrangement with an enterprise owned by a foreign state or any foreign entity;
  • whether the firm is wholly owned in a foreign country;
  • any venture capital or institutional investment and if the investing entity has a general partner or any other individual holding a leadership role who has a foreign affiliation with any foreign country of concern;
  • any technology licensing or intellectual property sales or transfers to a foreign country of concern during the 5-year period preceding submission of the proposal;
  • any foreign business entity, offshore entity, or entity outside the United States related to the firm;
  • any owners, officers, or covered individuals that have a foreign affiliation with a research institution located in a foreign country of concern; and information technology and information safeguarding plans.

  1. Go to www.projectspectrum.io/#/signup and create an account.
  2. Log in at www.projectspectrum.io/#/login
  3. Go to www.projectspectrum.io/#/courses-encite
  4. Take note of the Username and copy the Password listed on the page.
  5. Search for “FOCI” and select/click on the course you want to take. (You are looking for “Understanding FOCI”)
  6. That will take you to www.encite.io/login/index.php, where you log in with the Username and Password provided on the previous page.
  7. Click on “Enroll me”.
  8. Click on “Enter”.
  9. You should now be in the course!

RGI does not maintain a blacklist of any companies. We evaluate every proposal separately, and therefore the risk levels can change from proposal to proposal as RGI learns more about the companies, the markets, the supply chains, or the key management personnel and their foreign relations, associations, affiliations, or financial investors.
