Purpose
RGI Risk-Based Analysis Program
The AFWERX RGI risk-based analysis program (also known as “due diligence” as it relates to Foreign Ownership, Control, and Influence (FOCI) screening) is an intra-Air Force process which includes the AFWERX Capital Initiatives Division (RGI), the Office of Economic Analysis (OCEA), and the Office of Special Investigations (OSI).
- AFWERX RGI: Responsible for the overall process, timelines, and risk assessments. They collect data from OCEA and OSI to synthesize a final risk-based assessment and make recommendations to award determination officials within AFWERX.
- OCEA: Conducts a business assessment of all applicants. This business assessment utilizes commercially available information and publicly available information to highlight risk indicators. OCEA undertakes in-depth analytic assessments to identify and assess geostrategic risks that challenge U.S. Department of Defense equities and threaten to undermine current foundations of U.S. global power, leadership and national security. OCEA’s action-oriented analysis aims to inform U.S. government decision makers of the full range of options available to counter these risks.
- OSI: Conducts a counterintelligence review of select high-risk companies based on risk indicators identified by OCEA. The Air Force Office of Special Investigations provides professional investigative service to commanders of all Air Force activities. AFOSI identifies, investigates and neutralizes criminal, terrorist, and espionage threats to Air Force and Department of Defense personnel and resources.
Note: RGI’s Due Diligence process makes recommendations, not determinations. Risk is evaluated by the award determination official (AFWERX Commanding Officer or their delegated officials).
Key Points for FOCI Due Diligence Preparation
Here are 10 key points that companies should know to prepare themselves for a FOCI due diligence review:
- Understand the Statutory Requirements: Familiarize yourself with the statutory requirements outlined in 15 U.S.C. § 638(g)(15)(B), which governs the denial of SBIR/STTR awards based on foreign connections.
- Complete the Mandatory Disclosure Form Accurately: Ensure you accurately complete the mandatory disclosure form “Disclosures of Foreign Affiliations or Relationships to Foreign Countries,” including providing supporting documentation for any disclosures made.
- Review Cybersecurity Practices: Assess your company’s cybersecurity practices and ensure they align with industry standards and best practices, as the DoD’s due diligence review will include an assessment of cybersecurity practices.
- Analyze Patent Activity: Conduct a thorough review of your company’s patent history, including any patents filed or granted in foreign countries of concern, paying close attention to patents resulting from USG-funded research.
- Scrutinize Employee Affiliations: Carefully examine the affiliations of your employees, particularly those in leadership positions or with access to sensitive information, and identify any potential conflicts of interest or foreign affiliations that could raise concerns.
- Disclose Foreign Ownership and Financial Ties: Be transparent about any foreign ownership, control, or influence over your company, and provide detailed information about financial ties and obligations to foreign countries, persons, or entities.
- Prepare for Open-Source Analysis: Recognize that the DoD will use open-source analysis and analytical tools to assess potential risks, and ensure consistency between public information and disclosures made on the mandatory form.
- Develop Mitigation Strategies: Be proactive in identifying potential mitigation strategies for any identified risks related to foreign connections, including demonstrating how you will address conflicts of interest, protect sensitive information, or limit foreign involvement in critical aspects of the project.
- Be Prepared for a CI Review: Understand that the DoD may refer companies with potential FOCI to counterintelligence organizations for further review, and cooperate fully with any CI investigations.
- Stay Informed About Policy Updates: Stay informed about policy updates and guidance issued by the Defense SBIR/STTR Program Office and relevant DoD Components, as the DoD’s FOCI due diligence program is subject to change.
Authorities and Policy Documents
Frequently Asked Questions
What are the key questions that must be answered for each category of due diligence as defined in the SBIR and STTR Extension Act of 2022?
Due diligence is the assessment of security risks presented by small business concerns seeking a federally-funded award using a risk-based approach, evaluating (1) the cybersecurity practices, (2) patent analysis, (3) employee analysis, and (4) foreign ownership of the small business concern.
Foreign Ownership
a. Does the level of foreign ownership or corporate governance structure allow for control and influence over the company’s key business decisions or provide access to key IP?
b. Is there, and what is the nature of, any connection to individuals or entities on any of the US Government’s Entity Lists?
Employee Analysis
a. Do the personal and professional affiliations with foreign individuals and entities represent a risk?
b. Is there, and what is the nature of, any connection to individuals or entities on any of the US Government’s Entity Lists?
Patents
a. Do key personnel or does the company have a history of filing patents or transferring patents abroad?
Cyber
a. What is the company’s Security Scorecard score?
b. Is there a history of data and/or IT/IS breaches?
Do you have specific indicators for assessing risk in SBIR/STTR proposals?
AFWERX uses the OSD R&E Risk Analysis Matrix to assign risk determinations for all proposals that complete the due diligence program.
What are the requirements for the Small Business when it comes to foreign disclosure?
Each small business applying for the SBIR and STTR programs under the DAF is required to disclose all funded and unfunded relationships with foreign countries, using the foreign disclosure form, for all owners and covered individuals. A covered individual is defined as all senior key personnel identified by the small business in the application (i.e., individuals who contribute to the scientific development or execution of a project in a substantive, measurable way). Applicants must include the following information on the disclosure form:
- the identity of all owners and covered individuals of the firm who are a party to any malign foreign talent recruitment program;
- the existence of any parent company, joint venture, or subsidiary of the firm that is based in or receives funding from, any foreign country of concern;
- any current or pending contractual or financial obligation or other agreement specific to a business arrangement, or joint venture-like arrangement with an enterprise owned by a foreign state or any foreign entity;
- whether the firm is wholly owned in a foreign country;
- any venture capital or institutional investment and if the investing entity has a general partner or any other individual holding a leadership role who has a foreign affiliation with any foreign country of concern;
- any technology licensing or intellectual property sales or transfers to a foreign country of concern during the 5-year period preceding submission of the proposal;
- any foreign business entity, offshore entity, or entity outside the United States related to the firm;
- any owners, officers, or covered individuals that have a foreign affiliation with a research institution located in a foreign country of concern; and
- information technology and information safeguarding plans.
How can I get training on Foreign Ownership, Control or Influence (FOCI) for myself or for small businesses?
- Go to and create an account at www.projectspectrum.io/#/signup
- Log in at www.projectspectrum.io/#/login
- Go to http://www.projectspectrum.io/#/courses-encitefoci
- Take note of the Username and copy the Password listed on the page.
- Search for “FOCI” and select/click on the course you want to take. (You are looking for “Understanding FOCI”)
- That will take you to www.encite.io/login/index.php where you log in with the Username and Password provided on the previous page.
- Click on “Enroll me”.
- Click on “Enter”.
- You should now be in the course!
Do you maintain a "black list" of companies?
RGI does not maintain a black list of any companies. We evaluate every proposal separately and therefore the risk levels can change from proposal to proposal as RGI learns more about the companies, the markets, the supply chains, or the key management personnel and their foreign relations, associations, affiliations, or financial investors.