Risk-based Analysis Program
Protecting Innovation: Understanding Our Risk-Based Analysis Program
The Department of the Air Force (DAF) is committed to protecting its security, investments, and partnerships. As mandated by the SBIR and STTR Extension Act of 2022, we conduct a Risk-Based Analysis Program for small businesses applying for SBIR/STTR funds. This program assesses potential risks that could threaten national security, particularly those connected to foreign countries of concern (China, Russia, Iran, and North Korea).
Our goal is to ensure the integrity of our programs and safeguard critical technologies. If significant risk factors tied to these countries are identified, an award may be denied.
Contents
What We Evaluate
Our due diligence review focuses on four key risk factors:
- Cybersecurity Practices: Assessment of your company’s cybersecurity measures.
- Patent Analysis: Review of your patent history, especially those resulting from U.S. government-funded research or filed in foreign countries of concern.
- Employee Analysis: Scrutiny of employee affiliations, particularly those in leadership or with access to sensitive information.
- Foreign Ownership: Examination of any foreign ownership, control, or influence over your company.
How We Conduct Our Review
Our internal Air Force process involves a comprehensive assessment that may include:
- Business Assessment: Utilizing commercially and publicly available information to identify potential risk indicators.
- Counterintelligence Review: For select high-risk companies, a counterintelligence review may be conducted to further assess identified risks.
The findings from these assessments inform award determination officials within AFWERX, who make the final decision.
Key Steps for Due Diligence Preparation
To prepare your company for a risk-based review and ensure a smooth process, consider these key points:
- Understand Statutory Requirements: Familiarize yourself with 15 U.S.C. § 638(g)(15)(B) regarding denial of awards based on foreign connections.
- Complete Disclosure Forms Accurately: Precisely fill out the mandatory “Disclosures of Foreign Affiliations or Relationships to Foreign Countries” form, providing all necessary supporting documentation.
- Review Cybersecurity: Ensure your company’s cybersecurity practices align with industry standards and best practices.
- Analyze Patent Activity: Thoroughly review your patent portfolio, especially patents in or from foreign countries of concern.
- Scrutinize Employee Affiliations: Examine employee affiliations, particularly for leadership or those with sensitive access, to identify potential conflicts or foreign ties.
- Disclose Foreign Ties: Be transparent about any foreign ownership, control, influence, financial ties, or obligations.
- Prepare for Open-Source Analysis: Recognize that we use open-source information. Ensure consistency between public information and your disclosures.
- Develop Mitigation Strategies: Proactively identify how you’ll address potential risks, such as managing conflicts of interest or protecting sensitive information.
- Be Prepared for Review: Cooperate fully if a review by counterintelligence organizations is deemed necessary.
- Stay Informed: Keep up-to-date with policy changes and guidance from the Defense SBIR/STTR Program Office.
Authorities and Policy Documents
Frequently Asked Questions
What are the key questions that must be answered for each category of due diligence as defined in the SBIR and STTR Extension Act of 2022?
Due diligence is the assessment of security risks presented by small business concerns seeking a federally-funded award using a risk-based approach, evaluating (1) the cybersecurity practices, (2) patent analysis, (3) employee analysis, and (4) foreign ownership of the small business concern.
Foreign Ownership
a. Does the level of foreign ownership or corporate governance structure allow for control and influence over the company’s key business decisions or provide access to key IP.
b. Is there, and what is the nature of, any connection to individuals or entities on any of the US Government’s Entity Lists?
Employee Analysis
a. So the personal and professional affiliations with foreign individuals and entities represent a risk?
b. Is there, and what is the nature of, any connection to individuals or entities on any of the US Government’s Entity Lists?
Patents
a. Do key personnel or does the company have a history of filing patents or transferring patents abroad?
Cyber
a. What is the company’s Security Scorecard score?
b. Is there a history of data and/or IT/IS breaches?
Do you have specific Indicators for assessing risk in SBIR/STTR proposals?
AFWERX uses the OSD R&E Risk Analysis Matrix to assign risk determinations for all proposals that complete the due diligence program.
What are the requirements for the Small Business when it comes to foreign disclosure?
Each small business applying for the SBIR and STTR programs under the DAF are required to disclose all funded and unfunded relationships with foreign countries, using the foreign disclosure form, for all owners and covered individuals. A covered individual is defined as all senior key personnel identified by the small business in the application (i.e., individuals who contribute to the scientific development or execution of a project in a substantive, measurable way). Applicants must include the following information on the disclosure form:
- the identity of all owners and covered individuals of the firm who are a party to any malign foreign talent recruitment program;
- the existence of any parent company, joint venture, or subsidiary of the firm that is based in or receives funding from, any foreign country of concern;
- any current or pending contractual or financial obligation or other agreement specific to a business arrangement, or joint venture-like arrangement with an enterprise owned by a foreign state or any foreign entity;
- whether the firm is wholly owned in a foreign country;
- any venture capital or institutional investment and if the investing entity has a general partner or any other individual holding a leadership role who has a foreign affiliation with any foreign country of concern;
- any technology licensing or intellectual property sales or transfers to a foreign country of concern during the 5-year period preceding submission of the proposal;
- any foreign business entity, offshore entity, or entity outside the United States related to the firm;
- any owners, officers, or covered individuals that have a foreign affiliation with a research institution located in a foreign country of concern; and information technology and information safeguarding plans.
How can I get training on Foreign Ownership, Control or Influence (FOCI) for myself or for small businesses?
- Go to and create an account at www.projectspectrum.io/#/signup
- Login at www.projectspectrum.io/#/login
- Go to http://www.projectspectrum.io/#/courses-encitefoci
- Take note of the Username and copy the Password listed on the page.
- Search for “FOCI” and select/click on the course you want to take. (You are looking for “Understanding FOCI”)
- That will take you to www.encite.io/login/index.php where you login with the Username and Password provided on the previous page.
- Click on “Enroll me”.
- Click on “Enter”.
- You should now be in the course!
Do you maintain a "black list" of companies?
RGI does not maintain a black list of any companies. We evaluate every proposal separately and therefore the risk levels can change from proposal to proposal as RGI learns more about the companies, the markets, the supply chains, or the key management personnel and their foreign relations, associations, affiliations, or financial investors.