Government Accountability Office logo. GAO issued a new report on agency management of foreign adversary risks in SBIR/STTR
The Government Accountability Office has found that not all agencies implement the Small Business Administration's best practices for managing foreign adversary risks in federally funded small business research and development programs.
Logo: Government Accountability Office / Wikipedia
/

GAO Discovers Inconsistent Implementation of Practices for Managing Foreign Adversary Risks in SBIR/STTR

3 mins read

The Government Accountability Office has warned that agencies may be vulnerable to foreign adversaries seeking to steal proprietary data.

In a new report published Wednesday, the congressional watchdog looked at the implementation of 12 best practices the Small Business Administration established in March 2023 for agencies to manage risks associated with Small Business Innovation Research, or SBIR, and Small Business Technology Transfer, also known as STTR, programs.

GAO found that participating agencies applied only some of the best practices to their due diligence processes when screening small business applicants for research and development funding opportunities.  

GAO Discovers Inconsistent Implementation of Practices for Managing Foreign Adversary Risks in SBIR/STTR

Cyber as the primary attack surface for conflict is one of the key topics at the Potomac Officers Club’s 2026 Cyber Summit on May 21. Join government leaders as they discuss initiatives to strengthen federal cyber defenses. Register today.

Are Foreign Adversaries Targeting SBIR/STTR Programs?

Congress has previously raised concerns over the possibility that foreign adversaries are exploiting vulnerabilities in SBIR and STTR and in small businesses that participate in federally funded R&D programs.

In May 2025, Sen. Joni Ernst, R-Iowa, revealed that the National Institutes of Health flagged and denied SBIR/STTR applications of firms and people from China and Russia.

“The SBIR-STTR programs provide a valuable pipeline of technology that we cannot allow China and other foreign adversaries to steal,” Ernst, who serves as chair of the Small Business and Entrepreneurship Committee, said.

What Are the Gaps GAO Found in SBIR/STTR Programs?

In the report, GAO noted that the SBIR and STTR Extension Act of 2022 (Extension Act) requires agencies to incorporate applicable best practices into due diligence programs to manage potential foreign risks.

However, as of August 2025, all agencies assessed for the report incorporated three of the 12 best practices. Most agencies adopted additional practices, such as documenting their risk-based approach within their due diligence processes and disclosures of covered individuals or those associated with countries of concern.

GAO also pointed out that the Extension Act tasks agencies to assess applicant cybersecurity, but only nine of the 11 participating agencies have mechanisms in place for evaluating cyber practices.

The congressional watchdog provided 26 recommendations, most of which call on agencies to adopt all of SBA’s best practices on due diligence programs. One recommendation is urging the SBA to use interagency meetings to discuss the best practices.

Related Articles

Brian Geesaman. The defense tech leader has been named precision strike mission area executive at Johns Hopkins APL.
Johns Hopkins APL Names Brian Geesaman Precision Strike Mission Area Executive

The Johns Hopkins Applied Physics Laboratory has appointed Brian Geesaman, a defense technology leader, as mission area executive for precision strike within APL’s force projection sector. APL said Wednesday Geesaman oversees programs that develop kinetic and non-kinetic weapon systems, integrated strike warfare capabilities and end-to-end capability development for the U.S. Air Force, U.S. Navy and other agencies within the Department of War. “Brian’s significant technical accomplishments, strategic insight, and collaborative leadership style position him well to guide our teams working on many of the nation’s most complex national security challenges,” said APL Director Dave Van Wie. “His experience and vision

Emil Michael. The under secretary of war for research and engineering commented on DOW’s formation of the STIB.
Pentagon to Form Science, Technology & Innovation Board Through DIB-DSB Merger

The Department of War will merge the Defense Innovation Board and the Defense Science Board to establish a new advisory board to accelerate the development and delivery of capabilities to warfighters and address critical national security problems. DOW said Thursday War Secretary Pete Hegseth, a 2026 Wash100 awardee, approved the plan to reform the department’s legacy advisory boards through the formation of the Science, Technology and Innovation Board, or STIB. The STIB is awaiting formal establishment through publication in the Federal Register. What Are the STIB’s 2 Permanent Subcommittees? The STIB will operate with the Subcommittee on Strategic Options and

INL logo.The Department of Energy's Nuclear Science User Facilities program plans to activate the Teton supercomputer at INL.
DOE to Quadruple Nuclear Computing Capacity With Teton Supercomputer at INL

The Nuclear Science User Facilities, or NSUF, program within the Department of Energy’s Office of Nuclear Energy is set to activate the Teton supercomputer at Idaho National Laboratory, or INL, a move expected to significantly expand high-performance computing capacity and accelerate nuclear reactor and fuel research. What Is Teton Supercomputer? INL said Thursday, Teton is an HPE Cray EX 4000 system housed at the laboratory’s Collaborative Computing Center and operated under the NSUF program. The supercomputer was delivered in September 2025 and will be made available to NSUF users nationwide in January. It is ranked 85th on the TOP500 list of