SBIR/STTR Compliance Guide

SBIR National-Security Disclosures for FY2026: FOCI, Foreign Talent & Foreign Affiliations

The April 2026 SBIR/STTR reauthorization (S.3971) added a layer of due-diligence and disclosure requirements aimed at foreign influence. These aren't scoring factors you can be weak on — several are pass/fail. Get one wrong, incomplete, or omitted and your proposal can be found non-compliant or your firm ineligible, regardless of the technical merit.

Here's what each of the five disclosure areas actually asks for, in plain English, and how to avoid the common mistakes.

Why this matters now: reviewers no longer just weigh these risks — agencies screen for them. Program offices increasingly treat missing or inconsistent security disclosures the same way they treat a page-limit violation: an administrative reject before the science is read. The five areas below are where FY2026 proposals get caught.

1. FOCI — Foreign Ownership, Control, or Influence

FOCI asks a simple question with a wide net: can a foreign interest direct or influence your company's management, operations, or access to the funded work? It's not only about who owns shares. It includes foreign members on your board, foreign parent or affiliate companies, significant foreign debt or financing, contracts that give a foreign party leverage, and even a single foreign investor with veto rights.

Common mistake: treating FOCI as "we're a US company, so N/A." A US-incorporated firm can still be under FOCI through a convertible note, an overseas co-founder, or a foreign customer that funds a large share of revenue. Disclose the relationship and describe any mitigation (voting agreements, proxy boards, or simply that the interest is passive and non-controlling) rather than staying silent.

2. Malign Foreign Talent Recruitment Program certification

Every covered individual — typically the PI, co-PIs, and senior/key personnel — must certify they are not party to a Malign Foreign Talent Recruitment Program (MFTRP). These are foreign-government-linked programs that, in exchange for compensation, ask a researcher to do things like transfer intellectual property, recruit trainees, establish a duplicate ("shadow") lab abroad, or take on undisclosed obligations to a foreign institution.

Legitimate international collaboration, teaching, and conference activity are not MFTRP participation. The distinction is compensation plus an obligation that conflicts with your US commitments. Collect a signed certification from each covered person before submission — a missing certification for a single key person can sink the whole application.

3. Foreign affiliations, investment & licensing (countries of concern)

You must disclose the company's and key personnel's affiliations, investments, and technology-licensing arrangements tied to foreign entities — with particular scrutiny on countries of concern. This covers foreign subsidiaries or joint ventures, IP licensed to or from a foreign party, foreign venture or government funding, and research agreements with foreign universities or labs.

The trap here is inconsistency. Program offices cross-check what you write against your current & pending support, your biosketches, and public records. A licensing deal mentioned in one document but omitted from the disclosure form reads as a red flag. Build one master list of every foreign relationship and reuse it verbatim everywhere it's required.

4. Current & Pending (Other) Support — including foreign sources

Current & pending support must be complete and current for every senior/key person, and it must include foreign sources: foreign government grants, in-kind support (lab space, equipment, personnel), gifts, and startup packages. Under FY2026 rules, in-kind and foreign support that used to be overlooked are exactly what reviewers look for.

Common mistake: listing only funded, US, cash awards. If a key person has an unpaid appointment abroad or receives donated equipment, it belongs here. Omissions discovered later are treated as failures to disclose, which is more damaging than the support itself would have been.

5. Cybersecurity attestation

Many FY2026 solicitations require an attestation that your firm meets a baseline cybersecurity standard for protecting the funded research and any controlled information — often mapped to the NIST SP 800-171 family of controls. This is a certification, not an essay, but attesting to controls you haven't implemented is a compliance and legal risk.

Before you check the box, confirm you actually have the basics: access control, multi-factor authentication, an incident-response process, and a written information-security policy. If you're not there yet, close the gap before submission rather than over-attesting.

How to get the security disclosures right

  • Read the specific solicitation's security section line by line — requirements vary by agency (DoD, NIH, NSF, DOE, NASA) and by year.
  • Build one master list of every foreign affiliation, investment, and support source, and reuse it across all forms so nothing is inconsistent.
  • Collect signed MFTRP certifications from every covered individual before you submit.
  • Do a compliance pass separate from the science pass — ideally by someone who didn't write the proposal.
  • When in doubt, disclose and explain. Silence on a real relationship is riskier than a disclosed, mitigated one.

Check your proposal against the FY2026 rules — free

We built a free, private tool around exactly these checks. Pick your agency, paste your proposal, and get a submission-readiness score plus an itemized list of what would get you triaged out — including the FOCI, foreign talent, foreign affiliation, current & pending, and cybersecurity items above. It runs entirely in your browser; your proposal text never leaves your machine.

Stop getting triaged out. Fix the disclosure gaps before you submit — not in a rejection letter.

Related reading: The FY2026 SBIR Compliance Checklist — the full formatting, required-components, and eligibility list. This guide is general information, not legal advice; always follow your specific solicitation and agency guidance.