Hundreds of Proposals Written
Federal, State & Foundation Grants
SBIR/STTR, Grant Strategy

SBIR Foreign Ownership Screening 2026: A Founder Self-Assessment Before You Submit

Nalin

{/* Schema recommendation: BlogPosting + FAQPage. Set author to Nalin Vahil, datePublished and dateModified to 2026-06-26. The "Frequently asked questions" section maps to FAQPage entities. The "Gate 1 vs Gate 2" comparison table and the 20-question numbered self-assessment are strong AI-extraction targets and can be marked up as structured data. */}

By the Cada team. Cada has written 100+ grant proposals across 30+ agencies, including AFWERX, NIH, and DoD.

Last updated: June 26, 2026

You are eligible on paper. Your company is a US for-profit, you are more than 50% owned by US citizens, and you have a real prototype. So why are you worried?

Because you have a foreign investor on the cap table. Or a co-founder on an O-1 visa. Or a patent you filed in another country before you filed in the US. And somewhere you read that SBIR rules changed in 2026 and now agencies screen for exactly that.

You read right. SBIR foreign ownership screening in 2026 is a separate review from the basic eligibility test, and it is the one that quietly trips up otherwise-strong companies. This guide gives you a 20-question self-assessment, a founder-friendly SBIR due diligence checklist for 2026, mapped to the actual statutory provisions, so you know where you stand before you spend 40 to 80 hours on an application.

What is SBIR foreign ownership screening in 2026?

SBIR foreign ownership screening is a security-risk review federal agencies run on every SBIR and STTR applicant, separate from the merit review of your science. The SBIR/STTR Extension Act of 2022 created it; the Small Business Innovation and Economic Security Act of 2026 (S.3971, Public Law 119-83) reinforced it. It checks four areas: cybersecurity, patents, foreign ownership, and employee ties abroad.

Eleven federal agencies run a version of this due diligence program. The exact procedures differ by agency, and a 2025 GAO review (GAO-25-107402) found some agencies still lack documented processes, so expect implementation to keep shifting through 2026.

The two gates founders mix up: eligibility vs. screening

Most founders treat "foreign ownership" as one yes/no question. It is actually two separate gates, and you have to clear both.

Gate 1 is eligibility. This is the classic 51% rule: your company must be more than 50% owned and controlled by US citizens or permanent residents, by other qualifying US small businesses, or (at participating agencies) by multiple US venture capital, private equity, or hedge funds. This is binary. You either clear it or you do not.

Gate 2 is foreign-risk screening. Even if you clear the 51% rule, agencies still assess whether your company poses a security risk through foreign ties. This is where a minority foreign investor, an international advisor, or a patent filed abroad comes into play. None of those make you ineligible. All of them can trigger additional review.

Here is the distinction in one table.

Dimension Gate 1: Eligibility (51% rule) Gate 2: Foreign-risk screening
Question it answers Are you allowed to apply? Does your award survive a security review?
Created by Original SBIR statute 2022 Extension Act + 2026 Act (S.3971)
Looks at Majority ownership and control Cybersecurity, patents, foreign ties, key personnel
Outcome Eligible / ineligible (binary) Award / additional review / denial
Triggered by >49% foreign or non-individual ownership Any active tie to a country of concern

The trap: founders confirm they pass the 51% rule, assume they are clear, and never prepare for the screening. Then a disclosure form shows up late in the process and they scramble.

What the law actually requires: the four assessment areas

The 2022 Extension Act directs agencies to assess security risk across four areas before making an award. The GAO summarizes them as cybersecurity practices, patents, foreign ownership, and employee affiliations.

Some agencies go further. NIH, through its SEED office, expands the four areas into eight review categories: cybersecurity, patent analysis, employee analysis, foreign ownership, foreign financial obligations, investment relationships, technology licensing, and business relationships.

Assessment area What it covers What triggers extra review
Cybersecurity practices Your IT security and data safeguarding No documented security program; use of foreign-controlled systems
Patents and IP Where and when you filed Patents filed in a country of concern within 5 years, especially before your US filing
Foreign ownership and control Equity, board control, joint ventures Controlling equity or active joint ventures in a country of concern
Employee and key-personnel ties Affiliations of your covered individuals Participation in a malign foreign talent recruitment program

The point is not to scare you. The point is that "foreign ownership" is the headline, but the screen reaches into your patents, your IT setup, and your team. You need to check all four, not just your cap table.

Who counts as a "covered individual"?

This is the part founders get wrong most often. The screening does not stop at the founders.

A covered individual is anyone who contributes in a substantive, meaningful way to the scientific development or execution of the project, plus anyone listed as senior or key personnel on the application. Your part-time CTO, your lead scientist, and a named technical advisor can all be covered individuals.

Why it matters: if your fractional CTO holds an unpaid visiting appointment at a university in a country of concern, that is a disclosable foreign affiliation, even though that person owns zero equity. The screen follows the people doing the science, not just the people holding the shares.

Which countries trigger the screen?

Not every foreign tie matters equally. The screening escalates on ties to "countries of concern," which in current federal usage means China, Russia, Iran, and North Korea. The authoritative list is maintained at sbir.gov/foreign_disclosures, and agencies point applicants there.

Be honest with yourself here, but do not over-panic. A German investor or a Canadian co-founder is foreign, but ties to those countries do not carry the same statutory weight as ties to a country of concern. Disclose everything; the weight of each disclosure is not equal.

The 20-question SBIR foreign ownership screening self-assessment

Answer each question yes or no. Count every "yes" as a flag. Each question maps to a statutory assessment area so you can see exactly what it is testing.

A. Ownership and control (4 questions)

  1. Is any single foreign person or foreign entity holding 10% or more of your equity? (Foreign ownership. The 10% mark is a Cada triage heuristic to decide what is worth disclosing, not a legal line. The statute screens on "active" or "ongoing" relationships, not a fixed equity percentage, so do not assume you are clear just because you are under 10%.)
  2. Does any foreign investor have board control or protective provisions that let them block or direct major decisions? (Foreign ownership and control)
  3. Is your company a subsidiary of, or majority-owned by, an entity headquartered in a country of concern? (Foreign ownership -- usually blocking)
  4. Do you have an active joint venture or formal partnership with an entity based in a country of concern? (Business relationships)

B. Investors and financial ties (4 questions)

  1. Do any of your investors have limited partners or funding sources based in a country of concern that you cannot rule out? (Investment relationships)
  2. Does your company carry debt, a convertible note, or a financial obligation owed to a foreign person or entity? (Foreign financial obligations)
  3. Have you received grant funding, a prize, or a contract from a foreign government in the last 5 years? (Foreign financial obligations)
  4. Do you have a technology licensing agreement, inbound or outbound, with a foreign entity? (Technology licensing)

C. Patents and intellectual property (4 questions)

  1. Have you filed any patent in a country of concern? (Patent analysis)
  2. Did you file a patent abroad before filing the equivalent in the US? (Patent analysis -- a specific trigger)
  3. Is any of your core IP assigned to, co-owned with, or licensed from a foreign entity? (Patent analysis)
  4. Was any foundational research for your technology conducted at a foreign institution? (Patent and employee analysis)

D. People and affiliations (4 questions)

  1. Does any covered individual hold a funded or unfunded appointment (including adjunct, visiting, or honorary) at a foreign government or government-owned institution? (Employee analysis)
  2. Has any covered individual participated in a foreign talent recruitment program? (Employee analysis -- can be blocking)
  3. Is any covered individual a current employee or contractor of a foreign company or foreign government? (Employee analysis)
  4. Do you have key technical personnel located outside the US? (Employee analysis)

E. Cybersecurity practices (4 questions)

  1. Do you lack a written information-security or data-safeguarding policy? (Cybersecurity practices)
  2. Do you store source code, research data, or design files on systems hosted or controlled by a foreign provider? (Cybersecurity practices)
  3. Have you skipped a basic cybersecurity self-assessment (for example, the kind DOE now requires of Phase II applicants)? (Cybersecurity practices)
  4. Do remote team members in other countries have access to your core technical systems? (Cybersecurity practices)

How to score your SBIR foreign ownership risk

Add up your flags. The bands are a triage tool, not an eligibility verdict.

0 to 2 flags: low risk. You will still complete the disclosure form, but your profile is clean. Submit on your normal timeline and disclose accurately.

3 to 5 flags: build a disclosure package first. None of these are automatically fatal, but the agency will ask questions. Prepare written explanations for each flag before the Just-In-Time stage, not during it.

6 or more flags: get expert help, and consider restructuring. At this level, the risk of denial or long delay is real. Some flags (a controlling subsidiary in a country of concern, a covered individual in a talent recruitment program) may need to be resolved, not just disclosed, before you apply.

Two important caveats. First, a single blocking flag (questions 3, 4 in some cases, or 14) can outweigh a low total count. Second, scoring is qualitative by design: the statute uses "active" and "ongoing" relationships as the trigger, not dollar thresholds or fixed percentages, so judgment matters. The 10% equity figure in question 1 is a practical screening convention to flag what to disclose, not the legal standard.

What happens if you get flagged: the disclosure process

Disclosure runs through a form, usually titled the "Required Disclosures of Foreign Affiliations or Relationships to Foreign Countries Form," collected at or near the Just-In-Time stage. At NIH, if you do not submit it, you are not considered for funding. It is not optional.

The hard part: in most agency processes there is no opportunity to cure. If the agency decides your application presents a disqualifying risk, you typically receive notice of the denial category, not the specific finding. The 2026 Act (S.3971) does require agencies to notify you that a denial was based on a security determination and to identify the basis, which is more transparency than founders got before, but it is still not a negotiation.

One piece of good news: a denial on security grounds does not bar you from applying again. If you restructure or resolve the issue, you can come back.

After an award, the obligations continue. Recipients generally submit updated disclosures every year with their progress report, and report material changes (ownership, entity structure, covered individuals) within 30 days. Material misstatements can trigger repayment of funds, so accuracy at the front end protects you later.

What to do before you submit

Five steps, in order:

  1. Inventory your covered individuals. List everyone who touches the science, not just the founders. For each, note citizenship, visa status, and any foreign institutional appointments.
  2. Pull your patent filing history. Note every jurisdiction and every filing date. Flag anything filed abroad before its US equivalent.
  3. Map your cap table to countries. Identify every investor and, where you can, their funding sources. Mark any tie to a country of concern.
  4. Run a cybersecurity self-assessment. Write down where your data lives, who can access it, and what your safeguarding policy is. If you do not have a policy, that is itself a flag worth fixing.
  5. Draft your disclosures early. Write the explanation for each flag now, calmly, instead of under deadline pressure at Just-In-Time. A well-explained foreign tie reads very differently from a tie the agency discovers on its own.

Frequently asked questions

Does a foreign investor make me ineligible for SBIR?

No. A minority foreign investor does not break the 51% eligibility rule as long as US citizens or permanent residents still own and control more than half the company. A foreign investor is a disclosure item under the screening, not an automatic disqualifier. Ties to a country of concern carry more weight than ties to allied countries.

Can I get an SBIR on an H-1B or O-1 visa?

Eligibility centers on company ownership, not the founder's visa, and SBIR does not require the principal investigator to be a US citizen at most agencies (NSF is the notable exception, requiring a US citizen or permanent resident PI). Your visa status itself is not disqualifying. It can, however, be relevant to the screening if it connects to a country of concern.

Do I have to disclose a patent filed in another country?

Yes. Patent filings are one of the four statutory assessment areas. You disclose foreign filings, and filing in a country of concern, or filing abroad before filing in the US, is a specific trigger for additional review. Allied-country filings are still disclosed but carry less weight.

What counts as a "country of concern"?

In current federal practice the countries of concern are China, Russia, Iran, and North Korea. The authoritative, updatable list lives at sbir.gov/foreign_disclosures. Ties to other foreign countries are disclosed but do not escalate review the same way.

Will the screening delay my award?

It can. The screening runs separately from merit review, and a clean disclosure usually moves through without much friction. A profile with several flags can add review time. Preparing your disclosures before Just-In-Time is the single best way to avoid a last-minute scramble.

Can I fix a problem after I get flagged?

Usually not in the same cycle. Most agency processes do not offer a chance to cure within the review. But a security denial does not bar future applications, so resolving the issue and reapplying is a real path.

Where this leaves you

If you scored 0 to 2 flags, you mostly need to disclose accurately and move on. If you scored 3 or more, the question has shifted. It is no longer "am I eligible." It is "how do I present my disclosures so that a manageable risk does not read as a fatal one." That framing is the difference between a delayed award and a denied one.

That is the part Cada does for a living. We run the screening triage, build the disclosure package, and, where a flag needs to be resolved rather than explained, help you decide whether restructuring is worth it before you commit 40 to 80 hours to an application.

If you scored 3 or more flags on this self-assessment, book a free 15-minute eligibility and screening triage call. We will tell you which flags are disclosure items, which are real problems, and whether you are positioned to win. No pitch, no obligation.

Want the fillable version? Download the SBIR Foreign Ownership Screening Worksheet, the same 20 questions with a scoring sheet and a disclosure-prep template you can fill in before Just-In-Time.

This guide reflects the SBIR/STTR foreign-risk due diligence framework as implemented in 2026. Agency procedures are still evolving, and the authoritative source for any specific program is that agency's solicitation and the disclosure guidance at sbir.gov/foreign_disclosures. For a related breakdown of the baseline rules, see Cada's SBIR Eligibility Database.

Ready to explore your funding options?

We'll map your technology to the most relevant programs and tell you where to start. 15 minutes, no obligation.

Book Strategy Review

Related Articles

DOD SBIR vs. BAA vs. CSO: Defense Funding Vehicles Explained for Startup Founders
SBIR/STTR

DOD SBIR vs. BAA vs. CSO: Defense Funding Vehicles Explained for Startup Founders

Founders see 'DOD funding' as one thing. It is actually at least five vehicles -- SBIR, STTR, BAA, CSO, and the Other Transaction agreements CSOs produce -- each with different eligibility, award sizes, timelines, and competition levels. This guide breaks down all five with a comparison table, a map of which DOD component uses which vehicle, and a decision framework to pick the right entry point for your stage and technology.

Why STRATFI Packages Get Rejected: 7 Failure Modes and How to Avoid Them
SBIR/STTR

Why STRATFI Packages Get Rejected: 7 Failure Modes and How to Avoid Them

STRATFI puts $3M to $15M of matched SBIR funding behind an Air Force technology, but most rejected packages fail for reasons that have nothing to do with the tech. This guide breaks down the 7 failure modes, from a missing Government POC to soft matching capital, plus the sourcing dynamics no agency PDF explains.

SBIR Reauthorization 2026: What Changed and What Founders Must Do Now
SBIR/STTR

SBIR Reauthorization 2026: What Changed and What Founders Must Do Now

Congress reauthorized SBIR and STTR through September 30, 2031 with S.3971, signed into law April 13, 2026 -- but four things changed. This founder action guide breaks down the new $30M Strategic Breakthrough Award, the FY2027 proposal caps, the tougher foreign-risk reviews, and expanded TABA funding: what changed, who it affects, what to do, and by when.