Ensuring compliance with SBIR and STTR program requirements is crucial for small businesses to maintain eligibility and secure funding. Small businesses must primarily employ Principal Investigators, and most work must be conducted within the U.S., with foreign subcontractors requiring prior approval. Companies must protect data rights, submit timely certifications, adhere to federal cost principles, and ensure subcontractor compliance. Additionally, prioritizing American-made equipment, preparing for audits, reporting commercialization outcomes, and promptly reporting fraud are essential. Strict adherence to agency-specific rules further safeguards projects from funding disruptions and penalties.

Checklist Items

1. Eligibility and Size Standards: Maintain 500 or fewer employees (including affiliates) per 13 CFR Part 121. VC ownership may disqualify for some agencies (e.g., NSF). Non-compliance risks award termination.
2. Principal Investigator Employment: The PI must be primarily employed by the small business (SBIR) or the small business technology transfer (STTR) entity. Violations can suspend awards.
3. Work Performance Location: The majority of work must be U.S.-based; foreign subcontractors need approval. Non-compliance triggers audits.
4. Data Rights Protection: Protect SBIR/STTR Data for 4-5 years with proper markings. Errors risk IP loss.
5. Certifications and Reporting: Submit certifications at key milestones. Late or inaccurate submissions delay funding.
6. Cost Principles: Follow 2 CFR Part 200 for allowable costs. Misallocation leads to repayments.
7. Subcontractor Compliance: Ensure subcontractors meet federal rules (30% STTR work by research institution). Non-compliance risks findings.
8. American-Made Equipment: Prioritize U.S.-made products. Violations result in disallowed costs.
9. Audit Preparedness: Conduct audits if receiving over $750,000 annually. Poor records cause penalties.
10. Commercialization Reporting: Report outcomes post-award. Neglect affects future eligibility.
11. Fraud Reporting: Report fraud to OIG. Concealment risks debarment.
12. Agency-Specific Requirements: Comply with agency rules (e.g., DoD cybersecurity). Non-compliance halts funding.

These twelve items are just the beginning of an assessment of your compliance and audit readiness. Ultimately, compliance is transactional. It requires your organization to know what needs to be done and how to do it correctly. Additional resources and checklists are available from the DCAA.

References:

1. Small Business Administration. (2024). SBIR/STTR Policy Directive. https://www.sbir.gov/policy-directive
2. National Science Foundation. (2024). NSF SBIR/STTR Program Guidelines. https://www.nsf.gov/eng/iip/sbir/home.jsp
3. Code of Federal Regulations. (2024). 2 CFR Part 200 – Uniform Administrative Requirements. https://www.ecfr.gov/current/title-2/subtitle-A/chapter-II/part-200
4. National Aeronautics and Space Administration. (2025). NASA SBIR/STTR Program Solicitations. https://sbir.gsfc.nasa.gov/solicitations