NIH Turns Small Business Science Grants Into a Security Checkpoint, With Too Little Due Process
United States – April 21, 2026 – NIH just made SBIR and STTR grants a national-security checkpoint, and the black-box denials could chill real innovation.
I read NIH’s latest notice the way you read a court docket in a quiet library: not for entertainment, but because it tells you who holds the keys. SBIR and STTR still promise non-dilutive funding for real science. Now they also come with a foreign-risk screening process that can end in a denial you cannot rebut before it is final.
What NIH changed, and when
On April 20, NIH issued a notice outlining changes to SBIR and STTR foreign disclosure and risk management. NIH ties the update to the Small Business Innovation and Economic Security Act, which NIH says President Trump signed on April 13, 2026. NIH says the law reauthorizes SBIR and STTR through September 30, 2031, and the notice spells out how the foreign-risk machinery will work for competing applications and proposals, and for active awards.
The new screen: broad, and aimed beyond the CEO
NIH emphasizes an HHS “due diligence program” that assesses security risks posed by applicants. As described, it can examine cybersecurity practices, patent analysis, employee analysis, foreign ownership and financial ties, foreign affiliations of key people, investment relationships involving a foreign country of concern, technology licensing or joint ventures with such parties, and other business relationships involving covered individuals and owners.
The notice also tightens who counts as a “covered individual”: anyone contributing in a substantive, meaningful way to the scientific development or execution of the project, or identified as senior key personnel. Translation: this can land on a principal investigator or scientist, not just executives.
The headline in the footnotes: denial without a chance to respond
NIH says HHS cannot make an SBIR or STTR award if it determines an applicant has certain relationships, including:
- An owner or covered individual involved with a malign foreign talent recruitment program.
- A business entity, parent company, or subsidiary located in the People’s Republic of China or another foreign country of concern.
- An owner or covered individual with a foreign affiliation with a research institution located in the PRC or another foreign country of concern.
NIH also describes denial triggers tied to entities or individuals on several government lists, and a category where the security risk has a primary source that is classified. NIH says HHS will not give applicants an opportunity to address identified security risks prior to award. You may be told which denial category applied, but not given a pre-award chance to argue your case.
After the award: monitoring, fast updates, and repayment risk
Recipients must monitor relationships with foreign countries of concern and submit updated disclosure forms for certain changes, including annual updates tied to research performance reporting. For certain changes between reports, NIH says updates are required within 30 days. NIH says if NIH, CDC, and FDA determine there was a material misstatement posing a national security risk, or a change in ownership or structure that poses such a risk, the small business concern can be required to repay all amounts received.
The tradeoff (and the Paine test)
Yes, public dollars and sensitive tech justify scrutiny. But the liberty ledger matters: a system that can deny funding without a pre-award response, including on classified-source risk, concentrates power behind a curtain. Guardrails NIH could pair with this approach are already obvious in plain text: an appeal lane with a real timeline, a process to cure fixable mistakes before denial, aggregate public reporting on denials and reversals, regular audits by inspectors general and Congress, and an independent reviewer when classified sources are involved.
We can defend the country without building a grants system that behaves like a secret proceeding. If this black box is acceptable here, where else will we install it next?