As of January 17, 2025, the Department of Defense’s data rights regulations and contract clauses look a little different, yet substantively very little has changed. The update is to formally incorporate changes the Small Business Administration made to its Small Business Innovation Research (SBIR) and Small Business Technology Transfer (STTR) programs in 2019. Previously, SBIR/STTR contractors could assert restrictions on the Government’s rights in SBIR/STTR data until five years after the final deliverable was submitted on the final contract for the relevant SBIR/STTR project – an SBIR/STTR protection period that could run indefinitely, as long as the contractor continued to win Phase III awards. Following SBA’s 2019 policy change, that protection period runs a fixed 20 years from the award of the specific SBIR/STTR contract under which data were developed or generated.
DoD has already been following this change for years through a class deviation, which was always intended as a stopgap until similar changes could be implemented into the DoD Federal Acquisition Regulation Supplement (DFARS). Although the final version of the regulatory update does not include any drastic changes, it provides clarity on some important issues and offers a good opportunity to revisit common questions related to SBIR/STTR data rights.
1. What are the SBIR and STTR programs?
The SBIR and STTR programs promote the award of federal funding to small businesses for early‑stage research and development efforts. They operate in three phases: Phase I contracts cover concept development and are relatively small in size; Phase II contracts move into prototype development and can be up to $2 million or more; and Phase III is for production and commercial application of the technology without any dollar limit.
Phase I and II contracts are funded out of portions of an agency’s budget that are specifically earmarked for the SBIR and STTR programs, and thus may only be awarded to eligible small business concerns.[1] Phase III contracts are funded by other sources and do not carry the same size or eligibility requirements. The only criterion for a Phase III contract is that the contractor must have been awarded a Phase I or Phase II contact itself or be a successor-in-interest to such an award.
Phase III contracts may be awarded on a sole-source basis for any work that derives from, extends, or completes efforts made under a Phase I or Phase II contract. And although SBIR/STTR Phase I and Phase II contracts may only be awarded by federal agencies that participate in the SBIR/STTR programs, Phase III contracts can be awarded by any government agency or even by a prime contractor as a directed subcontract. This sole-source authority makes Phase III contracts—and the potential to secure them by having a prior Phase I or Phase II contract—extremely valuable.
2. What are SBIR/STTR data rights?
In addition to sole-source Phase III contracts, another key benefit of the SBIR/STTR programs is the ability to assert SBIR/STTR data rights. This allows the SBIR/STTR contractor to restrict the Government from sharing proprietary data related to SBIR/STTR technologies outside of the Government until the expiration of the SBIR/STTR protection period. Although the statutory authority for sole-source Phase III awards is independent from these SBIR/STTR data rights—and thus extends perpetually beyond any SBIR/STTR protection period—the ability to assert SBIR/STTR data rights can further cement a contactor’s competitive advantage and sole-source posture for a given technology.
SBIR/STTR data rights apply to technical data and computer software developed or generated under an SBIR/STTR contract. (More on that point below.) They are the equivalent of “limited rights” in technical data and “restricted rights” in computer software for the duration of the applicable SBIR/STTR protection period, after which the Government obtains a broad “government purpose rights” or “unlimited rights” license. For SBIR/STTR contracts awarded prior to 2019, this protection period ran for up to four years (at civilian agencies) or five years (at DoD) after the last deliverable was delivered under the last contract for a particular SBIR/STTR project, at which point the Government obtained unlimited rights in the data. This practice of continually extending the protection period through successive SBIR/STTR contract awards was commonly known as “daisy-chaining” SBIR/STTR rights. For contracts awarded after the 2019 policy change, there is no such daisy-chaining; the protection period runs a set 20 years from the date of award (unless a different period is negotiated), after which the Government obtains government purpose rights.[2]
For the duration of the SBIR/STTR protection period, the Government may use technical data and computer software internally, but it may not release or disclose the data outside of the Government (with a few limited exceptions). Once the Government obtains government purpose rights in data, it can release or disclose the data to any third party for any government purpose—generally any purpose that is not commercial in nature. With unlimited rights, there are no restrictions on what the Government can do (or authorize third parties to do) for any purpose, including commercial purposes. In either case, the Government can release data to a contractor’s competitors for purposes of competitive reprocurement, undercutting the contractor’s ability to maintain its sole-source posture with respect to the technology. As mentioned above, there is still a statutory basis for the Government to make sole-source SBIR/STTR Phase III awards if it wants to, but it is more difficult for a contractor to prevent the Government from holding a competition.
3. How do I assert SBIR/STTR data rights?
As with all data rights assertions, there are three critical steps contractors must take to protect their rights: (1) timely assert data rights restrictions in proposals and make sure they are incorporated into the contract; (2) mark all data with the appropriate markings provided in the FAR or DFARS prior to delivery; and (3) maintain adequate written records demonstrating development at private expense or under a SBIR/STTR contract.
This brings us to the first noteworthy change in DoD’s new SBIR/STTR rule. Previously, SBIR/STTR data expected to be developed or generated under an SBIR/STTR contract were exempt from the requirement to assert data rights restrictions in proposals prior to award, on the understanding that all data generated or developed under the resulting SBIR/STTR contract would be subject to SBIR/STTR data rights. DoD has revised solicitation clause DFARS 252.227-7017, “Identification and Assertion of Use, Release, or Disclosure Restrictions,” to remove the exemption for SBIR data and replace it with an express requirement that contractors identify “SBIR/STTR data that will be generated under the resulting contract and will be delivered with SBIR/STTR data rights.”
Oddly, DoD did not make a similar change in DFARS 252.227-7018, “Rights in Other Than Commercial Technical Data and Computer Software—Small Business Innovation Research Program and Small Business Technology Transfer Program,” which continues to say the requirement to identify data rights assertions in the contract “does not apply to technical data or computer software that were or will be generated under this contract.” It is unclear whether this was an oversight or intentional, but in any case, contractors should err on the side of caution and identify forward-looking SBIR/STTR data rights assertions in their proposals and contract data rights assertions tables. The clauses permit additional assertions to be made later if based on new information or inadvertent omissions (as long as the inadvertent omissions would not have materially affected the source selection decision), but contractors should not rely too heavily on their right to do so as an excuse for not paying close enough attention on the front end.[3]
It is equally if not even more critical that SBIR/STTR contractors mark data prior to delivery using the specific legends prescribed in the FAR or DFARS, as applicable. It has long been established that DoD can and will presume it has unlimited rights in unmarked data. Contractors may request permission to fix inadvertently unmarked data; but they must do so within six months (or be granted an extension), and even then, the contracting officer is only encouraged, not required, to grant permission, and only if data have not been distributed outside of the Government or were distributed with restrictions on further use or disclosure. The contractor must also clear the Government of any liability for disclosure or use of the data prior to adding the marking or resulting from its omission. These rules and procedures have existed for years in the prescriptive provisions of the DFARS, and DoD’s new rule moves them into the DFARS data rights contract clauses themselves for added enforceability.
4. Which SBIR/STTR protection period applies?
Whether the old daisy-chaining protection period or the new 20-year rule applies is governed by the particular clause in the relevant SBIR/STTR contract. When SBA published its new rule in 2019, it was adamant that it did not intend to have any retroactive effect on SBIR/STTR contractor’s rights under existing SBIR/STTR contracts. Many questioned how this would operate practically for ongoing SBIR/STTR projects, which may involve contracts awarded with the old clause and contracts awarded with the new one. In its new rule, DoD admirably attempts some guidance in a new section added to its Procedures, Guidance, and Information (PGI).
As DoD explains in PGI 227.7104-2, the answer to this question lies in the first contract under which SBIR/STTR data are either developed or generated. DoD offers three illustrative examples. If SBIR/STTR data were first generated under a contract with the old daisy-chaining rule and then redelivered under a subsequent contract subject to the 20-year rule, the daisy-chaining rights that vested under the first contract still apply and may continue to extend indefinitely by way of subsequent SBIR/STTR awards. On the other hand, if SBIR/STTR data are delivered under a contract subject to the new 20-year rule and then redelivered under a subsequent contract also subject to the 20-year rule, there is no extension of the protection period—it expires 20 years after award of the first contract under which the data were generated. Finally, if SBIR/STTR data are generated under one contract and then modified before delivery under a subsequent contract, the portions of the SBIR/STTR data that were delivered under the prior contract will be subject to the protection period that applied to that contract, whereas the newly developed portions will be subject to the protection period that applies to the new contract under which they were developed and delivered.
A close reader will notice some ambiguities present in these examples, mostly arising out of the seemingly interchangeable use of the terms “developed” and “generated,” which, at least for IP lawyers and readers of the DFARS, do not mean the same thing. To be fair, this is not DoD’s fault—it is an unfortunate byproduct of Congress’s using “developed” when drafting the data rights statutes and “generated” when establishing the SBIR/STTR programs. For purposes of the data rights regulations, items, components, processes, and software are “developed”—i.e., constructed, practiced, or operated in a computer and sufficiently analyzed or tested to demonstrate to reasonable people skilled in the applicable art that there is a high probability that it will operate as intended—while data are “generated,” or “first created,” i.e., fixed in some medium like a spreadsheet or PDF. In most cases, the Government’s rights in data depend on when the item, component, process, or software that the data relate to was developed (and who paid to get it there), not when the data themselves were generated. That is, if a contractor constructs and tests a prototype for the hull of a ship with its own private expense and then draws up a blueprint for that hull under a government contract, the government does not have unlimited rights merely because it paid for the blueprint drafting; rather, the contractor can assert limited rights in those data based on its development of the underlying item—the hull—exclusively at private expense.
For SBIR/STTR contracts, SBA and DoD have been forced to incorporate the concept that rights instead are determined based on when data are generated. Fortunately, rather than scrap the fundamental data rights rules, they have elected to broaden the applicability of SBIR/STTR data rights to any data that are “developed or generated” under an SBIR/STTR contract. Although it is not clear what it means for data to be “developed” in this context, one may reasonably assume it means the underlying item, component, process, or software has been developed. Thus, to give the disjunctive “developed or generated” its full effect, the applicable SBIR/STTR protection period can be determined based on either the SBIR/STTR contract under which an item, component, process, or software was developed or the SBIR/STTR contract under which the data themselves were generated. So, if an item was developed under a contract subject to the old daisy-chaining rule, the contractor reasonably should be entitled to continue to assert SBIR/STTR restrictions on related data indefinitely through the full daisy-chaining period, even if data are subsequently generated under a contract subject to the new 20‑year rule. That is the only way to honor SBA’s assurance that its rule change did not have retroactive effect. But what if an item is developed under the new 20-year rule and the data are generated under a subsequent contract also subject to the 20-year rule? There is a good argument that those data are now subject to a renewed 20-year protection period. DoD’s rulemaking declines to take a position on either of these hypothetical scenarios.
In all events, for SBIR/STTR contracts and other government contracts alike, contractors should keep in mind that the Government’s rights in data are determined at the lowest practicable level and development often occurs well before an item, component, process, or software has reached the level of maturity necessary for commercial sales or full-rate production. Simply because the Government has funded some modification to an existing item, component, process, or software does not mean the Government will have greater rights in related data unless the modification constitutes its own segregable item, component, process, or software, or results in development of a new item, component, process, or software that achieves results beyond what a reasonable person skilled in the applicable art would expect with a high probability from the preexisting item, component, process, or software.
5. Do the SBIR/STTR data rights clauses apply to my SBIR Phase III contract or subcontract?
Yes. This has been clear from SBA’s SBIR Policy Directive for many years, and DoD’s new rule leaves no doubt in DFARS 227.7104-1(d). For purposes of SBIR Phase III subcontracts, the updated regulations further clarify that contracting officers should incorporate DFARS 252.227-7018 (along with other applicable data rights clauses) into the prime contract for purposes of flowdown to the SBIR/STTR Phase III subcontractor.
6. Can the Government require me to give up my SBIR/STTR rights as a condition of award?
No. DoD has reiterated in its new rule that, as with limited or restricted rights assertions, a contracting officer may not require contractors to forgo assertions of SBIR/STTR data rights as a condition of contract award. The new rule also clarifies that the Government and an SBIR/STTR contractor may not negotiate special license rights that deviate from SBIR/STTR data rights until after award, to ensure fair competition and prevent contracting officers from using their ability award contracts to coerce SBIR/STTR contractors to cough up greater rights.
[1] To be eligible, a concern generally must (1) have less than 500 employees, and (2) be at least 50% directly owned and controlled by U.S. citizens or permanent resident aliens, or by another small business concern that is in turn directly owned and controlled by such individuals. 13 C.F.R. § 121.702. For certain agencies that have opted in, the SBIR program provides an exception to the latter requirement for firms that are 50% owned by multiple venture capital operating companies, hedge funds, or private equity firms. See 13 C.F.R. § 121.702(a)(1)(ii).
[2] The primary difference between unlimited rights and government purpose rights is that the former permits any use for any purpose whatsoever, while the latter is limited to use for any government purpose (i.e., no commercial use). Under either, the Government can share data for the purpose of competitive procurement.
[3] Some misguided government officials have argued that the Government is entitled to demand consideration for any new assertions, even those based on new information. Not only is there no legal basis for such extortion, but it is a clear violation of the DFARS, which states unambiguously, in several places, that the data rights clauses permit the contractor to make new assertions in such circumstances. DFARS 227.7103-3(b), 227.7103-10(a)(3), 227.7203-3(b), 227.7203-10(a)(3), 252.227-7013(f)(3), 252.227-7014(f)(3), and 252.227-7018(f)(3). To prohibit assertions based on new information during performance results in illegal effects, such as precluding new subcontractors from making assertions as a condition of subcontract award. Contra 10 U.S.C. § 3771(b)(8); DFARS 227.7103-15(d).
[View source.]
