FAR SBIR Data Rights Clause Remains Unchanged After Overhaul – The SBIR/STTR 20-Year Protection Period Applies Anyway

     In its overhaul of FAR Part 27, the FAR Council, unfortunately, made no changes to the outdated 4-year SBIR/STTR protection period contained in the FAR SBIR data rights clause at 52.227-20.  The SBIR/STTR protection period is a unique and important aspect of the SBIR/STTR Program because it defines the period in which the federal government’s otherwise expansive rights in technical data and computer software generated under a government contract remain restricted.  The FAR Council’s failure to update FAR 52.227-20 to reflect the current 20-year minimum protection period in the SBIR/STTR policy directive - as DoD did to its SBIR data rights clause at DFARS 252.227-7018 - was a missed opportunity to dispel confusion and a persistent notion that there are two different protection periods under the SBIR/STTR Program.  But as explained below, notwithstanding the conflicting provisions in FAR and DFARS, there is only one protection period authorized for the SBIR/STTR Program - the 20-year protection period set out in SBA’s SBIR/STTR policy directive.

The SBA Has Exclusive Authority To Develop SBIR Program Rules

     When Congress creates a federal program it often delegates to a federal agency the authority to create rules for the program.  In Section (j) of the Small Business Act, Congress gave the SBA the exclusive authority to establish the general rules for the SBIR/STTR Program.  Consequently, no other federal agency including DoD, GSA, NASA, OFPP/OMB  - or, collectively, all of them as the FAR Council - has authority to set the rules for the SBA’s SBIR/STTR Program.

     Although Congress typically directs agencies to issue rules in federal regulations, with respect to the SBIR/STTR Program, Congress chose instead to require the SBA to issue “policy directives” that contain the program's general rules.  In other words, Congress made it clear that the definitive rules for the SBIR/STTR Program should be found in the SBA’s policy directives and, thus, not in any regulations, including those issued by other agencies.

The Policy Directive Sets The Definitive SBIR/STTR Protection Period

     Having required placement of the SBIR/STTR Program rules in the SBA’s policy directives, Congress went one step further and instructed the SBA to provide in its policy directives an SBIR/STTR  protection period of not less than 4 years.

     In 2019 the SBA revised its SBIR and STTR policy directives to state that the SBIR/STTR protection period begins on the award date and ends twenty years, or longer at the discretion of the SBIR/STTR agency, from that date.  The revised policy directives also provide that an alternative protection period can only apply if, after award, the SBIR/STTR agency and the SBIR/STTR small business negotiate a different protection period.  In sum, as of 2019, the only congressionally authorized SBIR/STTR protection period is the minimum 20-year protection period found in the SBA’s policy directives.

So What About The FAR & DFARS SBIR Data Rights Clauses?

     The FAR and DFARS SBIR data rights clauses issued by the FAR Council and DoD serve to provide notice to contractors and agencies of the SBIR/STTR protective period, but they do not establish the protective period for the SBIR/STTR program and they cannot change the protection period set in the SBIR/STTR policy directive by the SBA.   This is because, as mentioned, only the SBA has authority to establish the SBIR/STTR protection period and it must be set out in the SBA's policy directives.  To the extent any agency (or clause issued by an agency) that is not the SBA imposes a mandatory protection period that conflicts with the SBA's policy directive, the agency action is unauthorized and any conflicting protection period is susceptible to a challenge that it is unenforceable.

     In 2020, DoD issued a class deviation adopting the SBA policy directive’s 20-year protection period and requiring contracting officers to use that protection period in lieu of the protection period defined in the existing DFARS clause 252.227-7018.  At the time of the 2020 class deviation, the DFARS clause defined the protection period to begin upon contract award and to end 5 years after completion of the SBIR/STTR project.  More recently, in January 2025, DoD revised DFARS 252.227-7018 to adopt the policy directive’s definition of the SBIR/STTR protection period - i.e., at least 20-years unless negotiated by the SBIR/STTR agency and the small business after award.

     The FAR clause at 52.227-20, on the other hand, has not yet been updated to incorporate the SBA’s minimum 20-year protection period.  Rather, it still provides a mandatory 4-year protection period that commences after deliverables have been accepted.  Until 2019, this mandatory 4-year protection (and, for that matter, the now-rescinded 5-year protection period under DFARS) complied with the SBA’s policy directives because the pre-2019 policy directives instructed SBIR/STTR agencies to provide an SBIR/STTR protection period of not less than 4 years from the date of the last deliverable and gave SBIR/STTR agencies discretion to adopt protection periods longer than 4 years.  

     The 2019 revisions to the SBIR and STTR policy directives, however, removed any discretion on the part of SBIR/STTR agencies to impose their own protection periods and, instead, provide a uniform protection period that can be imposed by agencies under the SBIR/STTR Program – namely, a protection period of at least 20 years from the date of award.  In addition, addressing SBIR/STTR data rights specifically, the SBA's updated policy directive states explicitly that solicitation and funding agreement provisions and clauses must implement policy directive requirements.  It also states that solicitation clauses must reflect the key elements contained in the sample data rights clause that is attached to the updated policy directive and that specifies the 20-year protection period.  The SBA, in fact, is required under the policy directive to report to Congress any attempt by a federal agency to condition an SBIR/STTR award on lesser data rights or to exclude an appropriate data rights clause from an SBIR/STTR award.

So What Should SBIR Contractors Do?

     If a solicitation for an SBIR/STTR contract or funding agreement incorporates FAR 52.227-20 without explicitly identifying a mandatory protection period of at least 20 years, SBIR companies should consider submitting appropriate pre-bid questions in order to obtain agency clarifications or acknowledgments that the applicable SBIR/STTR protection period will be at least 20 years.

     As for contracts or funding agreements that have already been awarded, on its SBIR/STTR Program website, the SBA provided informal guidance addressing directly the conflict between FAR 52.227-20  and the 20-year protection period under the SBIR/STTR policy directive and gave instructions that SBIR/STTR agencies and awardees should follow:

• SBIR/STTR awardees should check their funding agreements before signing them to ensure the agency has included the 2019 revisions in the proposed agreement. 

• Agencies should include special language that acknowledges and affirms application of the sample policy directive data rights clause and the SBIR/STTR policy directive.

• SBIR/STTR awardees should report a failure of an SBIR/STTR agency to do so immediately to SBA.

     For more information and news about the SBIR/STTR Program, go to our GovCon SBIR Hub.