The 20-Year Shield: How SBIR Data Rights Protect Your Innovation From the Government That Funded It

A defense contractor called Night Vision Systems once delivered a prototype of infrared goggles it had built under a Phase II SBIR contract to the Air Force. The goggles worked. The Air Force was impressed. And then the Air Force handed the prototype to a competitor, who reverse-engineered the design and won a manufacturing contract to produce the goggles at scale. Night Vision Systems lost the technology it had created with its own engineering talent, on its own timeline, using SBIR funding that was supposed to protect exactly this kind of outcome.

The company's fatal mistake was not a failure of engineering or commercialization strategy. It was a failure to mark the prototype with the correct data rights legend -- a few lines of prescribed text that would have legally prevented the Air Force from sharing the design with anyone.

That case has become the canonical cautionary tale in SBIR intellectual property law, and it illustrates a tension that runs through the entire $4.7 billion SBIR/STTR ecosystem: the federal government funds your research, but you own the results. The catch is that ownership means nothing if you do not understand the rules that enforce it.

What "Data Rights" Actually Means in SBIR Contracts

SBIR data rights are not patents. They are not copyrights, although they share DNA with both. Data rights govern the government's license to use, reproduce, modify, release, and disclose the technical data and computer software you produce under an SBIR contract. They are, in practice, the primary mechanism that prevents a contracting officer from taking the schematics you developed under a Phase I award and handing them to Lockheed Martin.

The governing framework splits across two regulatory regimes. For Department of Defense contracts, the operative clause is DFARS 252.227-7018, most recently amended in a final rule effective January 17, 2025. For civilian agencies -- NIH, NSF, DOE, NASA -- the parallel clause is FAR 52.227-20, which has not yet been formally updated to match the current SBA policy directive, creating a regulatory gap that trips up contractors working across both defense and civilian portfolios.

During the SBIR data protection period, the government receives two categories of restricted access. For technical data -- drawings, specifications, manuals, reports -- the government gets "limited rights," meaning it can use the data internally for government purposes but cannot release it outside the government without your written permission. For computer software -- source code, algorithms, databases -- the government gets "restricted rights," an even narrower license that limits the government to using the software on a single computer at a time and prohibits modification without consent.

These restrictions exist by default. You do not need to negotiate them into your contract. They are statutory protections that attach automatically to any data or software generated under an SBIR or STTR award, provided you follow one non-negotiable requirement: you mark your deliverables.

The 20-Year Clock and What Starts It

Until 2019, the SBIR data protection period was five years, counted from the date of contract award. But that five-year window came with a valuable loophole: if the same technology was referenced in a subsequent SBIR contract awarded before the first protection period expired, the clock reset for another five years, with no limit on how many times it could roll over. Some contractors maintained protection for decades by daisy-chaining Phase I and Phase II awards.

The SBA's May 2, 2019 policy directive eliminated the rollover provision and replaced it with a single, non-extendable 20-year protection period beginning on the date of award. DoD codified this change in its December 2024 final rule (DFARS Case 2019-D043), effective January 17, 2025.

The trade-off was explicit. Contractors gained certainty -- 20 years is substantially longer than any single five-year term -- but lost the ability to extend protection indefinitely. For a startup developing a sensor technology in 2026 under a Phase I SBIR, the protection period runs until 2046. That is long enough to build a company, achieve commercial traction, and establish market position. It is also long enough that many founders will have moved on before the clock expires.

What happens at year 21 matters, too. Under the old rules, expiration of the protection period gave the government unlimited rights -- full freedom to use, disclose, and distribute the data for any purpose, including handing it to your competitors. The 2025 DFARS amendment changed this. After the 20-year period, the government now receives Government Purpose Rights (GPR), not unlimited rights. GPR allows the government to use the data and authorize third parties to use it, but only for government purposes -- not for commercial exploitation. The government gets unlimited rights only in "form, fit, and function" data, which describes what a component does and how it interfaces, but not how it works internally.

This distinction is significant. A defense contractor whose Phase II software enters the GPR period can still prevent the government from licensing the source code to a commercial competitor. The government can share it with another defense contractor working on a government project, but not with a private-sector firm pursuing a commercial market.

The Marking Requirement That Destroys Companies

Every SBIR data rights tutorial starts here, and for good reason. The single most common way contractors lose their IP protection is by failing to stamp deliverables with the correct restrictive legend. Unmarked data is treated as if the contractor has granted the government unlimited rights. There is no presumption of protection. There is no "reasonable person" standard. If you deliver a technical report to your contracting officer without the SBIR data rights legend printed on it, the government can do whatever it wants with the contents.

The required marking language is prescribed verbatim in DFARS 252.227-7018 for DoD contracts and FAR 52.227-20 for civilian contracts. The legend must include the contract number, the contractor name, the expiration date of the protection period, and the specific restriction language from the applicable clause. It must appear on every deliverable -- reports, briefing slides, prototypes, software media, emails containing technical data sent to the program office.

The marking requirement extends beyond formal deliverables. If you present preliminary results at a program review and hand out printed slides, those slides need the legend. If you ship a hardware prototype, the legend needs to be physically affixed to the device or its packaging. The Night Vision Systems case was not an anomaly; it was a predictable consequence of a company treating physical deliverables differently from written documents.

There is a grace period. Under the current DFARS rules, contractors who fail to mark or incorrectly mark SBIR data have six months from notification by the contracting officer to correct the markings. But this grace period requires the government to notify you of the deficiency, which it has no affirmative obligation to do. Relying on the grace period is like relying on a smoke detector with dead batteries -- the protection exists in theory but may not activate when you need it.

The practical takeaway: build marking into your workflow as a non-negotiable step. Every document that leaves your organization for delivery to the government should pass through a review that confirms the SBIR legend is present, complete, and current. Some firms designate a "data rights officer" -- typically someone in contracts or legal -- who signs off on every deliverable before submission.

Background IP: What the Government Cannot Touch

Not everything you bring to an SBIR project belongs to the SBIR data rights framework. Technology, data, and software that existed before the contract -- your "background IP" -- is not generated under the SBIR award and therefore is not subject to the SBIR data rights clause at all. The government has no automatic license to your background IP simply because you used it in performing an SBIR contract.

This distinction creates both a protection and a trap. The protection is that your pre-existing trade secrets, proprietary algorithms, and patented technologies remain entirely yours. The trap is that if you fail to clearly delineate what is background IP in your proposal and in your IP allocation agreement, the line between background and foreground can blur, and the government may claim that data you consider proprietary was actually generated under the contract.

Best practice is to include a background IP appendix in your proposal that lists every pre-existing technology, dataset, algorithm, or trade secret you plan to use in the project. Reference specific patent numbers, copyright registrations, or internal document identifiers. The more precise the inventory, the harder it is for a contracting officer to later argue that a particular piece of technology was developed with SBIR funds.

Subcontractor IP adds another layer. If your Phase II project involves a university lab or a specialized vendor, each subcontractor's background IP must be identified and protected separately. Federal law requires prime contractors to flow down data rights protections to subcontractors. Failing to do so does not just expose your subcontractor's IP -- it can compromise your own, because the government may gain broader rights to the integrated system than it would have to any individual component.

Patents, Trade Secrets, and the Disclosure Paradox

SBIR awardees retain title to any inventions they create under an SBIR contract, subject to the Bayh-Dole Act (35 U.S.C. 200-212). The government gets a non-exclusive, royalty-free license to practice the invention for government purposes, but the patent itself belongs to the contractor. This is one of the most favorable IP arrangements in federal contracting, and it applies automatically -- you do not need to negotiate for it.

But patent protection and data rights protection exist in tension. Filing a patent requires public disclosure of how the invention works. Once that disclosure is published, the technical data describing the invention is no longer secret, and the data rights protection -- which functions like a trade secret shield -- becomes less meaningful. A competitor who reads your published patent application can learn the same information that your SBIR data rights legend was designed to keep confidential.

This creates a genuine strategic choice for every SBIR awardee. Patent protection lasts 20 years from the filing date and is enforceable against anyone who practices the invention without a license. Data rights protection lasts 20 years from the contract award date and prevents only the government from disclosing your technical data. If your primary competitive threat is commercial -- other companies entering your market -- a patent is the stronger shield. If your primary threat is the government sharing your design with a large defense prime, data rights are more directly protective.

Many sophisticated SBIR firms pursue both, but carefully. They patent the broadest possible claims around their invention while keeping the most granular implementation details -- manufacturing processes, software architecture, calibration data -- as trade secrets protected by SBIR data rights. The patent tells the world what the invention does; the data rights prevent the government from showing anyone how your specific implementation achieves it.

March-In Rights: The Threat That Has Never Materialized

The Bayh-Dole Act gives federal agencies "march-in rights" -- the authority to require a contractor to license its SBIR-funded invention to third parties if the contractor fails to take effective steps to commercialize it, or if the invention is needed to address health or safety needs that the contractor is not reasonably satisfying. In theory, this is the government's nuclear option: fund your research, then take your patent if you sit on it.

In practice, the nuclear option has never been launched. In more than 40 years since Bayh-Dole's enactment, no federal agency has ever exercised march-in rights. NIH has received six formal march-in petitions and denied every one. The most prominent cases involved pharmaceutical pricing disputes -- activists arguing that drugs developed with federal funding should not be sold at prices that limit public access. Even in those emotionally charged cases, NIH declined to march in.

For SBIR contractors, this history is reassuring but not a license to ignore the provision. March-in rights are most likely to be invoked when a contractor receives an SBIR award, develops a technology with clear government applications, and then neither commercializes the technology nor makes it available to others who could. If you are actively pursuing commercialization -- selling products, licensing technology, or negotiating Phase III contracts -- march-in rights are a theoretical risk with no practical precedent.

Phase III and the Negotiation You Should Not Skip

Phase III of the SBIR program is where data rights become most contentious. Phase III contracts are follow-on production, commercialization, or deployment contracts that derive from, extend, or complete work performed under Phase I or Phase II. They can be funded with non-SBIR dollars, awarded without competition, and -- critically -- they must include the SBIR data rights clause.

That last point is statutory, but it is also the one most frequently violated. Contracting officers unfamiliar with SBIR rules sometimes draft Phase III contracts using standard procurement data rights clauses (DFARS 252.227-7013 or 252.227-7014) instead of the SBIR-specific clause at DFARS 252.227-7018. The standard clauses give the government broader rights, and a contractor who signs without catching the substitution may inadvertently surrender protections that took years of SBIR development to earn.

The DFARS also provides that no agency can require a contractor to relinquish SBIR data rights as a condition of award -- a protection codified in DFARS 227.7104-1. But the regulation permits post-award negotiation of "special license rights" by mutual agreement. This means a contracting officer can ask you to grant broader rights after the contract is signed, and you can agree if the terms are favorable -- say, additional funding in exchange for expanded government access to specific technical data.

The negotiation leverage in these conversations is real. If the government needs your technology for a mission-critical application and you are the only contractor who can provide it, you have significant bargaining power. Use it to secure favorable terms: longer protection periods beyond the statutory minimum, limitations on the government's ability to share data with competitors, or financial compensation for any expanded license rights. The statutory floor is 20 years of limited/restricted rights; anything above that floor is negotiable.

Seven Mistakes That Cost SBIR Contractors Their IP

Drawing from the regulatory record and practitioner guidance published by Martensen IP Law, Crowell & Moring, and the SBA's own tutorials, here are the errors that most commonly destroy SBIR IP positions:

Delivering unmarked prototypes. Hardware is data, too. If you hand a physical device to the government without a restrictive legend, you have disclosed the design.

Using the wrong legend version. The marking language changed with the May 2019 policy directive and again with the January 2025 DFARS amendment. Using the pre-2019 legend on a post-2019 contract may not provide the intended protection.

Failing to identify background IP in the proposal. If you do not affirmatively list your pre-existing technology, the government may later claim it was developed under the contract.

Disclosing technical details in unsolicited communications. Emails, informal briefings, and conference presentations to government personnel can constitute voluntary disclosure of SBIR data, potentially waiving protection.

Ignoring subcontractor data rights. Your subcontractor's IP must be protected under your contract. Failure to flow down data rights protections exposes both parties.

Accepting non-SBIR data rights clauses in Phase III contracts. Always verify that Phase III awards include DFARS 252.227-7018 (DoD) or FAR 52.227-20 (civilian), not the standard procurement data rights clauses.

Filing patents without a complementary trade secret strategy. Patenting everything discloses everything. Keep implementation details as trade secrets protected by SBIR data rights, and patent only the broadest inventive claims.

The Regulatory Gap That Still Has Not Closed

One lingering problem deserves attention. The FAR clause governing civilian agency SBIR data rights (FAR 52.227-20) still reflects the old four-year protection period, not the 20-year period established by the SBA's 2019 policy directive and codified in the 2025 DFARS amendment. As legal analysis from Amadeo Law has detailed, the SBA directive controls regardless of what the FAR clause says -- there is only one protection period authorized for the SBIR/STTR program, and it is 20 years -- but the textual mismatch creates confusion for contracting officers at NIH, NSF, and DOE who may not be aware that their own regulatory clause is outdated.

If you receive an SBIR award from a civilian agency and the contract references FAR 52.227-20 with a four-year protection period, do not panic, but do raise the issue with your contracting officer. Point to the SBA's SBIR/STTR Policy Directive, Section 8(b), which establishes the 20-year floor. Request a contract modification that explicitly references the 20-year period. Document the conversation. The law is on your side, but clear documentation prevents disputes later.

The SBIR program obligated $4.73 billion in fiscal year 2022 alone, funding innovations in defense, health, energy, and agriculture. Every dollar of that funding comes with IP protections that are among the most favorable in federal contracting -- but only for contractors who understand the rules well enough to enforce them.

Granted indexes thousands of open SBIR and STTR solicitations across all eleven participating agencies, so you can find the right opportunity before spending a single hour on the wrong one.