SBIR Data Rights and IP Protection: What You Own, What the Government Gets, and How to Negotiate
March 24, 2026 · 11 min read
David Almeida
In 2009, a small defense contractor called Ervin & Associates delivered a set of technical drawings to the Army under a Phase II SBIR contract for an armored vehicle component. The drawings documented a design the company had spent three years refining -- geometry, materials specifications, tolerances, manufacturing processes. Eighteen months later, Ervin discovered those same drawings had been included in a competitive solicitation package sent to five large defense primes. The Army had treated the drawings as government property and distributed them freely, because the documents had been delivered without the required SBIR data rights legend.
Ervin sued. The Armed Services Board of Contract Appeals found that, in the absence of proper restrictive markings, the government had no obligation to treat the data as protected. The company lost not just the drawings but the competitive advantage those drawings represented in every future procurement involving that vehicle platform.
That case is not unusual. It is the predictable outcome of a system where $4.73 billion in annual SBIR/STTR funding comes with some of the strongest IP protections in federal contracting -- protections that evaporate the moment a contractor fails to follow the marking rules.
The Three Tiers of Government Access to Your SBIR Data
The SBIR data rights framework is not a single rule. It is a hierarchy of access levels, each defining how much the government can do with the technical data and software you produce under an SBIR contract. Understanding the hierarchy is the starting point for every IP decision you will make during and after your award.
Limited rights apply to technical data -- drawings, specifications, manuals, test results, manufacturing processes. During the SBIR data protection period, limited rights restrict the government to using your technical data internally for government purposes only. The government cannot release limited-rights data outside the government without your written consent. It cannot hand your schematics to a competitor. It cannot include your test data in a solicitation package. The data stays inside the government's walls.
Restricted rights apply to computer software -- source code, object code, algorithms, databases, documentation. Restricted rights are narrower than limited rights. The government can use restricted-rights software on one computer at one location. It cannot copy, modify, or distribute the software without your permission. If you deliver a prototype software tool under a Phase II SBIR, the government cannot install it on every workstation in the program office, let alone share the source code with a systems integrator.
Unlimited rights are what the government gets when no restrictions apply. Unlimited rights mean the government can use, reproduce, modify, release, and disclose the data or software to anyone, for any purpose, without your consent. This is the default for data that is not generated under an SBIR contract, data that has been publicly released, or -- critically -- data delivered without proper restrictive markings.
The governing regulations split across two frameworks. For Department of Defense contracts, the operative clause is DFARS 252.227-7018, last amended in a final rule effective January 17, 2025. For civilian agencies -- NIH, NSF, DOE, NASA -- the parallel clause is FAR 52.227-20. These two clauses should say the same thing. They do not, and that gap creates real problems for multi-agency contractors.
How the 20-Year Protection Clock Works
Before 2019, the SBIR data protection period was five years from the date of contract award. That five-year window came with a rolling extension mechanism: if the same technology appeared in a subsequent SBIR contract before the first protection period expired, the clock reset for another five years. There was no cap on rollovers. Some contractors maintained protection for 15 or 20 years by chaining Phase I and Phase II awards on related technology.
The SBA's May 2, 2019 policy directive eliminated the rollover and replaced it with a single 20-year protection period beginning on the date of contract award. DoD codified this in a December 2024 final rule (DFARS Case 2019-D043), effective January 17, 2025.
The arithmetic is straightforward. A startup that receives a Phase I SBIR award in March 2026 has its technical data and software protected through March 2046. Twenty years is enough time to build a company, establish commercial market position, license the technology, and pursue follow-on government contracts -- all without the government being able to share your proprietary data with anyone.
What happens after year 20 changed significantly under the 2025 DFARS amendment. Under the old rules, expiration of the protection period gave the government unlimited rights -- full freedom to use, copy, and distribute your data for any purpose. The new rule replaces unlimited rights with Government Purpose Rights (GPR) after the protection period ends. GPR allows the government to use the data and authorize third parties to use it for government purposes, but not for commercial exploitation. The government receives unlimited rights only in "form, fit, and function" data -- information describing what a component does and how it interfaces, but not how it works internally.
This is a meaningful improvement. A company whose SBIR-developed sensor technology enters the GPR period can still prevent the government from licensing its design specifications to a commercial competitor. The government can share the data with another contractor working on a government program, but not with a private-sector firm pursuing a commercial market.
The Marking Requirement That Destroys IP Positions
Every SBIR IP failure ultimately traces back to the same root cause: the contractor did not mark the deliverable. Unmarked data is treated as if the contractor granted the government unlimited rights. There is no intent analysis. There is no reasonableness standard. There is no presumption of protection. If you deliver a 200-page technical report to your contracting officer without the SBIR data rights legend, the government can distribute every page to anyone it chooses.
The required legend is not optional language you draft yourself. It is prescribed verbatim in DFARS 252.227-7018 for DoD contracts and FAR 52.227-20 for civilian contracts. The legend must include:
- The contract number under which the data was generated
- The name of the contractor
- The expiration date of the SBIR data protection period
- The specific restriction language from the applicable clause
The legend must appear on every deliverable. Technical reports. Briefing slides presented at program reviews. Software media. Hardware prototypes -- the legend must be physically affixed to the device or its packaging. Emails containing technical data sent to the program office. Interim progress reports. Test results. Draft specifications.
The marking requirement is where administrative process becomes IP strategy. Companies that treat marking as a compliance checkbox get it right most of the time and lose their IP the rest of the time. Companies that treat marking as a core business process -- with a designated reviewer, a checklist before every delivery, and a verification step in their document management system -- do not make the errors that end up before the Armed Services Board of Contract Appeals.
Under current DFARS rules, contractors who fail to mark or incorrectly mark SBIR data have six months from notification by the contracting officer to correct the markings. But this grace period requires the government to notify you of the deficiency, and the government has no affirmative obligation to do so. The grace period is a backstop, not a strategy.
Background IP: Drawing the Line Before the Contract Starts
Technology, data, and software that existed before your SBIR contract -- your background IP -- is not generated under the SBIR award and is not subject to the SBIR data rights clause. The government has no automatic license to your background IP simply because you used it in performing SBIR work. Your pre-existing algorithms, proprietary manufacturing processes, and patented technologies remain entirely yours.
The danger is that the line between background IP and foreground IP (data generated under the contract) blurs when it is not documented. If you bring a machine learning model you built before the contract into your SBIR project, train it on new data generated under the contract, and deliver the trained model to the government, is the model background IP or foreground IP? The answer depends on what you documented in your proposal and what you asserted in your data rights allocation.
Best practice is to include a background IP appendix in your SBIR proposal listing every pre-existing technology, dataset, algorithm, or trade secret you plan to use. Reference specific patent numbers, copyright registrations, or internal document identifiers. The more precise the inventory, the harder it becomes for a contracting officer to later argue that a particular technology was developed with SBIR funds.
Subcontractor IP adds complexity. If your Phase II includes a university lab or a specialized vendor, each subcontractor's background IP must be identified and protected separately. Federal law requires prime contractors to flow down data rights protections to subcontractors. Failing to do so does not just expose your subcontractor's IP -- it can compromise your own, because the government may claim broader rights to the integrated system than it would have to any individual component.
Patents vs. Data Rights: The Dual-Track Strategy
SBIR awardees retain title to any inventions created under an SBIR contract, subject to the Bayh-Dole Act (35 U.S.C. 200-212). The government receives a non-exclusive, royalty-free license to practice the invention for government purposes, but the patent belongs to the contractor. This is one of the most favorable IP arrangements in all of federal contracting.
But patent protection and data rights protection serve different functions, and pursuing one can undermine the other.
Filing a patent requires public disclosure. Once your patent application is published, the technical details describing your invention are available to anyone, including competitors. Data rights protection functions as a trade secret mechanism -- it prevents the government from disclosing your technical data to outside parties. A published patent renders that protection less meaningful because the information is already public.
The strategic answer for most SBIR firms is a dual-track approach. Patent the broadest inventive claims around what your technology does. Keep the most granular implementation details -- manufacturing calibration data, software architecture decisions, performance optimization parameters -- as trade secrets protected by SBIR data rights. The patent tells the world what the invention accomplishes. The data rights prevent the government from showing anyone how your specific implementation achieves it.
This dual-track approach requires discipline. Your patent application should disclose enough to secure the broadest defensible claims but not so much that it eliminates the value of your data rights protection. Patent counsel experienced in government contracting understands this balance; general-practice patent attorneys often do not.
How to Negotiate Data Rights in Your Proposal and Contract
SBIR data rights protections are statutory -- they attach automatically and do not require negotiation. But "automatic" does not mean "self-executing." There are five concrete actions that strengthen your IP position from proposal through contract closeout.
Assert your data rights in the proposal. Include a data rights section that identifies which deliverables will carry limited rights (technical data) or restricted rights (software), and which pre-existing technologies constitute background IP. Some solicitations include specific instructions for data rights assertions; follow them precisely. Where no specific instructions exist, include the assertion anyway.
Verify the correct DFARS or FAR clause appears in your contract. Before signing any SBIR contract, confirm that the data rights clause is DFARS 252.227-7018 (DoD) or FAR 52.227-20 (civilian), not the standard procurement clauses at DFARS 252.227-7013 (technical data) or 252.227-7014 (software). Standard clauses give the government broader rights. This error is especially common in Phase III contracts, where contracting officers unfamiliar with SBIR provisions default to their usual templates.
Negotiate supplemental protections when leverage permits. The statutory 20-year protection period is a floor, not a ceiling. In Phase III negotiations, where the government needs your technology and you are the sole qualified source, you can negotiate additional protections: restrictions on which government personnel can access your data, limitations on the government's right to authorize third-party use even for government purposes, or financial compensation if the government requests expanded license rights.
Document every disclosure. Maintain a log of every occasion when technical data or software is shared with the government, noting the date, recipient, contract reference, and applicable markings. This contemporaneous record is invaluable if a data rights dispute arises years later.
Carry protections forward into Phase III. The SBIR statute requires Phase III contracts to incorporate SBIR data rights protections from the underlying Phase I/Phase II awards, and DFARS 227.7104-1 also prohibits agencies from requiring contractors to relinquish data rights as a condition of award. If a contracting officer pushes back on including the SBIR clause in a Phase III contract, cite the regulation and escalate to the SBIR program manager.
The FAR Gap That Trips Up Civilian Agency Contractors
One regulatory problem has persisted for seven years without resolution. The FAR clause governing civilian agency SBIR data rights (FAR 52.227-20) still references the old four-year protection period, not the 20-year period established by the SBA's 2019 policy directive and codified in the 2025 DFARS amendment. DoD updated its clause. The FAR Council has not.
Legal analysis from practitioners including Amadeo Law confirms that the SBA directive controls regardless of the outdated FAR text -- the SBIR/STTR Policy Directive establishes a single program-wide protection period, and there is no authority for a civilian agency contracting officer to impose a shorter one. But the textual mismatch creates confusion at NIH, NSF, DOE, and other civilian agencies, where contracting officers may apply the clause as written rather than as superseded.
If your civilian agency SBIR contract references FAR 52.227-20 with a four-year protection period, raise the issue immediately. Point to SBA's SBIR/STTR Policy Directive, Section 8(b). Request a contract modification specifying the 20-year period. Put it in writing. The law supports your position, but written documentation prevents disputes from surfacing five or ten years later when institutional memory has faded and the contracting officer who understood the issue has moved to a different agency.
March-In Rights: Real Authority, Zero Precedent
The Bayh-Dole Act gives federal agencies "march-in rights" -- the power to require a contractor to license its SBIR-funded invention to third parties if the contractor fails to take effective steps to commercialize it. In theory, this is the government's override switch. In practice, it has never been used.
In more than 40 years since Bayh-Dole's enactment, no federal agency has exercised march-in rights. NIH has received multiple formal march-in petitions -- several involving pharmaceutical pricing disputes where activists argued that drugs developed with federal funding were being sold at prices limiting public access. NIH denied every petition.
For SBIR contractors, the takeaway is that march-in rights are a theoretical risk with no practical precedent, provided you are actively pursuing commercialization. The trigger for march-in is abandonment -- receiving SBIR funding to develop a technology and then neither commercializing it nor making it available to others who could. If you are selling products, licensing technology, or negotiating Phase III contracts, you are not the contractor march-in was designed to address.
That said, document your commercialization efforts. If a march-in petition were ever filed against an SBIR awardee, the defense would rest on evidence of active, good-faith commercialization -- and that evidence is much stronger when it exists in contemporaneous business records rather than reconstructed testimony.
The SBIR program's IP framework is arguably the most favorable in federal contracting -- contractors retain patent rights under Bayh-Dole, receive 20 years of data protection under the 2025 DFARS rules, and transition to Government Purpose Rights instead of unlimited rights when the clock expires. But those protections are worth nothing if you do not mark your deliverables, assert your rights in writing, and verify the correct clauses in every contract you sign.