Paul Netopski

FAR & DFARS: Procurement Power


SBIR Data Rights, CUI, and the 20-Year Defense IP Shift

Eric Marquette and Paul Netopski break down the new 20-year SBIR/STTR data protection period under DFARS, including the move to perpetual Government Purpose Rights after expiration. They also unpack the compliance realities of CUI, ITAR, NIST SP 800-171, and why small businesses must carefully manage markings, deliverables, and IP strategy from day one.

This show was created with Jellypod, the AI Podcast Studio.


Chapter 1

The SBIR/STTR Data Rights Shield

Eric Marquette

Welcome to the show everybody! I'm Eric Marquette, here with Paul Netopski. And Paul, let's skip the small talk and jump straight into a massive shift in how the Department of Defense is handling intellectual property with small businesses. There is a number that is going to redefine the landscape for defense contractors: twenty years.

Paul Netopski

Twenty years, Eric. That's the standardized data protection period established under the latest DFARS changes, specifically DFARS 252.227-7018. It completely swept away the old system where you had to daisy-chain five-year extensions every time you generated new SBIR or STTR data. It's now a single, non-extendable twenty-year clock starting right at the date of the phase one, two, or three award.

Eric Marquette

The simplicity is great, but here is what actually caught my attention. When that twenty-year clock runs out, the government doesn't just get unlimited rights. They transition to perpetual Government Purpose Rights, or GPR. That's a huge win for small business owners who used to face the cliff of unlimited rights.

Paul Netopski

It is a critical compromise, Eric. Under GPR, the government can release or disclose that technical data or computer software within the government, or to support contractors under nondisclosure agreements, for competitive procurement. But they cannot release it for commercial purposes. The small business retains its exclusive commercial edge indefinitely. It preserves the intrinsic commercial value of the IP while letting the DoD sustain the system.

Eric Marquette

So the business model is shielded. But let's talk about the operational reality of this. I hear this myth all the time from startup founders: "Because we have an SBIR contract, we have data rights, so we're set." But they mix up rights with physical deliverables.

Paul Netopski

That is one of the most dangerous misconceptions in federal contracting. Having data rights does not mean the government has a copy of your work, and conversely, the government cannot utilize its rights unless it explicitly orders and receives the physical data. If the government wants the data, they have to buy the deliverables.

Eric Marquette

"Possession is nine-tenths of the law," right? If it's not listed on a CDRL -- a Contract Data Requirements List -- paired with a specific DID, or Data Item Description, the government has no mechanism to force you to compile and deliver that software source code or CAD model later. It's what lawyers call an inchoate right. It's a right in theory, but completely useless without the physical transfer.

Paul Netopski

Exactly, Eric. And on the flip side, if a contractor delivers technical data to the government without any restrictive markings or legends, the DFARS explicitly states the government is presumed to receive Unlimited Rights. You can have the most robust statutory protection in the world, but if you deliver a clean, unmarked PDF or codebase, you might have just handed over the keys to the castle.

Chapter 2

The Compliance Crucible: CUI, ITAR, and Cybersecurity

Eric Marquette

That brings us directly to the compliance side of this, which is where things get incredibly real, incredibly fast for a small business. We aren't just talking about patent legends here. We're talking about Controlled Unclassified Information -- CUI -- and export controls like ITAR and EAR.

Paul Netopski

This is the crucible, Eric. Under DFARS, small businesses are responsible for identifying, marking, and safeguarding this data on their own unclassified networks from a source document or guide. If you are handling proprietary technical data that describes military applications, it almost certainly qualifies as CUI, and likely falls under ITAR. That means you might be legally bound to protect it under NIST SP 800-171 cybersecurity standards. Information may qualify for multiple categories, and organizations need to follow contracts or other legal obligations to determine its category.

Eric Marquette

NIST SP 800-171. That's one hundred and ten security controls. For a ten-person software startup, implementing those controls is a monumental hurdle. But if they don't, they are exposing themselves to cyber espionage, and frankly, they risk losing their entire technological advantage before they even scale.

Paul Netopski

It's about supply chain integrity. Adversaries aren't targeting heavily fortified DoD servers; they're targeting the unclassified networks of small business subcontractors. If you're a founder, you have to map out your data use cases early. You need to know exactly what technical data or software is being generated, who needs to see it, where it will reside, and how it will be marked. And when we talk about targeting small businesses, it is generally indirect targeting. Meaning they find a government marketplace with lots of contract information on it, like SAM.gov, then they blanket that contact list with malware, phishing, smishing and other mechanisms to try to get one or more of them to make a mistake and divulge information or credentials. It's like throwing out a casting net to see what gets caught instead of putting a specific lure on a hook to target one specific type of fish.

Eric Marquette

And that is where the newly established IP Cadres come in. These are dedicated teams of IP experts and lawyers embedded within the military departments to help both PMs and small businesses navigate these complex markings and negotiation strategies.

Paul Netopski

They are a vital resource, Eric. The IP Cadre helps prevent what we call "IP overreach" from the government, while ensuring the contractor doesn't inadvertently hand over proprietary detailed manufacturing or process data -- DMPD -- when standard form, fit, and function data would have sufficed. It's about strategic, interest-based planning before the RFP is even finalized.

Eric Marquette

It really is a chess game. You have to think about the twenty-year life cycle of the system from day one, balancing cybersecurity compliance, export controls, and licensing terms. If you don't plan early, you're either locking the government into a sole-source vendor lock, or you're giving away the intellectual property that makes your company valuable in the first place.

Paul Netopski

And that is the core tension. A balanced IP strategy is one where the contractor is appropriately rewarded for their innovation, and the government has the necessary access to sustain the system and protect the warfighter. It's not a zero-sum game, but it requires precision from both sides.