Introduction to Cybersecurity Due Diligence Program

The SBIR and STTR Extension Act of 2022 mandates that federal agencies operating SBIR/STTR programs implement a due diligence program to address cybersecurity (CS) and foreign risks. The goal of this mandate is to ensure that SBIR/STTR awardees implement appropriate CS practices to protect their research and development from cyber criminals and reduce risk to critical infrastructures.

The CS Due Diligence Program is focused on the CS risks associated with the business practices of SBIR/STTR applicants and awardees. The program's main objectives are aligned with the DOE CS Strategy dated January 2024 and aim to understand the threats to DOE SBIR/STTR Programs, identify the related CS risks, and finally determine the risk rating and a recommendation or no-recommendation for SBIR/STTR applicants and awardees. The DOE SBIR/STTR CS strategy is to protect against the unauthorized disclosure of SBIR/STTR research and development efforts to foreign countries of concern (China, Russia, North Korea, and Iran). The SBIR/STTR CS team assesses the CS business practices of Phase II small business applicants/awardees to ensure they are within the acceptable level of risk at the time of application submission.

The following content was developed to help DOE SBIR/STTR applicants understand and implement the new requirements: