Introduction to Cybersecurity Due Diligence Program
The SBIR and STTR Extension Act of 2022 mandates that federal agencies operating SBIR/STTR programs implement a due diligence program to address cybersecurity (CS) and foreign risks. The goal of this mandate is to ensure that SBIR/STTR awardees implement appropriate CS practices to protect their research and development from cyber criminals and to reduce risk to critical infrastructure.
The CS Due Diligence Program focuses on the CS risks associated with the business practices of SBIR/STTR applicants and awardees. The program’s main objectives are aligned with the DOE CS Strategy dated January 2024: understand the threats to the DOE SBIR/STTR Programs and to SBIR/STTR awardees, identify the related CS risks, and determine the risk ratings used in the selection or non-selection of SBIR/STTR awards. The DOE SBIR/STTR CS strategy is to protect SBIR/STTR research and development efforts from unauthorized disclosure to foreign countries of concern (China, Russia, North Korea, and Iran). The SBIR/STTR CS Due Diligence Program assesses the CS business practices of Phase I Release 2 (Fast Track only) and Phase II small business applicants to confirm that those practices fall within an acceptable level of risk at the time of application submission.
The following content was developed to help DOE SBIR/STTR applicants understand and implement the CS requirements: