Introduction to Cybersecurity Due Diligence Program
The SBIR and STTR Extension Act of 2022 mandates that federal agencies operating SBIR/STTR programs implement a due diligence program to address cybersecurity (CS) and foreign risks. The goals of this mandate are to ensure that SBIR/STTR awardees implement appropriate CS practices to protect their research and development from cyber criminals and reduce risk to critical infrastructures.
The CS Due Diligence Program focuses on the CS risks associated with the business practices of SBIR/STTR applicants and awardees. The program requirements are derived from the Cybersecurity and Infrastructure Security Agency (CISA) Cybersecurity Performance Goals (CPGs) and are aligned with the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF). The DOE SBIR/STTR CS Due Diligence Program is focused on protecting SBIR/STTR research and development efforts from unauthorized disclosure to foreign countries of concern (China, Russia, North Korea, and Iran). The SBIR/STTR CS Due Diligence Program assesses the CS business practices of Phase I Release 2 (Fast Track only) and all Phase II small business applicants to ensure they are within the acceptable level of risk to conduct research and development.
The following content was developed to help DOE SBIR/STTR applicants understand and implement the CS requirements: