DOE SBIR/STTR Cybersecurity Requirement: Self-Assessment

Will the Cybersecurity Maturity Model Certification satisfy DOE’s SBIR/STTR CS requirement?

Yes, CMMC Level 2 or 3 are acceptable.

SBIR/STTR applicants who are compliant with Level 2 or 3 of the Cybersecurity Maturity Model Certification (CMMC) do not have to complete the Cybersecurity Performance Goals (CPGs) listed on the SBIR/STTR Cybersecurity (CS) Self-Assessment; however, they must indicate ‘CMMC Level 2 or 3’ on the self-assessment and upload their CMMC certification, self-assessment, and application in the Portfolio and Analysis Management System (PAMS). CMMC Level 2 or 3 meets or exceeds the DOE SBIR/STTR CS Self-Assessment requirement, so applicants certified at those levels are not required to complete the CPGs.

What is the DOE SBIR/STTR CS Self-Assessment?

DOE requires SBIR/STTR Phase I (Fast Track applicants only) and Phase II applicants to complete the SBIR/STTR CS Self-Assessment and submit it with their application. The CS Self-Assessment contains 16 required CPGs drawn from the Cybersecurity and Infrastructure Security Agency (CISA) CPG Checklist. The 16 CPGs are CS best practices that have been prioritized to focus on small business applicants applying for SBIR/STTR awards. Figure 1 below contains an example of a CPG from the SBIR/STTR CS Self-Assessment. The SBIR/STTR applicant/awardee should complete the CS Self-Assessment by indicating whether each CPG is fully Implemented, In-Progress, or Not Started (Figure 2 below).

To support the SBIR/STTR CS Self-Assessment, SBIR/STTR applicants/awardees should review the ‘Implementation Guidance for CPGs’, which can be found on the Learning and Education Resources web page. IT IS HIGHLY RECOMMENDED THAT THE 16 CPGS ARE FULLY IMPLEMENTED PRIOR TO THE PHASE II APPLICATION SUBMISSION DATE. The application submission date can be found on the Funding Opportunities web page, under ‘Full Applications Due’. A Security Risk Rating will be determined based upon the CS business practices of the SBIR/STTR applicant and provided to the program offices as part of the criteria of the selection process for a SBIR/STTR award. The responses provided on the CS Self-Assessment are subject to audit based on the award terms and conditions.

Figure 1. DOE SBIR/STTR Cybersecurity Self-Assessment Example CPG


Figure 2. Definition of responses found on the SBIR/STTR CS Self-Assessment:

Implemented - The small business currently has the CPG fully implemented.

In-Progress - The small business does not have the CPG fully implemented; however, actions are being taken to fully implement it.

Not Started - The small business has not started implementing the CPG.
