DOE SBIR/STTR Cybersecurity Requirement: Self-Assessment

Will the Cybersecurity Maturity Model Certification satisfy DOE’s SBIR/STTR CS requirement?

Yes, CMMC Level 2 or 3 are acceptable.

The SBIR/STTR applicants/awardees who possess a Cybersecurity Maturity Model Certification (CMMC) Level 2 or 3 do not have to complete the DOE SBIR/STTR Cybersecurity (CS) Self-Assessment, however they must indicate ‘CMMC Level 2 or 3’ on the CS self-assessment and upload their certification on the ‘Profile’ page within the Portfolio and Analysis Management System (*PAMS). These certifications meet or exceed the DOE SBIR/STTR CS Self-Assessment requirement and therefore are not required for SBIR/STTR applicants/awardees to complete.

*Currently there are on-going efforts to automate the CS Self-Assessment in PAMS. Automation of the CS Self-Assessment should be completed by Fall 2024. SBIR/STTR applicants and awardees will be notified when this change occurs.

What is the DOE SBIR/STTR CS Self-Assessment?

DOE requires SBIR/STTR Phase I (Fast Track Applicants) and Phase II Applicants to complete the SBIR/STTR CS Self-Assessment and submit it with their application. The CS Self-Assessment contains 16 required CS Performance Goals (CPGs) that were leveraged from the Cybersecurity Infrastructure Security Agency (CISA) CPG Checklist. The 16 CPGs are CS best practices that have been prioritized to focus on small business applicants and awardees applying for SBIR/STTR awards. Figure 1 below contains an example CPG from the SBIR/STTR CS Self-Assessment. The SBIR/STTR applicant/awardee should complete the CS Self-Assessment by indicating whether the CPG is fully Implemented, In-Progress, or Not Started (Figure 2 below).

To support the SBIR/STTR CS Self-Assessment, SBIR/STTR applicants/awardees should review the ‘Implementation Guidance for CPGs’ which can be found on the Learning and Education Resource web page. IT IS HIGHLY RECOMMENDED THAT THE 16 CPGS ARE FULLY IMPLEMENTED PRIOR TO THE PHASE II APPLICATION SUBMISSION DATE. The application submission date can be found on the Funding Opportunities web page, under ‘Full Applications Due’. A Security Risk Rating and recommendation/non-recommendation will be determined based upon the CS business practices of SBIR/STTR applicant/awardees. The responses provided on the CS Self-Assessment are subject to Audit based on the award terms and conditions.

Figure 1. DOE SBIR/STTR Cybersecurity Self-Assessment Example CPG

 

Figure 2. Definition of responses found on the SBIR/STTR CS Self-Assessment:

Implemented - The small business currently has the CPG fully implemented.

In-Progress - The small business does not have the CPG fully implemented; however, actions are being taken to fully implement it.

Not Started - The small business has not started implementing the CPG.


Feedback

All submissions are anonymous. Your feedback is important to us and will be taken into consideration for possible future improvements. Thank you for taking the time to share your feedback.