Cyber Risk Management Frequently Asked Questions

The FAQ is designed to help SBIR/STTR applicants/awardees understand and navigate questions related to the Cybersecurity (CS) requirement. The FAQ was developed based upon common questions asked by applicant/awardees during SBIR/STTR CS webinars. The FAQ addresses common questions regarding CS Performance Goal (CPG) implementation guidance, DOE SBIR/STTR application submission timelines, risk mitigation, as well as other topics. Whether you're just starting or looking to improve your understanding of the DOE SBIR/STTR CS Self-Assessment requirements, our FAQ provides practical insights and actionable steps to help smooth the process of completing the CS Self-Assessment and submission of your application.

The FAQ can be found via the following link: CS-Frequently Asked Questions_rev1

For the cybersecurity assessment, do we need any other documents beside the completed checklist?

No other documents are required at this time.

Some of the questions in the SBIR/STTR CS Self-Assessment are scoped and will be started in the next couple of months. Would that affect my submission?

Yes. Full implementation of the required 16 CPGs prior to application submission is highly recommended.

When will the SBIR/STTR Cybersecurity Training and learning resources be available?

Cybersecurity training will be available August 2024. Please refer to the Learning and Education Resources page for training schedules and updates.

For the cybersecurity self-assessment, what if we are a very small organization with limited resources - will that be considered when evaluating our readiness and scoring? Is there a 'passing grade' for the 16 required CPGs? It’s highly recommended that each applicant/awardee fully implements the 16 CPGs. The size of the business is not considered when evaluating the Cybersecurity Self-Assessment. Refer to the Implementation Guidance for the CPGs to understand the business factors when implementing the CPGs.
How is the subcontractor's Cybersecurity Self-Assessment handled? or is that not a requirement currently? The DOE CS Self-Assessment is a requirement for the small business applicant/awardee. Currently this is not a separate requirement for subcontractors. However, the small business applicant/awardee is responsible for the overall cybersecurity of their organization to include but not limited to its employees.
What is the criteria for "medium" or "high" risk ratings? Please refer to the Risk Rating information page for more details regarding risk ratings.
Regarding the Asset Inventory CPG: we use Microsoft OneDrive to keep the inventory data of our organizational assets and regularly update it. Does it count as implemented? IT services such as Google Workspace, Office 365, etc. may provide some assistance with asset inventory when enabled. However, please refer to the Implementation Guidance for the CPGs to ensure full implementation of asset inventory.
Will DOE accept Cybersecurity Maturity Model Certification (CMMC) level 1 in lieu of completing the SBIR/STTR Cybersecurity self-assessment? CMMC Level 2 or 3 is accepted in lieu of the Cybersecurity Self-Assessment. CMMC level 1 is not accepted.