Risk Rating Information
The Cybersecurity (CS) Due Diligence Program is responsible for reviewing the CS business practices of SBIR/STTR applicants/awardees and determining whether the security risk associated with those practices is within an acceptable level. Based on this review, a CS risk rating is assigned to the applicant/awardee and is one of many factors used to determine recommendation or non-recommendation of an SBIR/STTR award. The CS risk rating is provided to the Program Managers as part of the review and selection process for SBIR/STTR awards. SBIR/STTR applicants/awardees also receive their CS risk rating after the CS Self-Assessment is completed in the Portfolio and Analysis Management System (PAMS).
*Efforts are currently under way to automate the CS Self-Assessment in PAMS. Automation of the CS Self-Assessment should be completed by Fall 2024. SBIR/STTR applicants and awardees will be notified when this change occurs.
FY 2025 Risk Rating:
Full implementation of all sixteen (16) Cybersecurity Performance Goals (CPGs) prior to application submission is highly recommended.
LOW RISK (No Mitigation Required): All 16 CPGs are fully implemented. The CS business practices are considered SATISFACTORY and within an acceptable level of risk. RECOMMENDED for an award.
LOW/MEDIUM RISK (Mitigation Required): The majority of CPGs have been fully implemented, including full implementation of the Critical CPGs. The CS business practices are considered SATISFACTORY but NOT yet within an acceptable level of risk. If selected for an SBIR/STTR award, an approved *Mitigation Plan is required to ensure that all CPGs are fully implemented. RECOMMENDED for an award.
HIGH RISK: The CS business practices are considered UNSATISFACTORY and NOT within an acceptable level of risk. NOT RECOMMENDED for an award.
*Mitigation Plan: If the SBIR/STTR applicant/awardee has implemented the Critical CPGs, meets the low/medium risk requirements and is selected for an award, but has not yet implemented the remaining CPGs, they may be given the opportunity to implement the remaining CPGs in accordance with the award terms and conditions.
Note: If Phase II Release 1 and 2 awardees are selected for an award and their CS practices are rated low/medium risk and require mitigation, the awardees should fully implement all CPGs within the first 3 months of the grant start date and submit an updated CS Self-Assessment. The Chicago Office will allow negotiation of a higher overhead rate to support funding for cybersecurity-related expenses for Phase II awardees.