Case Study: CMMC Level 2 Compliance through JSVA

CMMC Consulting Case Studies. Reviews and formats for thinking about your CMMC evolution.

Case Study: CMMC Level 2 Compliance through JSVA

Case Study: Achieving CMMC Level 2 Compliance through JSVA, Joint Surveillance Voluntary Assessment (JSVA), defense contractor, cybersecurity posture

A mid-sized defense contractor was seeking early recognition for compliance with CMMC Level 2 to gain a competitive edge in securing defense contracts. Although a newer program, once this company understood the benefits of the Joint Surveillance Voluntary Assessment (JSVA) they contacted several C3PAOs to obtain proposals and ultimately decided to engage KLC Consulting, in part because of KLC’s “Best Price Guarantee.”

The primary challenge was the uncertainty and trepidation that companies often face with their NIST 800-171 implementation. Did it meet the stringent requirements of CMMC Level 2 to protect Controlled Unclassified Information (CUI)?

The Approach

Engaging with a C3PAO

[redacted] Corporation partnered with KLC Consulting, an authorized CMMC Third Party Assessment Organization (C3PAO). KLC Consulting brings specialized expertise in CMMC compliance to lead DIB companies through the JSVA process.

Conducting a Readiness (Mock) Assessment

KLC Consulting first conducted a thorough Readiness (Mock) Assessment. This practice run assessment identified common, unknown Controlled Unclassified Information (CUI) scoping errors and revealed gaps in compliance with the NIST 800-171 / CMMC requirements. A Mock Assessment helps uncover these issues before a formal Joint Surveillance Voluntary Assessment, preventing a potential score that would reflect poorly in the DoD’s Supplier Performance Risk System (SPRS) database. This involved:

  • Identifying gaps relative to CMMC Level 2 requirements.
  • Assessing the SSP, policies, procedures, and supporting artifacts against the 320 assessment objectives that inform the 110 security practices of NIST 800-171.

Implementing Improvements:

Based on the results of the Mock Assessment, [redacted] Corporation implemented several improvements, such as:

  • Correct CUI scoping deficiencies by following the current CMMC Scoping Guide.
  • Enhancing access control measures.
  • Conducting a table top incident response simulation.
  • Adding more employees into their cybersecurity training program.

Coordinating with Cyber AB and DIBCAC:

After ensuring preparedness, KLC Consulting coordinated the scheduling of the JSVA with the Cybersecurity Maturity Model Certification Accreditation Body (Cyber AB) and the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC). This involved:

  • Submitting required documentation including the assessment contract.
  • Ensuring the [redacted] Corporation was prepared for the assessment.
  • Collaborating to create an assessment project plan.

The Results

Successful JSVA Completion

[redacted] Corporation successfully completed the JSVA, demonstrating compliance with CMMC Level 2 standards. The assessment validated their cybersecurity measures, proving their readiness to handle CUI securely.

Extended Certification Period:

With the successful completion of the JSVA, and under the CMMC Proposed Rule, [redacted] Corporation’s JSVA will convert into a CMMC Level 2 certification and won’t need to recertify for 3 years.

Competitive Advantage

Achieving early compliance provided [redacted] Corporation with a significant competitive advantage as both a prime and subcontractor. Their JSVA result was entered into the DoD’s SPRS system and is visible to all DoD contract officers. And KLC’s letter of C3PAO attestation vouches for their status with prime customers as a secure and reliable partner to the DoD, enhancing their reputation and increasing their opportunities for new defense contracts.

Conclusion

The Joint Surveillance Voluntary Assessment (JSVA) proved to be a worth while, cost effective strategy for [redacted] Corporation, positioning them as leaders in cybersecurity within the defense contracting space. The proactive approach not only ensured compliance but also provided long-term benefits, including enhanced reputation and extended certification validity.

There’s a tsunami coming with only 53 C3PAOs to certify 77,000 DIB companies. One form lets you avoid the troubles:

"*" indicates required fields

Name
Email*
Want to keep up-to-date with our latest news and announcements?
This field is for validation purposes and should be left unchanged.

Check out our YouTube channel and LinkedIn pages for the latest informational and educational resources for Cybersecurity Maturity Model Certification.

Scroll to Top