A mid-sized defense contractor was seeking early recognition for compliance with CMMC Level 2 to gain a competitive edge in securing defense contracts. Although a newer program, once this company understood the benefits of the Joint Surveillance Voluntary Assessment (JSVA) they contacted several C3PAOs to obtain proposals and ultimately decided to engage KLC Consulting, in part because of KLC’s “Best Price Guarantee.”
The primary challenge was the uncertainty and trepidation that companies often face with their NIST 800-171 implementation. Did it meet the stringent requirements of CMMC Level 2 to protect Controlled Unclassified Information (CUI)?
The Approach
Engaging with a C3PAO
[redacted] Corporation partnered with KLC Consulting, an authorized CMMC Third Party Assessment Organization (C3PAO). KLC Consulting brings specialized expertise in CMMC compliance to lead DIB companies through the JSVA process.
Conducting a Readiness (Mock) Assessment
KLC Consulting first conducted a thorough Readiness (Mock) Assessment. This practice-run assessment identified common but previously unrecognized Controlled Unclassified Information (CUI) scoping errors and revealed gaps in compliance with the NIST 800-171 / CMMC requirements. A Mock Assessment uncovers these issues before the formal Joint Surveillance Voluntary Assessment, avoiding a low score that would be recorded in the DoD’s Supplier Performance Risk System (SPRS) database. This involved:
- Identifying gaps relative to CMMC Level 2 requirements.
- Assessing the SSP, policies, procedures, and supporting artifacts against the 320 assessment objectives that inform the 110 security practices of NIST 800-171.
Implementing Improvements:
Based on the results of the Mock Assessment, [redacted] Corporation implemented several improvements, such as:
- Correcting CUI scoping deficiencies by following the current CMMC Scoping Guide.
- Enhancing access control measures.
- Conducting a tabletop incident response simulation.
- Adding more employees into their cybersecurity training program.
Coordinating with Cyber AB and DIBCAC:
After ensuring preparedness, KLC Consulting coordinated the scheduling of the JSVA with the Cybersecurity Maturity Model Certification Accreditation Body (Cyber AB) and the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC). This involved:
- Submitting required documentation including the assessment contract.
- Ensuring the [redacted] Corporation was prepared for the assessment.
- Collaborating to create an assessment project plan.
The Results
Successful JSVA Completion
[redacted] Corporation successfully completed the JSVA, demonstrating compliance with CMMC Level 2 standards. The assessment validated their cybersecurity measures, proving their readiness to handle CUI securely.
Extended Certification Period:
With the successful completion of the JSVA, and under the CMMC Proposed Rule, [redacted] Corporation’s JSVA will convert into a CMMC Level 2 certification and won’t need to recertify for 3 years.
Competitive Advantage
Achieving early compliance provided [redacted] Corporation with a significant competitive advantage as both a prime and a subcontractor. Their JSVA result was entered into the DoD’s SPRS system and is visible to all DoD contracting officers. KLC’s letter of C3PAO attestation also vouches for their status with prime customers as a secure and reliable partner to the DoD, enhancing their reputation and increasing their opportunities for new defense contracts.
Conclusion
The Joint Surveillance Voluntary Assessment (JSVA) proved to be a worthwhile, cost-effective strategy for [redacted] Corporation, positioning them as leaders in cybersecurity within the defense contracting space. The proactive approach not only ensured compliance but also provided long-term benefits, including an enhanced reputation and extended certification validity.
There’s a tsunami coming with only 53 C3PAOs to certify 77,000 DIB companies.