Joint Surveillance Voluntary Assessment

click here to close

Hello, my name is Kelly Hynes-McDermott of Hynes Communications. I also serve in the role of Marketing Director for KLC Consulting. I’m excited to be here today with two of our experts in the field of CMMC and for today’s conversation. In particular: C3PAO and Joint Surveillance Assessments or JSVA. Also known as DIBCAC High Assessment. I’d like to introduce our two experts, Kyle Lai president and CISO of KLC Consulting, a CMMC Certified Professional, and “To-Be,” a Certified Assessor. Also joining us today is Layla Remmert, who leads the delivery of KLC Consulting’s Cybersecurity and Compliance Services for our U.S. Defense Industrial Base clients. Layla is also a CMMC Certified professional and “To-Be” a Certified Assessor. Welcome, Kyle and Layla.

Kyle: Hi, very nice to be here.

Layla: It’s great to be here.

Role of the C3PAO in CMMC and JSVA

Kelly: Great to see you guys. So, the complexity of CMMC C3PAO and Joint Surveillance Voluntary Assessment can be challenging. And that’s why we’re here today, to talk about the nuts and bolts. It doesn’t need to be as difficult as folks tend to think it is. So, let’s jump right In. Kyle, first, what is a C3PAO? What is the role of the C3PAO in the CMMC ecosystem?

Kyle: Yeah, the C3PAO program was established as part of the DoD Cybersecurity Maturity Model Certification or CMMC program, which requires a C3PAO to ensure that defense contractors or Defense Industrial Base companies have adequate cybersecurity controls. So, a C3PAO or “CMMC Third Party Assessment Organization” is an organization that DoD authorizes to provide the Assessment and certify these companies seeking certification. Yeah, so they are doing business with the DoD.

Kelly: Got it. Who will require CMMC Certification? And who will be required to undergo a CMMC C3PAO Assessment?

Who will be required to get CMMC Certification?

Kyle: The requirement is for Defense Industrial Based companies that handle “Controlled Unclassified Information” or CUI. Or companies with DoD contracts with the DFARS “Defense Federal Acquisition Regulation Supplement” clause 252.204-7012. Or simply DFARS 7012 requirements. Yeah, so, if you have this, yeah, you will need to comply. And are required to have this CMMC certification eventually.

When will CMMC requirements begin?

Kelly: And when will that “eventually” be? When will CMMC Assessments be required by the Department of Defense?

Kyle: Right, so, based on our understanding today from DoD, it is that, most likely, CMMC Rulemaking will be completed and finalized by mid-2025. The exact date we don’t know yet. They will go through the “Public Comment Period” when Rulemaking ends. So, mid-2025, that’s what we’re hearing right now.

Kelly: Very good. Layla, what is the Joint Surveillance Voluntary Assessment program? Can you explain what it is and how it relates to NIST 800-171, SPRS, and CMMC?

About the Joint Surveillance Voluntary Assessment Program (JSVA)

Layla: The Joint Surveillance Voluntary Assessment or JSVA Program is again a voluntary program offered through the United States Department of Defense. It’s a team with which the Cyber AB works, with the C3PAO companies, for “Organizations Seeking Certification” to get ahead of CMMC. And will equal a “Level Two” CMMC Certification and Authorization once the Rulemaking process is out. CMMC joint surveillance program helps contractors assess and improve their compliance with DoD procurement regulations and standards through the DFARS and NIST cybersecurity requirements. The JSVA program confers what is known as a DIBCAC High Assessment, meaning “High” confidence, in comparison with a low-confidence self-assessment.

JSVA is a transitional assessment in CMMC

And specifically, NIST 800-171 cybersecurity requirements. The program helps contractors identify and address potential compliance issues before they become significant problems. And so, the Joint Surveillance Voluntary Assessment team provides valuable independent feedback to the contractor and the OSC, helping them improve their compliance and reduce the risk of non-compliance issues. So, DIB companies are undertaking these CMMC joint surveillance program assessments as a transitional program leaning into CMMC rather than waiting until mid-2025, as Kyle had mentioned when the DoD codifies CMMC.

Kyle: Layla participated in a Joint Surveillance Voluntary Program Assessment. So, Layla definitely knows what she’s talking about.

Layla: Thank you, Kyle.

Why is Joint Surveillance Voluntary Assessment called “Joint”?

Kelly: Excellent. Why is it called “Joint” Surveillance? And who are the parties involved? Layla, can you tell us more?

Layla: Yeah, and that’s an excellent question. I think that probably does confuse some Organizations Seeking Certification. So, the “Joint” is essentially the DoD’s “Defense Industrial Base Cybersecurity Assessment Center” or the DIBCAC, and a CMMC Third Party Assessment organization or C3PAO like KLC Consulting. So, we have an OSC or DIB company seeking certification and working with both organizations again to get ahead of the CMMC Final Rulemaking.

Kelly: It sounds a little bit like, um, triage, if you will. The CMMC joint surveillance program is a proactive way to stay ahead of your cybersecurity and get prepared for CMMC. A way to make sure that you’re ready for it. So that when the Rulemaking does come down, you have all the pieces in place. And there won’t be any surprises. Is that, is that a way to categorize it?

The appeal of the Joint Surveillance Voluntary Assessment program to DIB Companies

Layla: Yes, Kelly, I think that’s part of it. The other part that is very appealing to OSCs is that they can advertise and market to their customers and their DoD clients that, hey, we did get ahead of CMMC because we leaned in. We were compliant early. And so it is, almost if you will, bragging rights for OSCs to get into this program early. Recognition in the form of a DIBCAC High Assessment is stronger than a low-confidence NIST 800-171 self-assessment.

DFARS 252.204-7024 requirements

Kyle: And there’s DFARS 252.204-7024, which directs DoD contract officers to evaluate the SPRS score as part of the contract awards evaluation determination. So that if you have a score, SPRS score submitted by DoD saying you passed, that DIBCAC High Assessment, that carries a lot more weight than your self-Assessment. So, there’s another value-add to companies competing for those contracts.

Layla: That’s a great point, Kyle.

JSVA business advantages to DIB companies

Kelly: And seeing that these are voluntary and not mandatory, what are some other benefits, Kyle and Layla? You just mentioned several of them. Are there other reasons why companies should consider doing the CMMC joint surveillance program? In addition to the ones you’ve already mentioned, which are pretty compelling?

Layla: Yeah, there are some other advantages. I did mention being first, if you will, in the DIB, and in general, um not having to wait until it is mandatory. They do not potentially have to wait in a queue for a C3PO that might already have 20 or 30 Assessments ahead of them. Because once CMMC adjudicates, I think getting in for compliance will be a mad rush. So, it’s smart to get in early and do the Voluntary Assessment.

The DoD enters JSVA results in SPRS as a DIBCAC High Assessment

The other advantage, or one of the other advantages, is that the DoD enters these successful Assessment results into the Supplier Performance Risk System or SPRS database. And essentially, the SPRS DoD database is a repository that collects and reports information on contractor performance, including quality, delivery, and cost.

Refresher definition of the SPRS

And so, the SPRS database is used by government acquisition professionals to evaluate and manage the performance of contractors bidding on or wanting to bid on and working on DoD contracts. Having that score in early before CMMC is codified or adjudicated is a way to identify a level of risk and compliance – early. And it’s also a way for OSCs to look at past performance or, rather, for the DoD to look at OSC’s past performance. And it allows the DoD to make early contract awards decisions. Because they can see that these particular companies already did the Assessment before they had to.

The purpose of our JSVA video

And so, that is why we’re doing this video: to help encourage companies to conduct that Joint Surveillance Voluntary Assessment and gain that competitive edge in securing defense contracts. And securing defense contracts early because they ultimately become more appealing to the Department of Defense through the DIBCAC High Assessment as trusted partners. Versus companies that haven’t put in their SPRS score and haven’t undertaken that early Assessment.

The JSVA program fosters collaboration with government agencies

The CMMC joint surveillance program ultimately fosters closer collaboration with government agencies. And leads to long-term business relationships. Participation in these [JSVA] Assessments positions an OSC, a company in the DIB, as a trusted and responsible player in the overall market. Because it demonstrates a commitment to protecting their systems’ confidentiality and sensitive data. We talked a bit about bragging rights, but it enhances a company’s image and improves stakeholder relations.

How does JSVA affect CMMC recertification requirements?

Kelly: Great answer; thank you for that explanation. That’s helpful. And then, when the DoD finishes Rulemaking, how long would it be effective once you get that ruling?

Layla: Yes, so, at this time, the current expectation is that a successful Joint Surveillance Assessment, resulting in a score of 88 or more, will roll over and into that CMMC level 2 certification and authorization. So, if an OSC or you know a DIB company passed the Joint Surveillance today. And the final DoD Rulemaking completes a year from today, that certification could effectively last four years. So, which is also a great advantage of the CMMC joint surveillance program because it extends the three-year recertification period requirement. So, it really is a great advantage.

Kelly: You’re really getting that extra year by being proactive about it?

JSVA converts into CMMC Level 2 certification

Kyle: yes, right, yep. DoD will, based on what they’re saying today, yeah, you know the DoD will convert the certification that you’ve received. Which is right now, you get the DIBCAC High Assessment from the DoD. And they will convert that to a CMMC level 2 certification when Rulemaking is complete.

Kelly: Excellent is there a waiting list for C3PAOs and DIBCAC? Or how could a DIB get in on this now?

A waiting list for JSVA?

Layla: Yeah. So, I will say the latest that we have heard from attending town halls and different forums; Kyle is on the board of some of the CMMC and C3PAO forums, and there is currently a small waiting list. However, we have heard that the DIBCAC is doing or adding more assessors and training more assessors right now. And so, preparing to do more uh Joint Surveillance Assessments. But yes, there is a waiting list. How do you get on that waiting list?

So, essentially, if the Organization Seeking Certification says: Yes, I want to do the Joint Surveillance, the first step is to get on contract with a C3PAO such as KLC Consulting, um, to have a Certification Assessment. Once complete, and there are some very preliminary Readiness review activities to complete, KLC Consulting or another C3PO will reach out via the Cyber AB and ask to get on that waiting list. The Cyber AB then coordinates directly with DIBCAC to get that OSC or DIB company in the queue.

Kelly: Got it.

JSVA Schedule coordination between the OSC, C3PAO, and DIBCAC

Kyle: And so, yeah, DIBCAC, again, is the DoD. They will contact the OSC (the Organization Seeking Certification), and the C3PAO will coordinate the schedule and the plan for that JSVA / DIBCAC High Assessment. Right now, what we heard, I was attending a conference last week. So, we heard the Cyber AB mention about 90 companies in the queue or submitted to get the Assessment. But in terms of determining who gets picked to get the Assessment, that is still depending-determined by DIBCAC – the DoD. And then, they will do the prioritization.

Kelly: Okay, once you get picked, say, how long does it take to complete the CMMC joint surveillance program assessment?

How long does it take to complete the entire process for JSVA?

Layla: In my experience from the Joint Surveillance Voluntary Assessments that I participated in, as well as some other OSCs that I put into the queue, helped put into the queue, typically it seems like it’s about three months to start the Assessment by the time that you get into the queue. And then the Joint Assessment itself lasts approximately, from start to finish, from readiness review to certification, about six weeks. Would you agree with that, Kyle?

Kyle: Yes, yep. Uh yeah, because I think you will have to go through and make sure that you are ready before you start jumping to say: yep, you are ready; they’re going to start assessing you, right. If you are not prepared, they’ll just say, yep, let’s postpone or cancel because you are not ready.

Layla: Yeah, and that’s per the CAP guidance (or the Certification Assessment Process guidance) where the C3PAO and the DIBCAC jointly will look at the Readiness and say: well, do we want to re-plan, do we want to cancel, do we want to postpone, or do we want to proceed with this Assessment?

How long will it take to complete just the JSVA audit phase?

Kyle: Yeah, so Layla, the actual time for the Assessment: is that one week, usually?

Layla: Yes, it’s typically been about four to five business days.

Can a JSVA be completed 100% remotely?

And in my experience, some practices must be observed on-site. Again, quoting the CAP here that there are currently 15 practices that must be observed on site. However, it does seem to vary between DIBCAC team to DIBCAC team. Some DIBCAC teams may want to conduct the entire Joint Surveillance Assessment on-site. But for the most part, it seems to be a hybrid schedule.

How much does a JSVA cost?

Kelly: Okay, great. Then what are the costs involved in doing the CMMC joint surveillance program assessment? So, we’ve talked a lot about the benefits of having it done, and what are the costs involved in having this done?

Layla: Well, Kelly, it varies on many factors that would drive the cost:

1. What DIB sector or subsector in which the OSC does business.
2. Whether a manufacturer, an engineering firm, critical or general infrastructure, a software development company or a managed service provider (or MSP).
3. Number of CAGE code entities.
4. Size and complexity of the organization: how many employees do they have? How many endpoints do they have?
5. How many physical facilities?
6. How many applications?
7. Are they a cloud-only environment or more of a hybrid between cloud and on-prem?
8. How many managed service providers or managed security service providers? Is their customer responsibility matrix available?
9. And there’s mitigating cost factors as well. so, regarding reciprocity, are they using all Cloud products with Fedramp Moderate or Fedramp Moderate equivalency requirements? Or have they, do they have another certification like the ISO 27001 or ITAR? So, again several factors.

Other JSVA Cost Factors

And Kyle, am I, anything here that maybe we haven’t covered as far as cost factors?

Kyle: No, I think you covered all the major ones. So, yeah, if there’s complexity, I would say complexity is going to be the main driver of cost. So, we’re going to evaluate how many cloud service providers, how many MSPs, managed service providers you work with. You know, are you using just one cloud? You know, just using Azure? Or are you using Azure, plus AWS and Google. You know Google cloud platform, right GCP? All three of them? That will make the environment a little more complex. So, I think with all these, with these different factors we’re going to evaluate. And uh there could be a difference in the cost factor.

Kelly: Uh huh, a little bit of a sliding scale right? Depending on the complexity of the company involved. There’s a lot of factors to consider in that. And it kind of makes sense right, that the more employees the bigger the organization, than uh the greater the cost is going to be. And the more time it’ll take to actually perform the Assessment.

Kyle: Yep, absolutely, yes.

How can a DIB company know it’s ready for a JSVA?

Kelly: So Layla, how can a DIB company know if it’s ready to undergo a JSVA or a CMMC Assessment? How are they, how are they best ready to evaluate themselves to say yes, okay we’re going to give this a try, let’s go for it?

Layla: Yeah so, that that’s a great question because I, I think again, going back to all of the advantages of doing Joint Surveillance, everyone who hears about these advantages say: Yes, sign me up! But some very important questions to ask within your organization are:

1. Have we performed our NIST 800-171 self-Assessment?
2. What was the score? And did we get our SPRS score submitted into the database?
3. Has the organization scoped their assets following the CMMC 2.0 Assessment Guide and the CMMC version 2 Scoping Guide?
4. Any POA&M items? And have you remediated those deficiencies?
5. Have you developed policies, procedures, and supporting artifacts?
6. Do you have an SSP that details your implementation status for all 110 practices and 320 Assessment objectives?

Preparation is key to JSVA readiness

Kelly: That’s great. So, preparation seems to be the key word there. The self-Assessment, and preparing, and making sure that if you have any POA&M entities, that you need to get those addressed before you, before you proceed with this. So, preparation is key.

When should an OSC pursue a “Readiness Assessment” versus “Consulting Help”?

And along those lines, can you tell me the difference between “Readiness Assessment” and “Consulting Help”? When do you choose a Readiness Assessment, and when do you go for Consulting Help?

Layla: I did want to add Kelly; as far as preparation and POA&Ms, um, having deficiencies does not automatically mean that an OSC is not ready for Joint Surveillance. As long as they are not critical or five-point deficiencies for the SPRS scoring. And an organization has an overall score of 88 or higher. Then they certainly could still be ready to have a Joint Surveillance Assessment.

Kelly: That’s a really important distinction. I’m glad you brought that up. That’s really good to know.

Readiness Assessments are also referred to as Mock Assessments

Kyle: And also, if the company is not sure if they are ready, they can always engage with us to do a Mock Assessment. And what a “Mock Assessment” is: We’re going to evaluate to see if the company is ready. We cannot provide the Consulting because if we are engaging as an Assessment Service, we’re going to tell you: if you are ready, or if you are missing some of the controls – practices.

And at the end, if you aren’t ready, you know, if you are missing a few controls – practices, you remediate these controls – practices. And you can let us know when you are done with the remediation. We can go back and evaluate to do another Readiness Assessment on these gaps. On these POA&M items and see if those are addressed. Because we never engaged as [your] consultant. Then we can help you perform the Joint Surveillance Voluntary Assessment, the JSVA. If you pass all the controls then you’ll be able to get the certification.

A Readiness Assessment allows for a JSVA with the same C3PAO

Layla: that is a really great distinction Kyle, as far as a Readiness Assessment or a Mock Assessment. I think that sometimes you’ll hear both terms being used. But it is not a Consulting Service. It truly is a Readiness Assessment where a C3PAO such as KLC Consulting will go and do an Assessment, just like it would be formally with the DIBCAC. And address any deficiencies. And even tell you why you failed or did not pass a particular practice. Without giving the Consulting of how you can remediate it. And to Kyle’s points you can perform a Readiness or Mock Assessment and still come back to that same C3PAO and undergo a certification Assessment, which is great news for the DIB.

C3PAO Readiness Assessments save OSCs money

Kelly: That’s really good. So, and the thing is, you’re really helping to save the client or the company time and money by going through this Mock Assessment, you know. Because all of these things take time, if you can fill some of those gaps and make those remediations in advance, you would be in better shape or better condition to perform well on when you’re actually getting your Assessment. Is that right?

Layla: Yes absolutely. I feel that the Readiness Assessment or the Mock Assessment is integral to overall CMMC readiness.

 

C3PAO Readiness Assessment avoids adverse SPRS reporting

Kyle: Yeah, and when you are doing the Mock Assessment or Readiness Assessment, if you did not do well there’s no record in the DIBCAC or the SPRS. You know, when we’re doing the Consulting, if necessary, we can help participate during the Assessment as [your] consultant. But we cannot do the Assessment, no. So, if we are doing the Consulting, we do know other Good C3PAOS that could perform and do a good job. We’ll provide some names so that you can talk to them directly. We are not going to get involved. So, that is the rule.

Kelly: That makes sense no double-dipping, right? You’ve got to choose one or the other, but you can’t do both. Or else it would be a conflict of interest.

Kyle: Exactly.

Kelly: That keeps things clean. Got it.

KLC Consulting teams with other C3PAOs

Layla: That’s a great point. Another great point you made is that KLC Consulting does a wonderful job with, just teaming out there in the CMMC ecosystem. We partner with other C3PAOs in a very collaborative way.

KLC Consulting is a leader in the CMMC ecosystem

Kyle: Yes, yeah. I myself – I’m on the board of the C3PAO Stakeholder forum. So, we do talk to other C3PAOs. There are over 100 C3PAOs in this forum. And we do talk to the Cyber AB and the DIBCAC quite frequently. So, we understand how the ecosystem works. And we’ve built good relationships. But um, yeah, we stay independent when it comes to the Assessment.

What distinguishes KLC Consulting from other C3PAOs?

KLC Consulting holds advanced certifications and depth of experience

Kelly: Why would a DIB company want to work with KLC Consulting? What other factors do we bring to the table that other firms do not, for instance?

Kyle: Yeah so, from the from the Consulting side we work with small, medium, and larger Fortune 500 companies. And companies with a single CAGE code or multiple CAGE codes. So, we have that broad experience. And we have several Provisional Assessors and “To Be” Certified Assessors on staff. They all have gone through Joint Surveillance Assessments and participated in the C3PAO Assessments conducted by DIBCAC. So, we have been through the Assessments ourselves.

We are Certified by the DIBCAC. We understand the documentation. And also, our assessors have over 10 to 20 years of experience. They’ve been through Joint Surveillance as well. So, whether it’s from the Consulting point of view, from Readiness Assessment, or conducting Joint Surveillance, we have the experience. And we will be able to help. So, anything to add Layla?

KLC Consulting takes a spirit of advocacy with clients

Layla: Yeah, we really have great experience at KLC Consulting. But I also think the thing that makes KLC Consulting so special for OSCs is that we understand the stress of going through Assessments. And we have a spirit of advocacy with our clients in a way that does not make them feel that they’re going through an I.T. audit or that they are being graded or tested. Because KLC Consulting prioritizes empathy and collaboration with our clients. And by prioritizing these values, we build positive and enduring relationships with our clients. And I think that truly is what makes KLC Consulting stand out.

Kelly: Yeah, it’s excellent, really good. So, we’ve talked the talk and we’ve walked the walk so, to speak. And we really do partner with our clients to get them through this process because we’ve been there, right? And I think you guys both hit on that really well. Is there anything else you’d like to add before we close here? Any other points that you want to share that we might not have covered that you feel are important to add at this point?

KLC Consulting “walked the talk” to CMMC Level 2

Kyle: Yeah so, we all know that it is not easy to get yourself ready for NIST 800-171, DFARS, you know, CMMC ready. Yeah, it is a long journey. We’ve been there. We got ourselves ready and uh passed our DIBCAC, you know, CMMC level 2 Assessment. So, we know, we know it’s not easy. But if you need help, anything that we can do to help you? Yeah, please reach out.

Kelly: Excellent. Thank you, Kyle and Layla. Thank you for helping us better understand the nuts and bolts of C3PAO and JSVA Assessment Services. And thank you to our viewers for joining us today. If you’d like to contact KLC Consulting, please see our contact info at the end of this video. And thanks again for watching, and we’ll see you next time.

Kyle: all right thank you, everyone.

Kelly: Thank you.

Layla: Thank you, bye.  

Layla: Thank you, bye.  

click here to close