JSVA Update
The Joint Surveillance Voluntary Assessment (JSVA) program, which offered a streamlined path for Defense Industrial Base (DIB) contractors to achieve CMMC Level 2 certification, is no longer available. This program allowed contractors to undergo voluntary assessments conducted jointly by CMMC-accredited third-party assessment organizations (C3PAOs) and the DoD’s Defense Industrial Base Cybersecurity Assessment Center (DIBCAC). As a result, DIB contractors seeking CMMC certification must now undergo a full CMMC Assessment conducted by a C3PAO.
What is a JSVA?
Joint Surveillance Voluntary Assessment (JSVA) is a transitional program designed to help Defense Industrial Base (DIB) contractors prepare for the Cybersecurity Maturity Model Certification (CMMC) framework. It’s a collaborative effort between the Department of Defense (DoD) and CMMC-accredited third-party assessment organizations (C3PAOs).
Avoid the CMMC rush with KLC Consulting’s Joint Surveillance Voluntary Assessment (JSVA). Gain a DoD-recognized ‘High Confidence’ assessment and a competitive edge.
Why Choose a Joint Surveillance Voluntary Assessment Program (JSVA) NOW?
If you’re a defense contractor diligently working on NIST 800-171 and CMMC compliance, and nearing readiness for your Level 2 assessment, the CMMC Joint Surveillance Program (JSVAP), also known as a Joint Surveillance Voluntary Assessment (JSVA), is the strategic advantage you need.
Getting certified early through the CMMC Joint Surveillance Program allows you to demonstrate your trustworthiness to the DoD and your prime customers, gain bragging rights, and position yourself favorably for new contracts and renewals.
Here’s Why Participating in the JSVA Program is a Smart Move:
Beat the CMMC Rush & Assessment Bottleneck
The CMMC rollout in early 2025 means a potential surge in demand for assessments. With only 56 authorized C3PAOs available to serve 77,000 DIB companies who need CMMC Level 2 certification, securing your JSV Assessment now puts you ahead of the curve.
Proven DoD Recognition with a DIBCAC High Confidence Assessment
Your JSVA score is officially entered into the DoD’s Supplier Performance Risk System (SPRS) database as a DIBCAC High Confidence Assessment. This prestigious designation, similar to a seal of approval from the DoD, carries more weight with contracting officers than self-assessments.
Letter of Attestation to Showcase Your Score
We provide you with a formal letter, showcasing your JSVA score, which you can share with your prime customers, demonstrating your commitment to CMMC compliance.
Direct Path to CMMC Certification
Under the CMMC proposed rule, a perfect JSVA score of 110 converts directly to a CMMC Level 2 certification when the rule is finalized. This means no recertification worries for three years!
Efficient Remediation with Delta Assessments
Even if you don’t initially achieve a perfect score on your JSV assessment, you can focus your efforts on addressing specific areas of improvement and return for a streamlined delta assessment, covering ONLY the practices you missed.
Take Advantage of Rev 2 Before Rev 3
With NIST 800-171 Rev 3 on the horizon, pursuing a JSVA under the current Rev 2 assessment offers a more approachable path to certification.
Steps to Schedule a Joint Surveillance Voluntary Assessment (JSVA)
- The prerequisite to all JSVAs is for a company to contract the assessment with an authorized C3PAO, such as KLC Consulting.
- You must also be engaged in an active DoD contract that contains the DFARS 252.204-7012 clause to be eligible.
- We’ ll conduct a preliminary readiness review to determine if you’re ready.
- When confirmed ready, we’ll request the Cyber AB coordinate and schedule a JSVA with DIBCAC.
- DIBCAC determines priority and order of all JSVAs, and schedules the assessment with KLC Consulting.
Why Choose KLC Consulting
- Deep Industry Expertise: Our team possesses in-depth knowledge of the defense industry and cybersecurity regulations.
- Proven Track Record: We have a successful history of assisting clients in achieving compliance and certification.
- Customized Approach: Our services are tailored to meet your unique business requirements and objectives.
- Commitment to Client Success: We are dedicated to helping you protect your organization and build trust with the DoD.
Let’s talk about a JSVA
The CMMC Joint Surveillance Voluntary Assessment program involves coordination and execution among four parties:
- The Organization Seeking Certification (OSC)
- KLC Consulting as the C3PAO
- Cyber AB
- Defense Industrial Base Certification Assessment Center (DIBCAC)
Prices vary for a CMMC Joint Surveillance Voluntary Assessment based on size, complexity, and number of CAGE codes. Contact KLC Consulting for more information.
Conquer Your Assessment with Our FREE Playbook
Demystify your CMMC Level 2 Assessment! Our FREE playbook simplifies the official “Objective Evidence List” from the DCMA DIBCAC. Get clear insights into C3PAO expectations for each security practice and what evidence they’ll require. Be fully prepared to ace your assessment.
C3PAO and JSVA: Your Roadmap to CMMC Compliance
The CMMC C3PAO and JSVA programs can be complex, but they don’t have to be. In this video, we break down the nuts and bolts of these programs. We discuss what a C3PAO is, who needs CMMC certification, and when CMMC assessments will be required. We also explain the JSVA program, its benefits, and how it differs from a regular CMMC assessment.
Whether you’re looking to get ahead of the CMMC curve or simply ensure your compliance, this video provides valuable insights. KLC Consulting offers expert guidance and support to help you navigate the CMMC landscape successfully.
Our C3PAO and Joint Surveillance Voluntary Assessments Video discusses the complexities of CMMC, C3PAO, JSVA and its costs, requirements, benefits, and process. Read the transcript. click here to close Kelly Hynes-McDermott interviews KLC’s Kyle Lai and Layla Remmert, Certified CMMC Assessors and CMMC Professionals to discuss C3PAO and Joint Surveillance Voluntary Assessment Program. Learn some COMPELLING reasons why JSVA certification elevates a Defense Industrial Base company standing in the defense community. CMMC awaits rulemaking completion from the Department of Defense, expected during 2025. Until then, the CMMC Joint Surveillance Program (JSVA) confers tremendous competitive advantages to Organizations Seeking Certification (OSCs) by elevating your status as a trusted DoD partner. JSVA demonstrates that you meet the requirements to handle sensitive government contracts and safeguard critical information. The DoD enters JSVA results into the SPRS database. Kelly: Hello. My name is Kelly Hynes-McDermott of Hynes Communications. I also serve as the Marketing Director for KLC Consulting. I’m excited to be here today with two of our experts in the field of CMMC for today’s conversation, focusing on C3PAO and Joint Surveillance Assessments, or JSVA. I’d like to introduce our two experts, Kyle Lai, President and CISO of KLC Consulting, a CMMC Certified Professional and soon-to-be a Certified Assessor. Also joining us today is Layla Remmert, who leads the delivery of KLC Consulting’s Cybersecurity and Compliance Services for our U.S. Defense Industrial Base clients. Layla is also a CMMC Certified Professional and soon-to-be a Certified Assessor. Welcome, Kyle and Layla! Kyle: Hi, very nice to be here. Layla: It’s great to be here. Kelly: Great to see you both. So, the complexity of CMMC, C3PAO, and JSVA can be challenging, and that’s why we’re here today, to talk about the nuts and bolts. It doesn’t need to be as difficult as folks tend to think it is, so let’s jump right in. Kyle, first, what is a C3PAO? Kyle: Yeah, so, the C3PAO program was established as part of the DoD Cybersecurity Maturity Model Certification (CMMC) program. A C3PAO is required to ensure that defense contractors, or Defense Industrial Base (DIB) companies, have adequate cybersecurity controls in place. A C3PAO, or CMMC Third Party Assessment Organization, is an organization authorized by the DoD to provide assessments and certify these companies seeking certification to do business with the DoD. Kelly: Got it. Who will be required to undergo a CMMC C3PAO assessment? Kyle: The requirement is for Defense Industrial Base companies that handle Controlled Unclassified Information (CUI) or companies that have contracts with the DoD under the DFARS (Defense Federal Acquisition Regulation Supplement) clause 252.204-7012, also known as DFARS 7012 requirements. If you have this requirement, you’ll need to comply and are required to have this CMMC certification eventually. Kelly: And when will that “eventually” be? When will CMMC assessments be required by the Department of Defense? Kyle: Right, so, based on what we understand today from the DoD, CMMC Rulemaking is likely going to be completed and finalized by mid-2024. The exact date isn’t known yet. Once Rulemaking is done, they’ll go through a public comment period. So, mid-2024 is what we’re hearing right now. Kelly: Very good. Layla, what is the JSVA program? Can you explain what it is and how it relates to NIST 800-171, SPRS, and CMMC? Layla: Absolutely. The Joint Surveillance Voluntary Assessment (JSVA) Program is a voluntary program offered by the U.S. Department of Defense. It’s a team effort involving the Cyber AB and C3PAO companies, allowing Organizations Seeking Certification (OSCs) to get ahead of CMMC. The program essentially equals a Level 2 CMMC certification once the Rulemaking process is complete. JSVA helps contractors assess and improve their compliance with DoD procurement regulations and standards through DFARS and NIST cybersecurity requirements, specifically NIST 800-171. The program helps contractors identify and address potential compliance issues before they become significant problems. It provides valuable independent feedback, reducing the risk of non-compliance. DIB companies are using JSVAs as a transitional program into CMMC rather than waiting until mid-2024, when CMMC will be fully codified. Kyle: Layla has participated in a Joint Surveillance Voluntary Program Assessment, so she definitely knows what she’s talking about. Layla: Thank you, Kyle. Kelly: Excellent. Why is it called a “Joint” Assessment? And who are the parties involved? Layla, can you explain that? Layla: That’s a great question. The “Joint” refers to the collaboration between the DoD’s Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) and a CMMC Third Party Assessment Organization (C3PAO) like KLC Consulting. The OSC or DIB company works with both organizations to get ahead of the final CMMC Rulemaking. Kelly: It sounds a bit like triage—this is a proactive way to stay ahead of your cybersecurity and ensure you’re prepared for CMMC. So, when the Rulemaking comes down, you have all the pieces in place, and there are no surprises. Would you categorize it that way? Layla: Yes, Kelly, that’s part of it. Another appealing aspect for OSCs is that they can advertise to their customers and DoD clients that they’ve gotten ahead of CMMC, which can be seen as a competitive advantage. It’s almost like bragging rights for being compliant early. Kyle: And there’s DFARS 252.204-7024, which tells DoD contract officers to evaluate the SPRS (Supplier Performance Risk System) score as part of the contract award process. Having an SPRS score that’s been verified carries more weight than a self-assessment, giving companies a competitive edge in contract bidding. Kelly: And seeing that these are voluntary and not mandatory, what are some of the other benefits of attaining JSVA now and not waiting? Layla, Kyle, any thoughts? Layla: Absolutely. Besides being first in the DIB, another advantage is avoiding potential queues once CMMC becomes mandatory. There might be a rush to get in for compliance, so doing the Voluntary Assessment early is smart. Additionally, successful JSVA results are entered into the SPRS database, which government acquisition professionals use to evaluate contractor performance. This gives companies a competitive edge when bidding on DoD contracts. Kelly: Great answer, thank you for that explanation. So, when Rulemaking is completed, how long will the certification be valid? Layla: At this time, the expectation is that a successful JSVA, resulting in a score of 88 or higher, will roll into a CMMC Level 2 certification once Rulemaking is finalized. This certification could effectively last four years, which extends the typical three-year recertification period. Kelly: You’re really getting that extra year by being proactive? Kyle: Yes, that’s correct. The DoD will convert the certification you received through JSVA to a CMMC Level 2 certification when Rulemaking is complete. Kelly: Excellent. Is there a waiting list for C3PAOs and DIBCAC? How can a DIB get involved now? Layla: Yes, there is a small waiting list. However, the DIBCAC is adding more assessors and preparing to conduct more Joint Surveillance Assessments. The first step for an OSC to get involved is to get on contract with a C3PAO, such as KLC Consulting, for a Certification Assessment. After that, the C3PAO will coordinate with Cyber AB to get the OSC on the waiting list. Kyle: Once you’re on the list, DIBCAC will reach out to the OSC and the C3PAO to coordinate the assessment schedule. Last week, I attended a conference, and we heard that about 90 companies are currently in the queue. But the DoD will prioritize who gets assessed based on their determination. Kelly: And once selected, how long does it take to complete the JSVA? Layla: From my experience, it typically takes about three months from getting into the queue to starting the assessment. The Joint Assessment itself lasts about six weeks from the readiness review to certification. Would you agree with that, Kyle? Kyle: Yes, I agree. It’s important to make sure the company is ready before the assessment starts. If you’re not ready, the assessment could be postponed or canceled. Layla: Yes, that’s part of the Certification Assessment Process (CAP) guidance. The C3PAO and DIBCAC jointly review readiness and decide whether to proceed, postpone, or cancel the assessment. Kyle: Layla, how long does the actual assessment last? Is it about a week? Layla: Yes, typically about four to five business days. Some practices must be observed on-site, although some DIBCAC teams may conduct the entire assessment on-site. But it usually follows a hybrid model. Kelly: What are the costs involved in doing the JSVA? Layla: The costs vary depending on factors like the business type (manufacturer, engineering firm, etc.), the number of CAGE codes, the size and complexity of the organization, and whether they have a cloud-only or hybrid environment. Other factors include the use of external service providers and certifications like ISO 27001 or ITAR. Kyle, anything to add? Kyle: No, I think you covered the main points. Complexity is the biggest driver of cost. We evaluate factors like how many managed service providers, cloud service providers, and locations a company has. Kelly: So, it’s a sliding scale depending on the complexity of the company? Kyle: Exactly. The bigger the organization and the more complex their environment, the greater the cost. Kelly: Layla, how does a DIB company know if it’s ready for a JSVA or CMMC assessment? Layla: That’s a great question. First, the company should perform its NIST 800-171 self-assessment and submit its SPRS score. Then, they need to scope their assets according to the CMMC 2.0 Assessment and Scoping Guides. They should also remediate any deficiencies and ensure they have an SSP (System Security Plan) that details the implementation status for all 110 practices and 320 assessment objectives. If those items are in place, they may be ready for assessment. Kelly: So, preparation is key. Can you also distinguish between a Readiness (Mock) Assessment and Consulting Help? Layla: Yes. Having deficiencies doesn’t automatically mean you’re not ready for Joint Surveillance, as long as they’re not critical deficiencies, and your SPRS score is 88 or higher. Kyle, would you like to explain the difference between a Readiness Assessment and consulting help? Kyle: Sure. A Readiness Assessment, also known as a Mock Assessment, evaluates if the company is ready for the formal assessment. We don’t provide consulting during this process since it would be a conflict of interest. If a company isn’t ready, we can identify gaps, and after remediation, they can come back to us for another Readiness Assessment. Layla: That’s a great distinction. A Readiness Assessment tells you where you stand without giving you guidance on how to fix issues, which makes it different from consulting. Kelly: So, by doing a Mock Assessment, the company is saving time and money by addressing gaps beforehand? Layla: Yes, absolutely. It’s an integral part of CMMC readiness. Kyle: Yes, and if the company isn’t ready during the Readiness Assessment, it doesn’t impact their record with DIBCAC or SPRS. Kelly: That makes sense—no double-dipping, right? You can’t do both the consulting and assessment work. Kyle: Exactly. Kelly: That keeps things clean. Layla, KLC Consulting has built strong relationships in the CMMC ecosystem, right? Layla: Yes, we collaborate with other C3PAOs and partner in the CMMC ecosystem. Kyle is on the board of the C3PAO Stakeholder Forum, and we frequently engage with the Cyber AB and DIBCAC. Kelly: Why would a DIB company want to work with KLC Consulting over other firms? Kyle: We have experience with small, medium, and large companies, including those with multiple CAGE codes. Our assessors have over 10 to 20 years of experience, and we’ve been through Joint Surveillance Assessments ourselves, so we know exactly what documentation and preparation are needed. Layla: At KLC Consulting, we also emphasize empathy and collaboration, which reduces the stress of going through an assessment. We build positive, enduring relationships with our clients because we prioritize understanding their needs. Kelly: That’s excellent. We’ve talked the talk and walked the walk, partnering with clients through this process because we’ve been there ourselves. Anything else you’d like to add before we wrap up? Kyle: It’s not easy to get ready for NIST 800-171, DFARS, and CMMC compliance. It’s a long journey, but we’ve been through it, and we can help. Feel free to reach out if you need assistance. Kelly: Excellent. Thank you, Kyle and Layla, for helping us better understand the nuts and bolts of C3PAO and JSVA Assessment Services. And thank you to our viewers for joining us today. If you’d like to contact KLC Consulting, please see our contact info at the end of this video. Thanks again for watching, and we’ll see you next time. Kyle: All right, thank you, everyone. Kelly: Thank you. click here to closeC3PAO and JSVA Interview
Secure Your CMMC
C3PAO Assessment
Don’t Get Left on the Ground. With limited C3PAOs and a growing number of DIB companies requiring CMMC Level 2 certification, securing your assessment spot is crucial. Reserve your assessment with KLC Consulting today and avoid delays.