Understanding C3PAO and JSVA in the CMMC Ecosystem

Navigating the complexities of the Cybersecurity Maturity Model Certification (CMMC) can be challenging for many Defense Industrial Base (DIB) companies. To help these organizations ensure compliance, the Department of Defense (DoD) introduced the CMMC Third Party Assessment Organization (C3PAO) and the Joint Surveillance Voluntary Assessment (JSVA) programs. These programs provide a structured approach to cybersecurity, allowing companies to stay ahead of DoD requirements, particularly as CMMC Rulemaking is set to be finalized by mid-2024.

What is a C3PAO?

C3PAOs play a critical role in assessing and certifying DIB companies for CMMC compliance. These organizations ensure that defense contractors have adequate cybersecurity controls in place to protect Controlled Unclassified Information (CUI). By working with a C3PAO, companies can meet DFARS 7012 requirements and position themselves to secure future contracts with the DoD. The assessment process also evaluates whether a company is ready for certification, ensuring they meet the necessary cybersecurity standards.

The Benefits of Joint Surveillance Assessments (JSVA)

The JSVA program, introduced by the DoD, offers companies a way to proactively achieve CMMC Level 2 certification. By undergoing a JSVA before CMMC becomes mandatory, companies can gain a competitive edge, avoid future assessment backlogs, and enter the Supplier Performance Risk System (SPRS) early. This allows organizations to demonstrate their commitment to cybersecurity and compliance, making them more appealing to DoD contract officers who evaluate SPRS scores during the contract award process.

Why Choose KLC Consulting for CMMC and JSVA?

KLC Consulting stands out in the CMMC ecosystem for its broad experience and client-centric approach. With certified professionals and assessors who have firsthand experience with the CMMC process, KLC Consulting offers both readiness assessments and full assessments. Their collaborative and empathetic approach helps reduce the stress of compliance, ensuring clients feel supported throughout the journey. By partnering with KLC Consulting, DIB companies can ensure they’re prepared for CMMC, while benefiting from early compliance and stronger government relationships.

CMMC awaits rulemaking from the Department of Defense, expected during 2024. Until then, the Joint Surveillance Voluntary Assessment (JSVA) program confers tremendous competitive advantages to Organizations Seeking Certification (OSCs) by elevating your status as a trusted DoD partner. JSVA demonstrates that you meet the requirements to handle sensitive government contracts and safeguard critical information. The DoD enters JSVA results into the SPRS database. Read the transcript of our C3PAO and Joint Surveillance Voluntary Assessment Video

click here to close

Kelly: Hello. My name is Kelly Hynes-McDermott of Hynes Communications. I also serve as the Marketing Director for KLC Consulting. I’m excited to be here today with two of our experts in the field of CMMC for today’s conversation, focusing on C3PAO and Joint Surveillance Assessments, or JSVA. I’d like to introduce our two experts, Kyle Lai, President and CISO of KLC Consulting, a CMMC Certified Professional and soon-to-be a Certified Assessor.

Also joining us today is Layla Remmert, who leads the delivery of KLC Consulting’s Cybersecurity and Compliance Services for our U.S. Defense Industrial Base clients. Layla is also a CMMC Certified Professional and soon-to-be a Certified Assessor. Welcome, Kyle and Layla!

Kyle: Hi, very nice to be here.

Layla: It’s great to be here.

Kelly: Great to see you both. So, the complexity of CMMC, C3PAO, and JSVA can be challenging, and that’s why we’re here today, to talk about the nuts and bolts. It doesn’t need to be as difficult as folks tend to think it is, so let’s jump right in.

Kyle, first, what is a C3PAO?

Kyle: Yeah, so, the C3PAO program was established as part of the DoD Cybersecurity Maturity Model Certification (CMMC) program. A C3PAO is required to ensure that defense contractors, or Defense Industrial Base (DIB) companies, have adequate cybersecurity controls in place. A C3PAO, or CMMC Third Party Assessment Organization, is an organization authorized by the DoD to provide assessments and certify these companies seeking certification to do business with the DoD.

Kelly: Got it. Who will be required to undergo a CMMC C3PAO assessment?

Kyle: The requirement is for Defense Industrial Base companies that handle Controlled Unclassified Information (CUI) or companies that have contracts with the DoD under the DFARS (Defense Federal Acquisition Regulation Supplement) clause 252.204-7012, also known as DFARS 7012 requirements. If you have this requirement, you’ll need to comply and are required to have this CMMC certification eventually.

Kelly: And when will that “eventually” be? When will CMMC assessments be required by the Department of Defense?

Kyle: Right, so, based on what we understand today from the DoD, CMMC Rulemaking is likely going to be completed and finalized by mid-2024. The exact date isn’t known yet. Once Rulemaking is done, they’ll go through a public comment period. So, mid-2024 is what we’re hearing right now.

Kelly: Very good. Layla, what is the JSVA program? Can you explain what it is and how it relates to NIST 800-171, SPRS, and CMMC?

Layla: Absolutely. The Joint Surveillance Voluntary Assessment (JSVA) Program is a voluntary program offered by the U.S. Department of Defense. It’s a team effort involving the Cyber AB and C3PAO companies, allowing Organizations Seeking Certification (OSCs) to get ahead of CMMC. The program essentially equals a Level 2 CMMC certification once the Rulemaking process is complete.

JSVA helps contractors assess and improve their compliance with DoD procurement regulations and standards through DFARS and NIST cybersecurity requirements, specifically NIST 800-171. The program helps contractors identify and address potential compliance issues before they become significant problems. It provides valuable independent feedback, reducing the risk of non-compliance. DIB companies are using JSVAs as a transitional program into CMMC rather than waiting until mid-2024, when CMMC will be fully codified.

Kyle: Layla has participated in a Joint Surveillance Voluntary Program Assessment, so she definitely knows what she’s talking about.

Layla: Thank you, Kyle.

Kelly: Excellent. Why is it called a “Joint” Assessment? And who are the parties involved? Layla, can you explain that?

Layla: That’s a great question. The “Joint” refers to the collaboration between the DoD’s Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) and a CMMC Third Party Assessment Organization (C3PAO) like KLC Consulting. The OSC or DIB company works with both organizations to get ahead of the final CMMC Rulemaking.

Kelly: It sounds a bit like triage—this is a proactive way to stay ahead of your cybersecurity and ensure you’re prepared for CMMC. So, when the Rulemaking comes down, you have all the pieces in place, and there are no surprises. Would you categorize it that way?

Layla: Yes, Kelly, that’s part of it. Another appealing aspect for OSCs is that they can advertise to their customers and DoD clients that they’ve gotten ahead of CMMC, which can be seen as a competitive advantage. It’s almost like bragging rights for being compliant early.

Kyle: And there’s DFARS 252.204-7024, which tells DoD contract officers to evaluate the SPRS (Supplier Performance Risk System) score as part of the contract award process. Having an SPRS score that’s been verified carries more weight than a self-assessment, giving companies a competitive edge in contract bidding.

Kelly: And seeing that these are voluntary and not mandatory, what are some of the other benefits of attaining JSVA now and not waiting? Layla, Kyle, any thoughts?

Layla: Absolutely. Besides being first in the DIB, another advantage is avoiding potential queues once CMMC becomes mandatory. There might be a rush to get in for compliance, so doing the Voluntary Assessment early is smart. Additionally, successful JSVA results are entered into the SPRS database, which government acquisition professionals use to evaluate contractor performance. This gives companies a competitive edge when bidding on DoD contracts.

Kelly: Great answer, thank you for that explanation. So, when Rulemaking is completed, how long will the certification be valid?

Layla: At this time, the expectation is that a successful JSVA, resulting in a score of 88 or higher, will roll into a CMMC Level 2 certification once Rulemaking is finalized. This certification could effectively last four years, which extends the typical three-year recertification period.

Kelly: You’re really getting that extra year by being proactive?

Kyle: Yes, that’s correct. The DoD will convert the certification you received through JSVA to a CMMC Level 2 certification when Rulemaking is complete.

Kelly: Excellent. Is there a waiting list for C3PAOs and DIBCAC? How can a DIB get involved now?

Layla: Yes, there is a small waiting list. However, the DIBCAC is adding more assessors and preparing to conduct more Joint Surveillance Assessments. The first step for an OSC to get involved is to get on contract with a C3PAO, such as KLC Consulting, for a Certification Assessment. After that, the C3PAO will coordinate with Cyber AB to get the OSC on the waiting list.

Kyle: Once you’re on the list, DIBCAC will reach out to the OSC and the C3PAO to coordinate the assessment schedule. Last week, I attended a conference, and we heard that about 90 companies are currently in the queue. But the DoD will prioritize who gets assessed based on their determination.

Kelly: And once selected, how long does it take to complete the JSVA?

Layla: From my experience, it typically takes about three months from getting into the queue to starting the assessment. The Joint Assessment itself lasts about six weeks from the readiness review to certification. Would you agree with that, Kyle?

Kyle: Yes, I agree. It’s important to make sure the company is ready before the assessment starts. If you’re not ready, the assessment could be postponed or canceled.

Layla: Yes, that’s part of the Certification Assessment Process (CAP) guidance. The C3PAO and DIBCAC jointly review readiness and decide whether to proceed, postpone, or cancel the assessment.

Kyle: Layla, how long does the actual assessment last? Is it about a week?

Layla: Yes, typically about four to five business days. Some practices must be observed on-site, although some DIBCAC teams may conduct the entire assessment on-site. But it usually follows a hybrid model.

Kelly: What are the costs involved in doing the JSVA?

Layla: The costs vary depending on factors like the business type (manufacturer, engineering firm, etc.), the number of CAGE codes, the size and complexity of the organization, and whether they have a cloud-only or hybrid environment. Other factors include the use of external service providers and certifications like ISO 27001 or ITAR. Kyle, anything to add?

Kyle: No, I think you covered the main points. Complexity is the biggest driver of cost. We evaluate factors like how many managed service providers, cloud service providers, and locations a company has.

Kelly: So, it’s a sliding scale depending on the complexity of the company?

Kyle: Exactly. The bigger the organization and the more complex their environment, the greater the cost.

Kelly: Layla, how does a DIB company know if it’s ready for a JSVA or CMMC assessment?

Layla: That’s a great question. First, the company should perform its NIST 800-171 self-assessment and submit its SPRS score. Then, they need to scope their assets according to the CMMC 2.0 Assessment and Scoping Guides. They should also remediate any deficiencies and ensure they have an SSP (System Security Plan) that details the implementation status for all 110 practices and 320 assessment objectives. If those items are in place, they may be ready for assessment.

Kelly: So, preparation is key. Can you also distinguish between a Readiness (Mock) Assessment and Consulting Help?

Layla: Yes. Having deficiencies doesn’t automatically mean you’re not ready for Joint Surveillance, as long as they’re not critical deficiencies, and your SPRS score is 88 or higher. Kyle, would you like to explain the difference between a Readiness Assessment and consulting help?

Kyle: Sure. A Readiness Assessment, also known as a Mock Assessment, evaluates if the company is ready for the formal assessment. We don’t provide consulting during this process since it would be a conflict of interest. If a company isn’t ready, we can identify gaps, and after remediation, they can come back to us for another Readiness Assessment.

Layla: That’s a great distinction. A Readiness Assessment tells you where you stand without giving you guidance on how to fix issues, which makes it different from consulting.

Kelly: So, by doing a Mock Assessment, the company is saving time and money by addressing gaps beforehand?

Layla: Yes, absolutely. It’s an integral part of CMMC readiness.

Kyle: Yes, and if the company isn’t ready during the Readiness Assessment, it doesn’t impact their record with DIBCAC or SPRS.

Kelly: That makes sense—no double-dipping, right? You can’t do both the consulting and assessment work.

Kyle: Exactly.

Kelly: That keeps things clean. Layla, KLC Consulting has built strong relationships in the CMMC ecosystem, right?

Layla: Yes, we collaborate with other C3PAOs and partner in the CMMC ecosystem. Kyle is on the board of the C3PAO Stakeholder Forum, and we frequently engage with the Cyber AB and DIBCAC.

Kelly: Why would a DIB company want to work with KLC Consulting over other firms?

Kyle: We have experience with small, medium, and large companies, including those with multiple CAGE codes. Our assessors have over 10 to 20 years of experience, and we’ve been through Joint Surveillance Assessments ourselves, so we know exactly what documentation and preparation are needed.

Layla: At KLC Consulting, we also emphasize empathy and collaboration, which reduces the stress of going through an assessment. We build positive, enduring relationships with our clients because we prioritize understanding their needs.

Kelly: That’s excellent. We’ve talked the talk and walked the walk, partnering with clients through this process because we’ve been there ourselves. Anything else you’d like to add before we wrap up?

Kyle: It’s not easy to get ready for NIST 800-171, DFARS, and CMMC compliance. It’s a long journey, but we’ve been through it, and we can help. Feel free to reach out if you need assistance.

Kelly: Excellent. Thank you, Kyle and Layla, for helping us better understand the nuts and bolts of C3PAO and JSVA Assessment Services. And thank you to our viewers for joining us today. If you’d like to contact KLC Consulting, please see our contact info at the end of this video. Thanks again for watching, and we’ll see you next time.

Kyle: All right, thank you, everyone.

Kelly: Thank you.

click here to close

Scroll to Top