What is the government if not an organization dedicated to the creation of paperwork? All of that paperwork means something, though, and it can range from trivial to vitally important. One of the more important forms, if it’s required for your business or institution to fill out, is the DD2345 form. What is it, what is it used for, do you need one, and how does it interact with CMMC?
Whether you’re first getting started with the process of obtaining relevant certifications, or you’re stepping into the role of data custodian, or you’re investigating the options for military and government contracts, you’re going to encounter a lot of information related to CMMC, including how it interacts with DD 2345. There’s a lot to cover, so let’s get started.
What is DD 2345?
The DD 2345 form is an application form. It’s used by the Joint Certification Program, which is administered by the Defense Logistics Agency.
The purpose of the DD 2345 application is to certify a business, agency, institution, or contractor to work with MCTD. MCTD is Militarily Critical Technical Data; that is, data such as blueprints, drawings, software, specifications, and documents pertaining to military, space, and related technologies.
Primarily, the certification you apply for when you submit form DD 2345 is required if you want to work with unclassified MCTD while working with either the United States Department of Defense or the Canadian Department of National Defense.
What is MCTD?
As mentioned above, MCTD is Militarily Critical Technical Data. This data is export-controlled, meaning without certification, it’s a violation of federal law to share it with businesses, partners, or other entities outside of the United States and outside of the list of certified entities.
MCTD can include things like blueprints, operating instructions, software, or technical specifications for military and/or space equipment. The exact types of information are specified in three codes:
- The International Traffic in Arms Regulation, ITAR
- The Export Administration Regulations, EAR
- The Canadian Controlled Goods Program, CGP
These three codes contain specifications for what is and isn’t considered unclassified MCTD. In a broad overview, it contains basically anything related to military or space operations for either the United States or Canada unless that information is even more tightly controlled, such as with a classified status.
Who Handles DD 2345s?
DD 2345 applications are processed by the Defense Logistics Agency as part of the JCP, or Joint Certification Program. More specifically, applications are handled by the JCO or Joint Certification Office.
The Joint Certification Office, by their own description:
- Is a jointly staffed office managed by members of both the United States DoD and the Canadian DND.
- Is the only office or agency that processes DD 2345 applications.
- Is the primary resource for providing customer support to defense contractors applying for certification via DD 2345.
- Is the office responsible for taking DoD and DND directives and creating policy out of them.
- Is a partner with DoD legal counsel and can advise or recommend debarment actions.
The office handles around 9,000 DD 2345 forms every year. To make sure yours is one that passes inspection, it’s important to follow all instructions, fill out the form and application properly, and be sure to ask relevant contacts or the JCO directly if you have any questions.
Who Needs a DD 2345?
The DD 2345 application is required for all United States contractors and subcontractors who want to work with or obtain access to unclassified militarily critical technical data or technology. Classified information still requires additional security clearance to obtain and is more rigorously controlled. Unclassified MCTD is more along the lines of CUI, with only military data instead of more general data.
You may notice if you’ve researched the topic before that virtually every public research university has their certification and has a page for DD form 2345. You may also notice that the whole initiative is a joint program between the United States and Canada, allowing Canadian agencies to work with the United States government directly, or with United States contractors, without additional controls.
What is a DAV?
Businesses and entities that wish to handle MCTD may need to obtain that data in person. This process is known as a DAV or Directly Arranged Visit. DAVs are direct visits to military facilities or other locations that otherwise aren’t accessible to you or your entity. Since the information you need can’t generally be simply emailed to you or otherwise transmitted through insecure means, a direct visit is the usual way to go.
To arrange a visit, once you have your JCP certification, you can reach out to a point of contact at the specific facility you wish to visit. Your request needs to include the purpose of the visit, when it will be, where it will be, who your contact is, who is attending, citizenship information for those involved, and a copy of your JCP certification. All of this allows you to arrange a visit to transfer or gather the information you’re approved to harvest.
What Do You Need to Get a DD 2345?
In order to submit a completed DD 2345, you must first meet several baseline requirements as a contractor. If you don’t meet these requirements, your application will generally be rejected.
First, you need to complete the NIST SPRS. This is a process wherein you complete an assessment from the National Institute of Standards and Technology, and upload the results of that assessment to the Supplier Performance Risk System, found here.
Second, you need to register with SAM. SAM is the government contractor registration system. If your business or other institution doesn’t already have a SAM entity ID, you will need to submit your registration to obtain your unique entity ID. You can do so by following the process here.
The unique identifier given to you by SAM is also known as your CAGE code, or Commercial And Government Entity Code. This is a very important unique identifier that can be used throughout various government dealings, so it’s critical that you get one and keep it on hand for when you need it.
Canadian companies have a similar but different code called the NCAGE code. This is the NATO Commercial And Government Entity Code. These are not issued by SAM, but rather by the NATO Support and Procurement Agency.
You will also need to review the Introduction to Proper Handling Training document, which is a document provided by the Defense Logistics Agency, found here. There’s no official process to proceed with this training or certify that you’ve completed it; it’s just the foundational level of information you need to properly handle the information you’re applying to have access to.
There are usually additional instructions as well, which may be specific between the United States and Canada, and can be specifically relevant to your type of business or institution.
Additional requirements include:
- Your business or entity must be either Canadian-owned or United States-owned.
- Your designated data custodian must be a Canadian or United States citizen.
- You must renew your DD 2345 every five years.
Finally, you will need to have two-factor authentication configured. The DLA specifies the use of Google Authenticator.
What Does a DD 2345 Have to Do with CMMC?
CMMC is the Cybersecurity Maturity Model Certification. It’s meant to be a single unified framework and standard for cybersecurity, as developed and maintained by the Department of Defense. It exists to secure controlled unclassified information and sensitive information throughout the Defense Industrial Base.
All defense contractors that wish to work with the DoD and handle CUI will need to comply with CMMC specifications and obtain CMMC certification. With three levels of certification (Foundational, Advanced, and Expert), CMMC has different levels of stringent controls depending on the kind of institution you are and the kind of information you intend to handle and process.
Other than CMMC, the Department of Defense also administers ITAR, the International Traffic in Arms Regulations. This set of regulations governs and controls the export, import, and brokering of defense and defense-related technical data. It’s basically export control for sensitive information.
As mentioned above, ITAR helps define what information is considered militarily critical technical data, which is governed in part by the joint certification program using DD 2345.
CMMC is generally relatively narrow, especially compared to ITAR. Since DD 2345 is concerned with ITAR information, CMMC is effectively covered. After all, it’s rare for something to be governed by ITAR but not CMMC.
Do You Need CMMC Certification to Submit DD 2345?
Yes and no.
Technically, you don’t need CMMC certification to submit a DD 2345 form. However, if you’re a business working with controlled military information, as a defense contractor, you’re going to be required to adhere to CMMC anyway, so it’s effectively required. The two are not technically connected beyond both being necessary; they are not precursors or prerequisites for one another.
How Do You Submit a DD 2345 Form?
Until recently, the DD 2345 form was filled out and mailed through the postal service to the JCP Logistics Information Services Federal Center address in Battle Creek, Michigan. However, recently, they decided to no longer process paper applications. You must now submit your form digitally through the JCP website.
During the transition between paper and online submissions, the JCP accepted submissions of the DD 2345 form via email. Email is no longer an acceptable way to submit the form; you must use the web portal now.
What Else Do You Need to Know?
The CAGE number is a critically-important piece of information, but there are many reasons why you might not know your number. For example, maybe your entity received one many years ago, eventually lost the contract that they needed it for, and haven’t reapplied since. You can identify whether or not you have a CAGE number by searching through the CAGE program’s search & inquiry form on their official site.
Finally, if you need assistance or have a question that hasn’t been covered here or on the JCP website, you can contact the JCP directly. Their office phone number is (877) 352-2255, or you can email them at JCP-ADMIN@DLA.MIL.
If you review your application or certification and realize there is incorrect information, you need to correct it via the JCP portal.
It can take time for the JCP to process your application. As mentioned above, they handle around 9,000 applications per year, which means they’re processing 30-40 applications per business day. The JCP recommends submitting your application or renewal at least 60 days prior to the time you need it, which is either when your contracts start or when your current certification expires.
There are currently no fees for submitting or processing your information or the DD 2345 form. Likewise, there is no fee to obtain a CAGE or NCAGE number.
Part of the DD 2345 form is a block where you describe what your business does. For large and complex businesses, this can be a difficult thing to distill down into the space provided. Unfortunately, there’s no way to add additional pages or expand the available space. Your application can be returned as incomplete if your description is not sufficiently robust, but it can also be returned if you overrun the space available. It can be tricky to walk this line, so be careful.
If you need assistance on the CMMC, ITAR, or other security frameworks that you need to comply with before you apply for certification with the JCP, you can also reach out to us. As a certified FedRAMP 3PAO and a long-time expert in all things government security, we have a unique perspective and the ability to help you out with the certification process. The Ignyte Platform is also a powerful tool for tracking and ensuring compliance with frameworks like CMMC, ITAR, and the underlying NIST documents like 800-54 and 800-171 that they’re based on. If you’re interested in seeing what it can do for you, all you need to do is book a demo today.
If you have any questions about us and our platform, about CMMC, about ITAR, or about DD 2345, feel free to reach out and contact us today.
Max Aulakh is a distinguished Data Security and Compliance leader, recognized for implementing DoD-tested security strategies and compliance measures that protect mission-critical IT operations. His expertise was shaped in the United States Air Force, where he was responsible for the InfoSec and ComSec of network hardware, software, and IT infrastructure across global classified and unclassified networks. He also developed strategic relationships with military units in Turkey, Afghanistan, and Iraq. After his tenure with the USAF, Max played a pivotal role in driving Information Assurance (IA) programs for the U.S. Department of Defense (DoD). As a Senior Consultant for a leading defense contracting firm, he led a team that ensured data centers met Air Force Level Security audits for regulatory requirements like HIPAA, SOX, and FISMA. Currently, as the CEO of Ignyte Assurance Platform, he is at the forefront of cyber assurance and regulatory compliance innovation, catering to defense, healthcare, and manufacturing sectors. Max is also an esteemed speaker, having presented at several conferences on topics including cybersecurity GRC, medical device security, and cybersecurity perspectives in vendor management. You can follow him in LinkedIn here.