
JVSA and JVSAP Guide: What Do These Programs Do?


To secure CUI and FCI according to CMMC rules, DIB contractors working with the DoD need to comply with NIST SP 800-171. CMMC is still an evolving framework, and becoming an early adopter allows you to participate in the JVSAP to deliver feedback on implementation and lessons learned about the process.

That’s a lot of acronyms, so let’s step back, explain the program and why it exists, what benefits it has for you, and how to go through it.

We’ve talked a lot about this process before, including on our podcast.

BLUF - Bottom Line Up Front

To secure Controlled Unclassified and Federal Contract Information under CMMC rules, Defense Industrial Base contractors need NIST SP 800-171 compliance. CMMC 2.0 levels range from basic to advanced, with increasing requirements for each level. One path to early CMMC Level 2 certification involves the Joint Surveillance Voluntary Assessment (JVSA), helping contractors meet standards ahead of CMMC's full implementation, navigate changes, and maintain a competitive edge in securing defense contracts.

CMMC and the DIB

CMMC is the Cybersecurity Maturity Model Certification. It’s a program aimed at the Defense Industrial Base, meant to help Department of Defense contractors in the DIB protect themselves – and, by extension, the government agencies they work with – from cybersecurity threats and attacks.


Originally, CMMC had five tiered levels of security, ranging from basic to advanced. In 2021, the Department of Defense announced CMMC 2.0, a new iteration of the certification and its rules that collapses those five tiers into three levels.

  • Level 1 has 15 security requirements and requires annual self-assessments and affirmations.
  • Level 2 has the 110 requirements of NIST SP 800-171. It requires a triennial assessment, either a self-assessment or a C3PAO assessment depending on the contract, plus an annual affirmation.
  • Level 3 has the 110 Level 2 requirements plus a subset of NIST SP 800-172, and requires triennial government-led assessments, along with annual affirmation.

As things currently stand, CMMC is not yet a requirement to operate as a federal contractor in the Defense Industrial Base working with the Department of Defense. However, the time is coming when CMMC will be fully implemented, at which point a vast number of contractors are going to pursue certification. The original interim rule became effective on November 30, 2020, and established a five-year phase-in period, the end of which is only a bit over a year away.

Reaching CMMC Level 2

If you looked at the CMMC levels and thought, “There’s a massive jump between Level 1 and Level 2”, you’re right. In many ways, it’s the equivalent of going from FedRAMP Li-SaaS to FedRAMP Moderate Impact; the jump in requirements, scrutiny, and compliance is huge.

CMMC Level 1 is essentially just a way for the DoD to encourage contractors in the DIB to put some thought and effort into their security without making it a huge and onerous responsibility. It’s aimed mostly at contractors that handle only Federal Contract Information (FCI) but, in their position as federal contractors, still need to go above and beyond the commercial bare minimum.


CMMC Level 2, meanwhile, is a stricter level of requirements because it’s aimed at contractors that handle CUI as well as FCI, or that are part of a program that is otherwise important to national security, and that therefore need to maintain a higher standard of security and resistance to threats.

An estimated 300,000 DIB companies will need to implement some level of CMMC. That’s a lot of contractors! Certainly, not all of them will need Level 2 certification – many will be fine with Level 1 self-assessments – but some 77,000 or so DIB contractors will need to achieve Level 2 or higher. The problem becomes clear when you learn that there are only 54 C3PAOs – CMMC Third-Party Assessment Organizations like Ignyte – and that, as of the end of last year, only 22 JVSAs had been completed. These numbers obviously change over time.

In other words, there’s going to be a crowd, and pursuing a JVSA sooner rather than later can put you ahead of the pack.

What Are JSP, JVSA, and JVSAP?

To take a step back, let’s talk about these three acronyms. They all refer to the same effort: one is the assessment itself, and the other two are names for the program under which it is performed.

  • JSP is the Joint Surveillance Program.
  • JVSA is the Joint Surveillance Voluntary Assessment.
  • JVSAP is the Joint Surveillance Voluntary Assessment Program.

JVSAP and JSP are the same thing; some people simply choose to use one acronym over the other. The JVSA is the individual assessment conducted under that program.

There are effectively two paths towards achieving CMMC Level 2.

The first is to rigorously go through all 110 security requirements in NIST SP 800-171, assess and implement all of them, perform a review against NIST SP 800-171A and its 300+ individual assessment objectives, and then engage a C3PAO to perform an audit to validate and verify all of those implementations. All of this aims to achieve DFARS High Confidence status, which will be transferable to CMMC Level 2.


The second is to pursue a JVSA.

The Joint Surveillance Voluntary Assessment is, effectively, a sort of “early access” path to CMMC Level 2 certification. Given that CMMC is not currently implemented and can still potentially change before full implementation, the JVSA is also a way to contribute both successes and challenges to the overall feedback of CMMC’s development and possibly influence the direction of its implementation.

Two important things matter about the JSP and JVSA.

  • Achieving certification with a JVSA now will transfer to CMMC Level 2 later.
  • When CMMC is officially rolled out, the JVSAP/JSP will cease to exist.

Essentially, the JSP is a way for DIB contractors to pursue preemptive CMMC Level 2 certification before CMMC even fully exists.

Why Pursuing a JVSA is a Good Idea

There are many reasons why a DoD contractor might decide to pursue a JVSA rather than relying on a standard DFARS assessment alone.

The biggest reason is to get in the game early and achieve your certification ahead of the pack. With 77,000 potential contractors seeking the attention of fewer than 60 C3PAOs, space will be limited and wait times will be long, and while you wait you risk being left high and dry or duplicating work already done for a DFARS assessment. Alternatively, you may simply be unable to perform on your government contract for an unspecified period.

Since a successful JVSA will transfer directly into CMMC Level 2, you can effectively achieve certification before the ability to achieve certification exists. In fact, completing a full JVSA gives you a score that is officially entered into the DoD Supplier Performance Risk System (SPRS) and automatically earns you the DFARS High Confidence rating. In some ways, it’s even better than simply pursuing DFARS compliance on its own, since DFARS can be satisfied with a Basic self-assessment that never earns the High Confidence designation.

Additionally, since a CMMC certification expires every three years, certifying early keeps you ahead of the recertification cycle. Everyone who waits to certify and fights the crowd to do it will need to go through the same process again in 2028-29, 2031-32, and so on. By passing a JVSA now and certifying, essentially, a year early, you can then recertify in 2027-28 and 2030-31, staying ahead of the curve.

Over time, as contractors drop in and out, the crowds will thin, but it will take quite some time before that triennial surge is fully ironed out.


There are two additional benefits to pursuing a JVSA now rather than waiting for the standard CMMC process to roll out.

The first is that you can take advantage of the fact that the DoD has not yet fully adopted NIST SP 800-171 Revision 3. Currently, JVSAs and DFARS assessments are based on Revision 2. Revision 3 is not necessarily more difficult, but it is different enough that there will likely be some roadblocks, changes, and adjustments to be made.

By achieving the JVSA certification now on Revision 2, you can take your time and adjust only to the changes between Revision 2 and Revision 3. If you wait, you’ll need to adopt Revision 3 as a whole while working through the unfamiliarity along with everyone else. Admittedly, this isn’t necessarily a huge benefit. Revision 3’s draft documents, and now its final publication, have been out for a while, so there’s not much mystery to it.

The second advantage is that you have a longer timeframe for recovering from failure. Under normal DFARS compliance, you have very little margin for error, and a failure sets you back immensely: only a handful of controls may be placed on a POAM to defer implementation, and for the rest POAMs are effectively unavailable. With the JVSA, more controls, including higher-weighted three-point and five-point controls, can be placed on a POAM, and you have up to 180 days to close them.

How to Perform a JVSA

If you’re convinced and interested in pursuing the JVSA process to preemptively achieve CMMC certification, your next step is figuring out how to do it. Fortunately, the process isn’t terribly complex, especially if you’ve already been through the DFARS process.

The first step of the process is to verify that you’re eligible in the first place. To be eligible to complete a JVSA, your business needs to have an active contract with the Department of Defense. Moreover, that contract needs to include the DFARS 252.204-7012 clause, and you have to handle CUI as part of your contract.

Why is this the case? If your company doesn’t handle CUI, or you don’t have the DFARS clause, you don’t need to achieve CMMC Level 2 (or higher) to work with the DoD, so the Level 2 requirements don’t apply to you and your feedback on the process isn’t relevant.

Once you’ve verified that you’re eligible, you can apply to the JSP. If you’re accepted, you’ll have a call to review documentation and determine whether you’re in a state where you can undergo an assessment or whether you need to do more groundwork first. You will also need the DIBCAC to select you to participate. The number of C3PAOs available to perform these assessments is limited, and space is filling up quickly, so keep that in mind; getting in on the ground floor requires taking action ASAP.


It will generally take a few months from the time of being accepted to performing an assessment, and that’s if you’re basically ready to go. The assessment itself can take some time as well, depending on how well you’ve kept records and data, and how much evidence you’re able to present for each security requirement.

Every requirement will need at least some evidence or artifacts proving its implementation, but most C3PAOs will dig deeper and hold highly technical discussions, expecting very recent evidence to support your implementation.

To help make sure you have all of this data readily on hand, we highly recommend the Ignyte Platform. We designed the Platform specifically with frameworks like CMMC in mind, to provide a centralized, secure, and non-siloed way to handle and collaborate on data, evidence, and documents required to achieve certification for various government frameworks. You can book a demo and see what it can do for you, right away.

There are generally three results for the JVSA. The first is full failure. You have time to adjust and attempt another assessment to pass, but there’s a limited amount of time before CMMC rolls out and the JSP is retired, so don’t delay. The second result is a qualified success; you have some controls that need work, but a POAM can cover the gap. The third is a success with flying colors, which sets you in a very good position for the rollout of CMMC in the future.

Regardless of the results of the assessment, you can also evaluate the process itself and give feedback. This can be used to make last-minute adjustments to the CMMC process.

Want to Pursue JVSA? Contact Us

At Ignyte, we can do two things to help you if you’re interested in the JVSA process. The first is providing the Ignyte Platform for your use. As a platform designed from the ground up to assist with collaboration and certification across a wide range of government frameworks and certifications, it’s uniquely positioned to help support your efforts.


The second is that, as a C3PAO, we have the option of working with certain clients on the JVSA itself. Companies may hire any consultant they wish to help them prepare for and sit the JVSA. Alternatively, companies selected for an assessment by the DIBCAC can request that their assessment be converted to a JVSA. You’ll need to gain permission from the DIBCAC to do so, but we’re available to answer questions if you have them, so feel free to reach out and contact us.
