Insight Into the Joint Surveillance Voluntary Assessment (JSVA) Program

With the introduction of the Cybersecurity Maturity Model Certification (CMMC) program, contractors working with the U.S. Department of Defense (DoD) will be required to meet a certain level of cybersecurity maturity ensuring the protection of the involved sensitive information and data, specifically controlled unclassified information (CUI) and federal contract information (FCI).

Intended to provide a unified standard for cybersecurity across the DoD supply chain, CMMC is a framework that builds upon existing cybersecurity regulations and standards, such as NIST SP 800-171.

Getting Ready for CMMC

Though rulemaking for CMMC continues, becoming an early adopter and participating in the ongoing maturity of the CMMC program can be beneficial for Defense Industrial Base (DIB) contractors who want to prepare for and support the emerging (and final) CMMC ecosystem—especially since the path to do so has been established.

Enter the Joint Surveillance Voluntary Assessment (JSVA) program, colloquially known as the JSP.

Participation in the JSVA program allows DIB contractors to provide feedback on the program's requirements and lessons learned while also sharing best practices for implementing NIST SP 800-171 cybersecurity controls in support of the CMMC program. For contractors that work with the U.S. DoD and are required to meet certain cybersecurity requirements to protect sensitive information and data, that can be especially important for maintaining their ability to work with the DoD and remaining competitive in that market.

Using JSVA as a Market Differentiator

By participating in the JSVA program and engaging with CMMC third-party assessment organizations (C3PAOs), DoD, and other stakeholders, DIB contractors can indeed support the emerging new ecosystem—and some already have.

Historically, DIB contractors have been required to undergo Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) High assessments to ensure their continued compliance with DoD cybersecurity requirements—more specifically, Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204-7012, which mandates that covered contractors must implement certain cybersecurity controls to protect CUI, covered defense information (CDI), and controlled technical information (CTI).

But these assessments have a shelf life of just three years, and so when the time came for certain contractors to renew and undergo another, they instead chose to participate in the JSVA program to both differentiate themselves in the market and prepare more acutely for the eventual "go-live" of the CMMC program.

What follows are insights into their experiences.

Working with Schellman During the JSVA Process

Upon their decision to participate in the program, the contractors selected Schellman as their Certified Third-Party Assessment Organization (C3PAO)—as the contractors’ partnering organization, Schellman provided assessment services and participated in the feedback loop with DIBCAC.

Planning

In the pre-assessment phase, Schellman coordinated with the contractors—the Organizations Seeking Certification (OSCs)—as well as the Defense Contract Management Agency (DCMA) to:

  • Determine the scope;
  • Review documentation;
  • Schedule the project;
  • Develop the Security Assessment Plan; and
  • Set up information sessions with organizational SMEs to establish a foundation for the assessors (Schellman) to work with before onsite work.

On-Site Assessment

Once preparation was complete, Schellman proceeded with its onsite assessment, which took a week with assessors, control owners, subject matter experts, and leadership from all parties contributing in person (though some did attend remotely).

During this phase, Schellman assessors conducted a series of interviews using a methodology shaped by the firm’s experience performing federal assessments, as well as their expert knowledge of the related standards and guidelines in NIST 800-171, NIST 800-171A, and (loosely) the CMMC Assessment Process (CAP) draft.

In parallel with these roundtable discussions, Schellman also visited sampled facilities and observed demonstrations by the OSCs to validate their implementation of the physical protection, media protection, and related controls among the 110 NIST SP 800-171 revision 2 controls.

As these activities progressed, daily checkpoints were held between all parties to discuss any potential deficiencies, necessary follow-up actions, and clarifications.

Remote Testing

Following the onsite work, a period of remote testing began, during which Schellman assessors:

  • Documented testing procedures (examination, interview, and test methods) from reviews of evidence provided;
  • Observed more demonstrations;
  • Conducted further interviews; and
  • Began preparing the assessment closing meeting and draft report, which included details regarding testing procedures and outcomes for each assessment objective outlined in the NIST SP 800-171A.

After Schellman issued the final report to the OSCs, and the OSCs subsequently shared it with DCMA, the assessment was considered concluded. DCMA still had to deliver final scoring for the DIBCAC High assessment, and it eventually issued the formal results of the DIBCAC High assessment to the OSCs.

Challenges/Lessons Learned from Early JSVA Program Participation

Post-assessment, Schellman and the OSCs participated in debriefs with DCMA and DoD leadership to provide feedback about the joint surveillance process. Together, they proposed considerations for future improvement of both joint surveillance and the future state of CMMC, covering three specific areas that need further development and/or focus moving forward.

1. Responsibility and Relationship Clarity is Still a Work in Progress.

The relationship between DIBCAC, the C3PAO, and the OSC can be described as a triangle, but one where not all parties truly connect. The C3PAO and OSC are contracted partners with a formal relationship during the assessment, and the OSC is also directly connected to DIBCAC, but the C3PAO does not typically coordinate or communicate directly with DIBCAC without the OSC present.

This relationship is further complicated by the historical responsibility DIBCAC held in driving cybersecurity assessments for DIB contractors, a responsibility it is now largely handing over to the C3PAOs that drive these assessments.

Both this complex communication arrangement and the transfer of assessment responsibility created some coordination challenges during the planning and assessment process for Schellman and the OSCs. During Schellman’s first and second JSVAs, it took some time for the C3PAO and DIBCAC to establish a rapport and streamline the process so that the OSC was not adversely impacted.

Open communication channels and clear expectations on the roles and responsibilities of each party can help alleviate these challenges, as was the case during the third, fourth, and fifth JSVAs when these communication channels and relationships were much more natural and clear.

2. Knowledge of Relevant Standards is Key.

Another thing that became clear was the importance of the authoritative standards and guidance used in the assessment, including:

  • NIST 800-171;
  • NIST 800-171A; and
  • DoD Assessment Methodology.

Understanding these standards at the required depth can be a challenge for those unfamiliar with their nuances; it takes experience and expertise to recognize things that may not be immediately apparent during the assessment, including unique implementations that may qualify as enduring isolated exceptions or temporary deficiencies.

Any OSC considering a JSVA should document compensating controls and mitigating factors for any controls that are planned or not fully implemented or met, while also planning for DIBCAC assessors to test the DFARS 7012 paragraphs (c) through (g) requirements (as that is a DoD responsibility in joint surveillance). Ideally, this would all be coordinated between DCMA and the OSC ahead of time, with the C3PAO permitted to observe for inclusion, as appropriate and applicable, in the Media Protection and related controls testing.

3. Beware of Specific Control Issues.

During the assessment process, many issues familiar to the DIB resurfaced during these JSVA assessments, including specific implementation challenges with the NIST SP 800-171 revision 2 controls.

Of those, multifactor authentication (MFA) (3.5.3) and the use of FIPS-validated cryptography (3.13.11) have, in Schellman’s experience, proven to be the controls most frequently not fully implemented by organizations. Both require significant investment in time and resources to overcome the technical challenges of implementing them, so those considering participating in the JSP in the future should allot special focus to these two controls.

Moving Forward with a Joint Surveillance Voluntary Assessment

Though it’s still to be defined by future rulemaking, CMMC stakeholders have proposed that a successful JSVA be converted to CMMC Level 2 certification, which—if finalized—would become another significant incentive for participation in the Joint Surveillance Program.

For now, the JSVA process represents a critical component of the DIB’s cybersecurity program: it provides a standardized approach to cybersecurity assessments and an opportunity for contractors to demonstrate a commitment to cybersecurity, cybersecurity maturity, and support of CMMC, all while differentiating themselves in the current market.

Some contractors have already taken advantage and participated in the program with Schellman as their C3PAO partner, and together they discovered what was a complex and challenging assessment process that requires coordination between multiple parties and a deep understanding of cybersecurity standards and guidance.

Though there will surely be more lessons to learn as CMMC matures further and as other organizations move down the JSVA path, Schellman’s experience as a pioneer C3PAO in both the certification process and the performance of the early JSP assessments may provide a level of comfort and excellence for other OSCs that are beginning to explore the JSVA program as an option for their company to get ahead of the curve.

About Schellman

Schellman is a leading provider of attestation and compliance services. We are the only company in the world that is a CPA firm, a globally licensed PCI Qualified Security Assessor, an ISO Certification Body, HITRUST CSF Assessor, a FedRAMP 3PAO, and most recently, an APEC Accountability Agent. Renowned for expertise tempered by practical experience, Schellman's professionals provide superior client service balanced by steadfast independence. Our approach builds successful, long-term relationships and allows our clients to achieve multiple compliance objectives through a single third-party assessor.