What is the Joint Surveillance Program?
Back in August 2022—while rulemaking for the Cybersecurity Maturity Model Certification (CMMC) was ongoing (as it still is)—the Joint Surveillance Program (JSP) was sanctioned by the DoD and CyberAB as an interim step in the CMMC program that allowed organizations to pursue a formal DIBCAC High (NIST 800-171) assessment.
As CMMC continues to take shape and gain more traction, the industry has also seen interest in the JSP continue to grow. For those considering this route, we’re uniquely qualified to tell you a bit more about it, given that we’ve already performed these assessments for several organizations.
So, in this article, we’ll provide some informed perspective on what the JSP and its assessments are and who qualifies to participate, as well as how you can do so and how Schellman can help.
Though CMMC remains a work in progress, you do have this option right now, and after reading, you’ll understand a bit better if it’s right for your organization.
What are Joint Surveillance Voluntary Assessments (JSVA)?
At the heart of the JSP are the assessments, which are called Joint Surveillance Voluntary Assessments (JSVA), because they are performed jointly—of course!—between an authorized CMMC Third Party Assessor Organization (C3PAO) and the Defense Contract Management Agency Defense Industrial Base Cybersecurity Assessment Center (DCMA DIBCAC) team.
They split the work as follows:
- The C3PAO leads the assessment and performs testing in accordance with both the NIST SP 800-171 and 800-171A standards as well as the DoD Assessment Methodology.
- The DIBCAC oversees the assessments, performs validation activities for DFARS 252.204-7012 parts c-g, and reviews the C3PAO assessment testing and results to ultimately determine your final score.
These assessments and participation in the program are voluntary, as without complete rulemaking, there aren’t any mandatory CMMC requirements yet.
But if your organization does work in the defense industrial base (DIB) and has implemented NIST SP 800-171, you might look to participate in Joint Surveillance as a market differentiator. Or it may be that you previously underwent a DIBCAC High Assessment that is expiring soon. Those are just two examples; there are many reasons organizations may choose to participate in the JSP.
Are You Eligible for Joint Surveillance?
That being said, these assessments and the JSP generally appeal to:
- Organizations that currently have a DFARS 7012 clause in their contracts;
- Organizations that will be required to undergo CMMC L2 once rulemaking is complete; and
- Organizations that have previously undergone DIBCAC High assessments.
However, to actually participate, you must first be eligible for the Joint Surveillance program, which means you must have:
- Your NIST 800-171 score entered into the Supplier Performance Risk System (SPRS); and
- An active contract – either prime or sub – in the DoD space or DIB.
If you do meet those criteria, you should also understand that specific software or hardware products are not evaluated under the JSP; rather, what you can submit for assessment are specific enclaves, sub-organizations, and entire entities:
- For example, a cloud service offering (e.g., SaaS, PaaS, IaaS) would not be eligible to undergo a Joint Surveillance Voluntary Assessment, as it would be expected to pursue a FedRAMP designation per DFARS 252.204-7012.
- Note: This doesn’t necessarily exclude the organizations or enclaves utilizing cloud services from a JSVA, but the assessment would need to be scoped in a specific way.
How to Participate in Joint Surveillance
If you do elect to move forward with a JSVA, it’s recommended that you begin by reaching out to initiate the process, including discussions of:
- Eligibility
- Readiness/maturity
- Scoping
In the current workflow implemented between the DoD and the CyberAB, your C3PAO submits your organization’s information to the CyberAB, which then submits candidate organizations to DCMA for selection to participate in the JSP.
If and when your organization is selected, DCMA will reach out to you, at which point you will move forward with your chosen C3PAO.
(We understand that an organization may have already held coordination activities with DCMA to discuss participation in the JSP and timing of the JSVA before engaging with a C3PAO—particularly when an organization has previously undergone DIBCAC High and their assessment is up for renewal—but those instances have been rare to this point.)
How Schellman Can Help with Your Joint Surveillance
As for your options for a C3PAO to work with, Schellman is one of them. Of course, you then have to ask why you would work with us over others.
We’re the only company in the world that is a CMMC C3PAO, a FedRAMP 3PAO, a CPA firm, a globally licensed PCI Qualified Security Assessor, an ISO Certification Body, and a HITRUST Assessor. Such a range of services provides our clients with a major advantage—they’re able to use us as their single independent assessor across multiple domains, allowing them to streamline costs and save expended resources even as our experienced teams consistently deliver the highest quality services across the board.
Because we specialize in performing IT and security assessment, attestation, certification, and validation services, we’re not a traditional government contracting firm or DIB organization like some of our C3PAO counterparts. But this difference—and our related and robust understanding of assessment frameworks and methodologies, as well as how to apply them to large organizations and complex architectures—uniquely positions us to serve you well as a C3PAO.
Schellman’s JSVA Methodology and Experience
We follow a standardized procedure for JSVAs with analysis rooted in authoritative standards such as NIST 800-171, 800-171A, and the DoD Assessment Methodology, and we provide ample supporting documentation as required by assessment type, including the CMMC Assessment Guides, CMMC Assessment Process (CAP), etc.
Specific to day-to-day assessment activities, we adhere to a “no surprises” policy, which means we will provide verbal or written communication of discrepancies or deficiencies that may result in assessment findings (deviations) at the time they are identified, rather than catching you off guard post-testing. This approach is a testament to the open communication between our assessment team and your personnel that is a hallmark of all our work.
Moreover, we’ve developed a collaborative and trusted rapport with DCMA through our completed Joint Surveillance Program assessments, which have seen our methodology, outcomes, and deliverables become expected, understood, and respected. It’s this experience that also allows us to provide more mature feedback to organizations relative to other providers within the industry.
Next Steps for Your JSVA
As your partner, we would work closely with you and draw on that experience and expertise to see that you are successful as well. Now that you have more of an understanding of both the JSP and JSVAs, you can assess your eligibility and move forward more confidently in selecting the right C3PAO for your organization.
To further supplement your CMMC knowledge ahead of the formalization of the program, make sure you check out our other content that can help with your preparation as well as other federal cybersecurity initiatives:
- Determining Your Level of CMMC Compliance: The Importance of CUI
- Cybersecurity and the Federal Government
- How to Get CMMC Certified
And if you are interested in pursuing participation in the JSP with Schellman as a potential partner, please reach out to us so that we may answer any questions you have regarding our experience, approach, and fit for your organization.
About Marci Womack
Marci Womack is a Managing Director in Schellman’s Federal Practice overseeing both the emerging CMMC assessment program and the established FedRAMP assessment program. Marci also serves as the 3PAO (third party assessment organization) representative on the Federal Secure Cloud Advisory Committee (FSCAC). Prior to joining Schellman in 2016 as a senior associate, Marci worked as a federal contractor implementing and assessing federal cybersecurity programs, as well as an FFIEC/GLBA security controls assessor and consultant. Marci has over 10 years of information security experience across various industries and holds many key certifications, including CISSP, CISA, and CEH. Marci is also experienced in other frameworks, including StateRAMP, CJIS, MARS-E, IRS 1075, and GLBA (FFIEC).