Getting Ahead of CMMC with Joint Surveillance Voluntary Assessments
A JSVA could be the answer your company has been looking for to get ahead of CMMC. Katie, a CCA on our team, helps outline everything you need to know about getting CMMC Level 2 certified - giving your company the advantage before CMMC even starts!
If you’ve been keeping an eye on CMMC and are a Defense Industrial Base (DIB) supplier, chances are you know that the expectation of compliance with CMMC’s requirements is right around the corner. The proposed CMMC rule cleared review and is expected to be published in early October - meaning third-party assessment requirements for DoD contracts could be in place as early as June 2025. If your company is going to be processing Controlled Unclassified Information (CUI) and already meets the NIST 800-171 control requirements, there is one way for you to get a head start on your CMMC compliance journey - a Joint Surveillance Voluntary Assessment (JSVA).
“What is a JSVA?”
Joint Surveillance Voluntary Assessments in the context of CMMC are collaborative evaluations conducted by a registered C3PAO together with the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) to assess compliance with NIST SP 800-171 Revision 2 (as of September 2024, all CMMC assessments are based on Revision 2, rather than the updated Revision 3). Unlike traditional audits, JSVAs are typically voluntary and focus on fostering cooperation and transparency among participating entities. The goal is to identify areas of strength and opportunities for improvement without the adversarial nature often associated with compliance assessments.
“Why would I want to participate in a JSVA, rather than waiting for CMMC?”
There are several benefits to participating in a JSVA:
Collaboration: JSVAs involve a partnership between organizations, the C3PAO, and DIBCAC, promoting open dialogue and shared goals.
Voluntary Participation: Organizations choose to engage in JSVAs, which fosters a sense of ownership over the assessment process.
Continuous Improvement: The focus is on identifying best practices and enhancing compliance efforts rather than merely checking boxes.
Beyond these, the strongest case to be made for participating in a JSVA might simply be: if the assessment determines you comply with all NIST SP 800-171 controls, you will be CMMC Level 2 certified as soon as CMMC goes into effect.
“How do I get scheduled for a JSVA?”
Before you get started with a JSVA, you need to make sure you have clearly defined and scoped the boundary of the assessment. Every information system or service in your organization that CUI flows to or through needs to be part of your scope. Once that is defined and you are certain you meet all the requirements for NIST SP 800-171, reach out to a registered C3PAO. All registered C3PAOs can be found on the Cyber-AB Marketplace, and will work with your organization to schedule a JSVA with DIBCAC.
Are you ready for a JSVA? Hive Systems is in the process of becoming a registered C3PAO and has access to a network of additional C3PAOs to help get you started. Are you preparing for the upcoming CMMC assessment requirements, but aren’t quite ready for a JSVA? Our CMMC Readiness Assessment service will position your company to understand how you will be assessed, what requirements need to be in place, and help you implement processes and technology to overcome any issues that may prevent you from meeting the DoD’s strict criteria. We also have FREE System Security Plan templates to download for both NIST 800-171 Revision 2 and Revision 3, and our subject matter experts are Certified CMMC Assessors - bringing in-depth knowledge of the unique requirements of CMMC and hands-on experience implementing them.