Some tidbits about CMMC’s Joint Surveillance Voluntary Assessment (JSVA) program that you might not know:
JSVA program is intended to train C3PAOs and CMMC Assessors
1) The DoD is essentially using the JSVA program to train and vet our private sector assessment teams over-the-shoulder with the DoD’s cybersecurity assessment teams. This lets us learn from seasoned DoD assessors who have been doing DIBCAC High assessments for DFARS 252.204-7012 compliance. Thank you for this program DoD!
Eventually, the goal for JSVAs is for experienced C3PAOs to perform them with oversight by DIBCAC Lead Assessors, reducing the dependency on limited resources in DIBCAC. DIBCAC can only support about 200 full-team assessments per year right now. If they move to an oversight role, DIBCAC can reduce their team size from ~5 assessors to ~1 assessor, greatly increasing the number of assessments that can be completed by DIBCAC over time.
What is an experienced C3PAO? After three successful JSVAs, with good reviews by DIBCAC, the C3PAO is considered experienced.
Will this actually happen? Still watching to see. There are very few C3PAOs that have 3+ successful JSVAs. But word around the street is that those few C3PAOs are allowed to schedule future JSVAs faster due to not needing full DIBCAC teams.
The C3PAO is invited by the defense contractor
2) Strictly speaking, the C3PAO is performing the JSVA assessment as part of the client’s team. Similar to how internal accountants can be invited to participate in a government audit of a firm. DIBCAC retains ultimate authority on the assessment.
From DCMA’s Surveillance manual:
“To minimize impact on resources and to improve efficiency, the FS/ACO may consider actions not requiring performance at the contractor’s location.”
“Joint surveillance is performed as a team with either the contractor, other government entities (e.g., Missile Defense Agency), and/or DCMA multifunctional team. The use of co-leads is encouraged to ensure findings are discussed to provide a common conclusion versus having multiple FSs/ACOs performing independent evaluations and reaching different conclusions.”
This means that the defense contractor being assessed needs to ensure they pull in the C3PAO to emails and meetings if DIBCAC doesn’t. If the C3PAO is good at their job, they will have a strong process to lead the assessment so that DIBCAC can just observe.
JSVAs convert to CMMC Level 2 Certifications if…
3) According to the CMMC Proposed Rule, JSVAs will convert to a CMMC Level 2 assessment certification once CMMC goes live if they meet the following: a) performed under the JSVA program. b) perfect 110 score recorded by DIBCAC. c) scoping matches CMMC scoping for Level 2. The certification expires 36 months after the original assessment was done.
Some gotcha’s to watch out for:
DIBCAC performs a “DIBCAC High confidence assessment” of the in-scope information system according to the NIST SP 800-171 DoD Assessment Methodology, and using scope as described in DFARS 252.204-7012 for the “covered contractor information system”.
““Covered contractor information system” means an unclassified information system that is owned, or operated by or for, a contractor and that processes, stores, or transmits covered defense information.” DFARS 252.204-7012
This is not necessarily the same as CMMC scoping according to the CMMC Proposed Rule. The C3PAO is responsible for performing scoping activities for CMMC Level 2 and keeping records of asset categorization according to the CMMC Scoping Guide.
DFARS compliance will be assessed during JSVAs, but not by the C3PAO
4) The DoD’s assessment team (DIBCAC) performs an assessment of DFARS 252.204-7012 compliance, not the C3PAO. The DoD team literally reviews each DFARS part one by one to see if your company is following it. It is possible to fail portions, like subcontractor flow-down, without affecting your NIST SP 800-171 results.
The #1 question that comes up at this point is “Does that mean a company can get a high score even if they are storing CUI in a non-FedRAMP cloud, since the FedRAMP requirement is only in paragraph (D) of DFARS 252.204-7012?” The short answer is no.
What? FedRAMP is a DFARS requirement, not a 800-171 requirement!!
Let me try to explain.
If you put your CUI into a cloud system, you are responsible for ensuring that the CUI is protected by every requirement in NIST SP 800-171. You can’t just say that it is someone else’s problem. That would be equivalent to handing your toddler off to just any babysitter out there without checking references or certifications. Reckless!
So how do you ensure that your CUI is protected, if you put it on someone else’s (cloud) system?
Option 1) Verify all the security yourself. If you have access to full evidence that every requirement is performed by the cloud, and you are performing continual monitoring over time, you’re all set!
Option 2) Have someone you trust verify all the security on your behalf. Who does the U.S. Government trust for cloud systems? You guessed it – FedRAMP assessors. A FedRAMP assessment meets or exceeds a NIST SP 800-171 assessment. The only other viable option is a FISMA or RMF assessment, but that doesn’t really exist for cloud systems.
What happens if you can’t do Option 1 or Option 2? Well, to be blunt, you should assume that the security requirements are not being performed.
^ The above is how NIST SP 800-171 requirements are scored when there is no verification of security. Each requirement that should be performed on the cloud system is marked Other than Satisfied / Not Met. Since basically all requirements should be performed by the cloud system in order to protect the CUI on the cloud system, this causes a huge failure across many requirements.
POA&Ms are allowed
5) Unlike the future CMMC assessment, any 800-171 requirement can be failed and fixed within 180 days. You don’t get a CMMC certification unless you are perfect, but you get more than one attempt to be perfect without starting from scratch. This is SO MUCH more forgiving than the way a formal CMMC assessment is written to work. This by itself is a huge reason to be an early adopter for JSVA.
Right now, the way the DoD has described the CMMC certification program, more than half of the requirements in 800-171 are “not POA&M-able”. This means that if you miss a single assessment objective on one of those requirements, there is no process to repair the issue and get re-assessed on just that one item.
It is very common for a well-prepared defense contractor to almost pass their entire assessment, with the exception of 2-3 assessment objectives. Often these are very minor things to correct, requiring process changes or documentation modifications. CMMC Assessments don’t handle this situation well. They read as requiring a new assessment from scratch if one of those 2-3 assessment objectives is for a “non-POA&Mable requirement” (a high % chance).
Is DIBCAC following the correct process for fixing issues?
I really think that the DoD simply forgot to talk about letting companies fix issues in the CMMC Proposed Rule text. I think the DoD meant to allow companies to fix issues and get re-assessed on any requirement so that they can be certified. But unfortunately, they didn’t write it into the rule. Perhaps the DoD was so focused on trying to allow companies with minor problems get certified immediately without fixing problems that the DoD forgot about letting companies fix major problems.
Good news though, the JSVA program is allowing a common-sense approach. You can miss a few requirements, fix them quickly, and achieve that perfect score for CMMC certification.
If the CMMC rule doesn’t change, and still doesn’t allow fixing issues without a whole new assessment, the JSVA program will be the most forgiving way to get certified.
We hit a milestone – four JSVAs!
Cool milestone: Kieri Solutions (the sponsor of CMMCAudit.org) just confirmed our fourth JSVA with DIBCAC, which means we are starting to take off our training wheels and will be able to deepen our assessment schedule over the next months. Yeah!!
Amira Armond is the founder and Quality Manager for Kieri Solutions, an Authorized C3PAO. Kieri Solutions provides CMMC preparation and Authorized C3PAO assessment services. Check their services out at https://www.kieri.com