Joint CMMC Assessments for Defense Contractors: What You Need to Know
Despite the delay in CMMC implementation, organizations still have a path forward in the Joint Surveillance Program (JSP). Operating under the authority of a DIBCAC High assessment, the program has already completed numerous assessments and offers several advantages: C3PAOs gain hands-on experience, the DIBCAC receives feedback on how C3PAO teams perform, and the limited supply of C3PAOs is eased. Organizations that participate in the JSP while final rulemaking is pending also position themselves at the front of the line for a CMMC certification.
A DIBCAC High assessment is conducted by the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC), which performs cybersecurity assessments on behalf of the Department of Defense (DoD) to evaluate the cyber defenses of its contractors and subcontractors. "High" refers to the assessment confidence level in the DoD Assessment Methodology (Basic, Medium, High), not to a tier of the DIBCAC itself. The High assessment is the most comprehensive and rigorous of the three: DIBCAC assessors examine the contractor's implementation of all 110 security requirements of NIST SP 800-171, which is the same set of requirements that CMMC Level 2 adopts.
If you have a DIBCAC assessment requirement outside of CMMC, a Joint Surveillance Assessment can give you two assessments/certifications for the price of one. It is also suitable for organizations that want to be CMMC certified from day one, assuming the DoD gives credit for JSP in the final rule. If you hold contracts with the Defense Federal Acquisition Regulation Supplement (DFARS) cybersecurity clause that come up for renewal or recompete in 2024, those contracts will likely be among the first CMMC contracts post-rulemaking. Finally, if you want to beat the expected rush to schedule an engagement with a C3PAO, the JSP lets you choose from the small pool of approved C3PAOs on your own terms, rather than being constrained later by market prices or by the availability and capacity of the best C3PAOs.
The CMMC update submitted to the OMB on 24 July by the DoD will impact Joint Surveillance assessments. With the CMMC implementation now delayed until 2024, organizations are increasingly turning to the Joint Surveillance Program (JSP) for CMMC as their best option to be among the first to receive CMMC certification. The JSP presents an exclusive chance for companies to maintain an edge and showcase their dedication to cybersecurity.
The JSP is a pilot program executed before rulemaking finishes. A C3PAO assessment team is paired with a Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) assessment team to conduct a DIBCAC High assessment. Under the JSP, the DIBCAC High assessment produces an immediate result. The DoD has indicated its intent to translate that result into a CMMC Level 2 certification, issued by the participating C3PAO, once CMMC rulemaking is complete. The 3-year recertification clock would then start at the time of rulemaking.
Additionally, the JSP assessment process is new and involves three separate organizations (the OSC, the C3PAO and the DIBCAC), and the lack of settled documentation can make an assessment feel disjointed. You may also need to update your assessment if requirements change or are defined more precisely later. If your company is considering the JSP, ask your C3PAO how it handles inheritance of security controls (for example, controls inherited from a cloud or managed service provider) during a JSP assessment, because this varies from C3PAO to C3PAO.
If the DoD follows through with its intent to convert JSP assessments into CMMC Level 2 certifications upon final rulemaking, you will have a competitive advantage as soon as CMMC appears as a contract requirement. If you are ready for an assessment, being a first mover also sidesteps the expected C3PAO supply problem. It is easy to see why some C3PAOs are offering discounts during the JSP given its pilot nature.
A DIBCAC High assessment is not a simple pass-or-fail exercise. Instead, a score is produced and recorded in SPRS when the assessment is complete. If you are not mandated to undergo the assessment, the impact of a low score should be minimal, provided you did not previously report an inaccurate self-assessment score to SPRS and thereby expose yourself to potential legal action (see the False Claims Act). If the assessors allow you to remediate, you must undergo another assessment after completing the necessary remedial measures.
Currently, CMMC Level 2 is the highest possible assessment level since CMMC Level 3 is not yet included in the current rulemaking and may not get implemented until 2024 or 2025. The DOD and Cyber AB are considering whether CMMC Level 2 certification counts towards Level 3, which would mean only undergoing assessment for the additional controls.
If you want to undergo a CMMC Joint Surveillance Assessment, start by contacting an authorized C3PAO, or the Cyber AB (formerly the CMMC-AB) for a list of them. They can walk you through the necessary steps and the requirements you must meet to proceed. Note that the Cyber AB accredits C3PAOs but does not itself conduct assessments; under the JSP, the assessment is conducted by a C3PAO together with the DIBCAC, so you must work with a C3PAO to achieve certification.
DIBCAC selects OSCs from nominations submitted by a C3PAO through the Cyber AB. If you are chosen, DIBCAC will contact you directly to schedule the assessment. Although some aspects of the selection process are not entirely transparent, having an active DoD contract is a prerequisite for consideration. If you have a DIBCAC assessment requirement in 2023, your chances of being chosen increase. If you already have a DIBCAC High assessment scheduled, it is possible to switch to Joint Surveillance, and being on DIBCAC's schedule makes it more probable that you will be chosen, barring unforeseen circumstances.
When beginning your CMMC compliance journey, seek the guidance of a cybersecurity attorney with litigation experience rather than relying solely on an advisor. Such an attorney can help ensure that your compliance effort meets the complex requirements and minimizes the risk of False Claims Act exposure, and can significantly improve your position if a dispute ever goes to court. Conducting a Joint Surveillance CMMC assessment with legal counsel involved also helps protect contractors against unintentional mistakes or oversights that could lead to non-compliance, potentially saving costly legal battles later.
At eTrepid, we have a team of skilled cybersecurity and compliance experts fully equipped to assist you in achieving continuous compliance. We are passionate about compliance and would be more than happy to chat with you about it. Don't hesitate to give us a call for help!