The Path To Success: CMMC 2.0 Compliance
Do you understand the requirements of CMMC 2.0? Achieving and maintaining compliance is critical to continued business with the DoD.Read More
Joint Surveillance Voluntary Assessment Program (JSVAP)
The Joint Surveillance Voluntary Assessment Program (JSVAP) is a critical step in demonstrating that Defense Industrial Base (DIB) contractors have the cybersecurity maturity required to be a Department of Defense (DoD) trusted partner. As a Certified Third-Party Assessment Organization (C3PAO) authorized by the CMMC Accreditation Body (Cyber AB) and Licensed Training Provider (LTP), ABS Quality Evaluations (ABS QE) is nominating DIB Contractors to take part in the JSVAP.
What is the Joint Surveillance Program?
The JSVAP is a joint assessment program authorized by the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) that allows DIB contractors with an active DoD contract to undergo a DIBCAC NIST 800-171 assessment.
Once all 110 of the NIST 800-171 controls are met, the contractor will achieve DIBCAC NIST 800-171 compliance, and DIBCAC will record a score in the Supplier Performance Risk System (SPRS). DIBCAC NIST 800-171 compliance is required to be eligible for a Level 2 CMMC certification valid for three years once federal rulemaking is in effect.
Become an Early Adopter
The best time to comply with CMMC 2.0 was yesterday—the next best time is today. Give your organization a competitive advantage and eliminate the need to wait in line once certifications are mandatory.
As a C3PAO, ABS QE can nominate your organization for a DIBCAC High assessment. Upon successfully meeting all requirements, your organization will automatically become eligable to receive a CMMC Level 2 certification once the CMMC rule is final. As an LTP certified by the Cybersecurity Assessor and Instructor Certification Organization (CAICO), ABS QE can conduct training courses for your team that aid with implementing the NIST 800-171 controls and meeting CMMC compliance requirements.
Train Your Team Today
Our certified training courses can provide your staff with a better understanding of the CMMC program and the CMMC ecosystem, an in-depth understanding of NIST 800-171 control implementation and how to prepare for and conduct internal and external assessments.
Preparing for CMMC compliance can be a long and arduous process. Training your staff on the necessary competencies can help ensure compliance and that day-to-day operations aren't negatively impacted.
What JSVAP Can Do for Your Organization
Minimize Cyber Risk
- Provides an accurate assessment of NIST 800-171 compliance
- Allows time to improve cyber posture prior to CMMC 2.0 being mandatory
- Permits an organization to assess its risk and posture honestly
Gain a Competitive Advantage
- Get ahead of the compliance curve
- Contend for contracts requiring the meeting of DIBCAC High requirements and/or a verified 110 SPRS score
- Show commitment to bolstering your cybersecurity systems
Avoid the Wait
- Become eligable for Level 2 certification upon final rulemaking
- Beat the rush of organizations seeking certification
- Retain a trusted C3PAO partner
Why ABS Quality Evaluations?
We're a global leader in Certified Performance.
ABS QE is a Certified Third-Party Assessor Organization (C3PAO) authorized by the Cyber Accreditation Body (Cyber AB) and a licensed training provider (LTP) certified by the Cybersecurity Assessor and Instructor Certification Organization (CAICO) to provide CMMC assessment services and training.
Our cybersecurity services include CMMC training, self-assessments, readiness reviews, gap assessments, Joint Surveillance Voluntary Assessment Program (JSVAP) assistance and certifications for ISO/IEC 20000, ISO/IEC 27001, ISO/IEC 27002, ISO/IEC 27017, ISO/IEC 27018 and ISO/IEC 27701, among others.
From the Knowledge Center
Read More
CMMC 2.0: The New Cybersecurity Program
While CMMC 2.0 borrows principles from well-known security standards, there is no substitute for compliance if you you want to meet the new contract requirements established by the DoD.Read More
Three Steps to CMMC 2.0 Implementation
If you're a contractor bidding on DoD contracts, CMMC certification is in your future. Discover the three steps to CMMC 2.0 implementation.Read More
Frequently Asked Questions (FAQ)
Should we just complete Level 1 certification because it is easier?
The level of compliance is dependent upon the type of information your organization is protecting and should be indicated in contractual documents and requirements. However, Level 2 certification is the most common level for DIB contractors and better prepares your organization for the future.
Should we just complete Level 1 certification because it is easier?
Why do we need a third party if we can conduct a self-assessment internally?
While self-assessments are an option, they leave room for critical errors that can ultimately bring your business and operations to a costly halt. Ask yourself: can you ensure your people are qualified and have the bandwidth to conduct an independent self-assessment while maintaining operations? A C3PAO will have the independence, experience and competencies necessary to provide an unbiased and accurate assessment.
Why do we need a third party if we can conduct a self-assessment internally?
We already have good cybersecurity systems in place; why do we need an assessment?
Although your organization may have a substantial cybersecurity system in place, CMMC 2.0 requirements are complex and time-consuming. Becoming an early adopter and identifying areas for remediation now is better than when you are pursuing certification as you would have to go back and fix them, potentially slowing your day-to-day operations. If you are found non-compliant or submit a false Supplier Performance Risk System (SPRS) score due to an insufficient self-assessment, you could be subject to fines, penalties, suspension or loss of contracts and also be found in violation of the False Claims Act.
We already have good cybersecurity systems in place; why do we need an assessment?
Why do I need to start my CMMC assessment now - don't we have a few years to comply?
Between fiscal years 2019 and 2020, DIBCAC assessed 110 companies to test their compliance with CMMC. Of those companies, only 16% met their satisfactory level. As of October 2021, the number has increased, but only to 22%. Starting the process now will allow you and your organization to identify areas for improvement before you attempt to achieve certification. Becoming an early adopter removes the strain and potential monetary consequences of needing to wait in a very long line for compliance.
Why do I need to start my CMMC assessment now - don't we have a few years to comply?
What is a CMMC Gap Assessment and what steps are included?
ABS QE can perform a Gap Assessment related to CMMC compliance. The Gap Assessment will be a mock assessment. An Executive Summary and Assessment Report will be provided as deliverables addressing each of the 110 security controls as part of the standard. No advice or remediation recommendations are provided. During the assessment, controls will be marked as "met", "not met" or "N/A" with no additional advice provided. It will be up to the organization to remediate its own environment. This option allows ABS QE to later perform a CMMC Certification assessment if desired.
The assessment will consist of the following steps:
- Validate CMMC Assessment Scope
- Create an inventory of cybersecurity practices against the CMMC model
- Collect, examine and analyze evidence
- Conduct interviews and assess responses
- Observe tests and analyze results
- Identify and document evidence gaps
- Score organization's practices and validate preliminary results
- Determine final practice results
- Create, finalize and record recommended final findings
What is a CMMC Gap Assessment and what steps are included?
What is a CMMC Readiness Review and what areas are assessed?
ABS QE can perform a basic readiness review related to CMMC compliance. Compared to a Gap Assessment, a readiness review is more limited in scope as it does not review controls and evidence for compliance but for completion. During the review, items will be marked as "met", "not met" or "N/A" with no additional advice provided. This option allows ABS QE to later perform a CMMC certification audit.
During the review, the following areas will be assessed:
- System Security Plan (SSP) review against the 110 CMMC controls and objectives
- Controlled Unclassified Information (CUI) data flow
- Network topology and diagram review
- Hardware and software asset list review
- Confirm a Plan of Action & Milestones (POA&M)
- Define and complete the verification of the CMMC scope
- Shared responsibility matrix review
- Ensure roles are defined and assigned
- SPRS confirmation
What is a CMMC Readiness Review and what areas are assessed?