Joint Surveillance Voluntary Assessment
Also known as: JSVA, Joint Surveillance
A Joint Surveillance Voluntary Assessment (JSVA) is a NIST SP 800-171 assessment conducted by a C3PAO under DIBCAC oversight that a contractor could undergo voluntarily ahead of the CMMC program. A passing JSVA has been recognized as convertible to a CMMC Level 2 certification, letting early movers get credit before formal CMMC assessments were widely available.
Related terms
- Defense Industrial Base Cybersecurity Assessment Center
The Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) is the Defense Contract Management Agency (DCMA) component that conducts NIST SP 800-171 assessments and CMMC Level 3 assessments on DoD contractors. DIBCAC assessments are the highest assurance level in the program.
- CMMC Third-Party Assessment Organization
A CMMC Third-Party Assessment Organization (C3PAO) is an entity accredited by the Cyber AB to perform CMMC Level 2 assessments on behalf of DoD contractors. C3PAOs are not used at Level 1, Level 1 is exclusively self-assessed, and they are not used at Level 3, which is assessed by DIBCAC.
- CMMC Level 2
CMMC Level 2 is the middle CMMC certification tier, covering contractors who handle Controlled Unclassified Information (CUI). It requires implementing all 110 controls of NIST SP 800-171 and undergoing either a self-assessment or a triennial assessment by a CMMC Third-Party Assessment Organization (C3PAO) depending on the program's prioritization.
- NIST SP 800-171
NIST SP 800-171 is the National Institute of Standards and Technology publication that defines 110 security controls for protecting Controlled Unclassified Information (CUI) on non-federal systems. It is the controls catalog used at CMMC Level 2, but is not used at Level 1, which is based on the 15 safeguarding requirements in FAR 52.204-21.