Understanding The Joint Surveillance Voluntary Program - CMMC

  • November 1, 2022

The Cybersecurity Maturity Model Certification (CMMC) guidelines are rapidly becoming compulsory for winning government contracts. Now is the time to build your cyber security infrastructure to meet CMMC requirements and benefit your business. The CMMC program was created to strengthen the protection of unclassified information (CUI) and federal contract information (FCI). It's designed so that the Department of Defense is sure DIB companies can secure CUI and FCI, including information passed down in a multi-tiered supply chain. Although non-DIB businesses may not face mandatory CMMC compliance, they must still work to defend their data. As you prepare your organization for its CMMC certification process, these objectives should be taken into consideration.


The first official CMMC assessment began in August 2022 under the DoD’s “joint surveillance voluntary program (JSVP).” Under the JSVP, a voluntary assessment that passes certification criteria will be converted into a three-year CMMC certification when the rules take full effect. As part of the JSVP, certified third-party assessment organizations (C3PAOs) perform examinations to determine a company’s level of compliance with CMMC rules and report results to the Defense Contract Management Agency (DCMA) for final approval.

The CMMC program is overseen by the Office of the DoD Chief Information Officer and supported by DCMA’s Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) when it comes to conducting assessments. The CMMC program gives DIBCAC the “authority and responsibility to do assessments,” so it’s the final arbiter that can make or break your official CMMC certification. Understanding what DIBCAC is looking for in its assessments is therefore essential to achieving CMMC readiness.

For those who are ahead of the game and looking for a pilot program to get a CMMC Audit completed, the JSVP is a great place to start. However, if you’re not quite as far along, the following point of maintaining a HIGH SPRS Score will help bring you up to speed with CMMC.


Your Supplier Performance Risk System (SPRS) score represents how well your organization complies with the National Institute of Standards and Technology (NIST) 800-171 framework. This number is used to determine whether you're eligible to receive awards from the DoD, and it can also be a key indicator of how closely you’re following CMMC requirements.

To get your SPRS score, use a pre-formatted spreadsheet to conduct a self-assessment of your compliance maturity. The higher your score (up to 110), the closer you are to perfect compliance with the NIST 800-171 framework. A high SPRS score is a good sign that your organization already safeguards its CUI and FCI well enough to be fit for CMMC certification.

Blog Post

Related Articles

Connect With Our Team

Are you ready to take the next step on your CMMC journey? Our team is here to help regardless of your current cybersecurity program status.