Lessons learned from a joint surveillance voluntary assessment for CMMC

Microsoft recently had an opportunity to sit down with Derek Kernus, Director of Cybersecurity Operation at DTS, to discuss their experience with the Joint Surveillance Voluntary Assessment (JSVA).  

 

The Joint Surveillance Voluntary Assessment (JSVA) program is a transitional certification to CMMC, a new cybersecurity framework for Defense Industrial Base (DIB) contractors. The JSVA program allows DIB contractors to undergo voluntary assessments jointly conducted by CMMC-accredited third-party assessment organizations (C3PAO) and the DOD’s Defense Industrial Base Cybersecurity Assessment Center (DIBCAC). JSVA is a critical step in demonstrating that DIB contractors have the cybersecurity maturity required to be a Department of Defense (DoD) trusted partner and is available until the DoD finalizes its rulemaking for CMMC, which is expected in mid-2024.  

It is estimated that the CMMC rule will impact 300,000 DIB companies and will have a  phased rollout. Today, there are only 48 C3PAOs, so conducting a JSVA early can help a company verify that they are meeting cybersecurity requirements before there is a backlog of CMMC assessments to be conducted.  

 

While the numbers have likely increased since August, the CyberAB shared that only 22 JSVA have been completed. Completing a JSVA is a major accomplishment for any company and gives companies an early opportunity to pursue new business, or join a team, once the CMMC rule is finalized. In addition, it confirms compliance with NIST 800-171, required by the current DFARS 252.204-7012 standard.  

As of August, there were 109 companies wanting to be assessed under JSVA. From that point, an organization seeking certification (OSC) gets scheduled for a JSVA. It takes organizations a significant amount of time, typically 6 to 18 months, to prepare for and complete the assessment. 

 

To help organizations prepare, Microsoft will continue to host Q&A sessions with companies that have completed JSVA. The Q&A below is an actual conversation during one of our information sharing sessions with any sensitive information removed:  

 

Justin Orcutt: Microsoft, Aerospace and Commercial Defense Team 

Derek Kernus: DTS, Director of Cybersecurity Operations 

 

Justin: What is DTS and what is your role there? 

Derek: DTS is an organization that supports the federal government commercial, and health entities with our expertise in cybersecurity, digital transformation, knowledge management, and workforce training development. We lead through innovation, going far beyond simply meeting the requirement or “getting the job done.” We continually find better, more efficient, and more effective ways to achieve success for our customers’ missions while maximizing our value to them. We pride ourselves in employing exceptionally talented individuals with a passion for excellence. Our guiding philosophy is customer first, people always. DTS was founded on strong values that guide our work and our company growth, an important part of “Changing business. Delivering results.” 

 

Justin: Why is CMMC important to DTS?  

Derek: As a government contractor, we support the DoD and have access to CUI in the performance of our contracts. We know we need to secure that information for the safety of the warfighter and for the American citizen. We also know the requirements of CMMC are the current contractual requirement of DFARS 252.204-7012 and we are committed to delivering our requirements. In other words, cybersecurity is critical to our contracts. We take the same care of commercial clients who need to meet regulations or are committed to the highest standards of security withing their operations. 

 

Justin: How did you go about getting on the list for a JSVA?  

Derek: We contacted a CMMC 3rd Party Assessment Organization (C3PAO) found on the Cyber AB Marketplace and let them know that we were ready to go through a JSVA. 

 

Justin: Why did you want to get a JSVA? 

Derek: We wanted to demonstrate to small businesses that the requirements can be fully met in a cost-effective way. The Microsoft cloud was a big part of making that happen – on-premises infrastructure is much too expensive for SMBs. We also believe demonstrating our level of security through a 3rd party assessment as early as possible is a competitive advantage for contracting and leading the remediation efforts for other companies. Our customers can have the highest confidence that DTS is protecting sensitive data. 

 

Justin: How long did it take to get the JSVA scheduled?  

Derek: Approximately 1 month 

 

Justin: What were some of the steps involved with the JSVA (initial kickoff call, scoping, onsite, etc.)?  

Derek: We had to verify that DTS has a current contract with a DoD component, that the contract has the DFARS 252.204-7012 clause, and that we have access to CUI in the performance of our contract. When DoD confirmed those factors and we were accepted into the JSVA program, we had an initial call to review our documentation to ascertain whether we were prepared enough to complete an assessment. When it was determined we were ready, the official assessment was scheduled and conducted approximately 2 months later. 

 

Justin: What was one thing that happened during the process that surprised you (a question they asked, a step in the process, a document they asked for, etc.)?  

Derek: The depth of evidence required for each control. We knew there had to be two pieces of objective evidence or artifacts for every control, but the assessment really drills down and asks for demonstrations, or very recent examples, to prove a control is implemented. One area that caused a need for thorough explanation was how MFA is used to log on to PCs. It became a much more technical conversation than I was expecting. 

 

Justin: What helped make this a smooth assessment? 

Derek: Extremely thorough documentation, knowing our information security program built around NIST SP 800-171 inside and out, executing that program day in and day out, and using Cloud Service Providers that meet the FedRAMP Moderate baseline. 

 

Justin: What changes did you need to make to prepare for CMMC? 

Derek: We had to adjust how our users operate on their PCs, which is no easy task because it’s changing the culture of how people work, and we needed to incorporate many new, highly structured procedures that had to be enforced and executed per our new policies. 

 

Justin: What are some key technologies you use to help you achieve CMMC? 

Derek: We utilized a significant amount of the Microsoft GCC High and Azure Government security stack, along with a few third-party Cloud Service Providers that are well-aligned and interoperable with the GCC High Cloud. 

 

Justin: In hindsight, is there anything you would have done differently? 

Derek: I would have recommended the company move to the GCC High cloud faster because I didn’t understand the relationship between CMMC and DFARS 252.204-7012. Initially, DTS migrated from the cloud services we used in Google to Microsoft Commercial cloud services in 2019. Once we came to understand we needed to be compliant with the Cloud Service Provider requirements of DFARS 252.204-7012, we decided to migrate again to the GCC High cloud services. This stepped approach incurred more expense and taxed the organization since we had to move assets between clouds a second time and realign our physical assets to the security stack in GCC High and Azure Government. 

 

Justin: What advice do you have for others going through CMMC.  

Derek: Don’t delay. The longer organizations wait, the more stressful and expensive the remediation will be. Most are going to need 3rd party support, and those companies are going to get busy quickly and may become more selective about who they work with. Use cloud services meeting the FedRAMP Moderate baseline to support your compliance, especially if you’re an SMB. 

 

 

About DTS:  

 

DTS Cyber Services spans the cybersecurity lifecycle, helping businesses establish and maintain a culture of security with solutions, systems, and policies. Services include cybersecurity posture assessments; remediation services; managed cybersecurity and IT for ongoing monitoring and maintenance, training, and emergency response; and Fractional CIO support, supplying customers with a senior technology leader who understands the business objectives and can provide technical direction. As an AvePoint partner, DTS expands and improves its offerings to end-customers. 

 

DTS also offers DTS CyberSchool, an online educational offering that includes courses, learning modules, and a cybersecurity awareness training solution that allows small businesses to meet basic cybersecurity requirements in-house. The newest offering, Cyber Track: Basic, guided online course explains key concepts for the 15 FAR security requirements and 17 minimum security controls required for CMMC Level 1 and provides step-by-step instructions for how to document each one for compliance. 

 

For more information, please visit DTS Cyber Services. For more information on DTS CyberSchool and how small businesses can be active participants in their own cybersecurity compliance, email CyberSchool@consultDTS.com. 

 

Appendix 

  

Please follow me here and on LinkedIn. Here are additional blog articles from CMMC Acceleration: 

  

  

Blog Title	Aka Link
New! Microsoft Collaboration Framework	https://aka.ms/ND-ISAC/CollabFramework
New! ND-ISAC MSCloud - Reference Identity Architectures for the US Defense Industrial Base	https://aka.ms/ND-ISAC/IdentityWP
History of Microsoft Cloud Service Offerings leading to the US Sovereign Cloud for Government	https://aka.ms/USSovereignCloud
Gold Standard! Understanding Compliance Between Microsoft 365 Commercial, GCC, GCC-High and DoD Offerings	https://aka.ms/MSGovCompliance
The Microsoft 365 Government (GCC High) Conundrum - DIB Data Enclave vs Going All In	https://aka.ms/AA6frar
Microsoft US Sovereign Cloud Myth Busters - A Global Address List (GAL) Can Span Multiple Tenants	https://aka.ms/AA6seih
Microsoft US Sovereign Cloud Myth Busters - A Single Domain Should Not Span Multiple Tenants	https://aka.ms/AA6vf3n
Microsoft US Sovereign Cloud Myth Busters - Active Directory Does Not Require Restructuring	https://aka.ms/AA6xn69
Microsoft US Sovereign Cloud Myth Busters - CUI Effectively Requires Data Sovereignty	https://aka.ms/CUISovereignty
Microsoft expands qualification of contractors for government cloud offerings	https://aka.ms/GovCloudEligibility