Joint Surveillance Voluntary Assessments and the Path to CMMC

The Joint Surveillance Program pairs DIBCAC with a C3PAO for a high‑rigor NIST SP 800‑171 assessment that can position a contractor for CMMC Level 2 once program conditions fit.

A Joint Surveillance Voluntary Assessment gives you a DIBCAC-led, C3PAO-partnered test of NIST SP 800-171 implementation. DoD materials describe CMMC Level 2 as verification of those same 110 requirements on a three-year cycle, with independent C3PAO assessments required when solicitations demand it. DoD started a four-phase rollout on November 10, 2025, and program descriptions from reputable sources state that a qualifying JSVA may convert to a CMMC Level 2 certification when DoD criteria fit.

JSVA mechanics

DIBCAC teams work with an authorized C3PAO to assess your control implementation against NIST SP 800-171 and the assessment procedures in NIST SP 800-171A. DIBCAC directs the engagement. The C3PAO provides assessors who apply the objectives from the CMMC Level 2 Assessment Guide and the Cyber AB CAP v2.0 process, then DIBCAC issues the final result.

A successful JSVA leads to a DIBCAC High confidence outcome on your NIST SP 800-171 posture. Industry summaries that track DoD briefings report that DIBCAC records the score and scope for that outcome. Program commentary from CMMC-focused firms presents JSVA as a high-rigor path that prepares assessors and contractors for CMMC Level 2.

Eligibility and scoping

DIB contractors qualify when they hold an active DoD contract that includes DFARS 252.204-7012 and process, store, or transmit CUI. Sources that track the program state that DIBCAC expects a complete and accurate scope before it will schedule the work.

Scoping discipline decides the outcome. Define the assessment boundary so that every system, enclave, and service that touches CUI sits in scope, including external services that handle CUI on your behalf. See our guidance on CUI boundary scoping.

The C3PAO relationship starts after your leadership, program office, and prime or government customer agree on the plan. You select a C3PAO from the Cyber AB Marketplace, then request that the C3PAO coordinate with DIBCAC for a JSVA. CAP v2.0 describes the phases the C3PAO follows during planning, execution, reporting, and closeout, and those expectations apply during a JSVA.

Assessors expect a current System Security Plan that maps each 800-171 requirement to people, process, and technical evidence. Your SSP must align to the scoped boundary and reflect live configurations. Use our reference on System Security Plan content. Your current SPRS entry should match the SSP and evidence set. If your score trails your claimed implementation, fix that first. Our notes on SPRS scoring can help you reconcile the numbers to the 800-171A objectives.

From DIBCAC High to CMMC Level 2

CMMC Level 2 verifies implementation of the 110 NIST SP 800-171 requirements, either by self-assessment or by an independent C3PAO assessment when the solicitation requires it. DoD CIO materials describe Level 2 as triennial, with certification required when the contract includes the clause.

Industry sources that follow the rule describe a JSVA-to-Level-2 conversion model with specific conditions. The common pattern references these elements:

  • DIBCAC and the C3PAO complete a JSVA that records a score of 110, with scope that matches Level 2 scoping.
  • The resulting CMMC Level 2 certificate picks up the JSVA assessment date and a 36-month expiration.

Treat those points as program descriptions reported by third parties that track DoD guidance. DoD can update the mechanics during the phased rollout.

Level 3 sits beyond this path. DoD CIO materials describe Level 3 as a DIBCAC-led assessment of selected NIST SP 800-172 requirements, and an organization needs a final Level 2 status before it enters that process.

Placement in the phased rollout

DoD launched a four-phase CMMC rollout starting November 10, 2025. Early phases use self-assessments for Level 1 and Level 2. Later phases introduce third-party assessments and condition-of-award language more broadly. DoD embeds CMMC through clauses in solicitations and awards, so each contract controls the timing for that work.

JSVA operates during this transition. Program watchers report that DoD intends to retire JSVA once CMMC assessments reach steady state. That plan can change, so confirm availability with your C3PAO and contracting chain before you commit resources.

Preparation and decision factors

You face a choice between a JSVA with DIBCAC participation or a direct C3PAO Level 2 assessment once the solicitation requires it. Both paths test the same 110 requirements. The differences sit in scheduling, coordination with DIBCAC, and how the outcome might map into Level 2 status during the rollout.

Reasons to pursue a JSVA:

  • You want a DIBCAC High result that signals strong NIST SP 800-171 implementation to your customer base.
  • You aim to validate evidence and scoping with the team that will lead Level 3 work later.

Reasons to delay:

  • Your SSP, asset inventory, and recurring activities still contain material gaps.
  • Your sponsorship and contract timing do not align with JSVA windows.

Preparation steps that move the needle:

  • Close scope and evidence gaps before you invite assessors. AC.L2-3.1.1, AC.L2-3.1.7, and CM.L2-3.4.1 often expose scoping and role design issues. Document who can do what, how admins log actions, and how baseline configurations get created and maintained.
  • Institutionalize recurring activities. IR.L2-3.6.1 expects a working incident process with preparation, detection, analysis, containment, recovery, and user response. RA.L2-3.11.2 expects vulnerability scans on a schedule and when new threats hit your stack. SI.L2-3.14.1 expects patch intake, risk review, and flaw remediation on time.

Evidence habits that survive third-party scrutiny:

  • Produce configuration evidence from named systems and services. Screens, exports, and command outputs should show dates, versions, and applied settings that link to your SSP sections.
  • Tie tickets and change records to the control objectives. Assessors test practice, not policy. The CAP v2.0 process tells assessors to collect objective evidence and map to the CMMC Assessment Guide objectives for each practice.

Control families that often drive assessment time:

  • Access control and account management. Role design, privilege boundaries, and admin activity capture drive AC.L2-3.1.1 and AC.L2-3.1.7 outcomes.
  • Configuration and system management. Asset inventories, baselines, and drift control drive CM.L2-3.4.1 and related checks.

Project mechanics that reduce risk:

  • Run an internal assessment using 800-171A objectives and the Level 2 Assessment Guide language. Treat each objective as a test case. Capture objective evidence with timestamps and owners.
  • Track POA&M items with clear risk, owner, and completion criteria. DoD expects full implementation for a JSVA that aims at a perfect 110 score. A strong POA&M process still helps you drive closure and defend status during closeout.

JSVA execution details contractors often miss

Assessors will match the scoped boundary to supplier and cloud services that touch CUI. That means contracts, shared responsibility matrices, and service configuration evidence must line up with SSP claims. You control the completeness of that package. Do not let vendor defaults speak for you.

DIBCAC and the C3PAO will ask for live demonstrations. Plan who will drive each demo and which system shows the control. Follow a script that links the demo flow to the exact assessment objectives. The team that runs the environment should run the demo. Assessors trust operators who know the system and can produce fresh evidence on demand.

Your SPRS score must match the assessment reality. If you carry a positive delta that you cannot defend with 800-171A objectives, fix the score or fix the gap. Contracting officers look at SPRS, so treat the entry as a public claim.

A practical way to decide

You can anchor the decision with two checkpoints:

  • Contract timing and sponsor appetite for DIBCAC involvement. If your sponsor supports a JSVA and the window fits your milestones, that strengthens the case for a JSVA.
  • Readiness to defend a perfect 110 in scope. If you can defend that score across all in-scope assets and services, a JSVA can position you for Level 2 during rollout.

If those checkpoints do not line up, focus on a direct C3PAO Level 2 assessment plan and keep scoping and evidence tight. Our crosswalk on NIST 800-171 to CMMC Level 2 helps teams confirm that their 800-171 controls map cleanly to Level 2 objectives.

Sources

https://dodcio.defense.gov/CMMC/about/ (DoD CIO)
https://dodcio.defense.gov/Portals/0/Documents/CMMC/AssessmentGuideL2v2.pdf (DoD CIO)
https://csrc.nist.gov/publications/detail/sp/800-171/rev-2/final (NIST)
https://csrc.nist.gov/publications/detail/sp/800-171a/rev-2/final (NIST)
https://cyberab.org/Portals/0/CMMC%20Assessment%20Process%20v2.0.pdf (The Cyber AB)
