How the Enhanced JCP + SPRS score application process works

An image of technical drawings and bearings to associate with the enhanced JCP process and SPRS reporting.

At the Fall 2024 NAPEX conference in Washington DC, a member of the Defense Logistics Agency (DLA) Joint Certification Program Office (JCPO) gave a presentation on the JCP and DLA Enhanced Validation (DEV) programs. We thought in this post we’d share our notes on this presentation, as we have many clients that need access to DLA resources, such as DIBBS and cFolders, access to which requires DEV and a certified form DD2345.  Arguably the most burdensome part of the enhanced JCP process requires the organization to complete a NIST 800-171 cybersecurity self-assessment and report the results of that assessment through the DoD’s Supplier Performance Risk System (SPRS).  This means the organization must maintain a NIST 800-171-aligned System Security Plan (SSP), which is no small feat.  We’ll share some resources on how to do the SPRS assessment and reporting below, as well as outline the JCP and DEV application process.

What are all these acronyms, and why do I care?

What the heck is DIBBS?  What is the JCP?  You might be wondering if you need to keep reading this post, as many of these acronyms we’ve been throwing around may be unfamiliar.  No worries.  Here’s the bottom line.  If your organization is currently, or plans in the future to, manufacture, finish, and/or assemble mission-related tangible products for the DoD or Canadian Department of National Defence (DND), this post is for you.  For instance, if your company manufactures ammunition, machines bearings, casts dockyard bollards, cures glass, metal-plates fittings, powder-coats vehicle components, etc., you’ll be interested in reading on. 

One of the DLA’s main tasks is to maintain information on parts and supplies the the DoD and the DND procures from the Defense Industrial Base (DIB).  Contractors that aim to produce these goods can access the data about the goods and supplies — e.g. specifications, drawings, or conformance/quality requirements — directly from DLA and submit bids for production through the DLA Internet Bid Board System (DIBBS).  In the DLA’s own words:

The DLA Internet Bid Board System (DIBBS) is a web-based application that provides the capability to search for, view, and submit secure quotes on Requests For Quotations (RFQs) for Defense Logistics Agency (DLA) items of supply. DIBBS also allows users to search and view Request For Proposals (RFPs), Invitations For Bid (IFBs), Awards and other procurement information related to DLA.

DIBBS website

Since DIBBS contains export-controlled and Controlled Unclassified Information (CUI) information, access to the site in general requires approval through the Joint Certification Program (JCP, a combined “joint” DoD and DND effort established in 1985), which is overseen by the Joint Certification Program Office (JCPO).  

Access to the technical data related to DoD parts — which is published in a DIBBS database called “cFolders” (“Collaboration Folders”) — requires additional “Enhanced DLA Validation” (DEV), or what is commonly known as “enhanced JCP”.  

General notes and words of caution about JCP, enhanced JCP, and SPRS

  • An entity must be issued a DD2345 form from the JCPO to get access to the DLA resources noted above.
  • Only US and Canadian entities may apply for a DD2345.
  • There currently are ~15,000 JCP certified entities. JCP certifications expire after 5 years.
  • There currently are ~2,600 enhanced JCP entities (organizations that have been approved under the DEV program).  DEV certificiatons expire after 3 years.
  • Entities that apply for enhanced JCP must be able to adequately protect CUI and export-controlled information in accordance with DFARS 252.204-7012.  A self-assesment of the impmentation of this adequate security is required by DFARS 252.204-7019/7020, and the results of this self-assessment must be posted to the SPRS system as part of the enhanced JCP application.  The SPRS report must not be older than 3 years. We cover SPRS scoring extensively in this post
  • Entities that plan on handling munition information must register with the Department of State Directorate of Defense Trade Controls (DDTC).
  • Despite submitting proof of business for SAM & CAGE registration, an entity must submit the same proof for JCP and DEV.
    • If your SAM or CAGE expires, the JCP / DEV certification will expire.
    • If no Department of State proof of business (DDTC) is available, a business tax license is sufficient for proof of business.
  • An entity cannot access cFolders and DIBBS from outside the US, or across a VPN, as you’ll need to register the IP address and specific machine MAC address with the JCPO. Unauthorized access to DIBBS or cFolders will invalidate your DEV!
    • In essence, you must identify to the JCPO a particular machine you will access DIBBS/cFolders from, and any deviation will result in invalidated certification.
  • Entities with more than one location that need access to DIBBS/cFolders from multiple locations must obtain a separate DD2345 for each CAGE code.
  • Each CAGE code Data Custodian should be very familiar with the DoDI 5230.24 regarding Distribution Statements. (PS, anyone who handles Controlled Technical Information (CTI, a type of CUI) should be familiar with this instruction as well!)

How to apply for enhanced JCP, including SPRS reporting

The JCP website lays out in great detail the steps to apply for JCP and DEV, but many readers find that level of detail overwhelming, especially when first beginning the application process.  Here are the steps in a nutshell: 

  1. Make sure your business is registered in SAM and has a CAGE code. 

  2. Conduct NIST 800-171 self-assessment and post the score and System Security Plan (SSP) information in the DoD Supplier Performance Risk System (SPRS). Here is our blog on how to do that: https://www.totem.tech/how-to-generate-and-report-your-dod-self-assessment-score/. The self-assessment will take several business days, maybe even a week, so don’t drag your feet.  Yes, your organization needs an SSP to perform the self-assessment!  If you’d like extra help on the self-assessment, consider our SPRS Workshop.  If you have no idea what an SSP or self-assessment is, consider our CMMC Level 2 Readiness Workshop

  3. Start the DIBBS registration process: https://www.dibbs.bsm.dla.mil/Register/.  Part of this process will require you to submit the IP and MAC address of the machine your organization plans to use to access DIBBS. 

  4. Complete and submit the JCP application within the JCP Portal: https://www.public.dacs.dla.mil/jcp/ext/. You will need to include a DD2345 form submission, proof of business, verification of citizenship, justification for access, and SPRS scores. Right now, the enhanced JCP just requires the presence of an SPRS self-assessment report, but your Primes and/or components that participate in the DEV review may have specific SPRS score criteria they are looking for.  We’ve also seen specific Contracting Officers require a score of 88 or better.  The JCPO will review and suggest revisions that you’ll have to make. This process can take up to 60 days.  The DEV process may take even longer.  (Note, you do not need “super user” permission to complete any tasks or access the resources once the DD2345 is issued.)

  5. Once the application is accepted, the JCPO will email back the completed and authorized/certified DD2345.

  6. Once the DD2345 is issued, allow 72 hours for access to cFolders to be activated.

JCPO Help Desk information

Many of our clients find the enhanced JCP application process confusing, and the DLA acknowledges this, so they stress the following:

  • If you need help with JCP or DEV, DLA recommends you call the DLA Customer Interaction Center (CIC) helpdesk: 877.DLA.CALL (877.352.2255). This help desk is staffed 24/7.

  • DLA plans on hosting a monthly JCP webinar starting soon (as of October 2024).  Stay tuned!

That being said, most of you should find this post helpful, as the information here comes straight from the source!

Wrapping up

If you think this post had a lot of information, wait until you see the JCP site!  It can seem overwhelming, but, as stated above, the DLA Help Desk is willing and able to provide guidance on the application process. 

The most challenging aspect of the enhanced JCP process is the SPRS cybersecurity assessment and report submittal.  We can help with this.  Totem Tech’s mission is to help you — our small business contracting peers — with implementing the cybersecurity safeguards to protect the type of information you’re applying for access to, so check out all of our free resources, as well as the Workshops we’ve mentioned above.  

If you’re still feeling confused, reach out to us, or consider participating in one of our free monthly Town Halls.  

Good Hunting!

–Adam

Like this post? Share it!

Get notified when new blogs are published!

Protect Your Business. Train Your Organization.

If you have any questions, please don’t hesitate to contact us.
Let us know how we can help!
logo
Simplifying your cybersecurity through consulting, compliance training, cybersecurity compliance software, and other cybersecurity services.
Contact Us

(385) 492-3405

[email protected]

Veteran Owned Small Business

Copyright © 2024 Totem Technologies, LLC
All rights reserved. Privacy Policy.

Facebook Twitter Youtube Linkedin