Jaco Logo

Millions of Consumable Products for the Aerospace Industry

NIST 800-171, CMMC, DIBCAC, JSVA, CUI - Jaco Aerospace Qualified Distributor



Cybersecurity Maturity Model Certification (CMMC)

Is your head spinning? Understanding what this recipe of acronyms means for you and cybersecurity compliance requirements can help you comprehend how organizations protect sensitive information, especially when dealing with the U.S. Department of Defense (DoD).

Jaco Aerospace, a small woman-owned business, has completed a Joint Surveillance Voluntary Assessment (JSVA) due to our exceptional adherence to strict security measures and protocols. The DCMA Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) performed the in-depth assessment along with a CMMC Certified 3rd Party Assessment Organization (C3PAO) for the CMMC program. It verified the cybersecurity program against the 110 requirements outlined in NIST SP 800-171 and the company’s ability to safeguard Controlled Unclassified Information (CUI). Most importantly, it allowed Jaco Aerospace to show compliance early, receive a “DIBCAC high” score, and be eligible to convert to a CMMC Level 2 Certification automatically.

Jaco Aerospace passed the JSVA with a perfect score of 110 after years of hard work getting ready. In the words of the DIBCAC, “This is the smallest OSC (Organizations Seeking Certification) our team has assessed and one of the most comprehensive packages we have seen.” Not only did Jaco Aerospace properly implement a comprehensive program, but they also aced the assessment—no bucket list of items to fix, no POA&Ms, no corrections.

Compliance with CMMC is crucial in protecting Controlled Unclassified Information (CUI) to keep our national security interests secure and in the right hands. Completing the JSVA positions, Jaco Aerospace is among the few selected Organizations Seeking Certification (OSCs) ready to support new contracts, including the CMMC L2 Certification requirement (DFARS Clause 252.204-7021).

The CMMC rule has been published and is currently in the public comment period. The CMMC Requirements are expected to be included in DoD contracts by 2025 or earlier. The rule will further enforce how government contractors and subcontractors protect CUI in their systems and networks. Completing the JSVA, on top of our NIST 800-171 compliance, AS9120 certifications, and ITAR ability, demonstrates Jaco Aerospace’s commitment to upholding the highest security standards for the Department of Defense.

Imagine that you are sending a valuable gift through the mail. This gift is similar to Controlled Unclassified Information (CUI), which is essential information that is not classified as top secret but still needs to be protected because it is sensitive.

Some specific rules and guidelines must be followed to ensure this gift reaches its destination safely. NIST SP 800-171 and CMMC are instructions for properly packing and sealing the box. They provide the rules and procedures for handling and protecting the information.

DIBCAC acts like the post office inspector who ensures your package follows safety guidelines before shipping. This ensures that the package is secure and protected from tampering.

JSVA is like a unique program that allows you to invite the inspector to help pack the gift and ensure everything is secure together. This program ensures that you get expert help to ensure your package is well-protected and reaches its destination without being tampered with.

In short, these standards and programs help ensure that sensitive information is handled safely and securely, like guaranteeing a valuable package is well-protected and delivered without being tampered with.

Cybersecurity Maturity Model Certification (CMMC)

Purpose: CMMC is a standard that ensures all companies doing business with the DoD have adequate cybersecurity measures. It's designed to protect Controlled Unclassified Information (CUI) that flows through the defense industrial base.

Levels: There are different levels of certification, ranging from Level 1 to Level 3, with each level representing a step up in security, sophistication, and robustness. The higher the level, the more stringent the security measures a company must have in place.

Assessment: Companies must pass an evaluation conducted by certified third-party assessors to prove they meet the required cybersecurity maturity level before they can be awarded DoD contracts.

NIST SP 800-171

Purpose: This is a set of standards developed by the National Institute of Standards and Technology (NIST) to protect the confidentiality of CUI when processed, stored, and used in non-federal information systems and organizations.

Requirements: NIST SP 800-171 outlines requirements that organizations must fulfill in areas like access control, incident response, and system and information integrity. These are less about specific technologies and more about managing risk and securing sensitive data.

Compliance: Organizations must self-assess and ensure they comply with these requirements to work with the federal government. It's a part of showing they are serious about cybersecurity.

The Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) is a branch of the Defense Contract Management Agency (D.C.M.A.) that audits and evaluates the cybersecurity practices of defense contractors to ensure compliance with required standards, such as NIST SP 800-171. DIBCAC's assessments validate the security measures contractors claim to have, guaranteeing that these measures effectively safeguard sensitive defense information, including CUI.

The Joint Surveillance Voluntary Assessment (JSVA) is a cooperative initiative where contractors voluntarily partner with the Department of Defense (DoD) to assess their cybersecurity posture. This helps both parties to understand and manage the risks associated with CUI and other sensitive information. In a JSVA, teams consisting of members from both the contractor and the DoD review the implementation of cybersecurity practices and controls. This collaborative approach enhances the security of information systems through shared insights and proactive management.

In summary, regarding cybersecurity for organizations working with the U.S. government, consider handling information like handling delicate items in a shipping process. CUI is a valuable package that needs special wrapping and handling instructions. DIBCAC is like a quality control inspector who checks that the business follows all the rules for packaging and handling correctly. JSVA is akin to a collaborative safety drill where the shipping company and inspector work together to find the best safe and secure delivery methods.

Organizations must meet specific cybersecurity standards such as CMMC and NIST SP 800-171 to protect such valuable 'packages.' Compliance with these standards helps prevent data breaches, safeguard national security, and maintain trust in digital interactions.

Cybersecurity Compliance Requirements

General Idea: Organizations must follow These rules and standards to protect information from cyber threats. Compliance is crucial for securing sensitive information and maintaining trust in the digital age.

Scope: Compliance might include adhering to standards like CMMC, NIST SP 800-171, GDPR, or HIPAA, depending on the data handled and the sector in which the organization operates.

Benefits: Besides protecting data, compliance helps organizations improve their security practices, build customer trust, and avoid penalties for non-compliance.


Think of cybersecurity compliance like the safety inspections required for cars. Just as vehicles must meet specific safety standards before being driven, organizations must meet particular cybersecurity standards before working with the DoD or handling sensitive information. CMMC and NIST SP 800-171 are specific checklists of what safety features and practices need to be in place, ranging from essential locks (low-level requirements) to advanced alarm systems (high-level requirements). Compliance ensures that all parts of the 'vehicle' (the company's cyber infrastructure) are in good working order to prevent data breaches and protect national security.