Clearwater’s Redspin division confirms Microsoft Federal’s JSVAP Assessment is the first to be completed without a need for a Plan of Actions & Milestones (POA&M)

Nashville, TN (March 7, 2023) – Redspin, a division of Clearwater and the first organization authorized as a Cybersecurity Maturity Model Certification (CMMC) Third-Party Assessment Organization (C3PAO), today announced that Microsoft Federal, a division of Microsoft Corporation, has successfully completed the Joint Surveillance Voluntary Assessment Program (JSVAP). As the authorized C3PAO, working alongside the Defense Contract Management Agency (DCMA) Defense Industrial Base Cybersecurity Assessment Center (DIBCAC), Redspin conducted this JSVAP assessment to gauge Microsoft Federal’s compliance with National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171r2. DCMA DIBCAC conducted their high confidence assessment simultaneously capturing the requirements of Defense Federal Acquisition Regulation (DFARS) 252.204-7012 and NIST SP 800-171r2. The joint voluntary assessments allow authorized C3PAOs to assess Defense Industrial Base (DIB) organizations that have implemented NIST 800-171r2 and DFARS 252.204-7012 practices until the CMMC rulemaking process is complete and mandatory requirements are defined.

“We are honored to have been selected by Microsoft Federal to conduct the JSVAP assessment,” said Brian McManamon, President of Clearwater’s Redspin division. “Redspin and its parent company Clearwater have a long-standing reputation for delivering high-quality cybersecurity solutions and services, and we are committed to helping organizations like Microsoft Federal maintain the highest standards of privacy and security to win and maintain contracts to do business with the DoD.”

Clearwater’s Redspin division and DCMA DIBCAC conducted a comprehensive evaluation of Microsoft Federal’s cybersecurity practices, policies, and processes, as part of the assessment. The JSVAP assessment was conducted in a four-phased approach, including documentation review, interviews with the Microsoft Federal Security team, and reviews of artifacts/configurations that included live demonstrations of the various practices.

“At Microsoft Federal, we are constantly striving to enhance and ensure our products meet the highest standards of quality and security,” said John Bergin, Director Federal Security, Microsoft Federal. “The JSVAP assessment is a crucial step in this journey as it allows us to evaluate and validate the functionality and security of our cybersecurity programs. We are proud to take the lead in being one of the first to undergo a JSVAP assessment to reinforce our commitment to operating under strong cybersecurity protocols and providing the best technology solutions to our customers.”

Redspin’s reviews encompassed the 110 practices from NIST 800-171 Revision 2, and the CMMC methodology was applied where possible. Passing the assessment results in Microsoft Federal being issued a DIBCAC High certificate until the published rule is in place. It is anticipated that when the rule is in place the DoD will allow a DIBCAC High certificate to be replaced with a CMMC Certificate.

About Redspin
Redspin is a division of cybersecurity and compliance company Clearwater, which focuses on improving the cyber readiness and resiliency of Defense Industrial Base (DIB) organizations. As the first authorized C3PAO for CMMC, Redspin has the expertise and resources to help DIB organizations to minimize cyber risks and protect sensitive information.