New JCP Portal User Guide To be Released This Week.


JOINT CERTIFICATION PROGRAM (JCP) OFFICE

What Is the Joint Certification Program (JCP)?         

Once JCP Certified, U.S. and Canadian entities are allowed access to unclassified military technical data which is not available to the public. This data helps with defense-related work like research, manufacturing, and government contracts.

Who Can Apply?

Your company must:

  • Be registered and physically located in the U.S. or Canada
  • Have an active SAM registration and CAGE / NCAGE code *
  • Complete a cybersecurity assessment (NIST SP 800-171) / Upload results to the SPRS system *
  • Follow rules for protecting sensitive information (DFARS Clause 252.204-7012)

       * Not required of all Canadians. Refer to the Canadian-specific instructions.

Ineligible Entities

  • Companies outside the U.S. or Canada 
    • Only businesses based in the United States or Canada can apply 
    • International entities are excluded
  • U.S. or Canadian entities not registered in SAM (System for Award Management)
    • SAM registration must be active and accurate 
    • Without it, your application will be rejected
  • Organizations without a valid CAGE/NCAGE code
    • This code is required to identify your company in government systems 
    • If you don’t have one, you can’t apply
  • U.S. or Canadian companies that haven’t completed a NIST SP 800-171 cybersecurity assessment
    • This assessment must be documented in the SPRS system before applying
    • The assessment is valid for 3 years and MUST be renewed prior to the expiration date.
  • Applicants with revoked certifications or export violations
    • If your company or its representatives have:
      • Violated U.S. or Canadian export control laws, you’re disqualified
      • Had a JCP certification revoked, you’re disqualified
  • Individuals or entities debarred or suspended from government contracts
    • If you’re on a government exclusion list, you cannot be certified

Pre-JCP Portal Application Requirements

Before you log into the portal, make sure you’ve completed these:

Application Process via the JCP Portal

  • To access the JCP Portal for the first time, go to the JCP Portal and click on Register
  • There are two options:
    • Username & Password
    • CAC User
  • All fields must be filled in
  • Returning Portal Users

    • Click on Login 
      • Once logged in you can update your ‘Profile’ information or ‘Reset’ your password anytime
      • If Help is needed, click here
    • Type in your Username and Password or CAC
    • Get your Authentication Code from your ‘Google Authenticator’
    • Type that code into the Authentication Code box
      • Reminder: the authentication code changes every 30 seconds or sooner
  • Download the JCP External Portal User Guide (document will be available later this week)
    • The guide will walk you through the application step by step
  • Documents required to be uploaded:
    • Proof of Business - HQ DLA requires the ‘Proof of Business’ to be from the Secretary of State office for the State of Incorporation that you have listed in your SAM.gov account under the ‘Business Information’ section
    • The ‘Proof of Business’ document you upload to the portal application must indicate your CAGE is in ‘Good Standing’ or holds an equivalent status. The document must be dated within 12 months of your application to the portal
  • Proof of Business (Sole Proprietor) – Must be dated within 12 months of your application to the portal. Provide a copy of one of the following documents for your JCP application in the Portal:
    • Business License
    • Articles of Formation
    • Certification of Formation
    • Lease Agreements
    • Federal Tax ID
  • Proof of Business (Native American Tribal)
    • Three Main Structures:
      • IRA Section 17 Corporations
      • Tribally Chartered Corporations
      • State Chartered Tribal Corporations
  • Other Documents are determined by the answers provided to certain questions in the application
    • Examples:
      • Directorate of Defense Trade Controls (DDTC) Letter  
      • Export License
      • Certified DD Form 2345 (For DEV applications only)
      • Manufacturing Licensing Agreements (MLA)
      • Technical Assistance Agreements (TAA)
      • Distribution Agreements (establish warehouse/distribution point abroad)

Canadian Applicants to the JCP

  • Must be:
    • Canadian citizens or lawful permanent residents
    • Corporations, companies, institutes of higher education incorporated under Canadian federal or provincial law
  • Must hold:
    • A valid NCAGE code
    • Active Controlled Goods Program (CGP) registration OR if not, they must complete the U.S. DoD Introduction to Proper Handling of DoD Export-Controlled Technical Data and have signed and submitted the compliance agreement found at page 15 of the training.

PREPARING FOR A JCP PORTAL APPLICATION

The requirements for Canadians applying to the Joint Certification Program depend on the circumstances or reasons for which you are applying. The first consideration is whether or not you are registered with the Controlled Goods Program in Canada. That will determine where to start:

| Requirements for all CANADIANS Applying to the JCP | CAGE | SAM | DOD Training | NIST | DIBBS User ID |
|---|---|---|---|---|---|
| 1. Not registered with the CGP (CONTROLLED GOODS PROGRAM) | X | | X | | |
| OR | | | | | |
| 2. If REGISTERED with the CGP | X | | | | |
| **Requirements specific to your JCP certification purpose** | | | | | |
| A. MANUFACTURERS of GOODS without access to export-controlled data | X | | | | |
| B. WORKING with U.S. INDUSTRY | X | X | X | X | |
| C. SUBCONTRACTING WITHIN U.S. GOV. CONTRACT | X | X | X | X | If Prime requires it |
| D. PRIME to U.S. GOVERNMENT | X | X | X | X | If desired |
| E. REQUESTING DLA ENHANCED VALIDATION (DEV) | X | X | X | X | X |

 

Before you log into the portal, make sure you’ve completed all the required steps that apply to your specific situation.

  • Ensure you have an NCAGE code
  • If needed, register in SAM (U.S. System for Award Management)
  • Ensure your SAM registration (expires annually) is active and accurate
  • If completing a NIST SP 800-171 cybersecurity self-assessment, upload results to the SPRS (renewal required every 3 years)
  • Review and complete the Introduction to Proper Handling of DoD Export-Controlled Technical Data
  • Install Google Authenticator for two-factor authentication to access the Portal

Application Process via the JCP Portal

Once you have the necessary requirements ready:

To access the JCP Portal for the first time:

  • Go to the JCP Portal, click on Register
  • You will be required to enter your Username & Password
  • All fields must be filled in to proceed
  • Returning Portal Users

    • Click on Login 
      • Once logged in you can update your ‘Profile’ information or ‘Reset’ your password anytime
      • If Help is needed, click here
    • Type in your Username and Password or CAC
    • Get your Authentication Code from your ‘Google Authenticator’
    • Type that code into the Authentication Code box
      • Reminder: the authentication code changes every 30 seconds or sooner
  • Download the JCP Portal User Guide (the document will be available later this week)
    • The guide will walk you through the application step by step
  • Documents required to be uploaded:
    • Proof of Business - An organization must provide proof of business in legal standing, by providing a clear copy of 1 of the following:  
      • Certificate of Incorporation 
      • Certificate of Amalgamation 
      • Certificate of Amendment 
      • Certificate of Continuance 
      • Certificate of Compliance  
      • Business Name Registration 
      • Registraire des entreprises du Québec 

A partnership must prove they are a business in legal standing by providing a legible copy of 1 of the following:

• Business Name Registration (for partnerships between two or more companies); or

• Letters Patent (for partnerships between two or more individuals)

An individual (the business status for a non-corporate company, including sole proprietorships) may provide an up-to-date and clear copy of 1 of the following:

The Defense Logistics Agency (DLA) has a responsibility to protect the export-controlled data entrusted to its care by the Military Services from unauthorized disclosure, in accordance with (IAW) Trade Security Control laws. To meet this obligation, DLA suppliers requesting access to export-controlled technical data for a DLA solicitation/purchase order/contract must:

  • Have an approved US/Canada Joint Certification Program (JCP) certification (DD Form 2345).
  • Have an approved DLA Internet Bid Board System (DIBBS) account with an enabled DLA technical data distribution system (cFolders) account.
  • Have a business need for the export-controlled data (e.g., to quote on a DLA solicitation, fulfill a DLA purchase order/contract, or conduct a DLA approved research and development project).
  • Have an approved DLA-specific certification for access to export-controlled data.  To request DLA-specific certification, you must:     

After the JCP Office reviews these documents, along with your DD Form 2345, the DLA controlling authority will then complete a Trade Security Control (TSC) assessment to determine the eligibility of the DLA supplier seeking access to the export-controlled technical data.  Approval for access to DLA export-controlled technical data is rendered by the DLA and not the JCP Office.

E-mail us at DLAJ344DataCustodian@dla.mil for questions or additional interest in DLA Export Control Data Access.

JCP Portal - Troubleshooting “Invalid Credentials” – JCP Two-Factor Authentication

If you receive an “invalid credentials” error message when accessing the JCP Portal using the Two Factor Authentication:

IMPORTANT: When contacting DISA, please reference: J62KAA - DACS-JCP (JCP Portal)

Make sure to provide:

  • Entity Name & CAGE Code

Clearly indicate the nature of your request:

  • Password Reset
  • Secret key reset
  • Username/Password update

DLA Customer Interaction Center (CIC)

Your 24/7 support hub for Defense Logistics Agency related inquiries

Highlights:

  • One Call Resolution: Most issues handled on the first contact
  • Always Available: 24/7/365, including weekends and holidays

Contact:

Callers - Must provide the Entity Name and CAGE/NCAGE code

APEX Accelerators  

A nationwide network of 300+ centers helping businesses enter and grow in government contracting.

Services Include:

  • No-cost guidance on entering the government marketplace
  • Help with SAM registration
  • Certification support (e.g., Women-Owned, Veteran-Owned, HUBZone)
  • Proposal writing and market research
  • Access to prime and subcontracting opportunities

Specialized Support:

  • Native American APEX Accelerators: Tailored guidance for Tribal government opportunities.
  • Six regional centers support federal, state, local and tribal contracting needs

Joint Certification Program (JCP) Office

Experienced JCP personnel are available to assist with all aspects of the program.

Contact: jcp-admin@dla.mil  

JCP FAQs


JCP Portal 35 Day Lockout
  • As of August 1st, 2024, all JCP account registrants are:
    • Required to log into the JCP Portal at least every 35 days to keep their accounts active
  • Accounts not active past 35 days will be disabled
    • A warning email from j62.dacs@dla.mil will be sent five (5) days and then one (1) day prior to your account being locked.
    • If you find that your account is locked/disabled, please go to the DACS Portal: https://www.public.dacs.dla.mil/portal/ and click the "Unlock Account" link
    • You will need to provide your username and email address to unlock/enable your JCP Portal account

Will previously certified entities be affected?

Existing certifications remain valid; however, depending on the situation, entities may be asked to provide updated documentation or undergo ‘Revalidation’ under the new guidelines.

What type of Entities are eligible for JCP Certification?

Eligible entities must be registered in the United States or Canada and demonstrate legitimate business needs to access Unclassified Military Technical Export-Controlled Data. Additional criteria will apply under the Enhanced Validation processing.

Do I need to register in the System for Award Management (SAM) before applying for Joint Certification Program (JCP) Certification?

All U.S. defense contractors, and any Canadian defense contractors intending to do business with the Department of Defense (DOD), must register in SAM. The SAM expiration date must also be current before applying for JCP Certification.

What is the NIST Assessment Score and Its Meaning?

The NIST assessment score reflects an organization’s security posture based on the implementation and effectiveness of specific security controls. It is derived using methodologies like the NIST Cyber Risk Scoring tool, which evaluates risks based on factors such as confidentiality, integrity, and availability of data. The score helps prioritize areas for improvement and demonstrates compliance with cybersecurity standards. The NIST Assessment score is a numerical representation of your organization's cybersecurity posture. It is derived by evaluating the implementation of security controls outlined in frameworks like NIST SP 800-171 or SP 800-53.

The score considers factors such as:

  • Control Implementation: 

How well security controls are implemented.

  • Risk Impact: 

The potential impact of vulnerabilities on confidentiality, integrity, and availability.

  • Prioritization: 

Areas needing improvement are highlighted to guide resource allocation.

The score is often calculated using tools like the NIST Cyber Risk Scoring (CRS) tool, which integrates data from vulnerability scans, risk assessments, and control evaluations.

Certification and NIST 800-171 Requirements:

Achieving certification indicates that an organization’s security system aligns with the requirements outlined in NIST 800-171. However, that certification alone does not guarantee full compliance with all aspects of NIST 800-171, as ongoing adherence to security protocols and updates is essential.

Certification under NIST 800-171 indicates that your organization has implemented the required security controls to protect Controlled Unclassified Information (CUI).

However:

  • Certification is not a one-time achievement

It requires continuous monitoring and updates to address emerging threats.

  • It demonstrates compliance

It does not guarantee immunity from cyber risks.

Additional Security Protocols: 

Even with certification, organizations may need to adopt additional security measures and protocols beyond what was assessed, to address:

  • Emerging Threats: 

New vulnerabilities or attack vectors.

  • Regulatory Changes: 

Updates to NIST guidelines or other frameworks like SP 800-53.

  • Specific Needs: 

Tailored controls based on unique organizational risks.

Record of the SSP (System Security Plan): 

The SSP documents the security requirements and controls implemented for an organization’s system. It is typically maintained as part of an organization's compliance records and should be accessible through internal documentation or systems. NIST provides guidance on developing and maintaining SSPs in publications like SP 800-18.

The SSP is a critical document that outlines:

  • Security Controls: 

Details of implemented controls and their effectiveness.

  • Responsibilities: 

Roles and responsibilities for maintaining security.

  • Assessment Records

Documentation of assessments and findings.

The SSP is typically maintained internally but should align with NIST's guidelines, such as those in SP 800-18.

FAR 52.204-17 Ownership or Control of Offeror

Highest-level owner means:

The entity that owns or controls an immediate owner of the offeror, or that owns or controls one or more entities that control an immediate owner of the offeror. No entity owns or exercises control of the highest-level owner.

SPRS Assessing Scope Information

The definitions associated with the Assessing Scope data choices are:

  • Enterprise
    • Entire company’s network is under the CAGES listed.
  • Enclave
    • Standalone under Enterprise CAGE as business unit (test enclave, hosted resources, etc.)
  • Contract
    • Contract specific SSP review.

Information concerning a DLA Enhanced Validation (DEV)

DEVs are only valid for 3 years (unless information concerning the entity has changed, in which case the entity would need to reapply).

If JCP certification expires within 3 months, a new JCP application will need to be initiated.

Do I need a Commercial and Government Entity (CAGE)/North Atlantic Treaty Organization (NATO) Commercial and Government Entity (NCAGE) Code before applying for Joint Certification?

Yes, all defense contractors must have an active CAGE/NCAGE before applying for JCP Certification.

How long does it take to process my JCP Portal Application?
  • Initial JCP Portal Application
    • Needs to be initiated at least 120 days prior to needing a JCP certification
  • 5-Year Renewal JCP Portal Application
    • Needs to be initiated at least 120 days prior to your current 5-Year expiration.
  • Revisions to a Current Active 5-Year JCP Certification
    • Need to be initiated as soon as possible when a change occurs regarding any of the following:
      • Entity name changes
      • Entity Physical CAGE Site/Location changes
      • Type of primary work changes (examples: non-Manufacture, Manufacture, Research & Development, etc.)
      • The individual who signed the ‘Signature’ Page in the application no longer works for the entity or no longer has the authority/capacity to obligate the entity to a government contract.
      • The Primary Data Custodian and/or Alternate Data Custodian (if one was appointed) no longer works for the entity, and/or no longer works in the capacity of a Data Custodian
      • If an Entity identifies in the portal application that they are registered with DDTC, the DDTC Registration must be active for the entire 5-Year certification; if it is not renewed every year of the 5-Year period, the Data Custodian must initiate a JCP Certification ‘Revision’
  • The entity is MANDATED to create a NEW JCP Application or revise their current active JCP Application on the JCP Portal if any of the above occurs.
    • If this does not happen the entity will be in ‘Violation’ of their signed agreement with the Defense Logistics Agency

 

How long does the JCP Certification Process take when going for DLA Enhanced Validation (DEV)?

Processing times may vary based on the volume of applications received into the JCP Portal and the completeness of submitted documentation. We appreciate your patience as each case undergoes thorough investigation at the JCP Office and then at HQ DLA.

 

How long does the JCP Certification Process take when also applying for DLA Enhanced Validation (DEV)?

Processing times may vary based on the volume of applications and the completeness of submitted documentation. We appreciate your patience as each case undergoes a thorough investigation at the JCP Office and then at HQ DLA.

How do I update or correct the information in my existing certification?

Companies are required to update the JCP Portal with any changes during the certification period.

  • When changes are required, please log into the JCP Portal.
  • The JCP Office no longer accepts emailed DD Form 2345s; all required/requested documentation is now uploaded to the Portal Application.

What is DLA Enhanced Validation (DEV)?

DLA suppliers requesting access to Unclassified Military Technical Export-Controlled Data for a DLA solicitation / purchase order / contract - must have an Active JCP Certification and apply for a DEV, or if a new applicant to JCP, the Entity can apply for both at the same time.

Why have the security requirements changed?

Due to global shifts in technology and increased risk of foreign influence, the Defense Logistics Agency implemented an Enhanced Validation policy. This is to ensure protection of American and Canadian Unclassified Military Technical Export-Controlled Data.

Why is more documentation now required?

Additional documentation helps verify the legitimacy of entities requesting access and mitigates risks of unauthorized disclosure of sensitive technical information.

What is a Directly Arranged Visit (DAV)?

A Directly Arranged Visit (DAV) is used for purposes of:

  • Procurement activities
  • Related to pre-solicitation conferences
  • Discussions related to unclassified solicitations
  • Performance of an unclassified contract
  • Research
  • Attendance at restricted meetings, etc.

An Approved/Certified DD Form 2345 in the JCP Portal allows Entities to make arrangements directly with the Point of Contact at the Industry Event or Military Facility for which attendance/visitation is being requested.

To do so, send an email or letter to your point of contact, and they will forward the request for the visit to the security official at the facility for review and approval.

Your request must include:

  • Purpose of the visit
  • Date and time of the visit
  • Location of the Entity’s facility and Point of Contact
  • List of personnel that will be included in the visit
  • Citizenship information for each individual planning to attend
  • A copy of the JCP Certificate (for the Entity requesting the visit), (This can be downloaded from your JCP Portal Account)

Are Data Custodians allowed to be connected to more than one CAGE Code?

No, a Data Custodian is the person that an entity has designated to take responsibility for who has access to the unclassified military technical export-controlled data derived from the use of the JCP Certification.

It is the Standard Operating Procedure for the JCP Office to have an entity represented by a Primary Data Custodian (now with the option for an Alternate Data Custodian) per JCP Certification at the Physical Site/Location for that CAGE Code.

Note: if an Alternate Data Custodian is to be added after an entity has already been certified, a portal application revision will need to be initiated, and related documentation will need to be filled out and approved by the JCP Office prior to utilization of an Alternate Data Custodian.