JCP Certification: Everything Defense Contractors Need to Know in 2025 - Rusted Certificate Solutions for Education, Training & Business

If your business works with the U.S. Department of Defense (DoD) or the Canadian Department of National Defence (DND), you have likely heard the term JCP certification come up — possibly as a hard requirement on a contract bid or a prerequisite for accessing sensitive technical data. Yet many contractors still enter the process underprepared, resulting in delays, rejections, and lost opportunities worth millions of dollars

This article breaks down everything you need to know about Joint Certification Program (JCP) certification — what it is, who needs it, how to apply, the cybersecurity requirements attached to it, and what happens if you skip it altogether. Whether you’re a first-time applicant or renewing an existing certification, this guide gives you the full picture.

What Is JCP Certification? A Deep Dive Into the Joint Certification Program

The Joint Certification Program (JCP) was established to certify United States and Canadian contractors for access to unclassified technical data disclosing critical technology controlled in the U.S. Managed by the Defense Logistics Agency (DLA), the JCP is the gateway through which private companies, universities, and research institutions gain lawful access to export-controlled military technical data that is not available to the general public.

Table of Contents

The U.S. and Canada signed a Memorandum of Understanding (MOU) in 1985 that established the U.S.-Canada Joint Certification Program. The JCP “certifies access to unclassified technical data on an equally favorable basis to contractors of each country” through the U.S.-Canada Joint Certification Office (JCO), located in the Defense Logistics Information Service (DLIS).

It is important to understand that JCP certification does not grant access to classified information. Rather, it establishes your eligibility to receive unclassified, export-controlled data — data that, while not classified, is still too sensitive to be freely shared due to its military and national security implications.

JCP certification grants eligible companies access to unclassified, export-controlled technical data, such as data vital for national defense, ensuring contractors are equipped to support military operations securely.

Key Entities Involved in JCP Certification

Entity	Role
Defense Logistics Agency (DLA)	Administers and oversees the JCP program
Joint Certification Office (JCO)	Processes DD Form 2345 applications
NIST	Provides cybersecurity framework (SP 800-171)
SPRS (DoD System)	Stores and validates self-assessment scores
SAM.gov	Manages federal contractor registration
PIEE	Platform for procurement and compliance submissions

Why JCP Certification Matters for Federal Contractors

The defense industrial base is built on trust and compliance. Without JCP certification, businesses are cut off from an enormous share of DoD contracting opportunities. Here is why it matters more than ever:

Many DoD contracts involve sensitive technical data, which is restricted to certified contractors. Without JCP certification, your business might be excluded from bidding on and completing key defense-related contracts. Being certified under JCP shows that your company has met the required security and compliance standards. It signals to federal agencies that you are capable of safeguarding sensitive information, which can increase your chances of winning contracts.

For example, contractors involved in the production or maintenance of military aircraft, communication systems, or other specialized defense equipment must have JCP certification to access critical data. Not having JCP certification can have serious consequences, as lost business opportunities are a common result, with many contracts requiring access to sensitive technical data.

Beyond contract eligibility, JCP certification also communicates cybersecurity maturity. As of 2020, the program now requires documented NIST 800-171 compliance — meaning that certified contractors have demonstrated a measurable commitment to protecting Controlled Unclassified Information (CUI).

Top Reasons Your Business Needs JCP Certification

Access DoD solicitations — bid on contracts requiring export-controlled technical data
Attend defense-related conferences — where sensitive technical data may be shared
Conduct R&D collaboration — with government agencies and defense partners
Access the DIBBS database — the DLA’s platform for supply chain bid information
Arrange Directly Arranged Visits (DAVs) — to military facilities or data-holding organizations
Build credibility — with DoD procurement officers and prime contractors

Who Qualifies for JCP Certification?

Not every business is automatically eligible. The program has specific qualification criteria that must be met before an application can even be submitted.

To qualify for JCP certification, your organization must: be a U.S. or Canadian entity; have an active SAM Registration and CAGE/NCAGE code; complete a NIST cybersecurity assessment (SP 800-171) and upload results to SPRS; meet DFAR Clause 252.204-7012 requirements for safeguarding information; and access technical data for DoD solicitations or research.

It is also worth noting that the program covers a wide range of entity types — not just large defense prime contractors. Universities, research laboratories, small businesses, and even individual consultants can apply, provided they meet the baseline requirements.

For university researchers, a JCP authorization may be required for membership in certain organizations, to conduct research with defense-related sponsors, or when you plan to attend a meeting or conference where unclassified technical data will be shared, used, or disclosed.

“JCP certification not only qualifies you for more contracts but also builds trust with federal agencies. It shows that your business meets the stringent requirements for handling sensitive information, making you a stronger candidate for future contracts.” — USFCR Federal Contracting Blog

The Core Document: DD Form 2345 Explained

At the heart of every JCP certification application is DD Form 2345, officially titled the Military Critical Technical Data Agreement. This document is your formal declaration of eligibility, compliance, and intent.

JCP certification establishes the eligibility of a U.S. or Canadian contractor to receive technical data governed, in the U.S., by Department of Defense Directive 5230.25 and, in Canada, by the Technical Data Control Regulations (TDCR). Certification is required for U.S. or Canadian contractors who wish to obtain access to unclassified technical data disclosing militarily critical technology with military or space application that is under the control of, or in the possession of, the U.S. Department of Defense or the Canadian Department of National Defense.

DD Form 2345 applications are processed by the Defense Logistics Agency as part of the JCP. More specifically, applications are handled by the JCO or Joint Certification Office. The Joint Certification Office is a jointly staffed office managed by members of both the United States DoD and the Canadian DND. It is the only office or agency that processes DD Form 2345 applications, and it is the primary resource for providing customer support to defense contractors applying for certification via DD Form 2345. The office handles around 9,000 DD Form 2345 forms every year.

Key Sections of DD Form 2345

The form is divided into several critical blocks:

Block 2 — Entity identification (company name, address, CAGE code)
Block 3 — Data Custodian information (must be a U.S. or Canadian citizen)
Block 4 — Relevant Business Activity (what your company makes, provides, or researches)
Block 5 — Certifications and compliance declarations
Block 7 — Certification approval (completed by the JCPO upon approval)
Block 10 — Identifying the government agency or third party requiring the certification

Once approved, the JCPO will email back the completed and authorized DD Form 2345. Your entity’s certification number is assigned and shown in Block 7b on the form. This certification is valid for a five-year period with the expiration date shown in Block 7c.

Step-by-Step: How to Apply for JCP Certification

Getting your Joint Certification Program status approved requires careful preparation. Rushing the process leads to rejections that can push your timeline back by months.

To complete the JCP application successfully, you must: conduct a NIST 800-171 self-assessment and post the score and System Security Plan (SSP) information in the DoD Supplier Performance Risk System (SPRS); start the DIBBS registration process; and complete and submit the JCP application within the JCP Portal, including a DD2345 form submission, proof of business, verification of citizenship, justification for access, and SPRS scores.

Here is the full step-by-step breakdown:

Step 1: Verify SAM.gov Registration

Companies doing business with the DoD must have a Unique Entity Indicator (UEI) and register in the SAM database prior to submitting their online application that will populate the DD Form 2345. SAM and UEI registration must be current and active.

Step 2: Obtain a CAGE or NCAGE Code

An active CAGE Code or a Canadian-issued NATO Commercial and Governmental Entity Code (NCAGE Code) must be obtained and is required for all companies prior to the submission of your completed online application that will populate the DD Form 2345.

Step 3: Complete the NIST SP 800-171 Self-Assessment

As part of JCP eligibility for U.S.-based applicants, contractors must conduct a self-assessment aligned with NIST SP 800-171, generate a score using the DoD Assessment Methodology, maintain a written System Security Plan (SSP), and upload the assessment score into SPRS via PIEE. The DoD Assessment Methodology evaluates implementation of all 110 NIST SP 800-171 security controls and produces a score ranging from 110 to -213 depending on identified deficiencies.

Step 4: Upload Results to SPRS

As of November 30th, 2020, JCP applicants must have their NIST 800-171 assessment documented in the SPRS. This requirement stems from the Defense Federal Acquisition Regulation Clause (DFARS) 252.204-7012, which mandates NIST 800-171 compliance for all DoD contractors and subcontractors.

Step 5: Submit the JCP Application Online

The JCP has transitioned to an online application portal. The JCP has transitioned to an online application process, which incorporates the required information for the DD Form 2345. The portal is accessible at: https://www.public.dacs.dla.mil/jcp/ext/

Step 6: Await Review and Approval

Processing times fluctuate depending on delivery method and the volume of applications received. Service is quicker if the application is emailed to JCP-ADMIN@dla.mil. Applications containing errors can take as long as 2-3 months.

Understanding NIST SP 800-171: The Cybersecurity Backbone of JCP Certification

One of the most significant updates to the JCP certification process is the mandatory NIST SP 800-171 compliance requirement. This is no longer optional — it is a hard gate that prevents approval if not met.

NIST Special Publication (SP) 800-171 provides a framework for protecting Controlled Unclassified Information (CUI). CUI encompasses sensitive government information that is not classified, but still requires safeguarding.

The 110 controls within NIST SP 800-171 cover 14 security domains:

Security Domain	Focus Area
Access Control	Who can access what systems and data
Awareness and Training	Security education for personnel
Audit and Accountability	Logging and monitoring user activity
Configuration Management	Securing system configurations
Identification & Authentication	Verifying user identities
Incident Response	Responding to security breaches
Maintenance	Securing system maintenance procedures
Media Protection	Protecting physical and digital media
Personnel Security	Screening and managing personnel risk
Physical Protection	Controlling physical access to systems
Risk Assessment	Identifying and evaluating threats
Security Assessment	Evaluating the effectiveness of security
System & Communications	Protecting data in transit
System & Information Integrity	Detecting and correcting vulnerabilities

Arguably the most burdensome part of the enhanced JCP process requires the organization to complete a NIST 800-171 cybersecurity self-assessment and report the results of that assessment through the DoD’s Supplier Performance Risk System (SPRS). This means the organization must maintain a NIST 800-171-aligned System Security Plan (SSP), which is no small feat.

Enhanced JCP (eJCP) vs. Standard JCP Certification: What’s the Difference?

Many contractors are surprised to discover that there are two levels of JCP certification — standard and enhanced. Knowing which one you need upfront saves significant time and effort.

JCP certifications are often required for the handling of DoD CUI/CTI with a Distribution Statement. JCP stands for Joint Certification Program, and eJCP stands for Enhanced Joint Certification Program.

Access to the technical data related to DoD parts — which is published in a DIBBS database called “cFolders” (Collaboration Folders) — requires additional “Enhanced DLA Validation” (DEV), or what is commonly known as “enhanced JCP.” There are currently approximately 2,600 enhanced JCP entities (organizations that have been approved under the DEV program). DEV certifications expire after 3 years.

Standard JCP vs. Enhanced JCP at a Glance

Feature	Standard JCP	Enhanced JCP (eJCP/DEV)
Expiration	5 years	3 years
SPRS Score Required	Yes	Yes (stricter review)
DD Form 2345	Required	Required
DIBBS cFolders Access	No	Yes
NIST SSP Required	Yes	Yes
Active JCP Entities	~Thousands	~2,600

Common Mistakes That Lead to JCP Certification Rejection

To make sure your application is one that passes inspection, it’s important to follow all instructions, fill out the form and application properly, and be sure to ask relevant contacts or the JCO directly if you have any questions.

Here are the most frequent reasons JCP applications are returned or rejected:

Outdated SAM.gov registration — Your SAM registration must be active and current at the time of submission
Missing or incorrect CAGE code — The CAGE code on your application must match exactly what is registered in SAM.gov
SPRS score not uploaded — Failing to document your NIST 800-171 assessment in SPRS is an automatic disqualifier
Incomplete business activity description — Block 4 of DD Form 2345 must clearly describe what your company does and what it manufactures or provides
Data Custodian citizenship issues — If the location of the entity is in the United States, the Data Custodian must be a U.S. citizen, or a person admitted lawfully for permanent residence into the United States.
Missing DDTC registration — If your products are on the U.S. Munitions List (USML), you must be registered with the Directorate of Defense Trade Controls
Stale proof of business — Supporting documentation must be dated within 12 months of application submission

JCP Certification Renewal: What You Need to Know

Holding a JCP certification is not a permanent status. The program requires periodic renewal to ensure that certified entities continue to meet evolving security and compliance standards.

A Certified Entity must not provide and/or impart military critical technical data to a Non-Certified Entity. All JCP certified entities must have a current, up-to-date NIST SP 800-171 Assessment documented on the Supplier Performance Risk System (SPRS) website.

Please send your renewal in at least 60 days prior to expiration. Processing times fluctuate depending on delivery method and the volume of applications received.

Many JCP certifications are approaching their five-year renewal period. Companies renewing their JCP certification for the first time since the NIST requirement came into effect will need to ensure their NIST assessment is documented in the SPRS. Failure to do so will result in a denial of their JCP application.

Renewal Checklist:

[ ] Verify SAM.gov registration is current and active
[ ] Confirm CAGE/NCAGE code is still valid
[ ] Update or re-run NIST SP 800-171 self-assessment
[ ] Upload refreshed SPRS score via PIEE
[ ] Review and update your System Security Plan (SSP)
[ ] Submit renewal application at least 60 days before expiration
[ ] Update proof of business (must be within 12 months)

JCP Certification and CMMC: How They Relate

The Cybersecurity Maturity Model Certification (CMMC) is the DoD’s broader framework for validating cybersecurity across the entire defense industrial base. While JCP and CMMC are separate programs, they are deeply interconnected — especially after the 2020 update requiring SPRS documentation for all JCP applicants.

JCP confirms that a contractor is a legitimate entity eligible to request controlled technical data. It does not certify cybersecurity maturity or validate implementation of NIST SP 800-171 controls. However, eligibility to access technical data now operates alongside documented cybersecurity posture.

Think of the relationship this way:

NIST SP 800-171 is the standard (the rules you must follow)
CMMC is the verification mechanism (proving you follow those rules)
JCP certification is the access gateway (unlocking technical data once you’ve demonstrated compliance)

Contractors who have already invested in CMMC compliance will find the SPRS/NIST requirements for Joint Certification Program applications considerably easier to fulfill — the foundational work is largely already done.

Security Obligations After Receiving JCP Certification

Receiving JCP certification comes with ongoing legal and operational obligations. Compliance does not end at approval — it must be maintained for the entire duration of the certification period.

Key post-certification obligations include:

Safeguard all received technical data from unauthorized disclosure or export
Report cyber incidents to the DoD within 72 hours of discovery
Do not share data with non-certified entities — a Certified Entity must not provide and/or impart military critical technical data to a Non-Certified Entity
Maintain an up-to-date SSP that reflects the actual state of your cybersecurity environment
Submit malicious software discovered during operations to the DoD for analysis
Arrange Directly Arranged Visits (DAVs) for in-person data transfers, including purpose, location, attendee details, and a copy of your JCP certification

Real-World Impact: A Case Study Perspective

To illustrate the value of JCP certification, consider the following scenario that mirrors real experiences across the defense contracting landscape.

Case Study — Virginia Tech Applied Research Corporation:

PreVeil helped enable Virginia Tech’s Applied Research Corp. to increase their SPRS score by 80 points, which directly supported their ability to meet JCP certification requirements. The Applied Research Corporation needed to access export-controlled DoD technical data for advanced defense research projects. Without an adequate SPRS score — a prerequisite for the JCP application — their access would have been denied, halting the research entirely.

By implementing a compliant cybersecurity platform and documenting their NIST SP 800-171 controls properly, they not only satisfied the JCP requirement but also positioned themselves favorably for CMMC Level 2 certification — unlocking an even broader set of DoD contracting opportunities.

This illustrates a critical point: investing in cybersecurity compliance for JCP certification creates a compounding return — it simultaneously satisfies multiple DoD requirements and improves your competitive standing in the federal marketplace.

How JCP Certification Connects to Physical Security Compliance

Defense contractors handling sensitive technical data often also maintain physical security systems at their facilities. If your company secures classified or sensitive spaces using monitored alarm systems, you may also require a central station alarm certificate to demonstrate that your physical security monitoring meets federal and DoD standards. Physical and cybersecurity compliance work hand-in-hand for contractors operating within the defense industrial base.

Tips for a Faster, More Successful JCP Application

Based on real-world data from the Joint Certification Program Office and industry practitioners, here are proven strategies for improving your JCP certification approval timeline:

Email your application rather than mailing it — service is quicker if the application is emailed to JCP-ADMIN@dla.mil
Start your NIST assessment early — it can take several business days to complete even with dedicated resources
Use the JCP Portal — the online application system reduces errors compared to manual form submissions
Double-check your CAGE code against your SAM.gov registration before submitting
Hire a compliance consultant if your SPRS score is negative or very low — the JCP office will scrutinize low scores heavily
Contact the DLA Help Desk for guidance — DLA recommends you call the DLA Customer Interaction Center (CIC) helpdesk: 877.DLA.CALL (877.352.2255). This help desk is staffed 24/7.
Monitor your inbox — the JCPO communicates primarily via email and requires prompt responses to requests for additional information

🚀 Ready to Start Your JCP Certification Process?

Don’t let compliance complexity hold your business back from winning lucrative DoD contracts. Begin your JCP certification journey today by visiting the official Defense Logistics Agency portal. Start with your SAM.gov registration, build your NIST SP 800-171 System Security Plan, and submit your DD Form 2345 — the gateway to the defense industrial base is open to those who prepare correctly.

Visit the Official DLA JCP Portal →

Frequently Asked Questions About JCP Certification

What does JCP certification stand for?

JCP certification stands for Joint Certification Program certification. It is a Defense Logistics Agency program that certifies U.S. and Canadian contractors for access to unclassified, export-controlled military technical data.

How long does JCP certification take?

Processing times vary. If your application is complete and error-free, approval can come within 4–6 weeks when submitted via email. However, applications with errors or missing documentation can take 2–3 months or longer.

How long is JCP certification valid?

Standard JCP certification is valid for 5 years. Enhanced JCP (DEV) certification expires after 3 years. Renewal should begin at least 60 days before expiration.

Is JCP certification the same as CMMC?

No. JCP certification is a data access credential managed by the DLA, while CMMC (Cybersecurity Maturity Model Certification) is a cybersecurity compliance framework. However, they share common requirements — especially NIST SP 800-171 — making simultaneous pursuit logical and efficient.

Who processes DD Form 2345?

DD Form 2345 applications are processed by the Defense Logistics Agency as part of the JCP. More specifically, applications are handled by the Joint Certification Office (JCO), which is the only office or agency that processes DD Form 2345 applications.

Can Canadian companies apply for JCP certification?

Yes. The Joint Certification Program allows U.S. and Canadian contractors to apply for access to unclassified export-controlled data belonging to either country. Canadian applicants use an NCAGE code in place of a standard U.S. CAGE code.

What is the SPRS score requirement for JCP certification?

There is no minimum SPRS score required to apply, but a documented assessment must be on file in the SPRS system. A negative or very low score may increase scrutiny from the JCPO and require explanation or a Plan of Action & Milestones (POA&M).

What happens if my JCP certification lapses?

If your JCP certification expires, you lose your eligibility to access DoD export-controlled technical data until a renewal is approved. This can halt active contracts and disqualify you from new solicitations. Always track your expiration date and begin the renewal process early.

Where do I submit my DD Form 2345?

Submit your completed DD Form 2345 as a PDF attachment to: JCP-ADMIN@DLA.MIL. You can also submit through the official JCP online portal at https://www.public.dacs.dla.mil/jcp/ext/

Is JCP certification required for universities?

Yes, in many cases. The U.S. Department of Defense requires certification from U.S. contractors, including universities, that wish to obtain access to unclassified technical data that discloses specifications for technology considered critical by the U.S. Department of Defense.

Citation: Defense Logistics Agency. “Joint Certification Program (JCP).” DLA.mil. Retrieved 2025. https://www.dla.mil/logistics-operations/services/joint-certification-program/

Last updated: 2025 | Category: Defense Contracting, Federal Compliance, Cybersecurity