JCP/eJCP Fundamentals: What Every Foundry Should Know
Before You Can Access DLA Technical Drawings, You Need Two Things Some Suppliers Miss
When the U.S. Department of Defense develops a weapons system, aircraft component, or military vehicle part, the engineering drawings and specifications that describe how to build it don't become public information, even when they're unclassified. They're controlled under federal law as Militarily Critical Technical Data, and access to them is restricted to companies that have been vetted and approved by the government. That vetting process is called the Joint Certification Program, or JCP.
What JCP Actually Is
JCP is a U.S. and Canadian government program administered by the Defense Logistics Agency (DLA) that authorizes approved companies to access unclassified, export-controlled military technical data, things like blueprints, engineering drawings, material specifications, and technical data packages for defense components. Without JCP Certification, that data is simply off-limits, which means you can't fully evaluate a solicitation, price a part accurately, or submit a competitive bid on many DLA contracts.
To get JCP certified, your company submits DD Form 2345 to the Joint Certification Program Office (JCPO), designates a Data Custodian who is legally responsible for how the data is handled, and certifies compliance with U.S. export control laws. You also must complete a cybersecurity self-assessment against NIST SP 800-171, a 110-control federal security framework, and document your score in the DoD's Supplier Performance Risk System (SPRS). This has been a hard requirement since November 2020 and is the most common reason applications are delayed or denied. JCP certification is valid for five years.
JCP Is the Foundation; DEV Opens the Door
For suppliers working with ICON, JCP alone isn't enough. Because all ICON solicitations run through DLA, you also need a second certification called DLA Enhanced Validation, or DEV (formerly eJCP). Where JCP establishes your general eligibility to receive controlled technical data, DEV specifically authorizes access to cFolders, DLA's system for storing technical data packages, item-level drawings, and proprietary specifications tied to active solicitations. DEV is valid for three years and cannot be approved without an active JCP certification already in place. There is no shortcut around the sequence.
Remote Workers: Your Machine Has to Be Registered
This is the part that surprises almost everyone. cFolders doesn't just verify your credentials, it verifies the physical machine you're connecting from. Both your IP address and your MAC address must be registered with the JCPO as part of your DEV certification. If your company registered its main office machines when DEV was approved, remote workers connecting from another location will be blocked, even with valid credentials.
The fix requires your company's Data Custodian to contact the JCPO and register your machine as an additional approved access point. Also important: never use a VPN when accessing cFolders. DLA prohibits it, and it will block your access every time.
Where to Start
The complete step-by-step checklist, from SAM registration through DEV approval, is in the JCP Certification Knowledge Brief. If you're starting from scratch, that's your roadmap.
Find government contract opportunities on ICON. Register at iconportal.com to get started.