DD-2345 / JCP execution signals (software-first firms)
Higher score = stronger compliance posture for ITAR-controlled program access.
The Joint Certification Program in plain language

The Joint Certification Program is the joint U.S. Department of Defense and Canadian Department of National Defence mechanism for certifying that a private-sector entity is a U.S. or Canadian person and may receive export-controlled unclassified technical data. On the U.S. side, JCP enrollment is administered by the Defense Logistics Agency through the public.dacs.dla.mil/jcp/ext portal. DD Form 2345 is the application. Once approved, a JCP-certified company can receive ITAR- and export-controlled documentation from DoD.
This article covers Joint Certification Program enrollment for firms whose physical presence is limited to remote-first software operations. The published guidance accommodates this posture; documentation must describe actual handling patterns concretely.
The 2026 portal-only reality
In 2026, JCP applications are accepted only through the DLA web portal. Email, fax, and mailed applications are not processed. This change matters for software-first firms accustomed to administrative submissions through other channels — the portal has its own credentialing flow, document-format requirements, and validation steps, and the application has to be assembled in a specific order or it will be returned. We verified this directly with DLA in April 2026; the public portal is the only path.
The portal expects machine-readable PDFs, not scans of printed forms, for the entity-data elements; CAGE and UEI fields are validated against SAM.gov in real time, so an entity with a SAM.gov registration that lapsed or is in renewal cannot complete a clean submission. The Joint Certification Office at DLA Land and Maritime is the administering office on the U.S. side, and the public portal documentation describes the cover-letter, attachments, and signature requirements. Reading the portal's own guidance verbatim before drafting saves at least one round of returns.
Software-first firms should also note that the portal session is short. Drafting the answers in a controlled document and pasting them in is more reliable than composing inside the form fields. The export-control statements in particular benefit from being reviewed offline by counsel familiar with ITAR (22 CFR 120-130) and EAR (15 CFR 730-774) before submission.
Document set
The DD-2345 document set, per the published guidance, includes corporate identification consistent with SAM.gov registration (entity legal name, address, CAGE code, UEI), key-personnel information for company officers and the designated JCP point of contact, the Empowered Official designation if the firm holds a separate ITAR registration, and statements about controlled-material handling. Most federally-registered firms have these elements available; the work is in assembling and presenting them in the JCP-required form.
The corporate-identification section is unforgiving. The legal name on the application has to match the SAM.gov registration character-for-character, the physical address has to match the address of record, and the CAGE/UEI pair has to be active. A firm whose Articles of Organization show one name and whose SAM.gov record shows a slightly different one will need to reconcile the two before applying. The same applies to NAICS codes — a software-only firm typically primary-codes 541512 or 541511, and the secondary codes should reflect any legitimate adjacent work.
Key-personnel information includes the U.S.-person status of officers and of the JCP point of contact, and disclosure of any non-U.S.-person ownership above the threshold. The published guidance is specific about who counts as an officer for the purposes of the form; firms with advisory boards, fractional executives, or external counsel as legal representatives should map their actual structure against the form's definitions before drafting.
Physical security for digital firms
JCP enrollment includes statements about how the firm will safeguard controlled material. For software-first firms with no physical office space — a common posture for remote-first SBIR firms — this section requires careful drafting. The publicly published JCP guidance accommodates remote operations, but the firm's documentation has to describe the actual handling pattern in concrete terms: encrypted storage, U.S.-person-only access, audit logging, and clean retention practices. Vague claims do not pass review, and reviewers have seen enough generic boilerplate to recognize it.
The relevant control families to mirror in the narrative are NIST SP 800-171 for CUI baseline (the 110 security requirements grouped into fourteen families) and, where applicable, NIST SP 800-172 enhanced-security requirements for higher-confidentiality categories. The narrative does not need to assert CMMC certification — that is a separate program with its own assessment cadence — but it should be consistent with the maturity the firm is actually operating at, since CMMC and JCP narratives that contradict each other create downstream review friction.
Encrypted storage. Where controlled material is stored at rest, with what encryption posture (FIPS 140-2 or 140-3 validated modules where applicable), under whose key control. Cloud-managed encryption needs to be paired with U.S.-person key custody and a documented key-rotation process.
U.S.-person-only access. Identity-verified access to anything that touches controlled material, with multi-factor authentication, a documented offboarding path when relationships end, and a clear separation between personnel cleared to handle controlled material and other contractors or advisors who are not.
Audit logging. Tamper-resistant access logs covering both human and service-principal access to controlled artifacts, retained for a period consistent with the firm's data-retention policy and reviewable on request. Cloud-native logging (CloudTrail, Audit Logs) plus a central SIEM is the common pattern.
Clean retention. Defined retention periods, defined destruction processes (cryptographic erasure for cloud-resident material, NIST SP 800-88-aligned media sanitization for any local copies), and a documented chain showing both are honored in practice rather than only on paper.
Foreign-national exposure
The application requires the firm to disclose foreign-national employees, contractors, and ownership percentages above certain thresholds. Software-first firms with international consulting relationships need to be careful here: the line between "consultant who reviewed open-source code" and "foreign-national with access to controlled data" is bright, and the firm has to be on the right side of it before submitting. The ITAR definition of a "deemed export" — the release of controlled technical data to a foreign person inside the United States — applies the same standard as a physical export, and the JCP narrative needs to demonstrate the firm understands that.
The practical operational pattern for remote-first software firms is to maintain a roster of cleared U.S.-person personnel with documented identity verification (I-9 plus passport or other immigration documentation as relevant), to segregate controlled work product into repositories and storage locations that only those personnel can access, and to keep non-U.S.-person contractors entirely outside that boundary. Mixing the two — even briefly, even for what looks like benign open-source work — creates a deemed-export risk that is difficult to undo on the record.
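One way to test that boundary against exported access grants, shown as an added example rather than code from the original article or from DLA. The roster schema, grant records, resource names and principals are constructed assumptions; a service principal is judged by the human accountable for it.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass(frozen=True)
class RosterEntry:            # hypothetical roster schema, not a DLA/JCP format
    identity_verified: bool   # U.S.-person documentation on file
    mfa_enrolled: bool
    offboarded: Optional[date] = None

@dataclass(frozen=True)
class Grant:                  # one access grant exported from a repo or bucket ACL
    resource: str
    principal: str
    owner: Optional[str] = None   # accountable human for a service principal

def audit_grants(roster, grants, controlled, today):
    """Return (resource, principal, reason) for every grant that breaks the boundary."""
    findings = []
    for g in grants:
        if g.resource not in controlled:
            continue                      # uncontrolled work is out of scope
        entry = roster.get(g.owner or g.principal)
        if entry is None:
            reason = "not on cleared roster"
        elif not entry.identity_verified:
            reason = "identity verification missing"
        elif entry.offboarded and entry.offboarded <= today:
            reason = "offboarded but access not revoked"
        elif not entry.mfa_enrolled:
            reason = "no MFA"
        else:
            continue
        findings.append((g.resource, g.principal, reason))
    return findings

# Constructed sample data (all names are made up for the example).
CONTROLLED = {"repo:ctd-firmware", "bucket:ctd-drawings"}
ROSTER = {"alice": RosterEntry(True, True),
          "bob": RosterEntry(True, True, offboarded=date(2026, 3, 1)),
          "carol": RosterEntry(True, False)}
GRANTS = [Grant("repo:ctd-firmware", "alice"),
          Grant("repo:ctd-firmware", "svc-ci", owner="alice"),
          Grant("bucket:ctd-drawings", "bob"),
          Grant("repo:ctd-firmware", "carol"),
          Grant("repo:oss-tools", "dave"),
          Grant("repo:ctd-firmware", "dave"),
          Grant("bucket:ctd-drawings", "svc-backup")]

if __name__ == "__main__":
    for finding in audit_grants(ROSTER, GRANTS, CONTROLLED, date(2026, 4, 15)):
        print(*finding, sep=" | ")
```

An empty result on a recurring schedule, kept alongside the access logs, is the kind of concrete evidence the handling narrative can point to.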
Ownership disclosure has its own arithmetic. Beneficial-ownership thresholds in CFIUS and ITAR contexts are non-trivial; firms with foreign passive investors should consult counsel on the structure before assuming the JCP narrative is straightforward. The Federal Acquisition Regulation, DFARS 252.225 clauses, and Treasury's beneficial-ownership reporting under the Corporate Transparency Act all touch this surface.
Processing time and downstream effects
JCP processing time is variable and not formally guaranteed. Offerors planning to bid on ITAR-controlled programs need to start enrollment well in advance — not days before a proposal deadline. Treating JCP as a standing posture rather than a per-proposal activity gives the firm the room to handle the document return that often happens on the first submission, especially for first-time applicants whose physical-security narrative or personnel disclosures need refinement.
Once approved, JCP-certified status enables receipt of controlled solicitations and post-award technical data, which is its own workstream. The certification has to be renewed periodically, the firm's contact information has to be kept current, and any change in U.S.-person status of officers or in foreign ownership has to be reported. Firms that treat the certification as fire-and-forget run into renewal lapses at inconvenient moments.
For DoD SBIR specifically, the 2026 BAA language requires either a copy of an active DD-2345 or evidence of a submitted application within Volume 5 for ITAR-controlled programs. That phrasing matters: a firm with a submitted but not-yet-approved application can attach the submission acknowledgment as evidence and remain eligible to propose, provided the program-office requirements allow it. The compliance posture that scales is one where the JCP relationship is maintained as part of normal operations, so the question on proposal day is whether to attach the certificate or the receipt — not whether to apply.
Why this work matters to us
Precision Federal is a software-only SBIR firm. The reason articles like this one exist on this site is simple: federal program offices fund teams whose principal investigators have demonstrated, in public, that they think carefully about the problems the program is trying to solve. We write to demonstrate that posture, not to telegraph any particular technical approach. If your office is exploring the problem class above and wants a partner who reads the literature, codes the prototypes, and ships under a Phase I or Direct-to-Phase-II SOW, we are listening.
JCP / DD Form 2345 Enrollment — Realistic Timeline
Compliance checklist
- Entity legal name matches SAM.gov registration exactly
- CAGE code is active and verifiable
- All officers and JCP point of contact identified, with title and citizenship
- U.S.-person status of all team members documented per 22 CFR 120.62
- Foreign-national consultants and academic collaborators declared (or excluded from controlled access)
- Controlled-material handling plan covers storage, access, audit, and retention
- Physical-security narrative addresses remote-first posture if applicable
Common questions on the public-record framing
What does DD Form 2345 actually require?
Corporate identification matched to SAM.gov registration (entity legal name, address, CAGE, UEI), key-personnel information for officers and the JCP point of contact, and statements about controlled-material handling. The form does not require EIN.
How are remote-first software firms accommodated?
JCP guidance accommodates remote operations, but the firm's documentation must describe the actual handling pattern: encrypted storage, U.S.-person-only access, audit logging, and clean retention. Vague claims do not pass review.
What is the realistic enrollment timeline?
Variable and not formally guaranteed. The published guidance is to enroll well in advance of any proposal deadline that would require certified status.
What does this article not cover?
Specific export-controlled program content, specific JCP review criteria beyond what is publicly published, or any Precision Federal client list.
Public DD-2345 / JCP requirements
| Requirement | Source | Software-first posture |
|---|---|---|
| SAM.gov match | DLA JCP guidance | Entity legal name, CAGE code, UEI must match exactly |
| Officer disclosures | DD Form 2345 | Citizenship and address for all corporate officers |
| Foreign-national declarations | 22 CFR 120.62 | Per ITAR U.S.-person definition |
| Controlled-material handling | DLA JCP guidance | Encrypted storage, U.S.-person-only access, audit logging |
| Physical-security narrative | DLA JCP guidance | Required even for remote-first software firms |
Frequently asked questions
DD Form 2345 is the Militarily Critical Technical Data Agreement application administered by DLA under the Joint Certification Program. Any U.S. or Canadian private-sector entity that needs to receive export-controlled unclassified technical data from DoD must hold an active JCP certification.
No. As of 2026, DLA accepts JCP applications only through the public DLA web portal at public.dacs.dla.mil/jcp/ext. Email, fax, and mailed applications are not processed.
Processing time is variable and not formally guaranteed, so firms expecting to bid on ITAR-controlled programs should treat enrollment as a standing-posture activity rather than a per-proposal one. Starting weeks or months ahead of the first relevant deadline is the safer pattern.
The publicly published JCP guidance accommodates remote operations. The firm's documentation, however, has to describe the actual handling pattern for controlled material — encrypted storage, U.S.-person-only access, audit logging, and retention practices — in concrete rather than vague terms.