COTS Contracts and CMMC

The U.S. Department of Defense’s new cybersecurity maturity model certification (CMMC) will apply to over 300,000 contractors. According to the official CMMC website, there may be an exception for companies selling “commercial off the shelf” (COTS) items. Here is what the DoD says: "If a DIB company does not possess CUI but possesses Federal Contract Information (FCI), it is required to meet FAR Clause 52.204-21 and must be certified at a minimum of CMMC Level 1. Companies that solely produce Commercial-Off-The-Shelf (COTS) products do not require a CMMC certification". As of the writing of this blog post, companies only providing COTS items to the DoD will not need to earn a CMMC certification. To be safe however, we encourage contractors to always check their contract.

According to Federal Acquisition Regulation (FAR) 2.101, “Commercially available off-the-shelf (COTS) item— (1) Means any item of supply (including construction material) that is: A commercial item (as defined in paragraph (1) of the definition in this section), sold in substantial quantities in the commercial marketplace and offered to the Government, under a contract or subcontract at any tier, without modification, in the same form in which it is sold in the commercial marketplace. Commercialy off the shelf items do not include bulk cargo, as defined in 46 U.S.C. 40102(4), such as agricultural products and petroleum products.”