COTS Contracts and CMMC
By: Omer Kaan Aslim
June 03, 2020
Do you need to earn a CMMC if you sell commercial off the shelf (COTS) items to the U.S. Department of Defense?
The U.S. Department of Defense’s new Cybersecurity Maturity Model Certification (CMMC) will apply to over 300,000 contractors. According to the official CMMC website, there may be an exception for companies selling “commercial off the shelf” (COTS) items. Here is what the DoD says: "If a DIB company does not possess CUI but possesses Federal Contract Information (FCI), it is required to meet FAR Clause 52.204-21 and must be certified at a minimum of CMMC Level 1. Companies that solely produce Commercial-Off-The-Shelf (COTS) products do not require a CMMC certification". As of the writing of this blog post, companies providing only COTS items to the DoD will not need to earn a CMMC certification. To be safe, however, we encourage contractors to always check their contract.
What is a Commercial off the Shelf Item (COTS)?
According to Federal Acquisition Regulation (FAR) 2.101, “Commercially available off-the-shelf (COTS) item— (1) Means any item of supply (including construction material) that is: A commercial item (as defined in paragraph (1) of the definition in this section), sold in substantial quantities in the commercial marketplace and offered to the Government, under a contract or subcontract at any tier, without modification, in the same form in which it is sold in the commercial marketplace. Commercially off the shelf items do not include bulk cargo, as defined in 46 U.S.C. 40102(4), such as agricultural products and petroleum products.”