Commercial off the shelf (COTS)

COTS Contracts and CMMC

Do you need to earn a CMMC if you sell commercial off the shelf (COTS) items to the U.S. Department of Defense?

The U.S. Department of Defense’s new cybersecurity maturity model certification (CMMC) will apply to over 300,000 contractors. According to the official CMMC website, there may be an exception for companies selling “commercial off the shelf” (COTS) items. Here is what the DoD says: "If a DIB company does not possess CUI but possesses Federal Contract Information (FCI), it is required to meet FAR Clause 52.204-21 and must be certified at a minimum of CMMC Level 1. Companies that solely produce Commercial-Off-The-Shelf (COTS) products do not require a CMMC certification". As of the writing of this blog post, companies only providing COTS items to the DoD will not need to earn a CMMC certification. To be safe, however, we encourage contractors to always check their contract.

What is a Commercial off the Shelf Item (COTS)?

According to Federal Acquisition Regulation (FAR) 2.101, “Commercially available off-the-shelf (COTS) item— (1) Means any item of supply (including construction material) that is: A commercial item (as defined in paragraph (1) of the definition in this section), sold in substantial quantities in the commercial marketplace and offered to the Government, under a contract or subcontract at any tier, without modification, in the same form in which it is sold in the commercial marketplace. Commercially off the shelf items do not include bulk cargo, as defined in 46 U.S.C. 40102(4), such as agricultural products and petroleum products.”