CMMC – Will the COTS Exception Apply to Me?

By Jeff Ellinport, Division Counsel

CMMC, DOD’s Capability Maturity Model Certification, will require almost all government contractors doing business with the Department of Defense to be independently certified by a third party as meeting one of five cyber security standards. This requirement will apply to every link in the government’s supply chain – including OEMs, distributors and resellers.

To the relief of many contractors, DOD updated its CMMC FAQs a few months ago to provide this exception (the only one so far): CMMC certification will not be required for companies that only provide commercial off-the-shelf (COTS) items. 

Under NIST SP 800-161, COTS is defined as “Software and hardware that already exists and is available from commercial sources.” Under FAR 2.101, COTS means any item of supply, other than real property, that is:

• Of a type customarily used by the general public or by non-governmental entities for purposes other than governmental purposes,
• Sold in substantial quantities in the commercial marketplace
• Offered to the government without modification

It would seem, then, that any company that provides services – on a standalone basis or in combination with IT products – would not qualify for this exception.

Most IT solutions, for example, include not only a software or hardware product, but also some kind of services like maintenance and support. This begs the question of what qualifies as “services”? Since maintenance is usually comprised of software updates and upgrades, and since GSA Schedules recognize maintenance as a product, it likely falls under the definition of COTS. But what about call center support or installation? And, what about software as a service (SaaS)? It has the word “service” right in its description.

This grey area probably makes it prudent for contractors, which otherwise might only be providing COTS items, to consider at least a Level 1 certification. There are other reasons as well.

First, even if the exception does firmly apply, it still may be wise to obtain a Level 1 certification to avoid any argument (and risk losing business) with a contracting officer or prime contractor at the order level if they disagree on the nature of the items you are providing (e.g., COTS versus a commercial item).

Second, as with other regulations, just because the government does not require the certification, it may still be a good idea to implement Level 1 security controls as an industry “best practice.”

Finally, obtaining a certification may help in the situation where a prime contractor requires one even though not required by the government, which many systems integrators are prone to do.

So, while the recent CMMC exemption for COTS products was a welcome and sensible update, it may not exclude as many companies from compliance as may appear, given that the definitions of COTS do not include services. And, there are compelling reasons to still obtain a certification even if one is clearly not mandatory.

You may also be interested in reading our blog about the CMMC interim rule surprises revealed just before the end of FY20.

Keep up on what’s happening in government IT. Subscribe to immixGroup’s Government Sales Insider blog now!