Commercial off the shelf (COTS)

COTS Contracts and CMMC

Do you need to earn a CMMC if you sell commercial off the shelf (COTS) items to the U.S. Department of Defense?

The U.S. Department of Defense’s new cybersecurity maturity model certification (CMMC) will apply to over 300,000 contractors. According to the official CMMC website, there may be an exception for companies selling “commercial off the shelf” (COTS) items. Here is what the DoD says: "If a DIB company does not possess CUI but possesses Federal Contract Information (FCI), it is required to meet FAR Clause 52.204-21 and must be certified at a minimum of CMMC Level 1. Companies that solely produce Commercial-Off-The-Shelf (COTS) products do not require a CMMC certification."

As of the writing of this blog post, companies providing only COTS items to the DoD will not need to earn a CMMC certification. To be safe, however, we encourage contractors to always check their contract.

What is a Commercial off the Shelf Item (COTS)?

According to Federal Acquisition Regulation (FAR) 2.101, “Commercially available off-the-shelf (COTS) item— (1) Means any item of supply (including construction material) that is: A commercial item (as defined in paragraph (1) of the definition in this section), sold in substantial quantities in the commercial marketplace and offered to the Government, under a contract or subcontract at any tier, without modification, in the same form in which it is sold in the commercial marketplace. Commercially off the shelf items do not include bulk cargo, as defined in 46 U.S.C. 40102(4), such as agricultural products and petroleum products.”
