Kelly Hynes McDermott interviews KLC Consulting’s Kyle Lai in this Commercial Off the Shelf (COTS) video. They discuss what COTS is, what products qualify for it, and how Defense Industrial Base companies can avoid unnecessary DFARS and CMMC compliance program costs by obtaining a COTS exemption.
[Kelly] Hi Kyle, how are you doing today?
[Kyle] Good, how are you doing, Kelly?
What is Commercial Off The Shelf COTS?
[Kelly] Good, thank you. I’m excited to talk about COTS: what it is and how it affects people out there doing business in the defense industrial services. So, what can you tell us? What is COTS?
[Kyle] COTS is what we call commercially off the shelf products. So, what it is, is the government wants to save money by purchasing COTS. Because if they don’t have to make any modifications, they can save money. If they can buy something directly from the commercial market. When they don’t have to make any modifications, then they will in fact pay the same price as you and I are paying for a hammer.
They don’t have to spend $500 if they can just buy it directly from the market. Yeah, they can save a lot of money. So, that’s why the government created this division called the “Commercial Item Group.” To determine if there are products that are commercial items they can purchase. And if it is not modified at all, and it’s available to the public, and we can purchase it, then it’s considered COTS. So, we’ll get into a little bit more detail in the definition.
Commercial Off The Shelf COTS originated in the 1970’s
[Kelly] Yeah, well it’s funny that you should mention the hammer because back in the 1970s and early 1980s, there was a slew of this kind of stuff going on. The government had paid $640 for instance, for a plastic toilet seat. And $435 for a claw hammer. $37 for a screw. All of these items that you could get at your local hardware store. And so, it’s interesting to see that this is why COTS was established; to prevent this kind of thing from happening. And really the bottom line is, if it’s off the shelf then you’re saving the consumer dollars, right?
[Kyle] Oh absolutely. Yeah, and why reinvent the wheel? And why do other specs when you can just buy directly from the market?
Commercial Off The Shelf COTS = costing checks and balances
[Kelly] Yeah, and it also seems to me Kyle, and correct me if I’m wrong, but it seems to also put some checks and balances into defense contractors doing business with the government. Because in a news story from 1986, this large defense contractor had defrauded the government out of $6.3 million on military contracts. And I can see that COTS has a way of putting these checks and balances in place, for people in the defense contractor space doing business with the federal government. What do you have to say about that?
[Kyle] Yeah, I think if they are selling some common goods to the government, these are just configurations. These are not really modifications. They can really consider them as COTS. Then yeah, they don’t really have to charge so much for a COTS item. And if the government thinks like – hey, these are COTS products – yeah, they can pay less. And also there’s a benefit for the vendor as well. Because when this program established COTS, if you make a COTS product, if you are a COTS vendor, that also helps the vendors. They can get an exemption from a lot of the regulations. So, we’ll talk about that as well.
[Kelly] Okay sounds good. Yeah, there’s a lot to cover. We’re going to get through it!
[Kyle] Yes Yeah, absolutely.
Commercial Off The Shelf COTS Benefits To DIB companies
[Kelly] All right. So, Kyle, we were talking about the many implications of a COTS exemption to defense industrial base companies. What are some of those implications that we need to know about?
[Kyle] Yeah, So, if you are a COTS vendor there are a lot of benefits as mentioned. So, you get exempted from DFARS 252.204-7012, which is about protecting the Controlled Unclassified Information for non-federal organizations. And their systems, right. So, you are exempt from those cyber security regulations. Simply put, there is a DFARS 7012 and there is a DFARS 7019 and 7020. And there is a DFARS 7021 which is CMMC. The cybersecurity maturity model certification. There are others like FAR 52.204-21 which is for protecting Federal Contract Information. You get exempt from that as well.
There’s a lot of benefit because if you’re a COTS vendor, you are just basically providing this product, the same product, same price, same catalog result, for the government. And also, for the general public. So, anybody can buy it. So, there’s not really a specific requirement for you to protect this information in terms of how do you produce this product. Because that’s more like your IP [intellectual property], you are on your own.
Commercial Off The Shelf COTS and Cost Savings
[Kelly] Yeah, that’s interesting. So, I can see how it would be a benefit to prove that it is COTS. Because otherwise you have to go through this whole process. Which can be very time consuming and can also be very costly. But if you prove that it’s COTS then it’s a huge cost savings, is that right?
[Kyle] Yes, absolutely. If the product that you produce is qualified as COTS, yeah, there are a lot of benefits.
[Kelly] Yeah, what are the authoritative FAR and DFARS clauses that spell out COTS exemptions? Can you walk us through some of those clauses?
[Kyle] Yeah, absolutely. So, FAR 12.103 and FAR 2.101 specify what the definitions are for a commercial item. And they get into the definition of what is COTS, and what are “Commercially Off The Shelf” products. Also within DFARS 252.204-7012, 7019, 7020, CMMC, as well as FAR 52.204-21, they all mention that if you’re a COTS vendor you are exempt from these regulations.
Examples of Commercial Off The Shelf COTS Products
[Kelly] Okay. Kyle can you give me some examples of what that would look like? What kinds of companies would be exempt for instance? As a regular consumer would it be someone like Microsoft? Can you give us some examples of what companies those would be?
[Kyle] It could be as simple as a pencil. A pen or pencil that’s available now. The government buys it. So, it’s always the same. You have the standard price. Buy it from Amazon, from a catalog. Something that is defined, already the general public is buying it. They’re purchasing it in a big quantity. So, it could be as simple as a pencil.
It could be as complex as a cockpit computer that goes into a military plane, produced by Boeing. Because Boeing has cockpits that are categorized as “Commercially Off The Shelf.” They’ve already been using this in some of their Boeing 727, 737, 747 aircraft, right. So, they already use it in their products. And anyone that wants to buy it to fit into commercial airlines, they can already do it. The government sometimes buys these cockpit computers for their own use as well. Because if they don’t really make any modification, they can just change some configurations.
If no modifications, then they can just claim that this is a COTS product. And Boeing successfully worked with the DOD. The DOD certified that yes, this cockpit computer is COTS. So, it could be as simple as a pen or microphone. Or something that’s used within the office. Microsoft Office for example, an operating system. These are all COTS, right. And also, a camera. If there are some camera systems without modifications, they are COTS. There is a wide range of products.
[Kelly] Sure. So, various commercial uses, everyday uses. Can you give us an example of one that is not COTS? Like, give me an example of when it would be flagged for not being COTS?
Commercial Off The Shelf COTS Product Disqualifications
[Kyle] Yeah, So, for example, if I produce a capacitor. And the capacitor is very simple. It’s being used in my computer. This is our very standard capacitor. If the Government comes and says: “yeah, we just want this capacitor, this order” directly from my catalog. Or from my website, and places an order from the website, they already have the pricing. It’s very simple. That’s COTS.
But if the Government comes and says: “We want that product, but we want to have the power variation be no greater than 0.0001 percent and it must be very specific. And anything over that tolerance is no good for us. So, we want that same product, but we have additional specifications. When you give it to us, make sure you follow that specification.” Then the vendor must do additional work.
That specification is provided by the government. So, this becomes a very specific requirement. Anyone else as a regular customer may not be able to get that because I’m designing something that is very specific for the government. Now that becomes a deviation or a modification for the government. And that is when you deviate from COTS. So, when you have that specification from the government, it’s no longer COTS. Because it’s not available to other consumers at all.
Modification versus Configuration
[Kelly] Okay, thank you for that, that really helps to clarify things. So, the things that jumped out at me when you talked were: “a modification” or “a specification” that changes the off-the-shelf products.
[Kyle] Another example: maybe you have a wrench, a regular wrench. And it’s very easy, it’s COTS. You can buy it from Home Depot. And the government might use it. So, they have a wrench. But the head must be tilted at 37 degrees. Because that’s where we need it to work on a machine that’s specifically designed for the government.
When you have that specification, the wrench that you are designing for the government is no longer available to the regular customer. Then that wrench is not going to be COTS. You will have to meet all the regulatory requirements when it comes to cybersecurity.
[Kelly] Right, okay. Thank you for those great examples. That really helps to clear it up. So, at a high level what are the requirements?
[Kyle] For a “Commercial Item,” because before we talk about “Commercially Off-The-Shelf” products, we have to talk about Commercial Items. Because for COTS there are three requirements:
- It has to be a Commercial Item,
- Be produced in mass quantity – in significant quantity – and also
- The product cannot be modified in any way for the government.
Of a type
So, those are the basic three requirements for COTS. So, what is a commercial item? A commercial item means the phrase “of a type.” Which means, this product must have a market. It must be used by somebody in a marketplace and not just used by the government.
Available to general public
So, it must be what they call “of a type.” It’s customarily used by the general public, by non-government entities. This product must be sold to the general public, or licensed to the general public, or is being offered for sale, if it’s not already available. But it must be offered for sale or lease or license to the general public.
[Kelly] Okay, so it’s produced and is accessible to the public?
[Kyle] It must be accessible by the general public for the same product, right, yep. And also, this product must be available when the government is purchasing it. So, this commercial product must be available. And, you cannot have any modification. It’s no longer a commercial item when there are some modifications. You no longer make the product available in the commercial market. Or when you must charge more for the product, it becomes a non-commercial product.
Not custom made
[Kelly] Yeah, I understand. So, it sounds like there’s one that’s a commercial item and there’s something else that’s sort of a custom-made item. Something that’s custom-made.
[Kyle] Correct. The Commercial Item is not something that you made specifically based on the government’s specification, and that is not available to the general public. The pricing must be available so people can see how much it costs in your catalog, on your website. You must be very transparent. So, when the government buys it, they know exactly how much it costs and the general public knows too.
[Kelly] Okay. Yeah, that’s a good way to ward off the $437 hammer!
[Kyle] Yes absolutely. So, at a high level that’s what it means when we’re talking about a commercial item.
Commercial Off The Shelf COTS Products Save Taxpayers Money
[Kelly] I see, so these are all great advancements that have happened in this area that save the consumer and the government money when it comes to products and services that are off the shelf, right?
Examples of Commercial Off The Shelf COTS Products sold in Substantial Quantities
[Kyle] Yep, right, absolutely. So, now we know the product is a commercial item, that’s when you are qualified to go to the next level to determine if the product could be COTS: a commercially off the shelf product. We want to see if the product has been sold in substantial quantity. I think it is going to be in the context of what the product is. If you are talking about Boeing and we’re talking about a cockpit computer, they are not going to be sold in millions. But maybe they are going to be in the thousands. That will be substantial quantity in that context.
If you’re talking about pens, creating something that’s a specific pen that’s going to be commercially available, maybe you have a million, or hundreds of thousands of pens. Then you can say, yep this is a very substantial quantity. You’re creating this pen. I mean a pen is a simple example, but this is a good example in terms of what is substantial quantity.
Precision Fluid Dispensing Example of COTS
We worked with a company that creates precise fluid dispensers. And we needed to demonstrate that they have substantial quantity. When you have substantial quantity it’s not just you. You must have competitors that are producing similar products as well. So, you know there’s a market. Have a basis to compare with. And what percent of the market do you produce this for. It could be five percent, ten percent, etc. You may own that five percent or ten percent of the market. And you know, hey, I produced this precision fluid dispenser and they’re sold in “so much” quantity. And we produce so many, then we know there’s a market; this is a commercial marketplace. We can satisfy and prove this is a substantial quantity produced by you.
Modifications disqualify products for Commercial Off The Shelf COTS Exemption
Then you need to see if there are modifications. Does the company do this for the government? But if we don’t really do modifications because we (instead) do configuration changes, and anyone can make these configuration changes. We’ll do it for them, or they can make their own configuration changes. Then there’s no modification. So, there’s a very distinct difference between modification and configuration: modification is when you start changing or make some physical changes to your product. If you need to cut something, or you have to change some of the characteristics of your product – that’s modification.
But if I only have to change the settings within my product, just to change your settings, push your buttons, that is considered a configuration change. I don’t have to do any code changes. No material modification to the characteristics of the material, or the tolerance of the performance. If I don’t need to make that modification, I only must tweak based on the configuration changes that are available to anyone, then that’s configuration. So, if there’s no modification, that will qualify you as COTS. If you start changing anything that’s considered modification, then it will no longer make you COTS.
Compliance Letter Requests and Commercial Off The Shelf COTS Status
[Kelly] Okay yeah, that’s an important distinction. It gets very nuanced doesn’t it with these changes? You know they’re subtle? But there is a difference. And it’s also one of those things that KLC Consulting can help companies determine. Walk you through that process to see exactly where these differences lie. Help you through the COTS determination.
[Kelly] Let’s imagine that I am a defense industrial base company. I’ve just received a letter from my prime customer and they’re asking about my compliance with DFARS 252.204-7012, -7019, -7020, and -7021. Does that mean that they’ve already determined that we don’t qualify for COTS? What does that mean when I get that letter from my prime customer asking about my compliance?
[Kyle] Yeah, so all these clauses, the DFARS 7012, 7020, 7021, they all have what we call flow-down requirements. What that means is prime contractors will need to make sure their subcontractors are following the same requirements. The DFARS -7012, -7020, -7021 or CMMC. A lot of the time they either never discussed if your company produces COTS or not, or they don’t know who they are sending it to because they just do a mass mailing, emailing all their subcontractors saying you have to comply. Here are the rules that you have to comply with.
How to pursue a Commercial Off The Shelf COTS Exemption
So, if you receive this letter and you are convinced that you are selling only COTS to your prime contractors, you can talk to them and say: “Hey, this is what we sell.” For example, if you are selling raw material only, a specific aluminum alloy for example, you can tell your prime contractor: this is all we sell to you and we don’t sell you anything else. Can we get an exemption? Because this is COTS, this is commercially off the shelf. Nothing to it, anyone can order it. No difference between what you’re buying and what the other customers in the public are buying.
So, you can make that claim. Sometimes it’s more sophisticated. You can talk to them and ask them: hey we think we’re COTS. They will give you something called COTS or commercial item or COTS determination form for you to fill out. Once you fill it out, they will review and make that determination to see if you are a COTS vendor. You will have to go through that process.
[Kelly] Okay, all right, that’s good to know. So, this is sort of like a blanket questionnaire that is sent to everybody. And then it’s up to you to prove and to say whether you are or you’re not COTS. It’s a standard operating procedure to get this letter. Is that right?
[Kyle] Yeah, correct and this process is the same process when you deal with DOD or when you deal with your prime customers.
Help with obtaining Commercial Off The Shelf COTS exemptions
[Kelly] Okay, if there’s any doubt, or if there are, like we talked about earlier, these little nuances where somebody is unsure about that, then they would need to go to a third-party vendor such as, say, KLC Consulting to determine exactly where they stand with this. With COTS, whether it is or whether it’s not. And in that way, they can have the confidence of knowing exactly what it is and have that backed up by a third party. Can you speak a little bit to how important that is? How that would be important to somebody who’s received this letter and they’re a little bit unsure, if you’re a subcontractor or even a prime contractor and you think you have COTS products?
[Kyle] Yeah, you should definitely fill out this form – the COTS determination form, to prove that you are indeed a COTS vendor if you are not too sure about this determination. Because there is quite a bit of documentation that you must put together. For example, you have to show that you have the product that’s “of a type” being used by both the non-government and also the government. You have to prove that, do a little bit of research. It’s not just you are producing it, you must have competitors. There are some things that you have to put together and research.
KLC Consulting provides help with obtaining COTS Exemptions
Also, you have to justify the price. There are many things that you have to put together to show to the DOD or your prime customers that this is COTS. If you are not sure, you want to consult with somebody like KLC Consulting to help you put together a preparation package so you can convince your customer that you are COTS the first time. Because if they say “no,” it will be very difficult to go back to them again.
[Kelly] Well that would take a lot of time in order to go through that process. And then it would also cost more money in the end because you’re not able to sell that product until you have that determination.
[Kyle] Yep, absolutely. And yeah, if they reject it and say you’re not COTS, it will be difficult to appeal and get them to review it again.
Difference between Commercial Off The Shelf COTS Exemption with DoD and Prime Contractors
[Kelly] Right, yeah. So, it’s good to be proactive about that. Is there a difference in this process for obtaining a COTS Exemption from the DOD or from a prime customer? Any difference in the process between the two?
[Kyle] The process is going to be similar. Although it really depends on how much the prime customers – your prime contractors – have been trained in evaluating commercially off the shelf or commercial items. What they will do is they are going to evaluate to see if your product is a commercial item first. If you pass the first stage, they will evaluate to see if you are meeting all the requirements as COTS. So, there’s a two-step process. You want to make sure you get all the docs in order and provide them with all the information they need to make a determination for these two processes.
Don’t waste time and money on a failed Commercial Off The Shelf COTS Exemption bid
[Kelly] I see yeah. So, there are some steps to go through. I think you brought up a really important point that you know if you self-determine that you are COTS and it turns out later that the finding is that no, you’re not COTS, because there are certain modifications that have been made to this particular product that you’re providing, then it really can be a huge setback for people.
As you pointed out, it’s prudent to go through the process of self-determination. Or go to a third-party vendor to help you determine if there’s any question there. Because the risk in the long run is not really worth it. It costs you time and money in order to make this determination. So, you know, just know that folks like KLC Consulting are here to help with that. And really, I think this has been very helpful to understand what COTS is. All the nuances behind it and the process behind it. And also not to be freaked out if you’ve received this letter. Because everybody gets that letter, you know. Just know that if there’s any question about whether you’re COTS or not, there are options for you to pursue to make that determination.
DoD’s Commercial Item Group
[Kyle] Yep, I just want to add that within the DOD they do have a group called the Commercial Item Group. They do the review for the commercial item determination and COTS determination. The prime customers have their own process. If you are a subcontractor, you deal with your prime customers. And if you are a prime, you deal with the DOD. If you are a subcontractor, it will be difficult for you to talk to the DOD directly.
What if you’re not a COTS vendor?
[Kelly] Okay, great, right. So, Kyle, what happens if it’s a “no”? If you’re not meeting the requirements for COTS? What happens then?
[Kyle] Yeah, obviously you want to try to see if it is COTS. But if you are not COTS that means you still have to comply with DFARS 7012, 7019, 7020, and CMMC. You have to follow DOD cybersecurity requirements. You will have to follow that process. And if you are not COTS you want to start preparing for DFARS 7012 as soon as possible, if you are not complying yet.
DFARS 252.204-7012 is a regulation that has already been put in most, if not all of the DOD contracts right now as of today. If you’re talking about DFARS -7020 that’s when you have to generate the score based on the DOD assessment methodology. And you have to submit to the SPRS system. That requirement is most likely in the new contracts that you are seeing today. CMMC is in the future most likely July 2023. That’s when they are going to finalize it, that’s the expected date they’re going to finalize.
Start as early as possible because if you are not complying, that means you are already in violation of some of these clauses. At KLC Consulting we can help you put together the required documentation and go through the gap assessment to help you define your scope. The scope and boundary for CUI, the controlled unclassified information, and put together the system security plan for you.
As we identify the gaps, we will put them into a plan of action and milestones, a POAM, with documentation. So, we’ll help you put this documentation together so you will be able to submit the score. We’ll help you generate the score and submit to SPRS. You will be in compliance with DFARS 7012 and 7020. And then we will help you prioritize the gaps. Because you don’t have unlimited resources. So, we’ll help you prioritize these gaps so you can work on them and put down some realistic dates. You can tell the DOD when you’re going to complete all 110 controls, all the practices you have to do. We’ll help you go through this process along the way. But you want to start as early as possible. We’re here to help.
How long does compliance take?
[Kelly] Thanks for that. And how long does this take? How long would this process take if somebody were to find out that – no, they’re not COTS and not compliant. So, now they have to go through this whole process?
[Kyle] The time frame really depends on your availability, your resources, your budget. And also, the complexity of your system, how many sites that you have – physical sites, how many CAGE codes that you have. We’ll see most of the companies that we deal with will start with 12 months. Give them enough time so they can plan it out. Don’t cram everything into a short period of time because it can get everybody stressed. We want to plan something that is realistic as well. If this is a thing that you cannot do yourself and you want to outsource, you want to have a budget. You know, plan for that as well. So, I think we usually start with 12 months. It’s all going to be on a case-by-case basis. It depends on all the different variables.
How is the work performed?
[Kelly] Sure, and then how is it done? Does KLC Consulting actually go into the client’s workspace? Can you do this virtually? How does that work?
[Kyle] Yeah, we usually do this virtually. So, we don’t need to be on the client’s site, their physical site. If a client wants to have us look at their physical security, then we can go on site. But most of the work is going to be done virtually. So, we’ll conduct a few Zoom calls to go through an interview. We can walk through the scope to identify the CUI data lifecycle. The input, storage, usage of CUI, the sharing, archiving, backup, and the disposal of CUI. The entire life cycle. We define the scope. And then, based on the scope, we define the boundary. Then focus on the systems that are in scope. Go through the 110 controls.
Critical importance of CUI scoping
Identify the gaps. Do a gap assessment. Document the SSP during the gap assessment and make recommendations. So, that’s typically how we work. And initially it’s very important to get the scope in place because a lot of the time people overlook the importance of having the scope. So, we will help you identify the systems, software, hardware, the applications, and even the people and departments that touch CUI. The people, the staff, the roles that touch CUI. So, we will help you determine what your actual scope is and will only focus on the scope we define. You don’t have to define your scope as the entire company because your financial, your accounting system may not have CUI. So, we don’t have to worry about that, so we want to limit the scope to only the systems, applications, and people that touch CUI.
Plan on a year for POAM remediation
[Kelly] I can see why this would take about 12 months because even though it’s very focused in scope, it’s also very comprehensive. And you just talked about so many subcategories that are involved in this. I can see why it does take time and you want to do it so that you’re not overwhelmed. But you want to take the time to make sure that you go layer by layer to get it right.
[Kyle] Yep absolutely. So, definitely want to pace yourself but we will get there.
[Kelly] Well, Kyle, thank you very much. Is there anything else that you wanted to add that we haven’t covered today involving COTS? Or anything else?
[Kyle] No, I think that pretty much covers it. Start as early as possible; try to get COTS if you think you’re a COTS vendor. But if you are not a COTS vendor, start the cybersecurity compliance process as soon as possible. And we’re here to help. So, let us know.
[Kelly] Excellent, thank you so much, Kyle.
[Kyle] All right thank you very much Kelly.
[Kelly] Thank you we’ll see you soon.
[Kyle] All right take care, thank you, bye-bye.