From Our Client Files:
Our client sought to “do the right thing” and honor their requirements, but they were anxious about the cost of a CMMC program. They assumed that CMMC was required because they received these letters.
Is CMMC 2.0 mandatory for COTS Items?
If a Defense Industrial Base (DIB) company only sells COTS products to the DoD, CMMC 2.0 is not required! A few simple examples of COTS include standard hardware and software items widely available in the marketplace. But in practice, the determination about whether a product is COTS or made using CUI is nuanced. If the product qualifies as COTS, it’s exempt from CMMC and its cost of compliance.
As we reviewed their product configurations, it became clear that the DoD purchases their products with the same product configuration options as non-DoD customers!
We helped them document their case. They saved a six-figure CMMC 2.0 Level 2 compliance program cost by seeking a COTS exemption from their prime customer.
We demonstrated their products meet the requisite definitions
We helped them prepare a COTS commercial item determination and assertion to submit to their prime contractor to show their products meet the definitions under applicable FAR and DFARS regulations.
And built a case file to support a COTS claim
We made it easy for the prime customer’s contract officer to allow a COTS exemption. The prime customer has the final say, so we needed to build a clear and detailed case file to support their COTS exemption claim. We helped specify the product line’s functionality and how it helps their commercial customers in the same way it helps the prime customer. It was also crucial to demonstrate that their DoD sales involve product configuration choices rather than custom DoD specifications and tolerances. In this case, we also showed that competitor sales of similar products are commonplace in the commercial market.
We saved our client over $150,000 through our COTS Exemption Consulting Service by determining their products qualify. They weren’t required to pursue a CMMC 2.0 Level 2 compliance program.
If you believe your products are Commercial Off The Shelf (COTS) and they meet the requirements, we can help you prove it.