COTS Exemption Case Study #2

COTS Exemption for a Manufacturer of Metal Alloys

COTS Exemption Case Study #2: A precious metals manufacturer asked us for help with DFARS compliance. They received letters from 3 of their DoD prime customers about Controlled Unclassified Information (CUI) and asking where they were at in their compliance program:

Graphic of sample letters received by DIBs (Defense Industrial Base) companies., inquiring about compliance status with DFARS 252.204-7012, DFARS 252.204-7020, FAR 52.204-21, and CMMC. COTS Exemption Case Study #2
Example of DFARS Compliance Status Request Letters

Don’t assume that these DFARS cybersecurity requirements apply because you received one of these letters!  If you sell COTS products to the DoD or a prime defense contractor, these requirements don’t apply!

Where to begin

First, determine if you handle Controlled Unclassified Information (CUI) in the performance of your DoD contracts. 

Is CMMC 2.0 mandatory for COTS items? 

Subtle differences can make or break your COTS exemption approval.  But CMMC doesn’t apply when products truly qualify as COTS.

Our collaborations revealed uncertainty exists in how their 3 prime customers use their metal rods. Do they use them as raw materials? Or do they use them “as-is” in a product assembly? 

The Solution

We determined their products meet the definition of a “commercial item”. And we prepared a COTS commercial item “determination and assertion” to submit to their prime customers. The assertion demonstrates their products meet the definitions under applicable regulations.

And built a case file to support their COTS claim

Prime customers have the final say, so we built a clear case file to make their decision simple.  We described how the products are used the same way by the DoD and commercial customers in concise language.  A decision often hinges on whether customers make configuration choices versus meeting required specifications and tolerances. And in this case, we also showed that competitor sales of similar products are common in the commercial market.

The End-Result in this COTS Exemption Case Study #2

We saved our client over $150,000 through our Let’s Prove Its COTS service.  CMMC requirements don’t apply.

KLC Consulting YouTube channel for more information about COTS Exemptions, NIST 800-171 and CMMC
KLC Consulting LinkedIn page for more information about COTS Exemptions, NIST 800-171 and CMMC

Check out our YouTube channel and LinkedIn pages for the latest information and educational resources for Cybersecurity Maturity Model Certification.

Let’s Talk About Your COTS Exemption!

We meet you where you’re at and provide flexible and affordable CMMC compliance solutions

Scroll to Top