COTS Exemption for a Manufacturer of Metal Alloys
COTS Exemption Case Study #2: A precious metals manufacturer asked us for help with DFARS compliance. They had received letters from 3 of their DoD prime customers about Controlled Unclassified Information (CUI), asking where they were in their compliance program.
Don’t assume that these DFARS cybersecurity requirements apply because you received one of these letters! If you sell COTS products to the DoD or a prime defense contractor, these requirements don’t apply!
Where to begin
First, determine if you handle Controlled Unclassified Information (CUI) in the performance of your DoD contracts.
Is CMMC 2.0 mandatory for COTS items?
Subtle differences can make or break your COTS exemption approval. But CMMC doesn’t apply when products truly qualify as COTS.
Our collaboration revealed uncertainty about how their 3 prime customers use their metal rods. Do they use them as raw materials? Or do they use them “as-is” in a product assembly?
We determined their products meet the definition of a “commercial item”. And we prepared a COTS commercial item “determination and assertion” to submit to their prime customers. The assertion demonstrates their products meet the definitions under applicable regulations.
And built a case file to support their COTS claim
Prime customers have the final say, so we built a clear case file to make their decision simple. In concise language, we described how the products are used the same way by the DoD and commercial customers. A decision often hinges on whether customers make configuration choices versus meeting required specifications and tolerances. And in this case, we also showed that competitor sales of similar products are common in the commercial market.
The End-Result in this COTS Exemption Case Study #2
We saved our client over $150,000 through our Let’s Prove Its COTS service. CMMC requirements don’t apply.