The US Department of Defense has repeatedly stated that organizations which supply commercial off the shelf (“COTS”) products will not be required to obtain CMMC certifications for their environments. In fact, the Interim Rule states:

DoD is implementing a phased rollout of CMMC. Until September 30, 2025, the clause at 252.204-7021, Cybersecurity Maturity Model Certification Requirements, is prescribed for use in solicitations and contracts, including solicitations and contracts using FAR part 12 procedures for the acquisition of commercial items, excluding acquisitions exclusively for COTS items, if the requirement document or statement of work requires a contractor to have a specific CMMC level. In order to implement the phased rollout of CMMC, inclusion of a CMMC requirement in a solicitation during this time period must be approved by the Office of the Under Secretary of Defense for Acquisition and Sustainment.

CMMC will apply to all DoD solicitations and contracts, including those for the acquisition of commercial items (except those exclusively COTS items) valued at greater than the micro-purchase threshold, starting on or after October 1, 2025. Contracting officers will not make award, or exercise an option on a contract, if the offeror or contractor does not have current (i.e. not older than three years) certification for the required CMMC level. Furthermore, CMMC certification requirements are required to be flowed down to subcontractors at all tiers, based on the sensitivity of the unclassified information flowed down to each subcontractor.

Yet for some reason, certain consultants and tools vendors are out there insisting that even COTS vendors must become CMMC certified. Please be careful and stay informed.