COTS Exemption · FAR 2.101 · DFARS 252.204-7021

The COTS Trap in CMMC

"Commercial" Does Not Mean Exempt

One of the most persistent myths in the defense supply chain: "We use commercial applications, so we're exempt from CMMC." It sounds reasonable. It is wrong — and misreading this line is one of the most consequential scoping errors a contractor can make.

A COTS (Commercially Available Off-the-Shelf) item for CMMC is a commercial product sold in substantial quantities in the commercial marketplace and offered to the government without modification, as defined in FAR 2.101. The CMMC COTS exemption is real, but it is narrow and legally specific. Under DFARS 252.204-7021 and 32 CFR Part 170, the CMMC flowdown applies to commercial products and commercial services, but it explicitly excludes true COTS items. The legal threshold from FAR 2.101 determines whether a subcontractor needs to satisfy NIST SP 800-171 controls, and "without modification" is not a guideline. It is the bright line.

What is the COTS exemption for CMMC?

Under FAR 2.101, a commercially available off-the-shelf item must be:

  • Sold in substantial quantities in the commercial marketplace, and
  • Offered to the government without modification, in the same form in which it is sold in the commercial marketplace.

All conditions must be satisfied simultaneously. Think literally: a COTS item is something you could walk into Best Buy, purchase today, and hand directly to the government without changing a single component, specification, or line of code.

COTS is a legal term of art — not a synonym for "commercial," "off-the-shelf," or "commercially available." All conditions must be met. One modification strips the status entirely.

Where does DFARS 252.204-7021 exclude COTS items from CMMC?

DFARS 252.204-7021(f) requires prime contractors to insert the CMMC clause in subcontracts "including those for the acquisition of commercial products and commercial services, excluding commercially available off-the-shelf items, if the subcontract will contain a requirement to process, store, or transmit FCI or CUI."

Two conditions must both be met for the exemption to hold: the subcontract must be solely for a true COTS item as defined in FAR 2.101, and the subcontractor must not process, store, or transmit FCI or CUI. If either condition fails, the full flowdown applies.

Critically: services are never COTS. The COTS exclusion applies only to items — not to services. A SaaS subscription, a managed service provider, or a cloud hosting arrangement is a commercial service and receives no COTS exemption if FCI or CUI is involved.

When does modifying a commercial product void the COTS exemption?

Pure COTS path (✓):
  • Standard commercial product: sold to the general public, identical specification.
  • Offered to DoD without modification: same form as in the commercial marketplace.
  • Result: COTS exempt. No CUI generated. No flowdown required.

Derivative product path (✗):
  • Standard commercial product: sold to the general public, identical specification.
  • Modified to DoD specifications: custom tolerances, classified drawings, special firmware.
  • Result: generates CUI. CMMC Level 2 required. Full flowdown applies.

Table: COTS exemption path vs derivative product path under DFARS 252.204-7021; any modification strips COTS status.

The modification test is binary. The moment a commercial product is altered to meet DoD specifications, regardless of how minor the change appears, the product and all associated technical data lose COTS status.

Two fastener scenarios from CMMC assessor training illustrate exactly how thin this line is. Company A sells standard bolts to hardware stores and hands the identical bolt to DoD — pure COTS, exempt. Company B takes that bolt and machines it to custom tolerances specified in an F-35 technical drawing. The drawing is CUI. The product is no longer COTS. Company B now needs CMMC Level 2 and a C3PAO assessment.

The physical product may look nearly identical. The legal status could not be more different.

Is COTS software out of scope for CMMC if the environment handles CUI?

Figure: COTS application vs processing environment scope. The application is exempt, but the endpoint and storage environment remain fully in scope for CMMC assessment.
  • COTS application (e.g., Microsoft Word): out of scope for the CMMC assessment. The application itself is exempt as a COTS item.
  • Data flows from the application into the storage and processing environments.
  • Processing and storage environment: fully in scope for CMMC.
  • Physical laptop (endpoint hardware): fully assessed. All CMMC controls apply to the device.
  • Cloud / file server (document storage): fully assessed. FedRAMP Moderate/High required for CUI.

The exemption follows the application, not the data. Word is out of scope. The laptop Word runs on and the server where the document is saved are fully in scope and must satisfy every applicable CMMC control.

A SaaS platform that receives CUI is a different matter entirely. SaaS is a commercial service, not a COTS item. Upload CUI into a cloud platform and that environment must meet FedRAMP Moderate or High authorization — and enters your assessment scope. The commercial nature of the subscription creates no exemption.

How do you determine if a product qualifies as COTS for CMMC?

Step 1: Is it sold to the general public in the exact same form?
  • Yes: proceed to Step 2.
  • No: not COTS. Custom-built or government-unique, fully in scope.

Step 2: Has the product been modified in any way to meet DoD specifications?
  • Yes: not COTS. Any modification makes it a derivative product, which likely generates CUI. In scope.
  • No: proceed to Step 3.

Step 3: If software or SaaS, does the environment store, process, or transmit FCI or CUI?
  • Yes: the application may be COTS, but the hosting environment is in scope for CMMC.
  • No: pure COTS item. Exempt from CMMC flowdown under DFARS 252.204-7021.

Figure: Three-step decision tree for determining COTS exemption status under CMMC: commercial sale, modification test, and CUI data flow check.

The Bottom Line

For every product or service in your supply chain, apply the three-step test: (1) verify it is sold to the general public in identical form, (2) confirm zero modifications were made for DoD specifications, and (3) confirm the subcontractor does not process, store, or transmit FCI or CUI. Document your COTS determination for each subcontract in your System Security Plan and scoping documentation. If any test fails, apply the full CMMC flowdown under DFARS 252.204-7021.

Audit every subcontract: list the product or service, apply the FAR 2.101 three-part test, document the COTS determination, and retain the evidence. For any product that fails the test, issue the CMMC flowdown clause. For SaaS and managed services, require FedRAMP Moderate authorization and confirm it in writing.