COTS Exemption · FAR 2.101 · DFARS 252.204-7021

The COTS Trap in CMMC

"Commercial" Does Not Mean Exempt

One of the most persistent myths in the defense supply chain: "We use commercial applications, so we're exempt from CMMC." It sounds reasonable. It is wrong — and misreading this line is one of the most consequential scoping errors a contractor can make.

The CMMC COTS exemption is real, but it is narrow and legally specific. Under DFARS 252.204-7021, the CMMC flowdown applies to commercial products and commercial services — but explicitly excludes commercially available off-the-shelf (COTS) items. The legal threshold comes from FAR 2.101, and "without modification" is not a guideline. It is the bright line.

What Is a COTS Item? The FAR 2.101 Definition

Under FAR 2.101, a commercially available off-the-shelf item must be:

  • Sold in substantial quantities in the commercial marketplace, and
  • Offered to the government without modification, in the same form in which it is sold in the commercial marketplace.

All conditions must be satisfied simultaneously. Think literally: a COTS item is something you could walk into Best Buy, purchase today, and hand directly to the government without changing a single component, specification, or line of code.

COTS is a legal term of art — not a synonym for "commercial," "off-the-shelf," or "commercially available." All conditions must be met. One modification strips the status entirely.

Where DFARS 252.204-7021 Excludes COTS Items

DFARS 252.204-7021(f) requires prime contractors to insert the CMMC clause in subcontracts "including those for the acquisition of commercial products and commercial services, excluding commercially available off-the-shelf items, if the subcontract will contain a requirement to process, store, or transmit FCI or CUI."

Two conditions must both be met for the exemption to hold: the subcontract must be solely for a true COTS item as defined in FAR 2.101, and the subcontractor must not process, store, or transmit FCI or CUI. If either condition fails, the full flowdown applies.

Critically: services are never COTS. The COTS exclusion applies only to items — not to services. A SaaS subscription, a managed service provider, or a cloud hosting arrangement is a commercial service and receives no COTS exemption if FCI or CUI is involved.

The Modification Trap: When "Without Modification" Fails

✓ Pure COTS path
  • Standard commercial product: sold to the general public, identical specification.
  • Offered to DoD without modification: same form as the commercial marketplace.
  • Result: COTS exempt. No CUI generated. No flowdown required.

✗ Derivative product path
  • Standard commercial product: sold to the general public, identical specification.
  • Modified to DoD specifications: custom tolerances, classified drawings, special firmware.
  • Result: generates CUI. CMMC Level 2 required. Full flowdown applies.

The modification test is binary. The moment a commercial product is altered to meet DoD specifications — regardless of how minor the change appears — the product and all associated technical data lose COTS status.

Two fastener scenarios from CMMC assessor training illustrate exactly how thin this line is. Company A sells standard bolts to hardware stores and hands the identical bolt to DoD — pure COTS, exempt. Company B takes that bolt and machines it to custom tolerances specified in an F-35 technical drawing. The drawing is CUI. The product is no longer COTS. Company B now needs CMMC Level 2.

The physical product may look nearly identical. The legal status could not be more different.

COTS Software and SaaS: The Application Is Out of Scope. The Environment Is Not.

COTS application (e.g., Microsoft Word): out of scope for CMMC assessment. The application itself is exempt as a COTS item.

Data flows from the application into storage and processing environments, and those environments are fully in scope for CMMC:
  • Physical laptop (endpoint hardware): fully assessed. All CMMC controls apply to the device.
  • Cloud / file server (document storage): fully assessed. FedRAMP Moderate/High required for CUI.

The exemption follows the application — not the data. Word is out of scope. The laptop Word runs on and the server where the document is saved are fully in scope and must satisfy every applicable CMMC control.

A SaaS platform that receives CUI is a different matter entirely. SaaS is a commercial service, not a COTS item. Upload CUI into a cloud platform and that environment must meet FedRAMP Moderate or High authorization — and enters your assessment scope. The commercial nature of the subscription creates no exemption.

Decision Tree: Is This COTS for CMMC Purposes?

Step 1: Is it sold to the general public in the exact same form?
  • YES: proceed to Step 2.
  • NO: NOT COTS. Custom-built or government-unique; fully in scope.

Step 2: Has the product been modified in any way to meet DoD specifications?
  • YES: NOT COTS. Any modification = derivative product. Likely generates CUI. In scope.
  • NO: proceed to Step 3.

Step 3: If software/SaaS, does the environment store, process, or transmit FCI or CUI?
  • YES: the app may be COTS, but the hosting environment is IN SCOPE for CMMC.
  • NO: pure COTS item. Exempt from CMMC flowdown under DFARS 252.204-7021.

The Bottom Line

The CMMC COTS exemption is meaningful — the DoD is not requiring certification from suppliers of standard letterhead and pencils. But the threshold is strict: no modification, no FCI/CUI flow, and supply in the same form as sold to the public. One modification, one CUI data flow, or any service engagement — and the exemption does not apply.

In CMMC, "commercial" is a category. "COTS" is a legal status. They are not the same word. Treating them as interchangeable is one of the most common — and most consequential — scoping errors in the defense supply chain.