CMMC won’t apply to commercial-off-the-shelf suppliers, DOD website shows

DOD officials have long said every single defense contractor will need CMMC certification, but new info says otherwise.
Photo: Chief Personnel Specialist Jose Quintero prepares food for a Super Bowl party in the mess deck of Ticonderoga-class guided-missile cruiser USS Lake Champlain (CG 57) on Feb. 5, 2017. (U.S. Navy / Mass Communication Specialist 2nd Class Nathan K. Serpico)

The Cybersecurity Maturity Model Certification (CMMC) will not apply to Department of Defense suppliers that only provide commercial-off-the-shelf products, a recent change to the DOD’s website shows.

The change comes after months of DOD and CMMC officials saying that every single contractor and subcontractor must be certified by a third-party assessor under the new cybersecurity program to continue doing business with the military. The change was made sometime between March 19 and April 11, according to archived versions of the Office of the Under Secretary of Defense for Acquisition and Sustainment’s official website for the CMMC. The previous version of the website’s FAQ page stated that all contractors needed CMMC certification, even those that did not handle controlled unclassified information.

The new text on the FAQ section states: “Companies that solely produce Commercial-Off-The-Shelf (COTS) products do not require a CMMC certification.”

The new information is a departure from prior public comments but doesn’t represent a substantial change to CMMC policy and mostly deals with the details of defense acquisition regulation.


“It was a clarification based on the existing rule,” Katie Arrington, CISO for acquisition and sustainment and the leading force behind CMMC, told FedScoop in an email.

An article posted by the law firm Morrison and Foerster cautioned against assuming this new information will apply to many contractors.

“Companies should be careful not to assume they or their subcontractors will fall within this narrow exception,” according to the article, which first flagged the change. FedScoop confirmed the change by using the Wayback Machine to access archived versions of the CMMC FAQ page.

The Morrison and Foerster article used chicken suppliers or fuel producers as examples of potentially CMMC-exempt contractors.

CMMC is designed only to certify that contractors have the cybersecurity practices in place to handle controlled unclassified information; it does not certify the products themselves.


This is a developing story and will be updated as more information becomes available.
