As we come to the end of Cybersecurity Awareness Month, I wanted to call attention to the impending Cybersecurity Maturity Model Certification (CMMC) requirements and what the potential implications are for commercial off-the-shelf (COTS) software companies.

So what is the purpose of CMMC? The Department of Defense (and potentially other agencies) “will be using the CMMC framework to assess and enhance the cybersecurity posture of the Defense Industrial Base (DIB). The CMMC is intended to serve as a verification mechanism to ensure appropriate levels of cybersecurity practices and processes are in place to ensure basic cyber hygiene as well as protect controlled unclassified information (CUI) that resides on the Department’s industry partners’ networks.”

Does a COTS company have to get a CMMC certification? According to the FAQs on the official DoD CMMC website, “Companies that solely produce Commercial-Off-The-Shelf (COTS) products do not require a CMMC certification.” However, the FAQ also says that if a company “possesses Federal Contract Information (FCI), it is required to meet FAR Clause 52.204-21 and must be certified at a minimum of CMMC Level 1.”

Figure: Image Source: CMMC Public Briefing

CMMC Level 1 consists of 17 practices and covers every practice in FAR Clause 52.204-21. Level 1 is all about ‘Basic Cyber Hygiene’ and is focused on making sure the 17 practices are being performed in at least an ad-hoc manner.

What does this mean for COTS software companies? I would encourage software companies not to make any assumptions on whether or not this ‘exception’ applies to them. Each company will have to decide whether it will process Federal Contract Information (FCI) in the course of business and make a determination based on its own unique situation. If your organization is looking for ways to avoid maintaining FCI or is unsure how to proceed, feel free to drop us a note and we can walk you through a couple of options to keep you on track for selling to the agencies that require CMMC.