20 Ways to Test if You Are a COTS Company under DFARS

By Carl Herberger • August 9, 2022

Working with the government can present many challenges. One of the determinations you will need to make prior to engaging with the Department of Defense (DoD), is if your company supplies commercial off the shelf (COTS) products or not. This vital piece of information will dictate which cybersecurity measures you need to enact before you take your first order.

 

When it comes to DFARS compliance, you might supply a COTS product or service when you have:

  1. Commercial business – Your products are sold to non-government customers at scale. For example, more than 50% of your revenues are generated from commercial customers for the same product or service sold to the government.
  2. Commercial marketplace presence – Your product or service has established marketplace pricing. This could mean it is sold through commercial marketplaces or VARs without required manufacturer or vendor consent. Examples of this are reselling catalogs or public-cloud marketplaces.
  3. Numerous competitors – It is likely you have a COTS product or service if there are numerous competing solutions from which to choose.
  4. Little marketplace differentiation – The more your product or service has little uniqueness or bespoke capabilities the more likely it is COTS.
  5. Little to no research or development – When you generate no patents and don’t perform R&D, and your product or service reflects little input from research or innovation, it is likely a COTS item.
  6. Thousands of customers for the same product or service – Large amounts of like-customers is the very definition of commercially available and off-the-shelf. Sales volume for the same service or product produces a scale which demonstrates high marketplace acceptance and COTS concepts.
  7. Public, XaaS, or non-human interacted credit card transactions – If your product or service is marketed or considered public (such as a public cloud, public stock, or public store), available X-as-a-Service (for instance you provide turnkey services from simple transactions), or you take credit cards for a service whereby no human interaction is required, you are likely a COTS company.
  8. Brand-name recognition – A well-known brand often comes from wide understanding and marketplace acceptance of a product or service which many have come to recognize.
  9. Large revenues or are a public company – The odds are the larger the company and the more publicly available information on the offering, the more likely you have COTS capabilities.
  10. Clear compliance with the government COTS definition – Read the definition here

 

COTS company when you have:

  1. A struggle to comply with the government’s COTS definition referenced above.
  2. Very little commercial business – DoD or government contracting defines your business or a large amount of your business, accounting for more than 25% of your revenues.
  3. Unique solutions – You sell large bespoke, custom, or seriously unique solutions to few customers.
  4. Small or little revenue – Often it is the case that small revenues do not imply widely or commercially available products.
  5. An offering not commercially available via known catalogs, websites, or public marketplaces – If your product must be sold through a salesperson and with negotiations for unique terms and conditions, it is likely not to be considered COTS.
  6. A company that is not well known – A small brand normally means you produce a product or service which is not–or not yet–widely commercially available or off-the-shelf.
  7. No reselling of your service or product – If your product is not able to achieve easy-to-sell status it is likely not COTS.
  8. A large R&D function or numerous patents used in selling your product or service – Often it is the case that highly differentiated solutions are not always COTS.
  9. Requirements that bind you to ITAR or other export-controlled laws – Often it is the case that if you are bound by the U.S. government’s laws on international trade in arms or controlled technologies for export, you are not considered COTS.
  10. Controlled unclassified information (CUI) in your business – Odds are that if you have CUI then you are not a COTS-oriented company.

 

If you have questions about whether or not you provide a COTS offering, we’d be happy to help you make the determination. Contact us to get started.

CyberSheath Blog

CyberSheath Opens Registration For CMMC CON 2022

RESTON, Va. — June 8, 2022 — Federal contractors have been searching for direction after seeing a flood of messaging about the future of Cybersecurity Maturity Model Certification (CMMC). The nation’s largest CMMC conference has returned to help contractors navigate their course through the evolving compliance landscape.   Hosted by…

5 Reasons to Partner with CyberSheath

The threat landscape is only becoming more complex. Offload the responsibility of navigating cybersecurity issues for your customers by taking advantage of CyberSheath’s new Partner Program.   As a pioneer and industry leader in the managed security service provider space, our new offering helps you achieve rapid results and deliver…

CMMC Compliance Training: How to Earn Your Black Belt

Contractors in the Defense Industrial Base (DIB) are looking for direction as Cybersecurity Maturity Model Certification (CMMC) 2.0 nears. Compliance with CMMC and Defense Federal Acquisition Regulation Supplement (DFARS) is your key to doing business with the Department of Defense (DoD) and we can help you navigate those requirements and…

Our Trusted Partners

Tenable Microsoft Siemplify KnowBe4 ConnectWise DUO