The Cybersecurity Maturity Model Certification will not apply to Department of Defense suppliers that only provide commercial-off-the-shelf products, a recent change to DoD’s website shows. “Companies that solely produce Commercial-Off-The-Shelf (COTS) products do not require a CMMC certification,” the site now says. However, attorneys caution against assuming this new information will apply to many contractors. “Companies should be careful not to assume they or their subcontractors will fall within this narrow exception,” Morrison and Foerster attorneys wrote in a recent blog post on the topic. They identified non-IT-focused contractors, such as food and fuel suppliers, as examples of vendors who would be exempt under this clause.
CMMC Won’t Apply to Commercial-Off-The-Shelf Suppliers, DOD Website Shows
