CMMC for VARs and Resellers: Who Needs It, the COTS Exceptions, and Your Current 2026 Path
By The Defense Compliance Report Editorial Team · Last reviewed July 2026 · Last verified July 17, 2026 · Not affiliated with the Cyber AB, the Department of Defense, DCMA DIBCAC, or NIST.
CMMC for VARs and resellers comes down to what your contract requires and what information touches your systems — not your business model. Three things decide it. Is the contract exclusivelyfor commercially available off-the-shelf (COTS) products, and above the $15,000 micro-purchase threshold? Then CMMC generally doesn’t reach that order — 32 CFR § 170.3(c) excludes it. Does the contract impose a requirement and does FCI touch your covered systems? Level 1 (Self) applies. Does CUI touch your covered systems? Level 2 (Self) is the current minimum.
Here’s the part that gets lost when someone’s trying to sell you compliance: plenty of resellers are being told they need Level 2 when the facts may not support it — and some who assume they’re exempt are quietly wrong. Both mistakes are expensive. This page gives you the test to tell which one you’re at risk of, with the primary source behind every branch, so you stop guessing before you spend six figures.
Your situation at a glance
| Where you sit | Your starting answer |
|---|---|
| You sell standard OEM products as-is, and only ever see public catalog data and payment info | Likely out of scope — document a COTS/no-scope position |
| A CMMC or DFARS clause appears, and FCI lives in your email/CRM/ERP | Level 1 (Self) candidate |
| A clause appears, and you handle CUI (controlled drawings, technical data) | Level 2 (Self) candidate during the current suspension |
| You modify, image, integrate, or build product to a government spec | The COTS analysis changes — level then depends on FCI vs CUI |
| You administer a customer's cloud tenant, or hold their logs/configs/backups | External Service Provider (ESP) scope analysis needed |
| You pass CUI to an OEM or drop-ship partner | Downstream Level 2 (Self) flow-down candidate |
| Your solicitation still says "Level 2 (C3PAO)" or "Level 3" | Confirm the amendment the suspension requires — don't assume it vanished |
Read the rows that sound like you. Every one is explained, and sourced, below.
One honest admission:some reseller transactions genuinely don’t require any CMMC status. If you’re a true “box mover” — unmodified commercial product, no nonpublic government information touching your systems — you may owe nothing for that sale, and we’ll show you why in the COTS section. But don’t confuse “I’m a reseller” with “I’m exempt.” Those are different claims. The reseller who assumes exemption and signs a compliance representation anyway is the one taking on False Claims Actrisk — knowingly false, material cybersecurity representations are exactly what the Department of Justice’s Civil Cyber-Fraud Initiative pursues. The first compliance task isn’t buying a tool. It’s establishing the facts and writing them down.
Does CMMC apply to VARs and resellers?
Sometimes — and the deciding factors are what your contract requires and what information touches your systems, not what you sell. A pure reseller moving standard COTS products as-is, who never handles government information beyond public catalog data and payment fields, generally falls outside CMMC for that order under 32 CFR § 170.3(c). Once the contract imposes a requirement and FCI or CUI enters your covered systems, the rule applies.
Section 170.3(c) applies CMMC to DoD solicitations and contracts where a contractor “will process, store, or transmit FCI or CUI on unclassified contractor information systems, including those for the acquisition of commercial items (except those exclusively for COTS items)valued at greater than the micro-purchase threshold.” The trigger is the informationcrossing your covered systems, gated by the COTS carve-out and the threshold. “VAR,” “reseller,” and “distributor” are business labels, not scope determinations. Not sure what your required level even is? Start with our plain-English CMMC Level 1 vs Level 2 vs Level 3 breakdown.
The reseller applicability matrix
* This column is The Defense Compliance Report’s editorial triage based on the assumptions in each row — not a determination. Current-program note: under the July 13, 2026 suspension, only Level 1 (Self) and Level 2 (Self) can currently be required; Level 2 (C3PAO) and Level 3 requirements are suspended for new designations. Verified against 32 CFR Part 170 and FAR/DFARS on July 17, 2026.
| Reseller operating model | Exclusively COTS? | Touches FCI? | Touches CUI? | Governing authority | Current likely status* | What to verify first |
|---|---|---|---|---|---|---|
| Pure box mover — unmodified OEM product, sees only public catalog + payment data | Yes | No | No | COTS exclusions apply | Likely none | That the order is exclusively COTS and no specs/drawings will be sent |
| Configuring / modifying VAR — images, integrates, or builds to a gov spec | Often no (fact-specific) | Usually | Sometimes | FAR 52.240-93; possibly DFARS 7012 | Level 1 (Self), or Level 2 (Self) if CUI | Whether the config is a gov-unique modification, and whether the tech package is CUI |
| VAR handling controlled tech data — receives CUI drawings, CAD, engineering data | Usually no | Yes | Yes | DFARS 252.204-7012; § 170.23 | Level 2 (Self) minimum | Where CUI lives in your environment; enclave options |
| Cloud / license reseller — customer owns the tenant, you have no admin access | N/A (service) | Sometimes | Possibly | Depends on data you hold | Depends on your systems, not the product | That reselling a compliant cloud ≠ your environment being compliant |
| Reseller who administers the tenant or holds logs/configs/backups | No | Likely | Possibly | § 170.4; § 170.19 (ESP) | ESP in the customer's scope | Whether you hold CUI vs only Security Protection Data |
| Reseller providing managed/professional services touching gov systems or data | No (services) | Likely | Possibly | FAR 52.240-93; DFARS 7012 if CDI | Level 1 or 2 (Self) by data type | Whether your support reaches FCI/CUI systems |
| Distributor passing CUI to an OEM or fulfillment partner | Usually no | Yes | Yes | § 170.23 flow-down | Level 2 (Self) flows downstream | The exact data the prime will send, and to whom |
| Sub-tier supplier to a prime, any of the above | Per scenario | Per scenario | Per scenario | § 170.23 | Flows down per information type | The prime's flow-down language and the data behind it |
Does CMMC apply to reseller orders at or below the micro-purchase threshold?
Generally no — the CMMC exclusion in 32 CFR § 170.3(c) applies to acquisitions at or below the micro-purchase threshold, which is currently $15,000 for most buys. That threshold rose from $10,000 to $15,000 effective October 1, 2025 (FAR 2.101, inflation adjustment at 90 FR 41872). An order at or below $15,000 generally isn’t a vehicle for CMMC obligations even if some covered information touches the transaction.
Don’t over-read this. The $15,000 figure is the generalmicro-purchase threshold — FAR 2.101 sets different figures for certain circumstances. And a low-dollar order doesn’t erase separate obligations that ride on other clauses in the instrument, or your duty to protect any covered information you do receive.
Are COTS resellers exempt from CMMC?
Not automatically — the exemption is narrower than the word “commercial” makes it sound, and it hinges on two separate questions. First, is the item itself COTS under FAR 2.101: a commercial product, sold in substantial quantities in the commercial marketplace, offered to the Government without modification, in the same form it’s sold commercially? Second, is the acquisition exclusively for COTS items? You can fail the exemption on either axis.
When an acquisition is genuinely COTS-only, three separate obligations fall away at once:
- CMMC doesn’t apply — 32 CFR § 170.3(c) excludes contracts “exclusively for COTS items.”
- The basic safeguarding clause — FAR 52.204-21, renumbered to FAR 52.240-93 in the February 2026 overhaul — carries a COTS carve-out at both the prime and subcontract level.
- DFARS 252.204-7012 is not required when the only items procured are COTS.
The two-axis COTS test
Most explainers collapse COTS into a single yes/no. It isn’t. Run both axes:
Axis 1 — Is the item still COTS?A COTS item must be offered “without modification, in the same form in which it is sold in the commercial marketplace.” A government-unique modification— changing the product to meet a Government spec — takes it out of the COTS definition. Routine commercial setup that’s typically available in the marketplace may not be a disqualifier; that’s a fact question.
Axis 2 — Is the acquisition exclusively for COTS items? Even if the underlying product stays COTS, separately purchasedconfiguration, integration, imaging, kitting, installation, or support can mean the acquisition isn’t exclusively for COTS items. Read the line items and the statement of work, not just the part number.
Is my situation COTS-only?
| Fact | Supports COTS-only | Cuts against it |
|---|---|---|
| Standard commercial SKU, sold widely in the marketplace | ✅ | Product sold only to government/niche buyers |
| Supplied without modification | ✅ | A government-unique modification to meet a spec |
| No separately purchased services | ✅ | Integration, installation, engineering, administration as line items |
| You see only public + simple payment data | ✅ | Any nonpublic performance or technical data |
| Instrument expressly identifies a COTS-only procurement | Strong support | Mixed product-and-service line items |
If you land on the COTS-only side, don’t just believe it — document it.Keep the manufacturer catalog and evidence of commercial sales, a statement that the item ships without modification, your line-item analysis, a short data-flow note showing no covered information enters your systems, and the full instrument. A documented COTS position is a defensible answer to a prime’s questionnaire. An undocumented assumption is a liability.
One more trap: COTS-only doesn’t mean data-free.If a buyer hands you covered information — a controlled drawing, a marked spec, nonpublic performance data — to perform the order, that’s a signal the work may not be exclusively COTS, or that a separate clause like DFARS 252.204-7012 attaches on its own terms.
Which CMMC level does a VAR or reseller need right now?
Where a CMMC requirement applies, the information you handle sets the level: FCI maps to Level 1 (Self); CUI maps to Level 2 (Self) at minimum. FCI in your covered systems puts you in Level 1 territory — the 15 basic safeguarding requirements, self-assessed annually (32 CFR § 170.23). CUI puts you at Level 2 minimum — the 110 requirements of NIST SP 800-171 Revision 2 across 14 control families.
Level 1 (Self) — for FCI. Fifteen basic safeguarding requirements, originally at FAR 52.204-21(b)(1) and now carried in FAR 52.240-93 after the 2026 renumbering. You self-assess annually, an affirming official affirms it, and you post it in SPRS. There’s no Plan of Action and Milestones (POA&M) at Level 1 — it’s pass or fix. For the full control-by-control walkthrough, see our FCI basic safeguarding guide.
Level 2 (Self) — for CUI. The full 110 requirements of NIST SP 800-171 Revision 2, in 14 families. You self-assess every three years, affirm annually in SPRS, and need a minimum assessment score of 88 out of a possible 110to be award-eligible with a limited POA&M. POA&M items must be closed within 180 days, and not every requirement is POA&M-eligible. CMMC Level 2 is assessed against NIST SP 800-171 Revision 2, not Revision 3. If a vendor is building your program to Revision 3, make sure it’s also closing every gap against the Revision 2 baseline the rule actually requires.
| Your information, where a requirement applies | Current CMMC path | Assessment frequency | Affirmation |
|---|---|---|---|
| FCI, Level 1 required | Level 1 (Self) | Annual | After assessment / annual |
| CUI, Level 2 applies | Level 2 (Self) during the suspension | Every 3 years | Annual |
| New Level 2 (C3PAO) designation | Paused — not currently designable in new procurements | — | — |
| New Level 3 designation | Paused — not currently designable in new procurements | — | — |
Are purchase orders, quotes, BOMs, and drawings FCI or CUI?
A document’s filename or purpose doesn’t set its status — the information does. Public information and simple transactional data fall outside FCI. Nonpublic information provided by or generated for the Government under a contract is FCI. Controlled technical or other protected information can be CUI when a law, regulation, or Government-wide policy requires safeguarding. For a reseller, the same quote can be nothing, FCI, or CUI depending on what’s inside it.
Usually outside FCI: public catalog descriptions, published solicitation material, public price lists, and the payment-processing fields needed to get paid. The FCI definition expressly excludes information the Government has already made public and simple transactional information such as that used to process payments.
Likely FCI (review it):a nonpublic purchase order, a nonpublic statement of work, delivery schedules tied to a contract, nonpublic customer requirements, internal contract-status detail. Don’t reflexively tag every nonpublic record tied to a government customer as FCI; test it against the definition and the actual contract.
Potentially CUI (check the source and authority): controlled technical information, technical drawings, government-unique configurations, engineering data, and information-system vulnerability data. A big one for resellers: export-controlled technical data.“Export Controlled” is a formal CUI category (NARA CUI Registry), so export-controlled technical data on a DoD contract typically means CUI, and Level 2 should be on your radar. A CUI marking is strong evidence; a missing or wrong marking doesn’t automatically resolve the underlying contractual responsibility.
Questions to send your prime in writing
- Exactly what data will be provided to us to perform this order?
- Is it FCI, CUI, public information, or simple transactional information?
- If CUI, which category and safeguarding authority apply?
- Does that information have to enter our systems, or can it go directly from you (or the Government) to the OEM?
- Which of our systems are expected to carry the required CMMC status?
- Will the instrument be amended to reflect the intended scope?
| Reseller artifact | Starting treatment | What changes the answer | Who can clarify |
|---|---|---|---|
| Public catalog / SKU | Usually public | Nonpublic mission context | Contracting officer / prime |
| Payment fields | Often simple transactional | Bundled nonpublic performance/funding detail | Prime / contracts |
| Purchase order | Fact-specific | Public vs nonpublic performance content | Prime / contracting officer |
| Quote | Fact-specific | Embedded technical requirements or mission config | Prime / contracting officer |
| Bill of materials (BOM) | Fact-specific | Government-unique or controlled technical content | Prime / data owner |
| Drawing | Potentially CUI | Source, marking, category, authority, contract | Data owner / contracting officer |
| Configuration file | Potentially CUI / Security Protection Data | Whether it describes protected systems or deliverables | Security lead / prime |
| Logs, vulnerability data | Potential Security Protection Data / CUI scope | System relationship and contractual purpose | Security lead / contracting officer |
This is triage to help you ask the right question — not a classification of your documents.
Not sure what actually crosses your systems? See what a Level 2 path really involves — or, if you’re likely FCI-only, start with our FCI basic safeguarding guide. Map the data first; buy the environment second.
When does reselling cloud or managing a tenant put you in CMMC scope?
Reselling a cloud license does not, by itself, make you a Cloud Service Provider or drag you into a customer’s assessment. Handling their protected data does. Under the CMMC rule (32 CFR § 170.4 and § 170.19), you become an External Service Provider (ESP) when you process, store, or transmit FCI, CUI, or Security Protection Data (SPD)— logs, configurations, security telemetry — in providing IT or cybersecurity services.
1. License-only resale.The customer owns the tenant subscription. You hold no standing administrator account, receive no customer data, and route support to the OEM or CSP. In that posture, reselling the license doesn’t make you an ESP or a CSP.
2. SPD-only administration or security services.The moment you administer the environment, run the SIEM, or manage endpoints, you’re processing that customer’s Security Protection Data. What triggers scope isn’t the job title; it’s that your service handles that protected data. Your relevant assets are assessed as Security Protection Assetsinside the customer’s assessment. You do not need your own separate CMMC certification for this.
3. Non-CSP ESP that handles CUI.Even if your service processes, stores, or transmits CUI, and you’re nota CSP, you still don’t automatically need your own separate CMMC certification. Under 32 CFR § 170.17, a customer may use a non-CSP ESP that processes, stores, or transmits CUI as long as the arrangement is documented in the customer’s SSP and the ESP’s services are assessed within the customer’s assessment. You may electyour own CMMC assessment to avoid being re-scoped for every client, but the rule doesn’t force it.
4. You become the CSP. If you contract for and modify the underlying cloud service, or stand up your own cloud offering that handles CUI, you can land in the CSP category. A CSP that processes, stores, or transmits CUI must be FedRAMP Moderate authorized, or meet the DoD’s FedRAMP Moderate equivalency requirements, per DFARS 252.204-7012. Reselling Microsoft GCC High or another compliant cloud does not, on its own, make your environment compliant.
| Your role | Likely treatment | Own certification? | Main evidence to keep |
|---|---|---|---|
| License seller only, no access | Not an ESP/CSP | No | Tenant ownership + no-access record |
| SPD-only admin / security services | ESP → Security Protection Assets in customer's scope | No | Privileged roles + responsibility matrix |
| Non-CSP ESP that handles CUI | CUI Assets assessed within customer's scope | Not required (may elect) | SSP entry, service description, customer responsibility matrix |
| You contract for and modify the cloud service, handling CUI | CSP | FedRAMP Moderate (authorized or DoD equivalency) | CSP contracts + service architecture + authorization/equivalency evidence |
How does CMMC flow down from a prime to a reseller, distributor, or OEM?
Flow-down follows the information, not the tier or the label. Under 32 CFR § 170.23, CMMC requirements flow to subcontractors at every tier that will process, store, or transmit FCI or CUI in performance — FCI-only subs to Level 1 (Self), CUI subs to Level 2 (Self) minimum. The rule does not require flowing CMMC down to a supplier that receives neither FCI nor CUI from the prime.
Prime → VAR. Does the prime send you only a public product request, or nonpublic order and performance data, or an actual controlled drawing? Each answer is a different level.
VAR → OEM or distributor. Before you forward anything, ask: does the OEM actually need the covered data, or can the Government or prime send it directly? Can the OEM work from public product specs alone? A distributor moving SKU, quantity, and shipping data is in a very different position from one receiving a controlled technical package.
Drop-ship.Physical possession of the product doesn’t answer the information question. A drop-ship partner that never sees nonpublic order or technical data may be outside flow-down entirely; one receiving a controlled drawing or nonpublic BOM is not.
Whatever you conclude, keep the record: the information categories, the required level, the systems involved, the clause text, the COTS determination, any amendment, and the supplier’s acknowledgment. See our CMMC Flowdown Letter Template for the mechanics of how flowdowns are written and communicated.
What changed in 2026: the clause renumbering and the Phase II suspension
Two 2026 events reshaped what resellers see in their contracts. First, a February 1, 2026 class deviation moved several cybersecurity clauses for affected acquisitions. Second, on July 13, 2026, the Department suspended CMMC Phase II. Neither rolled back your underlying obligations — but both change the words on your paperwork.
The clause changes (Class Deviation 2026-O0025, effective February 1, 2026)
- FAR 52.204-21 → FAR 52.240-93. Same 15 basic safeguarding requirements for FCI. The requirements are retained; the number and location moved.
- DFARS 252.204-7019— the notice provision requiring a current NIST SP 800-171 DoD assessment for award eligibility — is omitted from the deviation-era Part 240 for affected acquisitions. It still exists in the codified DFARS and may appear in existing instruments.
- DFARS 252.204-7020 → DFARS 252.240-7997for affected acquisitions — not a clean one-for-one renumber. The deviation-era clause reframes around Medium and High government-performed assessments and drops the standalone “Basic” self-assessment track.
- Unchanged by number: DFARS 252.204-7012, 252.204-7021 (CMMC), and 252.204-7025. The COTS exclusion carries through the deviation.
Because this is a class deviation ahead of formal rulemaking, the codified regulations still list the legacy numbers — so you’ll see both old and new numbers depending on when your contract was issued.Seeing “FAR 52.240-93” instead of “52.204-21” doesn’t mean a new obligation appeared. We keep a fuller, dated crosswalk on our CMMC Final Rule breakdown if you need to reconcile a specific instrument.
The Phase II suspension (July 13, 2026)
The Department suspended the Phase II transition — the phase that would have required third-party (C3PAO) assessments starting November 10, 2026 — and launched a 60-day review. During the pause, contracting officers may designate only Level 1 (Self) or Level 2 (Self). What remains in force:
- Level 1 (Self) and Level 2 (Self) where required, with annual affirmations and SPRS posting
- NIST SP 800-171 Revision 2 as the Level 2 baseline
- DFARS 252.204-7012 and its 72-hour cyber-incident reporting
- False Claims Act risk for knowingly misrepresenting your compliance
| Question | Before July 13 | Current answer |
|---|---|---|
| Phase II C3PAO transition on Nov 10, 2026? | Scheduled | Suspended |
| New Level 2 (C3PAO) requirement? | Expanding | Not currently designable |
| New Level 3 requirement? | Future phase | Not currently designable |
| Level 1 (Self) / Level 2 (Self) | In effect | Remain in effect |
| DFARS 252.204-7012 | Applies where included | Remains |
| Existing L2 (C3PAO) / L3 contract language | Could remain | Formal amendment/modification process applies |
We track the suspension and the 60-day review as they develop on our CMMC Phase II status page. If your active solicitation still names Level 2 (C3PAO) or Level 3, look for — or request — the actual amendment or modification in writing before you act on it.
What should a VAR do when a PO or subcontract shows up with CMMC or DFARS language?
Don’t ignore the clause, and don’t accept a blanket level without testing the facts. Save the instrument, map each clause to its function, check the dollar value against the applicable threshold, determine whether the acquisition is exclusively COTS, inventory the information and systems involved, reconcile the 2026 clause numbers and the suspension status, and get written clarification where the clause set conflicts with the transaction. Then do only the assessment the verified requirement actually supports.
- Save the complete instrument — solicitation, contract, subcontract, or PO, plus every attachment, flow-down letter, amendment, and modification.
- List every cyber clause present and match it to its function (use the 2026 crosswalk if the numbers look unfamiliar).
- Check the dollar value against the applicable micro-purchase threshold.
- Test the two COTS axes — item-level and acquisition-level. Separate product line items from services.
- Inventory the information — public, simple transactional, FCI, possible CUI, Security Protection Data.
- Map the systems and providers that touch it — email, CRM, ERP, file transfer, support portals, cloud admin, OEM, distributor, MSP/MSSP.
- Apply the current path: FCI + valid requirement → Level 1 (Self) candidate; CUI + valid requirement → Level 2 (Self) candidate during the suspension; a suspended assessment type still in the instrument → amendment issue; no FCI/CUI downstream → no-flow-down candidate; you administer or protect the environment → ESP analysis.
- Get disputed facts in writing. Contract ambiguity isn’t resolved by a website or a sales call — it’s resolved by your contracting officer, your prime, or counsel.
- Assemble the evidence, then choose a provider category — not before.
Before you answer a prime’s questionnaire, build this file:
- The instrument and all modifications
- Your clause crosswalk
- Your two-axis COTS determination
- Your FCI/CUI inventory and a simple data-flow diagram
- Your system boundary
- Your provider responsibility matrix (who owns which control)
- Any SPRS/assessment/affirmation records
- Written scope clarification from the customer or contracting officer
What does CMMC cost a reseller — and what should you not buy yet?
There’s no honest one-size cost, because validating a COTS/no-scope transaction and operating a Level 2 CUI environment are different projects with different price tags. A straightforward COTS/no-scope analysis might cost only internal time. Level 1 (Self) is usually the lighter lift. Level 2 (Self) is the expensive tier, and its cost is driven far more by scope— how much of your environment touches CUI — than by any vendor’s price list. (For grounded Level 2 ranges built from real market data, see our CMMC Level 2 cost breakdown.)
The scope-reduction lever.For many resellers, the cheapest compliant path isn’t certifying the whole company — it’s keeping CUI in a small, well-defined enclave and keeping the rest of your CRM, ERP, and email out of the boundary. Fewer users and systems in scope means less to secure, less to assess, and less to maintain. This is where a CUI enclave genuinely earns its cost — but only after you’ve confirmed you actually have CUI.
The expensive mistake, stated plainly:a reseller can spend more buying a “CMMC environment” too early than it would have spent establishing whether covered information ever needed to enter its systems in the first place. GCC High purchased because someone said the word “CMMC.” An enclave stood up before anyone confirmed there’s CUI. A C3PAO engagement treated as a substitute for readiness — and, right now, one that can’t even be a required assessment type during the suspension. Confirm scope, reduce scope, then buy the smallest thing that satisfies the verified requirement.
What we actually verified
We don’t ask you to take our word for regulatory facts, so here’s exactly what we checked and when.
What we verified for this page (July 17, 2026):
- 32 CFR § 170.3(c) (applicability, the COTS-only exclusion, the micro-purchase-threshold condition) and § 170.23 (subcontractor flow-down by information type) in the eCFR.
- ESP, CSP, and Security Protection Data treatment — against § 170.17 and § 170.19.
- Current $15,000 micro-purchase threshold from FAR 2.101 and the Federal Register inflation-adjustment rule (effective October 1, 2025).
- February 1, 2026 clause changes against DoD Class Deviation 2026-O0025 and the FAR Overhaul Part 40 deviation guide.
- “Export Controlled” as a CUI category in the NARA CUI Registry.
- July 13, 2026 Phase II suspension against the official Department of Defense release and DoD CIO materials.
What we did not verify:your actual contract, your document’s CUI status, your system architecture, or a universal reseller cost figure. Those depend on facts only you and your contracting chain hold. This page is educational research, not legal, contractual, or compliance advice. Confirm your scope and applicability with a CMMC Registered Practitioner or Registered Provider Organization (RP/RPO) or a qualified federal-contracts attorney. See our methodology, editorial standards, and corrections policy for how we source and update this work.
Frequently asked questions: CMMC for VARs and resellers
- Does reseller status automatically require CMMC?
- No. The actual instrument, whether the acquisition is exclusively COTS, whether it's above the micro-purchase threshold, the information you handle, and the systems it touches decide the path — not the label VAR, reseller, or distributor (32 CFR § 170.3(c)).
- Are all COTS resellers exempt from CMMC?
- No. The exclusions apply to acquisitions exclusively for COTS items, and COTS has a specific FAR 2.101 definition: a commercial product sold in substantial quantities and offered without modification. Both the item and the acquisition have to qualify.
- Does standard commercial configuration count as a COTS modification?
- It's fact-specific. A government-unique modification — changing the product to meet a Government spec — takes it out of the COTS definition. Routine commercial setup that's typically available in the marketplace may not. And separately purchased configuration or services can make the acquisition not-exclusively-COTS even if the underlying product stays COTS.
- Does CMMC apply to orders at or below the micro-purchase threshold?
- Generally no. 32 CFR § 170.3(c) applies CMMC to covered acquisitions above the micro-purchase threshold, currently $15,000 for most buys (FAR 2.101, effective October 1, 2025). Some circumstances carry different thresholds, and other clauses in the instrument can still apply.
- What CMMC level does a reseller need?
- It depends on the information. Under 32 CFR § 170.23, a reseller handling only FCI needs Level 1 (Self); one handling CUI needs Level 2 (Self) at minimum. The contract clause sets the level.
- Can a prime require a reseller to have the prime's CMMC level?
- A prime flows down the level appropriate to the information and systems involved — not automatically its own level. The rule does not require CMMC flow-down to a supplier that receives neither FCI nor CUI from the prime (32 CFR § 170.23).
- Are purchase orders automatically FCI?
- No. It depends on whether the information is nonpublic and provided by or generated for the Government under a contract. Public information and simple transactional (payment) information are excluded from the FCI definition; other order details are fact-specific.
- Are BOMs and drawings automatically CUI?
- No. Source, content, contractual purpose, marking, CUI category, and safeguarding authority all matter. Confirm with the party who can classify it — don't self-classify a customer's document.
- Does drop shipping keep a reseller out of scope?
- Not automatically. A drop-ship partner receiving no FCI or CUI is a different case from one receiving a controlled drawing, nonpublic BOM, or contract-performance data.
- Does a software-license reseller need CMMC?
- License resale alone doesn't answer it. Analyze the two COTS axes, the order information, tenant ownership, your support access, and the instrument.
- Does reselling a cloud tenant make me a Cloud Service Provider?
- Not automatically. An MSP isn't the CSP merely because it resold a tenant licensed to the customer. Contracting for and modifying the underlying cloud service can change that (32 CFR § 170.4).
- Can an MSP or reseller be in CMMC scope without receiving CUI?
- Yes. Handling Security Protection Data — logs, configurations, security telemetry — as an External Service Provider brings your service into the customer's assessment scope as Security Protection Assets, even without CUI (32 CFR § 170.19).
- Do I need my own CMMC certification if I'm an ESP?
- Usually not. A non-CSP ESP is assessed as part of the customer's assessment — even when it processes, stores, or transmits CUI (32 CFR § 170.17). You may elect your own assessment to avoid per-client re-scoping, but the rule doesn't require it. A CSP handling CUI is the exception — it must meet FedRAMP Moderate authorization or the DoD's equivalency requirements.
- Does export-controlled (ITAR/EAR) data mean CMMC Level 2?
- Export-controlled technical data typically qualifies as CUI under the "Export Controlled" category, so on a DoD contract, expect Level 2 to be in play. Confirm the CUI category, authority, and required status for your specific data; ITAR/EAR status by itself doesn't set a given system's CMMC level.
- Why does my 2026 solicitation say FAR 52.240-93 instead of 52.204-21?
- The February 1, 2026 class deviation (2026-O0025) moved it under the new FAR Part 40 for affected acquisitions. The 15 basic safeguarding requirements are unchanged; the number and location moved.
- What is DFARS 252.240-7997?
- For affected deviation-era acquisitions, it carries the Government Medium/High NIST SP 800-171 assessment role (formerly under DFARS 252.204-7020). It drops the "Basic" self-assessment track and carries a solely-COTS exclusion.
- Did the Phase II suspension mean resellers can stop CMMC work?
- No. Phase II and the later milestones are suspended, but Level 1 (Self), Level 2 (Self), NIST SP 800-171 Revision 2, and DFARS 252.204-7012 remain in force where applicable, and False Claims Act risk is unchanged.
- What if my solicitation still requires Level 2 (C3PAO) or Level 3?
- The suspension procedures direct that such requirements be amended, but the announcement doesn't rewrite your contract on its own. Look for — or request — the formal amendment or modification in writing.
- Who should confirm an ambiguous scope decision?
- A CMMC Registered Practitioner or Registered Provider Organization (RP/RPO) can help with technical scoping; contested contractual applicability and any representation you make should be reviewed by a qualified federal-contracts attorney. Note that the firm that helps you get ready generally can't be the one that later runs your certification assessment.
Choose the right CMMC path before you hire
You came here to answer one question — does this apply to us, and what do we do next — and you now have the test, the levels, the clause map, and the current status, all sourced. The last step is the cheapest one to get right and the most expensive to get wrong: pick the right kind of help before you spend.
Disclosure
The Defense Compliance Report is an independent trade publication on CMMC 2.0 and DIB compliance. We may receive compensation for qualified introductions, sponsorships, or partner referrals when disclosed. Compensation does not control our regulatory analysis, provider-category recommendations, or Cyber AB status verification.
Independence
The Defense Compliance Report is not affiliated with the Cyber AB, the Department of Defense, DCMA DIBCAC, NIST, or any U.S. government agency. This page provides educational research, not legal, contractual, or compliance advice. Confirm scope and applicability with a CMMC Registered Practitioner/Registered Provider Organization or a qualified federal-contracts attorney. The contract clause and your CUI handling set your level — not a checklist.