New cybersecurity regulations for the U.S. defense sector are prompting a number of small suppliers to reassess their participation in military contracts, industry insiders say, as compliance costs mount and audit capacity lags. The changes come at a time when the Trump administration is pressuring prime contractors to boost production and broaden their supplier base, raising questions about the resilience of the industrial supply chain.
The long-awaited U.S. Cybersecurity Maturity Model Certification - CMMC - began its initial implementation last November with a requirement that companies working on federal contracts perform cybersecurity self-assessments as the first of three certification levels. A more demanding second level, which includes third-party audits, is expected to start by November.
Executives at a number of small supplier firms described months-long waits for audits, and said confusion over which kinds of information must be protected has made it harder to meet the higher standards. Those executives spoke on condition of anonymity because they considered the matter sensitive.
Without a clear and agreed-upon definition of what constitutes controlled information, contractors are, in some cases, requiring suppliers to adopt stricter cybersecurity measures even if the supplier does not handle sensitive material - for example, technical drawings of a fighter jet fuel pump, one industry source said.
Cost is a principal concern. Industry sources report that additional compliance expenses can run into the hundreds of thousands of dollars for some small companies, deterring suppliers that already operate with fragile finances. "Some of these firms, particularly those that also compete in commercial markets, report that the accumulation of complex and costly regulatory requirements is forcing them to reconsider - if not exit - the defense marketplace altogether, further challenging the health and resilience of the industrial base," said Margaret Boatner, vice president of national security policy at the Aerospace Industries Association.
The Aerospace Industries Association represents many companies that supply the defense sector, and a 2022 U.S. House Small Business Subcommittee report shows that 88% of aerospace firms are small businesses. That high share of small suppliers makes their responses to CMMC particularly consequential for the defense supply chain.
Three aerospace companies - two based in the United States and one in Canada - told industry analysts that each has a handful of suppliers who will not submit to the more stringent CMMC requirements, such as undergoing the mandated audits. The president of one U.S. company said roughly half of its suppliers have not indicated whether they will comply. The chief executive of another firm, which is the sole source of a part used by a U.S. fighter jet program, said he is unsure how his suppliers will respond.
The Department of Defense declined to comment.
Small suppliers play an outsized role in the defense industrial base, and observers keep a close watch on their health after recent years of production bottlenecks. Some small firms are the only producers of specific parts that larger contractors need to assemble weapons and equipment, making any supplier exit or delay a potential production risk.
Legal and compliance advisers warn that the certification regime could unintentionally shrink competition in the lower tiers of the defense supply chain. Alex Major, a lawyer at McCarter & English who counsels defense contractors on CMMC compliance, said the requirements could reduce the number of viable suppliers at those lower levels.
CMMC was introduced in 2019 but was delayed for several years amid industry concerns and confusion that required extended discussion with the Pentagon. The challenge is particularly acute for international suppliers that must also comply with European data privacy laws and other regional cyber standards, Major said. "You’re telling these contractors to hold data a particular way or identify it as controlled information pursuant to the United States government, and (other) data privacy laws might differ," he said.
Executives cite concrete examples of the financial burden. An executive at the Canadian company reported that complying with overlapping European and U.S. rules will require an expenditure of C$500,000, equivalent to $365,176.75. The story of one U.S. nonprofit aerospace supplier illustrates the business calculus facing some smaller firms: Dave Trader, CEO of Pathfinder Manufacturing, said he is uncertain whether the cost of compliance is worth it, since his firm does limited defense work making wire harnesses and also sees strong demand from the commercial planemaker Boeing.
Implications for industry stakeholders are direct and immediate. Increased compliance costs and audit backlogs may dissuade small firms from bidding on defense business or prompt them to withdraw, which could narrow supplier choices for prime contractors. That, in turn, could affect lead times and production schedules for defense programs that depend on specialized parts.
While CMMC aims to protect controlled unclassified information on federal contracts, the path to full implementation is proving complicated for a supply chain that includes many small, cash-constrained companies and international participants navigating multiple regulatory regimes.
For now, companies and legal advisers alike are watching for the pace and clarity of audit rollouts, the definition of what information must be protected, and how enforcement will be managed - factors that will determine whether the new rules bolster security without unduly weakening the supplier base that underpins U.S. defense production.