US Defense Suppliers Face Costs & Exit Risk Under New Cybersecurity Rules

by Anika Shah - Technology

New Cybersecurity Rules Pose Challenges for Defense Industry Suppliers

New U.S. cybersecurity regulations for the defense sector are causing some smaller suppliers to reassess their involvement in military projects due to the substantial costs of achieving compliance. This development raises concerns about potential production disruptions as the Trump administration continues to push contractors to increase output and broaden the supply base.

The Cybersecurity Maturity Model Certification (CMMC)

The Defense Department’s Cybersecurity Maturity Model Certification (CMMC) program, initiated in November 2025, aims to safeguard sensitive information, specifically controlled unclassified information (CUI). The program requires companies working on federal contracts to perform cybersecurity self-assessments, which represent the first of three CMMC levels. More rigorous second-level requirements, including audits, are slated to begin in November.

Compliance Hurdles and Costs

Executives report facing months-long delays in obtaining audits to verify compliance and confusion regarding the specific information requiring protection. These challenges make meeting the higher CMMC standards more difficult. Without a clear definition of what constitutes sensitive information, contractors are increasingly requesting compliance from suppliers even if they don’t handle critical data, such as technical drawings for complex components.

The additional costs associated with CMMC compliance are proving substantial, potentially reaching hundreds of thousands of dollars per small company. This financial burden is deterring some suppliers, particularly those with limited financial resources, from continuing to participate in the defense marketplace.

Impact on the Defense Industrial Base

Margaret Boatner, vice president of national security policy at the Aerospace Industries Association, notes that the accumulation of complex and costly regulatory requirements is prompting some firms to reconsider or even exit the defense marketplace, potentially weakening the health and resilience of the industrial base. Approximately 88% of aerospace firms are classified as small businesses according to data from a 2022 U.S. House Small Business Subcommittee.

Several aerospace companies have indicated that a portion of their suppliers will likely be unable to meet the more stringent CMMC requirements, including undergoing the necessary audits. One company president reported that half of their suppliers have not yet confirmed their compliance plans, while another, a sole-source provider for a U.S. fighter jet program, is also uncertain about its suppliers’ intentions.

Challenges for International Suppliers

The CMMC requirements present particular difficulties for international suppliers who must also adhere to European data privacy laws and other regional cybersecurity standards. Alex Major, a lawyer advising defense contractors on CMMC compliance, explains that differing data privacy regulations can create conflicts for contractors handling data under U.S. government requirements.

For example, a Canadian company executive estimates needing to spend C$500,000 ($365,176.75) to comply with both European and U.S. regulations.

Looking Ahead

The Department of Defense declined to comment on these developments. The health of small suppliers is a critical concern for investors, given their role as sole producers of key parts needed by larger contractors. The CMMC certification requirements could inadvertently reduce competition within the defense supply chain. The CMMC program, initially introduced in 2019, faced delays due to industry concerns and confusion, requiring extensive discussions with the Pentagon.
