New U.S. cybersecurity regulations for the defense sector are prompting some small suppliers to reconsider military contracts due to high compliance costs. This comes at a critical time when the government is pushing for increased output and supply chain diversification.

The Defense Department's Cybersecurity Maturity Model Certification (CMMC), which began in November, aims to protect sensitive information. Companies must now conduct self-assessments as a first step, with more rigorous audits expected soon. Executives report that lengthy audit waiting times and ambiguity over data protection requirements are complicating compliance efforts.

Industry insiders suggest that contractors are seeking compliance even for suppliers who may not handle critical data, such as technical drawings. The added costs, potentially hundreds of thousands of dollars per company, are a significant deterrent for financially fragile firms.

"The accumulation of complex and costly regulatory requirements is forcing them to reconsider - if not exit - the defense marketplace altogether," stated Margaret Boatner, vice president of national security policy at the Aerospace Industries Association. This situation challenges the health and resilience of the U.S. industrial base, where small businesses play a crucial role.

Concerns are mounting as some suppliers have not confirmed their intent to comply with the stricter CMMC requirements, including audits. This uncertainty impacts the production of essential parts for U.S. fighter jet programs.

Alex Major, a lawyer advising defense contractors, noted that CMMC requirements could inadvertently reduce competition among lower-tier suppliers. International suppliers face additional hurdles, needing to reconcile U.S. mandates with existing regional data privacy laws.

For some, the cost of compliance, estimated at over $365,000, may not be justifiable given limited defense work and strong demand from commercial markets.