US Defense Suppliers Rethink Contracts Over Costly Cybersecurity Rules
Small suppliers in the United States defense sector are reportedly reconsidering their involvement in military contracts, according to a Reuters report. This shift is driven by new federal cybersecurity regulations that have significantly increased compliance costs, potentially disrupting production and supply chains. The rules are part of the US Department of Defense's Cybersecurity Maturity Model Certification (CMMC), which began implementation in November 2025 to protect sensitive, classified, and unclassified information.
Implementation of CMMC and Its Challenges
The CMMC framework requires companies working on federal defense contracts to complete cybersecurity self-assessments under the first of three levels. The more demanding second level, which mandates formal audits, is expected to take effect by November this year. Industry executives have highlighted that months-long audit wait times and uncertainty over what information qualifies for protection have complicated compliance efforts.
Executives, speaking anonymously due to the sensitivity of the matter, told Reuters that the lack of clear definitions has led prime contractors to demand higher compliance standards even from suppliers that may not directly handle sensitive materials, such as technical drawings of a fighter jet fuel pump.
Impact on Small Suppliers and Industry Concerns
America's new cybersecurity guidelines for defense contractors are of particular concern to smaller suppliers. Industry sources indicate that higher compliance and certification costs may prompt some to reconsider entering the defense supply chain. The CMMC program is likely to add several hundred thousand dollars in costs for smaller companies.
Margaret Boatner, vice president of national security policy at the Aerospace Industries Association, told Reuters that small businesses make up about 88% of aerospace firms, according to a 2022 U.S. House Small Business Subcommittee. She stated, "Some of these firms, particularly those that also compete in commercial markets, report that the accumulation of complex and costly regulatory requirements is forcing them to reconsider—if not exit—the defense marketplace altogether, further challenging the health and resilience of the industrial base."
Uncertainty and Broader Implications
Defense manufacturers have reported that several suppliers are unwilling or uncertain about complying with stricter CMMC requirements, including mandatory audits. Executives from aerospace companies in the United States and Canada said some suppliers have declined participation, while others have yet to confirm compliance, creating uncertainty even for firms supplying components to critical fighter jet programs.
Industry analysts believe the impact on small suppliers is being closely monitored, especially after years of production bottlenecks, as many are the sole producers of specialized parts needed by large contractors. Alex Major, a lawyer advising defense companies on compliance, explained, "You're telling these contractors to hold data a particular way or identify it as controlled information pursuant to the United States government, and other data privacy laws might differ."
Executives also pointed to rising cross-border compliance costs, with one Canadian supplier estimating C$500,000 (approximately $365,176.75) in expenses to meet both European and US requirements. Dave Trader, CEO of aerospace nonprofit Pathfinder Manufacturing, expressed uncertainty about whether compliance is viable for companies with limited defense exposure, despite continued demand from commercial customers such as Boeing.



