New US Cybersecurity Rules Raise Compliance Bar, Strain Small Defense Suppliers

CMMC requirements and audit costs may shrink supplier base in defense industrial chain

Workers at a small aerospace manufacturing facility producing components for U.S. defense contractors. IBT SG
  • U.S. Defense Department implements Cybersecurity Maturity Model Certification.
  • Small suppliers cite high compliance costs, audit delays.
  • Some firms reconsider defense contracts over certification requirements.
  • Industry warns rules could shrink defense supply chain.

Recent U.S. cybersecurity directives for defense contractors, together with their potentially high compliance costs and regulatory complexity, are prompting some small suppliers to step back from military business, putting strain on the wider defense supply chain.

In November, the Defense Department's long-awaited Cybersecurity Maturity Model Certification (CMMC) program formally began rolling out, with the aim of better protecting controlled unclassified information shared across the defense industrial base.

The framework currently requires companies holding federal contracts to complete a Level 1 self-assessment of their cybersecurity. Stricter Level 2 requirements, including third-party audits, are expected to take effect by November.

Industry executives say that months-long waits for certification audits, and uncertainty over which information counts as controlled unclassified information, are obstacles to compliance. Some spoke on condition of anonymity because of the sensitivity of the matter.

According to one industry source, some prime contractors are also demanding broader compliance from their suppliers, including those that do not directly handle sensitive technical information such as fighter jet component designs.

High Costs, Fragile Finances

Compliance costs are a central concern for small businesses operating on tight margins. Industry sources say those costs can reach hundreds of thousands of dollars per company.

Some of these companies, particularly those that also serve commercial markets, say the accumulation of complex and costly regulatory demands is prompting them to reconsider, or even exit, the defense market altogether, a shift that would further strain the industrial base.

The potential scale of the impact is considerable: about 88 percent of aerospace companies are small businesses, according to 2022 data released by a subcommittee of the U.S. House Small Business Committee.


Three aerospace firms, two in the United States and one in Canada, told Reuters that several of their suppliers have said they do not intend to obtain Level 2 certification, which requires an independent audit.

The president of one U.S. company said roughly half of its suppliers had yet to say whether they would comply. Another executive, whose company is the sole U.S. provider of a part for a fighter jet program, said he does not know what his suppliers plan to do.

The Defense Department declined to address the concerns raised by industry.

Supply Chain Risk and Global Challenges

Small suppliers are often critical nodes in the defense production chain, and are sometimes the sole source of specialized components needed by larger contractors.

Supplier stability has drawn the attention of investors and defense officials in recent years, after production bottlenecks disrupted key weapons programs.

The new certification requirements could reduce competition among lower-tier suppliers, according to Alex Major, a lawyer at McCarter & English who advises defense contractors on CMMC compliance.

First introduced in 2019, the CMMC program was delayed by industry concerns and by ongoing negotiations with the Pentagon over implementation details.

International suppliers face additional complexity. Firms doing business in Europe must reconcile U.S. data-handling requirements with local privacy and cybersecurity rules.

Major explained: "You are instructing these contractors to store data in a specific manner or recognize it as controlled information under the United States government, and (other) data privacy legislation may vary otherwise."

An executive at a Canadian aerospace company estimated it would cost his company about C$500,000 ($365,176.75) to meet both European and U.S. requirements.

For companies with only limited exposure to defense work, the economic trade-off is a difficult one. Dave Trader, chief executive of nonprofit aerospace supplier Pathfinder Manufacturing, said he is weighing whether the compliance costs would be worthwhile given his company's relatively small volume of defense work, which consists of producing wire harnesses.

Commercial demand, including from planemaker Boeing (BA.N), is also strong, and Trader noted that it offers alternative sources of revenue.


As the U.S. government presses defense contractors to increase output and broaden their supplier bases, industry executives warn that rising cybersecurity demands could shrink the pool of potential vendors, reshaping the defense industrial base in the coming years.

Recommended FAQs

What is the CMMC program and why was it introduced?

The Cybersecurity Maturity Model Certification is a U.S. Defense Department program aimed at protecting controlled unclassified information within the defense industrial base. It requires contractors to assess and upgrade their cybersecurity practices to qualify for federal contracts.

Why are small defense suppliers struggling with new cyber rules?

Industry executives say compliance costs can reach hundreds of thousands of dollars, straining companies with tight margins. Uncertainty over audit timelines and regulatory complexity has also made it harder for smaller firms to comply.

When do stricter CMMC requirements take effect?

Level 1 self-assessments are already required, while stricter Level 2 requirements, including third-party audits, are expected to be implemented by November. Companies must meet these standards to continue certain defense contracts.

How could the new rules affect the defense supply chain?

Some suppliers are considering leaving the defense market rather than absorbing compliance costs. Analysts warn this could reduce competition and create supply bottlenecks, especially for specialized components.

Do international suppliers face additional challenges under CMMC?

Yes, foreign companies must balance U.S. data security requirements with local privacy and cybersecurity laws. This dual compliance burden can significantly increase costs for suppliers operating across borders.
