The U.S. Cybersecurity Maturity Model Certification (CMMC), long delayed, was launched last November to protect sensitive but unclassified government data, known as controlled unclassified information (CUI). Under the program, companies working on federal contracts must first complete self-assessments for CMMC Level 1, with more rigorous Level 2 audits—requiring formal inspections—expected to begin by November.
Executives from several defense suppliers, speaking on condition of anonymity due to the sensitivity of the matter, say the lack of clarity about what counts as sensitive information, combined with months-long waits for audits, has made meeting higher compliance standards difficult. Some contractors are taking extra precautions even for suppliers that do not handle critical items, such as fighter jet fuel pump drawings.
Costs and Compliance Challenges
Compliance costs, which can run hundreds of thousands of dollars per small company, are deterring some suppliers, particularly those with limited finances.
"Some of these firms, particularly those that also compete in commercial markets, report that the accumulation of complex and costly regulatory requirements is forcing them to reconsider—if not exit—the defense marketplace altogether, further challenging the health and resilience of the industrial base," said Margaret Boatner, vice president of national security policy at the U.S.-based Aerospace Industries Association. Many of the organization’s members also serve the defense industry.
Small businesses make up a significant portion of the U.S. aerospace supply chain. According to a 2022 U.S. House Small Business Subcommittee report, 88% of aerospace firms qualify as small businesses. Several executives told Reuters that some of their suppliers are unwilling or unsure about undergoing the more stringent CMMC audits. One U.S. company said half of its suppliers had yet to indicate whether they would comply. Another, which provides a sole-source part for a U.S. fighter jet program, said it remains unclear what its suppliers will do. The Department of Defense declined to comment.
Small Suppliers Critical to National Security
Small suppliers are integral to the defense industrial base, often producing unique parts required by larger contractors to assemble weapons and equipment. Analysts warn that compliance costs could inadvertently reduce competition and weaken the lower tiers of the defense supply chain.
"You're telling these contractors to hold data a particular way or identify it as controlled information pursuant to the United States government, and (other) data privacy laws might differ," said Alex Major, a lawyer at McCarter & English who advises defense contractors on CMMC compliance. The challenge is particularly acute for international suppliers who must also comply with European data privacy and cybersecurity standards. One Canadian supplier estimated spending C$500,000 ($365,177) to meet both U.S. and European requirements.
Even some small U.S. companies producing niche components for limited defense applications are questioning the value of compliance. Dave Trader, CEO of nonprofit aerospace supplier Pathfinder Manufacturing, said his firm, which makes wire harnesses and has strong commercial demand from Boeing, is unsure whether the cost is justified.
CMMC, originally introduced in 2019, faced years of delays and industry pushback due to confusion over implementation and definitions of controlled information. As the Pentagon moves forward with audits, small suppliers—many of whom are critical to national security production—will face tough decisions about whether to bear the rising costs of compliance.