
Stringent cybersecurity compliance requirements implemented by the Defense Department are causing smaller suppliers to walk away from military contracts due to overwhelming costs and complexity.
The Pentagon’s Cybersecurity Maturity Model Certification program, designed to safeguard controlled unclassified information within the defense supply chain, launched in November after years of delays.
Defense contractors must now complete cybersecurity self-evaluations as the initial step in a three-tier certification system. The more demanding second tier, which includes mandatory audits, is scheduled to roll out by November.
Industry executives, speaking anonymously due to the sensitive nature of the topic, report that lengthy audit waiting periods and unclear guidelines about which information requires protection have complicated compliance efforts.
According to an industry insider, contractors are demanding heightened compliance measures even from suppliers who don’t handle sensitive materials like technical blueprints for fighter jet components.
The financial burden is particularly challenging for smaller companies, with compliance costs reaching hundreds of thousands of dollars per firm, industry sources indicate.
Margaret Boatner, vice president of national security policy at the Aerospace Industries Association, explained the impact: “Some of these firms, particularly those that also compete in commercial markets, report that the accumulation of complex and costly regulatory requirements is forcing them to reconsider—if not exit—the defense marketplace altogether, further challenging the health and resilience of the industrial base.”
Statistics from a 2022 House Small Business Subcommittee show that 88% of aerospace companies qualify as small businesses.
Reuters spoke with three aerospace firms—two American and one Canadian—who each reported having multiple suppliers unwilling to meet the stricter certification requirements, including the audit process.
One U.S. company president revealed that half of their suppliers haven’t committed to compliance. Another company executive, whose firm is the exclusive manufacturer of a component for a U.S. fighter jet program, remains uncertain about supplier participation.
The Defense Department chose not to provide comment on the matter.
Small suppliers play a crucial role in the defense supply chain, with investors closely monitoring their stability following years of production delays. Many serve as the sole manufacturers of essential components needed by larger contractors for weapons and equipment assembly.
Alex Major, a defense contractor attorney at McCarter & English specializing in certification compliance, warned that these requirements might unintentionally limit competition among smaller defense supply chain participants.
The certification program, originally introduced in 2019, faced significant delays due to industry pushback and confusion that required extensive Pentagon consultations.
International suppliers face additional challenges, particularly those already complying with European data privacy regulations and other regional cybersecurity standards, Major noted.
“You’re telling these contractors to hold data a particular way or identify it as controlled information pursuant to the United States government, and (other) data privacy laws might differ,” he explained.
A Canadian company executive estimated needing to spend C$500,000 ($365,176.75) to satisfy both European and American regulatory requirements.
Dave Trader, CEO of nonprofit aerospace supplier Pathfinder Manufacturing, questioned whether compliance costs justify the investment given his company’s limited defense work producing wire harnesses, especially with strong demand from Boeing.








