New U.S. cybersecurity requirements for the defense industrial base are forcing some small manufacturers and specialty suppliers to reconsider whether military work is worth the price of compliance, raising concerns about resilience and competition across the defense supply chain. The rules are part of the U.S. Department of Defense’s long-delayed Cybersecurity Maturity Model Certification (CMMC) program, intended to better protect sensitive government information—especially “controlled unclassified information” (CUI)—from hacking and espionage.
CMMC began a phased rollout in November 2025, requiring companies on federal contracts to complete cybersecurity self-assessments at the initial stage. The next step is harder: more stringent “Level 2” requirements—expected to include audits—are projected to start coming into force by November 2026, and suppliers say uncertainty about timing, audit capacity, and what exactly must be protected is already creating friction.
The biggest immediate obstacle is cost. Industry sources said that compliance can add hundreds of thousands of dollars per small firm, a daunting burden for companies with thin margins—especially those that also serve commercial customers and can choose to avoid the defense market. Margaret Boatner of the Aerospace Industries Association warned that layering complex and expensive regulatory requirements can push suppliers to reduce or exit defense work altogether, weakening the industrial base just as the Trump administration is pressing contractors to boost output and broaden the supplier pool.
That matters because small suppliers often make highly specialized parts that are difficult to replace quickly. Investors and prime contractors watch lower-tier suppliers closely, both because of years of production bottlenecks and because some small shops are sole-source providers for critical components. In interviews, aerospace firms said they already have suppliers indicating they will not pursue the tougher CMMC requirements (including audits), while another executive said as many as half of their suppliers have not even confirmed whether they will comply.
Confusion about what counts as protected information is amplifying the burden. Suppliers said they are sometimes being asked for higher levels of compliance even when they do not handle sensitive items like technical drawings—because contractors are unsure how broadly “controlled” information should be defined and safeguarded. Meanwhile, months-long waits for audits can slow readiness and add planning risk.
The challenge is even sharper for international suppliers navigating conflicting regimes. A lawyer advising contractors, Alex Major of McCarter & English, said U.S. rules can collide with European privacy and cybersecurity standards, complicating how data is stored, labeled, and accessed. One Canadian supplier said it may cost about C$500,000 to comply across Europe and the U.S.
For some firms, the business case is genuinely uncertain. Dave Trader, CEO of Pathfinder Manufacturing, said he is weighing whether compliance costs make sense given limited defense work and strong demand from Boeing in the commercial market.
Overall, the new rules aim to reduce cyber risk in national security programs, but if compliance costs and audit bottlenecks discourage small and international suppliers, the defense supply chain could become narrower, less competitive, and more vulnerable to disruption.