Small suppliers in the US defence sector are reportedly reconsidering their involvement in military contracts. According to a Reuters report, this is due to new federal cybersecurity rules that have raised compliance costs, potentially disrupting production and supply chains. This follows the implementation of the US Defence Department’s Cybersecurity Maturity Model Certification (CMMC), which began in November 2025 to protect sensitive, classified, and unclassified information. The new rules are being implemented at a time when the Trump administration is encouraging defence suppliers to increase production and broaden their supplier base.
What is the US Department of Defence’s Cybersecurity Maturity Model Certification
Under the framework, companies working on federal defence contracts must currently complete cybersecurity self-assessments under the first of three CMMC levels, while the more demanding second level, which requires formal audits, is expected to take effect by November this year, Reuters reports.
Industry executives said months-long audit wait times and uncertainty over what information qualifies for protection have complicated compliance efforts.
Executives, speaking on condition of anonymity due to the sensitivity of the matter, told Reuters that the lack of clear definitions has led prime contractors to demand higher compliance standards even from suppliers that may not directly handle sensitive materials such as technical drawings of a fighter jet fuel pump.
Why small vendors worry about new US cybersecurity rules
America’s new cybersecurity guidelines for defence contractors are also worrying smaller suppliers, with industry sources saying higher compliance and certification costs may prompt some to have second thoughts about entering the defence supply chain. The new requirements, developed as part of the Cybersecurity Maturity Model Certification (CMMC) program, would likely add several hundred thousand dollars to the cost for smaller companies.
Margaret Boatner, vice president of national security policy at the Aerospace Industries Association told Reuters noting that small businesses make up about 88% of aerospace firms, according to a 2022 U. S. House Small Business Subcommittee.
Defence manufacturers told Reuters that several suppliers are unwilling or uncertain about complying with stricter CMMC requirements, including mandatory audits. Executives from aerospace companies in the United States and Canada said some suppliers have declined participation, while others have yet to confirm compliance, creating uncertainty even for firms supplying components to critical fighter jet programmes.
Industry analysts believe the impact on small suppliers is being closely monitored, especially in the wake of years of production bottlenecks, as many are the sole producers of specialised parts needed by large contractors.
said Alex Major, a lawyer advising defence companies on compliance. he said.
Executives also pointed to rising cross-border compliance costs, with one Canadian supplier estimating C$500,000 ($365,176.75) in expenses to meet both European and US requirements. Dave Trader, CEO of aerospace nonprofit Pathfinder Manufacturing, said he remains uncertain whether compliance is viable for companies with limited defence exposure despite continued demand from commercial customers such as Boeing.
