Cybersecurity Maturity Model Certification (CMMC) is the new U.S. cybersecurity regulation for the defence sector, rolled out in November 2025 by the Department of Defense to better protect sensitive information known as controlled unclassified information (CUI).
Under the first phase of the rollout, defence contractors are required to complete internal cybersecurity self-assessments; the stricter second phase, which requires formal assessments by accredited third-party assessors, is expected to take effect in November 2026.
The regulation is intended to strengthen cybersecurity, but it is also weighing on defence contractors and their supply chains: it imposes costly compliance requirements on small suppliers that have limited financial resources.
Notably, some 88% of aerospace companies are small businesses, according to data from a 2022 U.S. House Small Business Subcommittee.
These suppliers are facing audit delays, confusion over requirements, and compliance costs that can reach hundreds of thousands of dollars, according to some executives from defence contracting companies and suppliers within the U.S. defence industrial base, who spoke on condition of anonymity due to the sensitivity of the matter.
As a result, some of these contractors and suppliers are considering exiting military work, which could weaken production capacity and shrink competition among suppliers just as the Trump administration is pressuring contractors to boost output and diversify the supply base.
Because guidance on what qualifies as protected information is not clearly defined, prime contractors are demanding higher compliance standards from their suppliers, even when those suppliers do not directly handle sensitive information, such as detailed technical data for military equipment.
Rising compliance costs put small defense suppliers at risk
Leaders of several U.S. defence suppliers say uncertainty is spreading across the supply chain as the tougher cybersecurity standards approach. The president of one U.S. company said half of its suppliers have given no indication of whether they will comply with the new CMMC requirements.
The head of the sole supplier of one component used in a U.S. fighter jet programme likewise said he does not know how his own suppliers will respond.
Investors are watching smaller manufacturers closely because many are the exclusive source of critical parts needed by major contractors, and the industry has already endured years of production slowdowns and bottlenecks.
According to Alex Major, an attorney at McCarter & English who counsels contractors on meeting CMMC standards, the new rules could unintentionally shrink competition among lower-tier suppliers. Although CMMC was first introduced in 2019, its rollout was slowed for years due to industry pushback and confusion that required extended negotiations with the Pentagon.
Major noted that compliance is even more complex for overseas suppliers that must balance U.S. security requirements with European data protection regulations and other regional cybersecurity laws, which do not always align.
The financial burden is also significant. An executive at a Canadian supplier said his company expects to spend about 500,000 Canadian dollars to meet both U.S. and European compliance standards.
Similarly, Dave Trader, CEO of the nonprofit aerospace supplier Pathfinder Manufacturing, questioned whether the investment makes sense for a company that does only limited defence work, such as producing wire harnesses.
He pointed out that demand from commercial customers like Boeing remains strong, making non-defence business potentially more attractive than absorbing the high costs tied to federal cybersecurity mandates.
