Cyber Rules Push Defense Suppliers to Exit
20 Feb
Summary
- New U.S. cybersecurity rules raise production risks for the defense sector.
- Small suppliers may exit military work due to high compliance costs.
- Unclear definitions increase compliance burdens for contractors.

New U.S. cybersecurity regulations are compelling small defense suppliers to re-evaluate their involvement in military contracts due to substantial compliance expenses. These rules, under the Cybersecurity Maturity Model Certification (CMMC), were implemented in November to safeguard controlled unclassified information.
Initial self-assessments are underway, with more rigorous audits expected by November. However, prolonged audit waits and ambiguity surrounding data protection requirements are escalating challenges. This has led to increased compliance demands, even for suppliers not handling sensitive technical data, according to industry sources.
Additional costs, potentially reaching hundreds of thousands of dollars for small businesses, are a major deterrent. Some firms, especially those also serving commercial markets, are finding the cumulative regulatory burden too high, forcing them to consider exiting the defense sector. This trend poses a risk to the health and resilience of the defense industrial base, which relies heavily on small suppliers for critical components.
International suppliers face additional complexities, needing to navigate both U.S. CMMC requirements and other regional data privacy laws. The financial strain is significant, with one Canadian company estimating C$500,000 in compliance costs for European and U.S. rules. The Department of Defense has not provided comment on these concerns.




