Analysis-New cybersecurity rules for US defense industry create barrier for some small suppliers

By Allison Lampert and Mike Stone

Feb 20 (Reuters) – New U.S. cybersecurity rules for the defense sector are leading some small suppliers to rethink military work due to high compliance costs, raising production risks at a time when the Trump administration ‌is pressuring contractors to boost output and diversify the supply base.

The Defense Department’s long-delayed U.S. Cybersecurity Maturity Model Certification started last November ‌to protect sensitive information, known as controlled unclassified information.

Companies working on federal contracts now perform cybersecurity self-assessments as the first of three CMMC levels, with the more stringent second level ​that includes audits expected to begin by November.

Months-long waits for audits to ensure compliance and confusion over what information needs protection have made meeting the higher standards more difficult, the executives say. They spoke on condition of anonymity due to the sensitivity of the matter.

Without a clear definition, contractors are asking for greater compliance even if the supplier does not handle sensitive information such as technical drawings of a fighter jet fuel pump, an industry source ‌said.

COSTS RAISE CONCERNS

Additional costs of hundreds of thousands of dollars ⁠per small company are also deterring some suppliers with fragile finances, industry sources said.

“Some of these firms, particularly those that also compete in commercial markets, report that the accumulation of complex and costly regulatory requirements is forcing ⁠them to reconsider—if not exit—the defense marketplace altogether, further challenging the health and resilience of the industrial base,” said Margaret Boatner, vice president of national security policy at the U.S.-based Aerospace Industries Association. Many of its member companies also serve the defense industry.

Some 88% of aerospace firms are small businesses, according to data from ​a ​2022 U.S. House Small Business Subcommittee.

Three aerospace companies, two in the United States and ​one in Canada, told Reuters they each have a ‌handful of suppliers who will not comply with the more stringent CMMC requirements, such as undergoing the audit.

The president of one of the U.S. companies said half of its suppliers have not indicated whether they will comply. The head of another company, which is the sole source of a part for a U.S. fighter jet program, is also unsure what his suppliers will do.

The Department of Defense declined to comment.

SMALL SUPPLIERS CRITICAL TO SUPPLY CHAIN

The health of small suppliers is closely watched by investors after years of production bottlenecks. Some are the only producers of key parts ‌needed by bigger contractors to assemble weapons and equipment.

Alex Major, a lawyer at McCarter & ​English who advises defense contractors on CMMC compliance, said the certification requirements could inadvertently ​reduce competition in the lower rungs of the defense supply chain.

CMMC, ​introduced in 2019, was delayed by industry concerns and confusion that required years of discussion with the Pentagon.

The challenge ‌is particularly acute for international suppliers who also comply with ​European data privacy laws and other ​regional cyber standards, Major said.

“You’re telling these contractors to hold data a particular way or identify it as controlled information pursuant to the United States government, and (other) data privacy laws might differ,” he said.

An executive with the Canadian company said he will need to spend ​C$500,000 ($365,176.75) to comply with rules in Europe and ‌the U.S.

Dave Trader, CEO of the nonprofit U.S. aerospace supplier Pathfinder Manufacturing, said he is unsure whether compliance is worth the ​cost since the firm does limited defense work making wire harnesses, and sees strong demand from planemaker Boeing.

($1 = 1.3692 Canadian ​dollars)

(Allison Lampert in Montreal and Mike Stone in WashingtonEditing by Rod Nickel)