Are the Opportunities Worth It? 

Manufacturers have never loved regulations and compliance, but at PNDC we hear every day from manufacturers who are increasingly frustrated. There are more rules for key certifications like ITAR, ISO and EAR, not to mention the pending CMMC regulations which appear to be poised to go into effect in 2024. 

Still, the opportunities are undeniable. The Defense Federal Acquisition Regulation Supplement (DFARS) Buy American Act clause is poised to expand the domestic content threshold requirement to align with the Federal Acquisition Regulation. This means that domestic content for cost of components will go from 55 percent to 65 percent in 2024 and 75 percent by 2029. 

Howard Roth, a partner with Smith Currie Oles said, “The point of course is to allow more U.S. companies to get into the space and create American jobs, but that also means that prime contractors and those farther up the chain have to add more U.S. manufacturers — and if they can’t do that due to lack of U.S. suppliers they have to request a waiver, which is increasingly difficult to get.”

American Precision Industries (API) has been preparing to take advantage of the increasing opportunity by adding AS9100D and medical device ISO13485 certifications, so they can expand their partnerships in Washington and Oregon, especially in aerospace.

“This was a decision that required a great deal of hard work for our QC manager as well as our upper management team,” said Todd Cook of API, “But we realized that these two certifications were vital to our new sales and marketing plan. It’s critical to be able to differentiate API from other shops out there.”

They are determined to make the effort pay off. They feature their certifications front and center on their website, and have plans to highlight their capabilities in marketing campaigns — things that a surprising number of manufacturers overlook. “In the future we know that other certifications and security requirements are going to be necessary in order to continue to be a cutting edge manufacturer,” said Todd.

Howard Roth is critical of the added cost of federal compliance regulations, stating that, “None of this is good for companies. While there is an influx of money going into defense manufacturing the government vastly underestimates the cost of compliance programs such as cybersecurity. Therefore, for compliance in an area such as the International Traffic in Arms Regulations (ITAR), the key is to figure out what elements of ITAR compliance apply. For suppliers with products not on the munitions list, this means focusing on the identification and protection of any ITAR technical information obtained under defense subcontracts or contracts. Any organization participating in ITAR-controlled activities should review the ITAR guidelines in detail and develop an action plan to address any gaps.” 

Added to this, the Cybersecurity Maturity Model Certification (CMMC) 2.0 program is poised to become reality in 2024. What does that mean for businesses who supply the aerospace industry? 

“You could view it as a cost burden that makes it harder to do business,” says Dave Miller, director of business development and a certified CMMC professional with Future Networking Inc., “But it’s important to keep in mind why the DoD is doing this. The U.S. has been losing the information war for many years. As soon as we develop a new capability, major U.S. foes are ready and able to steal that innovation. In an actual armed conflict, that will cost lives.”

He feels that companies seeking a competitive advantage in the commercial aerospace industry would be wise to start positioning themselves in accordance with CMMC guidelines rather than waiting. “It will have a huge impact on the supply chain. First, the requirements will trickle down to tier 2 and 3 suppliers. At the same time getting assessments will be increasingly hard as we approach the deadline, which will cause delays and drive up prices.Every contract that involves DoD will require all suppliers in the chain to provide proof of compliance. And this isn’t a cursory glance under the hood. Regulators will assess every single control, not just spot check.” 

Circumventing the regulation will come at a higher cost than ever before, with the False Claims Act (FCA) and Whistleblower Protection Act playing a major role. In 2019, Cisco Systems marked the first payout to a whistleblower on a False Claims Act case — brought over a failure to meet cybersecurity standards. It cost them $8.6 million. 

The amount of time it will take suppliers to meet CMMC depends on many factors. “Company culture and the state of their current technology vary widely. CMMC also requires company-wide behavioral change.”

So, is it worth it? PNDC thinks it is. Their goal is to connect manufacturers in the Pacific Northwest with the experts, resources and information that can help them assess the potential advantages of the defense and security and with those resources that can guide them through the process.