NASA got Orion around the Moon and home. Now Artemis depends on whether a small supplier aerospace base can absorb six figure CMMC audit costs while GAO says the Pentagon still lacks a documented plan for assessor capacity shortfalls.
Artemis 2 proved NASA can get astronauts around the Moon and back. Artemis 3 faces a duller problem and probably a more dangerous one: the contractor base behind the program is heading into a cybersecurity certification regime that looks expensive, slow, and badly matched to small suppliers. The rule is called Cybersecurity Maturity Model Certification, or CMMC. It will require many Defense Department contractors to prove, through audits and paperwork, that they can protect controlled but unclassified information, meaning sensitive government data that is not secret but still should not leak.
That matters because Artemis does not run on rockets alone. It runs on a defense-adjacent industrial base full of specialist shops that machine parts, integrate electronics, write software, and do the invisible work between a NASA press conference and an actual flight. A March 2026 Government Accountability Office report said the Defense Department relies on about 200,000 private companies across that industrial base, and that small businesses make up roughly three-quarters of it. If compliance gets costly or slow, the pain lands first on the part of the supply chain that has the least cash and the least slack.
The timing is ugly. The same GAO report said the Pentagon's contract-side rule took effect on Nov. 10, 2025, and DefenseScoop reported that Level 2 third-party certification becomes mandatory for many covered contracts on Nov. 10, 2026. Level 2 is the tier for contractors handling controlled unclassified information. Those companies need an outside assessor.
The problem is not that nobody saw this coming. It is that the government still has not shown its work on how the queue clears. GAO reported that the Defense Department "did not assess and document how it intends to mitigate the risk of private sector capacity being insufficient to meet its needs for assessments," even though the entire system depends on private-sector assessment capacity. The Pentagon told GAO it can issue waivers if external factors create serious problems. A waiver is not throughput. It is a note explaining why throughput did not happen.
The cost side is easier to pin down than the queue. DefenseScoop reported from the Pentagon's proposed rule that a Level 2 certification assessment is projected to cost nearly $105,000 for small entities and about $118,000 for larger ones. The GAO report separately said the streamlined CMMC framework carried estimated assessment costs ranging from $4,042 to $117,768, depending on assessment type. Either way, this is not minor compliance lint for a small aerospace supplier. It is real money before anyone ships a single bracket or cable harness.
Artemis was already expensive before cybersecurity became a scheduling variable. NASA's Office of Inspector General said Artemis campaign costs were expected to reach $93 billion between fiscal years 2012 and 2025. SpaceNews reported that NASA pegs each SLS and Orion mission at roughly $4.1 billion and called that figure unsustainable in its current form. Add six-figure compliance costs and uncertain audit capacity to that backdrop, and the story starts looking like another way large incumbents get an easier life than smaller suppliers.
There is an important limit here. CMMC is a Defense Department regime, not a NASA policy, and not every company facing it is an Artemis dependency. The clean version of the argument is narrower. Artemis depends on the same defense-linked manufacturing base that federal aerospace programs use more broadly. If that supplier layer gets more expensive to stay in, or harder to certify on time, flagship space programs inherit the fragility whether they asked for it or not.
SpaceNews argued that this pressure is arriving while Artemis also faces proposed budget cuts. Even without leaning too hard on that line, the structural point holds. Big programs usually fail noisily at launch, on orbit, or in a budget hearing. Supplier ecosystems tend to fail earlier and quieter. They fail when one more compliance bill makes a small contractor decide defense work is not worth the trouble.
Artemis 2 gave NASA the picture every moon program wants: the spacecraft came home and the mission worked. Artemis 3 has to survive the part hardware people worry about more. Not the splashy failure. The spreadsheet failure underneath it.