FAR/DFARS Compliance Costs Drive Commercial Tech Companies Away from Defense
The Federal Acquisition Regulation (FAR) and its Defense supplement (DFARS) comprise over 5,000 pages of procurement rules governing everything from cost accounting standards to cybersecurity requirements to how contractors track and report their labor hours. Compliance with these regulations requires specialized accounting systems (CAS-compliant), legal teams versed in government contract law, cybersecurity infrastructure meeting NIST 800-171/CMMC standards, and administrative overhead that commercial companies consider incompatible with their business models.
This matters because the most innovative technology companies in the world -- the ones building the AI, autonomy, cybersecurity, and advanced computing capabilities that the military desperately needs -- refuse to do business with the Pentagon. Google pulled out of Project Maven. Microsoft employees protested HoloLens for IVAS. Palantir spent years fighting to even be allowed to compete. These high-profile cases are the tip of an iceberg: thousands of commercial tech companies never even consider defense work because the compliance burden would require them to fundamentally restructure their businesses.
The consequence is that the military is increasingly reliant on a shrinking pool of traditional defense contractors who specialize in compliance rather than innovation. These firms are excellent at navigating the FAR/DFARS but often deliver technology that is a generation behind commercial state-of-the-art. The soldier in 2025 uses mission planning software that looks and feels like it was designed in 2010 because the companies that build modern software will not endure the compliance gauntlet required to sell it to DoD.
The structural reason this persists is that each FAR/DFARS clause exists for a legitimate reason. CAS requirements prevent cost mischarging. DFARS cybersecurity clauses protect classified and controlled unclassified information. Buy American provisions protect domestic manufacturing. Individually, each regulation is defensible. Collectively, they create a compliance environment so burdensome that it functions as a moat protecting incumbent contractors from commercial competition.
The CMMC (Cybersecurity Maturity Model Certification) program, intended to strengthen supply chain security, has become a case study in this dynamic. Achieving even Level 2 certification requires investments of $100,000 to $500,000 for a small company, with ongoing annual costs. The Pentagon acknowledges the problem and has created vehicles like Other Transaction Authorities and the DIU to bypass FAR/DFARS, but these remain a tiny fraction of total procurement. The fundamental tension between accountability and agility remains unresolved.
Evidence
The FAR is codified in 48 CFR Parts 1-53 and DFARS in 48 CFR Parts 201-253, totaling over 5,000 pages. A 2019 Section 809 Panel report to Congress recommended 98 specific reforms to reduce acquisition bureaucracy: https://section809panel.org/. The CMMC cost estimates come from the DoD's own regulatory impact analysis published with the CMMC 2.0 proposed rule in December 2023. A 2021 NSCAI (National Security Commission on AI) report warned that 'the Department of Defense's acquisition system was not designed to keep pace with the commercial tech sector' -- https://www.nscai.gov/2021-final-report/.