Kiteworks Report Warns Half of Organizations Unprepared for DoD's Finalized CMMC Rule

The rule, which amends the DFARS, takes effect November 9, 2025, initiating a phased rollout over the next three years.
Oct. 9, 2025

Kiteworks is urging defense contractors to accelerate their cybersecurity and compliance readiness following the Department of Defense (DoD) announcement finalizing the Cybersecurity Maturity Model Certification (CMMC) rule. The rule, which amends the Defense Federal Acquisition Regulation Supplement (DFARS), takes effect November 9, 2025, initiating a phased rollout over the next three years.

The regulation applies to more than 337,000 contractors and subcontractors, including nearly 230,000 small businesses, and mandates certification at CMMC Levels 1–3 based on the type and sensitivity of information managed. Organizations must perform self-assessments, undergo third-party certification, and maintain ongoing reporting through the Supplier Performance Risk System (SPRS).

In its newly released 2025 Data Security and Compliance Risk: CMMC Report, Kiteworks warns that many contractors remain unprepared for the scale and rigor of CMMC 2.0 requirements.

The report, which surveyed 461 organizations across sectors, found several key gaps:

  • 44% lack full end-to-end encryption for sensitive data, a baseline CMMC requirement.

  • 42% lack visibility into their third-party ecosystems, creating blind spots across supply chains.

  • 65% rely on manual security and compliance processes, limiting continuous monitoring and complicating audit readiness.

  • Only 17% have formal AI governance frameworks, even as artificial intelligence tools increasingly handle Controlled Unclassified Information (CUI).

"These findings should sound the alarm for every defense contractor," said Frank Balonis, CISO and SVP of Operations at Kiteworks. "The DoD’s CMMC rule is now final, the clock is ticking, and too many organizations lack the governance controls required to protect CUI. Without urgent action, they face compliance failure, contract loss, and increased risk of breaches.

"The new CMMC rule fundamentally transforms defense supply chain cybersecurity, making advanced security and comprehensive data governance essential as nation-state actors increasingly target contractors to access sensitive government systems through inadequate perimeter-based defenses. With Controlled Unclassified Information (CUI) and Federal Contract Information (FCI) flowing through complex multi-contractor supply chains, any compromise directly threatens national security, forcing organizations to implement enterprise-grade protections or face exclusion from DoD contracts."

Kiteworks' analysis highlights a concerning readiness gap among defense contractors, particularly small and mid-sized firms that often rely on legacy systems and manual workflows. As CMMC enforcement begins to take shape, organizations will be required to demonstrate verifiable compliance through structured assessments, encryption standards, and supply chain oversight.

"Modern defense contractors operate across multiple communication channels, cloud services, and collaboration tools, creating vulnerabilities that only advanced governance frameworks can address through real-time compliance monitoring and comprehensive data visibility," Balonis continued. "This shift recognizes that protecting defense information requires capabilities traditionally reserved for classified environments—basic cybersecurity measures no longer suffice against sophisticated persistent threats targeting the interconnected defense industrial base."

Key Compliance Risks Exposed by Kiteworks Research

  • Incomplete Security Foundations: Nearly half of organizations cannot guarantee CUI protection in transit and at rest.
  • Third-Party Blindness: Large ecosystems face detection delays exceeding 90 days, exposing CUI for months before discovery.
  • AI Governance Gaps: A 47-point gap between AI usage tracking and AI governance risks uncontrolled exposure of CUI.
  • Limited Adoption of Advanced Privacy Technologies: Only 35% or fewer use advanced PETs like Confidential Computing or Zero-Trust Exchange.

CMMC-Ready Governance: Urgent Next Steps for Defense Contractors

To close these gaps before November 9 and beyond, Kiteworks advises organizations to:

  1. Achieve 100% end-to-end encryption across all CUI.
  2. Replace manual workflows with automated governance and monitoring systems.
  3. Inventory and monitor all third-party relationships with CUI exposure.
  4. Establish AI governance frameworks to prevent unmonitored CUI flows.
  5. Adopt layered privacy-enhancing technologies to demonstrate maturity to CMMC assessors.

The company cautions that with the compliance deadline now set, defense contractors have limited time to implement the controls, documentation, and continuous monitoring capabilities needed to retain eligibility for DoD contracts.

Read the full Kiteworks report here: Kiteworks CMMC Report.
