Half of Defense Contractors Unprepared for Key Regulation

Critical risks abound for Controlled Unclassified Information.


Kiteworks recently issued a warning to defense contractors following the Department of Defense (DoD) announcement that it has finalized its Cybersecurity Maturity Model Certification (CMMC) rule, amending the Defense Federal Acquisition Regulation Supplement (DFARS). The rule takes effect November 9, 2025, with compliance mandates that will roll out over the next three years.

The rule impacts more than 337,000 organizations—including nearly 230,000 small businesses—requiring contractors to achieve CMMC Levels 1–3 depending on the sensitivity of information handled, with mandatory flowdown requirements for subcontractors. Contractors must conduct self-assessments, undergo certification, and submit ongoing reporting in the Supplier Performance Risk System (SPRS).

Against this backdrop, Kiteworks’ 2025 Data Security and Compliance Risk: CMMC Report reveals that many defense contractors remain underprepared for CMMC 2.0 requirements. The survey found that:

  • 44 percent lack full end-to-end encryption for sensitive data.
  • 42 percent lack visibility into their third-party ecosystem, creating blind spots in supply chain security.
  • 65 percent rely on manual processes, which undermine continuous monitoring and complicate audit readiness.
  • Only 17 percent have AI governance frameworks in place, despite widespread AI adoption that can create undocumented CUI flows.

“These findings should sound the alarm for every defense contractor,” said Frank Balonis, CISO and SVP of Operations at Kiteworks. “The DoD’s CMMC rule is now final, the clock is ticking, and too many organizations lack the governance controls required to protect CUI. Without urgent action, they face compliance failure, contract loss, and increased risk of breaches.”

Balonis added: “The new CMMC rule fundamentally transforms defense supply chain cybersecurity, making advanced security and comprehensive data governance essential as nation-state actors increasingly target contractors to access sensitive government systems through inadequate perimeter-based defenses.

“With Controlled Unclassified Information (CUI) and Federal Contract Information (FCI) flowing through complex multi-contractor supply chains, any compromise directly threatens national security, forcing organizations to implement enterprise-grade protections or face exclusion from DoD contracts.”

Next Steps

To close these gaps before November 9, Kiteworks advises organizations to:

  1. Achieve 100 percent end-to-end encryption across all CUI.
  2. Replace manual workflows with automated governance and monitoring systems.
  3. Inventory and monitor all third-party relationships with CUI exposure.
  4. Establish AI governance frameworks to prevent unmonitored CUI flows.
  5. Adopt layered privacy-enhancing technologies to demonstrate maturity to CMMC assessors.

For more information, take a look at the full Kiteworks CMMC Report.
