San Mateo, CA – November 6, 2025 – With just five days remaining until the Department of Defense’s (DoD) Cybersecurity Maturity Model Certification (CMMC) rule goes live on Nov. 10, 2025, Kiteworks is urging defense contractors to act immediately to close critical cybersecurity and governance gaps. The finalized CMMC rule, amending the Defense Federal Acquisition Regulation Supplement (DFARS), embeds mandatory cybersecurity requirements into all applicable DoD contracts, including obligations that flow to subcontractors.
According to Kiteworks’ 2025 Data Security & Compliance Risk: Annual Survey Report, which analyzed 104 organizations actively pursuing CMMC 2.0 certification, critical gaps among defense contractors include:
- 44–56% lack full end-to-end encryption for sensitive data
- 42–39% lack visibility into third-party ecosystems
- 65% rely on manual compliance processes, limiting audit readiness
- Only 17% have formal AI governance frameworks, leaving Controlled Unclassified Information (CUI) exposed
The financial stakes are significant:
- Lost Contract Revenue: Unprepared contractors risk being barred from new and renewed DoD contracts, representing potential millions in lost revenue.
- Legal & Penalty Exposure: Misrepresenting compliance or failing audits can trigger substantial legal and contractual penalties, including potential exclusion from future contracts.
- Operational & Security Costs: Non-compliance increases exposure to cyber breaches, ransomware, and supply chain disruption, leading to millions in remediation costs, lost productivity, and reputational damage.
“With only five days until Nov. 10, contractors can’t afford to wait,” said Frank Balonis, CISO and SVP of Operations at Kiteworks. “CMMC compliance is no longer optional — organizations must implement robust governance, encryption, and monitoring controls immediately or face lost contracts, legal penalties, and operational disruption.”
Immediate Action Steps for Contractors
Kiteworks recommends defense contractors take the following steps to prepare for Nov. 10 and beyond:
- Implement End-to-End Encryption across all CUI and sensitive data flows.
- Replace Manual Compliance Processes with automated governance and continuous monitoring.
- Inventory and Monitor Third-Party Relationships to ensure CUI protection across the supply chain.
- Establish AI Governance Frameworks to track, control, and secure AI-generated CUI.
- Adopt Advanced Privacy and Security Technologies such as zero-trust, confidential computing, and secure file-sharing platforms.
- Document Policies and Controls to provide verifiable evidence for CMMC assessments and SPRS reporting.
Kiteworks Solutions for Rapid Compliance
The Kiteworks Private Data Network delivers nearly 90% of CMMC Level 2 controls out-of-the-box, helping contractors:
- Implement end-to-end encryption and automated governance
- Gain continuous monitoring and audit-ready oversight
- Demonstrate verifiable compliance to prime contractors and CMMC assessors
“Defense contractors who act now don’t just avoid penalties — they gain competitive advantage, strengthen supply chain trust, and protect national security interests,” Balonis added.
Read the full 2025 Data Security and Compliance Risk: Annual Survey Report here.
About Kiteworks
Kiteworks’ mission is to empower organizations to effectively manage risk in every send, share, receive, and use of private data. The Kiteworks platform provides customers with a Private Data Network that delivers data governance, compliance, and protection. The platform unifies, tracks, controls, and secures sensitive data moving within, into, and out of their organization, significantly improving risk management and ensuring regulatory compliance on all private data exchanges. Headquartered in Silicon Valley, Kiteworks protects over 100 million end-users and over 1,500 global enterprises and government agencies.
Media Contact:
David Schutzman
PR Manager, Kiteworks
