Kiteworks
Kiteworks is urging defense contractors to act immediately to close critical cybersecurity and governance gaps. The finalized CMMC rule, amending the Defense Federal Acquisition Regulation Supplement (DFARS), embeds mandatory cybersecurity requirements into all applicable DoD contracts, including obligations that flow to subcontractors.
According to Kiteworks’ 2025 Data Security & Compliance Risk: Annual Survey Report, which analyzed 104 organizations actively pursuing CMMC 2.0 certification, critical gaps among defense contractors include:
- 44–56% lack full end-to-end encryption for sensitive data
- 42–39% lack visibility into third-party ecosystems
- 65% rely on manual compliance processes, limiting audit readiness
- Only 17% have formal AI governance frameworks, leaving Controlled Unclassified Information (CUI) exposed
The financial stakes are significant:
- Lost contract revenue: Unprepared contractors risk being barred from new and renewed DoD contracts, representing potential millions in lost revenue.
- Legal & penalty exposure: Misrepresenting compliance or failing audits can trigger substantial legal and contractual penalties, including potential exclusion from future contracts.
- Operational & security costs: Non-compliance increases exposure to cyber breaches, ransomware, and supply chain disruption, leading to millions in remediation costs, lost productivity, and reputational damage.
“Contractors can’t afford to wait,” says Frank Balonis, CISO and SVP of Operations at Kiteworks. “CMMC compliance is no longer optional — organizations must implement robust governance, encryption, and monitoring controls immediately or face lost contracts, legal penalties, and operational disruption.”
Immediate action steps for contractors
Kiteworks recommends defense contractors take the following steps to prepare for Nov. 10 and beyond:
1. Implement End-to-End Encryption across all CUI and sensitive data flows.
2. Replace Manual Compliance Processes with automated governance and continuous monitoring.
3. Inventory and Monitor Third-Party Relationships to ensure CUI protection across the supply chain.
4. Establish AI Governance Frameworks to track, control, and secure AI-generated CUI.
5. Adopt Advanced Privacy and Security Technologies such as zero-trust, confidential computing, and secure file-sharing platforms.
6. Document Policies and Controls to provide verifiable evidence for CMMC assessments and SPRS reporting.
Kiteworks solutions for rapid compliance
The Kiteworks Private Data Network delivers nearly 90% of CMMC Level 2 controls out-of-the-box, helping contractors:
- Implement end-to-end encryption and automated governance
- Gain continuous monitoring and audit-ready oversight
- Demonstrate verifiable compliance to prime contractors and CMMC assessors
“Defense contractors who act now don’t just avoid penalties — they gain competitive advantage, strengthen supply chain trust, and protect national security interests,” Balonis adds.
Read the full 2025 Data Security and Compliance Risk: Annual Survey Report here.