Half of Organizations Lack Centralized Data Governance as Defense Contractors Prepare for CMMC 2.0

Kiteworks, which empowers organizations to effectively manage risk in every send, share, receive, and use of private data, today announced findings from its 2025 Data Security and Compliance Risk: Annual Survey Report revealing significant governance challenges facing defense contractors as they prepare for CMMC 2.0 requirements. 

The survey of 461 organizations across industries found that only 56% have fully implemented end-to-end encryption for all sensitive data, and just over 50% have centralized governance processes. These gaps are particularly concerning for defense contractors handling controlled unclassified information (CUI), as CMMC 2.0 demands comprehensive governance and security controls across the entire supply chain. 

“The data reveals a fundamental challenge for defense contractors,” said Frank Balonis, CISO and SVP of Operations at Kiteworks. “Without proper governance controls in place, organizations cannot demonstrate the comprehensive CUI protection that CMMC requires. The path to compliance starts with understanding and controlling your data landscape.” 

Core Governance Gaps Threaten CMMC Readiness 

The research identifies critical gaps that directly impact CMMC compliance: 

Incomplete Security Foundations: Defense contractors face significant challenges in implementing the basic security controls CMMC requires. The finding that only 56% have achieved full end-to-end encryption means nearly half of organizations cannot guarantee CUI protection in transit and at rest—a fundamental CMMC requirement. The reliance on manual processes at 65% of organizations adds further risk: manual workflows increase the likelihood of human error, make continuous monitoring nearly impossible, and complicate the audit trails CMMC assessors require.

Third-Party Ecosystem Blindness: The 42% of organizations lacking visibility into their third-party relationships represents a critical CMMC compliance gap. Defense contractors must demonstrate control over CUI wherever it resides, including with subcontractors and vendors. The research reveals a troubling pattern based on ecosystem size: 

· Small ecosystems (<500 partners): While 43% can detect breaches within seven days, even this “best case” means the majority take longer than a week to identify compromises

· Mid-sized ecosystems (1,001-5,000 partners): Face a perfect storm, with 46% reporting increased supply chain vulnerabilities and detection windows stretching 31-90 days

· Large ecosystems (>5,000 partners): 31% require more than 90 days to detect breaches, during which CUI could be exfiltrated, modified, or destroyed without the contractor’s knowledge

These detection delays are particularly problematic under CMMC 2.0, which requires timely incident reporting and response capabilities. For organizations with the largest partner networks, costs frequently exceed $5 million when breaches occur. 

Emerging AI Governance Crisis: The gap between AI monitoring and governance presents a new challenge for CMMC compliance. While 64% of organizations track AI-generated content, only 17% have implemented technical governance frameworks to control how AI systems handle data. This 47-point gap is concerning because: 

· AI systems can inadvertently process, store, or transmit CUI without proper classification

· Generative AI tools may expose CUI through training data or outputs

· Among organizations unaware of their AI usage, 36% have no privacy-enhancing technologies in place

For defense contractors, this means AI could create undocumented CUI flows that violate CMMC requirements for data inventory and control. 

Advanced Privacy Technology Adoption Remains Limited

The finding that 9% of organizations have zero privacy-enhancing technology (PET) deployment, while 43% use only basic measures like data minimization, reveals a significant gap in defense-in-depth strategies. Advanced technologies like Secure Multi-Party Computation, Zero-Trust Exchange, and Confidential Computing—each under 35% adoption—could provide additional CUI protection layers that demonstrate security maturity to CMMC assessors.

Geographic Distribution and Implications

The global distribution of respondents (32% North America, 42% Europe, 17% Asia-Pacific, 10% Middle East/Africa) highlights the international nature of defense supply chains. This geographic spread complicates CMMC compliance, as contractors must ensure consistent governance controls across all locations where CUI might be processed or stored.

Building CMMC-Ready Governance: A Practical Roadmap 

Based on the findings, defense contractors must take specific actions to address governance gaps: 

1. Complete the Encryption Foundation

o Move from 56% to 100% end-to-end encryption coverage

o Implement encryption for data at rest, in transit, and in processing

o Establish key management procedures that meet CMMC requirements

2. Automate Data Governance Processes

o Replace the 65% manual workflows with automated systems

o Implement continuous compliance monitoring

o Centralize audit log trails that demonstrate ongoing control effectiveness

3. Gain Complete Third-Party Visibility

o Address the 42% visibility gap by inventorying all external parties with potential CUI access

o Map data flows between organizations

o Implement contractual controls and regular assessments

o Prioritize based on risk: focus first on partners with direct CUI access

4. Establish AI Governance Frameworks

o Close the 47-point gap between AI tracking (64%) and governance (17%)

o Implement technical controls to prevent AI systems from processing CUI

o Create policies for AI tool approval and usage

o Monitor AI-generated outputs for potential CUI exposure

5. Deploy Layered Privacy Technologies

o Move beyond the 9% with zero PET deployment

o Implement technologies appropriate to data sensitivity levels

o Consider advanced options for high-value CUI protection

“CMMC 2.0 compliance isn’t just about checking boxes—it’s about demonstrating mature, consistent governance across your entire data ecosystem,” concluded Balonis. “The gaps revealed in our research show that many defense contractors have significant work ahead. Those who act now to close these governance gaps position themselves not just for compliance, but for competitive advantage in the defense industrial base.”

Read the full 2025 Data Security and Compliance Risk: Annual Survey Report here.

About Kiteworks 

Kiteworks’ mission is to empower organizations to effectively manage risk in every send, share, receive, and use of private data. The Kiteworks platform provides customers with a Private Data Network that delivers data governance, compliance, and protection. The platform unifies, tracks, controls, and secures sensitive data moving within, into, and out of their organization, significantly improving risk management and ensuring regulatory compliance on all private data exchanges. Headquartered in Silicon Valley, Kiteworks protects over 100 million end-users and over 1,500 global enterprises and government agencies.