Half of Organizations Lack Centralized Data Governance as Defense Contractors Prepare for CMMC 2.0

New Kiteworks Data Security and Compliance Risk: Annual Survey Report reveals critical gaps facing defense industrial base

SAN MATEO, CA, UNITED STATES, September 9, 2025 /EINPresswire.com/ -- Kiteworks, which empowers organizations to effectively manage risk in every send, share, receive, and use of private data, today announced findings from its 2025 Data Security and Compliance Risk: Annual Survey Report revealing significant governance challenges facing defense contractors as they prepare for CMMC 2.0 requirements.

The survey found that only 56% have fully implemented end-to-end encryption for all sensitive data, and just over half have centralized governance processes. These gaps are particularly concerning for defense contractors handling controlled unclassified information (CUI), as CMMC 2.0 demands comprehensive governance and security controls across the entire supply chain. Note: While the full survey examined 461 organizations across industries, analysis of the 104 organizations actively pursuing CMMC 2.0 certification reveals specific challenges for the defense industrial base.

"The data reveals a fundamental challenge for defense contractors," said Frank Balonis, CISO and SVP of Operations at Kiteworks. "Without proper governance controls in place, organizations cannot demonstrate the comprehensive CUI protection that CMMC requires. The path to compliance starts with understanding and controlling your data landscape."

Core Governance Gaps Threaten CMMC Readiness
Incomplete Security Foundations. Defense contractors pursuing CMMC 2.0 face significant challenges in implementing foundational security controls. Among the 104 CMMC organizations surveyed, encryption implementation varies dramatically by organization size, with larger enterprises showing concerning gaps. Only 38% of organizations over 20,000 employees achieve top-tier encryption (76-100% coverage), compared to 59% of mid-market firms (5,000-9,999 employees).

The governance tracking gap reveals heavy reliance on manual processes: While 95% of CMMC organizations track some effectiveness metrics, only 38% have instituted comprehensive governance control and tracking systems. This 57-percentage-point gap indicates widespread dependence on manual workflows that increase the likelihood of human error, complicate continuous monitoring, and make it harder to produce the audit trails that CMMC assessors require. Organizations without governance tracking show rates of low-encryption outcomes that are 5 percentage points higher (20% vs. 15%), directly impacting their ability to demonstrate the comprehensive CUI protection CMMC demands.

Third-Party Ecosystem Blindness. CMMC-pursuing organizations struggle with supplier risk management despite facing identical supply chain complexity to other industries. The 104 CMMC organizations show nearly identical supplier distributions to the general population, yet vendor compliance ranks as their second-highest challenge (73 out of 100 score) with 39% citing it as a top concern—7 percentage points higher than non-CMMC organizations.

Critical gaps emerge in contractual governance: Only 22% of CMMC organizations implement contractual security requirements with suppliers, below the 27% industry average. This represents a fundamental compliance risk, as defense contractors must demonstrate control over CUI across their entire ecosystem.

Emerging AI Governance Crisis. The challenge of data inventory accuracy affects 27% of CMMC organizations, ranking sixth among seven key challenges, suggesting that while most have basic inventory controls, the complexity of tracking AI-generated content and ensuring proper CUI classification remains problematic.

The measurement discipline gap reveals the core concern: Organizations tracking effectiveness metrics show 6 percentage points fewer severe encryption gaps (19% vs. 25%), indicating that unmeasured AI usage could create undocumented CUI flows. This is particularly concerning because:

- AI systems can inadvertently process, store, or transmit CUI without proper classification
- Generative AI tools may expose CUI through training data or outputs
- Organizations without comprehensive governance tracking cannot demonstrate the continuous monitoring of AI-data interactions that CMMC assessors require

Geographic Distribution and Implications. The geographic distribution of CMMC-pursuing respondents (63% North America, 11% Europe, 20% Asia-Pacific, 7% Middle East/Africa) highlights the concentration of defense supply chain activity and reveals significant regional readiness disparities. The regional breakdown reveals concerning preparation gaps: Europe's surprisingly low 11% representation given NATO partnerships suggests potential awareness gaps, while Asia-Pacific's 20% participation is driven primarily by technology and manufacturing partners in allied nations. Middle East engagement remains limited at 7%, reflecting current market dynamics. Critically, 51% of all CMMC respondents managing international data flows report increased complexity in policy development and control implementation, creating additional compliance challenges for organizations operating across multiple jurisdictions where CUI might be processed or stored.

"CMMC 2.0 compliance isn't just about checking boxes—it's about demonstrating mature, consistent governance across your entire data ecosystem," concluded Balonis. "The gaps revealed in our research show that many defense contractors have significant work ahead. Those who act now to close these governance gaps position themselves not just for compliance, but for competitive advantage in the defense industrial base."

Read the CMMC Report: Over Half of DoD Suppliers Fail With Their Governance Controls here.

About Kiteworks
Kiteworks' mission is to empower organizations to effectively manage risk in every send, share, receive, and use of private data. The Kiteworks platform provides customers with a Private Data Network that delivers data governance, compliance, and protection. The platform unifies, tracks, controls, and secures sensitive data moving within, into, and out of their organization, significantly improving risk management and ensuring regulatory compliance on all private data exchanges. Headquartered in Silicon Valley, Kiteworks protects over 100 million end-users and over 1,500 global enterprises and government agencies.

David Schutzman
Kiteworks
+1 203-550-8551