CMMC

Achieve Cybersecurity Maturity Model Certification with tiered security controls protecting controlled unclassified information for defense contractors.

How Kiteworks Supports CMMC Compliance

The Cybersecurity Maturity Model Certification (CMMC) 2.0 framework establishes cybersecurity standards for the Defense Industrial Base (DIB), requiring defense contractors and subcontractors to implement specific security controls to protect Controlled Unclassified Information (CUI) and Federal Contract Information (FCI). Kiteworks provides a comprehensive platform that supports organizations in achieving CMMC certification across all three maturity levels, with particular strength in the data protection and communication security domains.

CMMC 2.0 Three-Level Model

CMMC 2.0 streamlines the original five-level model into three levels, each building on the previous:

  • Level 1 (Foundational): the 15 basic safeguarding requirements of FAR 52.204-21 (counted as 17 practices in early CMMC 2.0 materials). Assessment: annual self-assessment with an annual affirmation. Kiteworks support: full coverage of the basic safeguarding requirements.
  • Level 2 (Advanced): the 110 security requirements of NIST SP 800-171. Assessment: third-party assessment by a C3PAO every three years for most contracts (a self-assessment is permitted for a limited set of programs), with annual affirmations in between. Kiteworks support: comprehensive support for all 110 requirements.
  • Level 3 (Expert): the 110 Level 2 requirements plus 24 selected requirements from NIST SP 800-172. Assessment: government-led assessment by DIBCAC, on top of a Level 2 C3PAO assessment. Kiteworks support: advanced security capabilities for the highest-sensitivity contracts.

CUI Protection and Marking

Protecting Controlled Unclassified Information is at the heart of CMMC. Kiteworks provides comprehensive CUI protection through:

  • Content Classification: Tag and categorize CUI according to the CUI Registry categories and subcategories.
  • Automated Policy Enforcement: Apply appropriate security controls automatically based on CUI markings.
  • Dissemination Controls: Enforce distribution limitations and handling instructions associated with CUI categories.
  • DRM Protection: Prevent unauthorized copying, printing, or redistribution of CUI documents.

NIST SP 800-171 Control Mapping

CMMC Level 2 directly maps to the 110 security requirements in NIST SP 800-171. Kiteworks addresses controls across all 14 families, with particularly strong coverage in the following critical areas:

Access Control (AC Family)

The AC family contains 22 requirements. Those that Kiteworks addresses most directly include:

  • Limit system access to authorized users, processes, and devices (AC.L1-3.1.1)
  • Limit system access to authorized transaction types and functions (AC.L1-3.1.2)
  • Control the flow of CUI in accordance with approved authorizations (AC.L2-3.1.3)
  • Separate duties of individuals to reduce risk (AC.L2-3.1.4)
  • Employ the principle of least privilege (AC.L2-3.1.5)
  • Use non-privileged accounts for non-security functions (AC.L2-3.1.6)

Audit and Accountability (AU Family)

Kiteworks provides robust audit capabilities meeting all 9 AU family requirements:

  • Create and retain audit records: Comprehensive logging of all CUI access, sharing, and modification events.
  • Ensure individual accountability: All actions tied to authenticated user identities.
  • Review and update audit events: CISO dashboard enables regular review of audit logs and security events.
  • Alert on audit process failure: Automated notifications when audit logging encounters errors.
  • Protect audit information: Immutable, tamper-evident audit records with configurable retention.

Configuration Management (CM Family)

Kiteworks supports configuration management through:

  • Centralized configuration baselines for all system components
  • Change management controls tracking all configuration modifications
  • Security impact analysis of proposed changes
  • Automated enforcement of approved configuration settings

Identification and Authentication (IA Family)

Strong identification and authentication is critical for CMMC. Kiteworks provides:

  • Multi-factor authentication for all CUI access
  • Replay-resistant authentication mechanisms
  • Password complexity and rotation enforcement
  • Integration with enterprise identity providers (SAML, LDAP, Active Directory)

System and Communications Protection (SC Family)

The SC family is one of the larger control families, with 16 requirements. Kiteworks addresses these through:

  • FIPS 140-validated encryption: AES-256 at rest and TLS 1.2/1.3 in transit
  • Boundary protection: Built-in WAF, network firewall, and intrusion detection
  • Network segmentation: Secure separation of CUI processing environments
  • Collaborative computing restrictions: Controlled sharing with granular permissions

FedRAMP Equivalence

For cloud services that store, process, or transmit CUI, DoD requires a FedRAMP Moderate authorization (or a DoD-accepted equivalent), a requirement carried over from DFARS 252.204-7012 into the CMMC 2.0 rule. Kiteworks' FedRAMP High authorization exceeds that baseline and demonstrates:

  • Compliance with the 421 NIST SP 800-53 security controls in the FedRAMP High baseline
  • Independent third-party assessment by accredited 3PAOs
  • Continuous monitoring and annual reassessment
  • Government-validated security posture for handling CUI in the cloud

DFARS 252.204-7012 Compliance

The Defense Federal Acquisition Regulation Supplement clause 252.204-7012 requires contractors to:

  • Provide adequate security for covered defense information, implementing NIST SP 800-171 on the covered contractor information systems
  • Report cyber incidents to the DoD within 72 hours of discovery
  • Submit any malicious software isolated during the incident to the DoD Cyber Crime Center (DC3)
  • Preserve and protect images of all known affected systems, and relevant monitoring and packet-capture data, for at least 90 days from submission of the incident report

Kiteworks supports all of these requirements through its comprehensive security controls, real-time alerting, forensic logging, and incident response capabilities. By deploying Kiteworks, defense contractors can accelerate their path to CMMC certification while ensuring the protection of CUI throughout their supply chain.