
Nearly half of the organizations in the defense industrial base (DIB) are unprepared to meet looming cybersecurity standards under the Pentagon’s finalized Cybersecurity Maturity Model Certification (CMMC) rule, a new Kiteworks survey warns.
The CMMC rule of the Department of Defense (DOD), which the Trump administration has rebranded as the Department of War, goes into effect on Nov. 10, initiating a phased rollout of mandatory cybersecurity standards across the DIB.
After years in development, the DOD finalized a rule earlier this month that formally enforces CMMC standards in defense contracts, marking a pivotal shift from voluntary policy to mandatory requirements across the defense industrial base. Published in the Federal Register for public inspection, the rule amends the Defense Federal Acquisition Regulation Supplement roughly a year after CMMC’s release in October 2024.
The rule, affecting more than 337,000 organizations – nearly 230,000 of which are small businesses – requires defense contractors to implement cybersecurity measures tailored to the sensitivity of the information they manage, from basic protections for Federal Contract Information to stricter safeguards for Controlled Unclassified Information (CUI).
However, a survey of 461 organizations within the defense industrial base by Kiteworks found that nearly half are not yet prepared to meet the new standards. The report shows that 44% of respondents lack full end-to-end encryption for sensitive data, while 42% have limited visibility into their third-party ecosystems – creating potential blind spots in supply chain security.
In addition, 65% of respondents still rely on manual processes to manage compliance, a factor that complicates audit readiness and undermines continuous monitoring.
The report also raises concerns about the growing use of artificial intelligence in contractor environments. Only 17% of organizations reported having AI governance frameworks in place, despite widespread AI adoption that can lead to undocumented flows of sensitive data.
The survey also found that many organizations are still unable to guarantee the protection of CUI during storage and transmission. In larger ecosystems, some contractors reported detection delays exceeding 90 days, meaning potential exposures of sensitive data may go unnoticed for months.
The report also highlights a significant gap between AI deployment and risk oversight, noting that current governance practices are not keeping pace with technological adoption. Furthermore, fewer than 35% of respondents said they use advanced privacy-enhancing technologies such as zero trust exchange or confidential computing.
To close these gaps, the report urges defense contractors to accelerate the adoption of automated governance systems, implement full encryption for all CUI, conduct continuous monitoring of third-party relationships, and establish comprehensive frameworks to govern AI use.
While the Pentagon hails the finalization of CMMC as a major milestone, the program’s development has faced years of industry pushback, multiple revisions, and ongoing concerns over cost and regulatory burden.
Originally introduced during the first Trump administration, CMMC drew criticism for its complexity, prompting the streamlined CMMC 2.0 revision, which reduced certification levels and eased some assessment requirements.
But with the Nov. 10 deadline approaching, defense contractors have limited time to assess their cybersecurity programs and close critical compliance gaps – failure to meet CMMC requirements could jeopardize their eligibility for future DOD contracts.