By Frank Balonis, CISO and SVP of Operations, Kiteworks
The Cybersecurity Maturity Model Certification (CMMC) 2.0 framework represents the Department of Defense’s response to escalating cybersecurity threats targeting the defense industrial base (DIB). In my dual role as CISO and SVP of Operations at Kiteworks, I’ve observed firsthand the challenges organizations face when navigating the complex landscape of compliance requirements. Recent research by Kiteworks and Coalfire—which analyzed readiness patterns across the defense sector—reveals a striking finding: organizations that perform thorough gap analysis are three times more likely to successfully implement required security controls for CMMC certification.
This statistic underscores what is at stake for the approximately 300,000 organizations in the defense supply chain. CMMC 2.0 isn’t merely a regulatory hurdle—it’s a critical framework for protecting sensitive defense information and strengthening national security. In this article, we examine the most significant compliance gaps identified in our research and offer actionable strategies for addressing them, drawing from our experience helping defense contractors achieve and maintain CMMC compliance.
Documentation Divide
One of the most concerning findings from our research is the substantial gap between security implementation and documentation. While 83% of organizations could verify compliance with required security controls, only 49% had properly documented their security practices. This 34-percentage-point documentation gap creates significant vulnerabilities and compliance risks.
The consequences of inadequate documentation extend far beyond administrative concerns. Our data reveals that organizations with incomplete documentation are an astounding 30 times more likely to experience material security vulnerabilities. This is particularly troubling given that CMMC assessors will require documented evidence for all security controls.
In our work with defense contractors, we’ve repeatedly encountered the same scenario: security teams implement robust controls but fail to document their configurations, testing procedures, or incident response protocols. When preparing for assessment, these organizations must scramble to recreate documentation, and in doing so they often discover previously unidentified weaknesses in their security controls that could have been addressed far earlier in the implementation process.
Medium-Sized Contractor Challenges
Medium-sized firms face particularly steep challenges in CMMC readiness. Our research found that enterprises with 500 to 5,000 employees demonstrate a 50% compliance shortfall in external partner engagement. This gap is especially problematic given the interconnected nature of defense supply chains.
These organizations typically face a perfect storm of challenges: their systems are complex enough to require sophisticated security controls, yet they lack the extensive resources of larger defense contractors. Many medium-sized firms struggle to dedicate staff solely to compliance efforts, instead distributing responsibilities across already-stretched IT teams.
At Kiteworks, we’ve developed specific approaches for this segment, focusing on automating documentation processes and streamlining partner risk assessments. By implementing structured information-sharing mechanisms and standardized assessment protocols, medium-sized contractors can significantly improve their compliance posture without overwhelming their resources.
Budget Considerations and ROI
Consistent budgeting emerges as a critical factor in CMMC readiness. Organizations with dedicated and consistent cybersecurity budgets achieve certification readiness 67% faster than those with sporadic funding models. Similarly, our research shows properly resourced CMMC initiatives reduce time-to-compliance by 41%, translating to approximately 12 to 24 months of saved effort.
The ROI calculation extends beyond mere compliance—it encompasses risk reduction, competitive advantage, and business continuity. From our experience helping enterprises develop CMMC budgeting strategies, we’ve observed that the most successful organizations view compliance expenditures as investments rather than costs.
The data clearly demonstrates that organizations following a strategic approach to compliance achieve better outcomes with more efficient resource utilization. By properly planning and consistently funding CMMC initiatives, organizations can avoid the costly cycle of reactive remediation that often follows unplanned or underfunded compliance efforts.
Technical Security Controls
Advanced documentation, encryption, and third-party controls represent another critical area where many organizations fall short. Our research indicates that 75% of organizations with fully documented cybersecurity policies demonstrate stronger security postures and significantly higher assessment readiness.
Encryption represents a particular challenge for many defense contractors. While most implement baseline encryption for data in transit, CMMC requirements for data at rest, proper key management, and implementation documentation present significant hurdles. Additionally, managing third-party security risks through vendor assessments, contract vehicles, and monitoring mechanisms remains a weak point for many organizations.
In our experience, the most effective encryption implementations incorporate both technical controls and governance frameworks. This includes establishing clear data classification schemes, implementing role-based access controls, and creating auditable documentation of encryption methodologies. Organizations that systematically address these elements demonstrate significantly higher CMMC assessment readiness.
Executive Engagement: The Leadership Factor
Executive sponsorship proves to be a decisive factor in successful CMMC implementation. Organizations with active C-suite involvement report higher rates of gap identification, more accurate security assessments, and more efficient remediation processes.
As a CISO, I’ve witnessed dramatic differences in program effectiveness based on leadership engagement. When executives understand CMMC requirements as business imperatives rather than technical mandates, compliance initiatives receive the visibility, resources, and cross-functional support they require. Effective executive sponsors establish clear accountability, remove organizational roadblocks, and align CMMC efforts with broader business objectives.
One approach that has proven particularly effective is the establishment of a CMMC steering committee that includes representation from executive leadership, security teams, operations, legal, and procurement. This structure ensures alignment across the organization while maintaining the visibility needed for sustained progress.
Actionable Recommendations and Real-World Implementation
Based on our research findings and implementation experience, we recommend the following prioritized actions for organizations seeking CMMC certification:
1. Conduct a comprehensive gap assessment against the specific CMMC level requirements applicable to your organization. Remember that organizations with thorough gap analysis are 3x more likely to successfully implement required controls.
2. Establish a documentation framework that captures both existing controls and planned remediation efforts. Close the gap between your 83% implementation rate and your 49% documentation rate.
3. Implement Private Data Networks for secure information sharing and collaboration. A private data network is essential for maintaining data confidentiality while meeting the advanced documentation and third-party control requirements that 75% of successful organizations have mastered.
4. Develop consistent cybersecurity budgeting models that align with your compliance timeline, recognizing that properly resourced initiatives achieve compliance 41% faster.
5. Implement a third-party risk management program that evaluates supplier security practices, particularly for medium-sized organizations where partner engagement shows a 50% compliance shortfall.
6. Secure executive sponsorship for your CMMC program, ensuring leadership understands both compliance requirements and business implications.
By following these recommendations, organizations can systematically address their most critical compliance gaps and build a more robust security posture while preparing for successful certification. The research clearly shows that a methodical approach to CMMC readiness yields significantly better outcomes than ad-hoc compliance efforts.
Conclusion and Future Outlook
The CMMC 2.0 framework represents both a challenge and an opportunity for the defense industrial base. Organizations that approach compliance strategically—emphasizing thorough gap analysis, comprehensive documentation, consistent budgeting, and executive engagement—will not only achieve certification but strengthen their overall security posture.
As the threat landscape continues to evolve, CMMC requirements will likely adapt accordingly. Forward-thinking organizations should prepare for this eventuality by building adaptable compliance frameworks rather than point-in-time solutions.
Frank Balonis is chief information security officer and senior VP of operations and support at Kiteworks, with more than 20 years of experience in IT support and services. Since joining Kiteworks in 2003, Balonis has overseen technical support, customer success, corporate IT, security, and compliance, collaborating with product and engineering teams. He holds a Certified Information Systems Security Professional (CISSP) certification and served in the U.S. Navy.