Security and Defense: 2023 Sensitive Content Communications Privacy and Compliance

Global Instability and the Threat of Cyber Armageddon

As the security and defense industry continues to confront evolving cyber threats, it must remain vigilant in fortifying its digital defenses, enhancing information security protocols, and fostering a culture of cybersecurity awareness. The storage, transmission, and exchange of vast volumes of classified data, proprietary technologies, and intellectual property within the security and defense sector contribute significantly to the heightened risk it faces. A report from ISACA earlier this year found that 87% of organizations in the Defense Industrial Base (DIB) do not meet basic cybersecurity regulations and have a Supplier Performance Risk System (SPRS) score below 70. Compliance with NIST 800-171—and therefore Cybersecurity Maturity Model Certification (CMMC 2.0)—is also a problem, with 71% of DIB suppliers indicating they comply via self-assessment while actual Department of Defense assessments of the same organizations reveal only 29% actually comply.¹

Growing Impact of CMMC 2.0 Compliance in the DIB

Kiteworks’ 2023 Sensitive Content Communications Privacy and Compliance Report finds that 93% of respondents said their businesses are directly related to their ability or inability to comply with cybersecurity frameworks and standards—particularly CMMC 2.0 Level 2. For the 7% that did not list CMMC 2.0 as a compliance regulation affecting their businesses, they either plan to shut down operations with the Department of Defense or need to initiate a process immediately to determine their readiness to comply with CMMC 2.0. The survey’s results underscore the pressing need for businesses to prioritize cybersecurity measures and invest in the resources required to achieve compliance with CMMC 2.0.

Too Many Disaggregated Tools for Sensitive Content Communications

One of the takeaways in the report is that security and defense organizations rely on a lot of communication tools to send and share sensitive content: Nearly 6 out of 10 have six or more sensitive content communication systems in place. This disaggregated sensitive communications landscape complicates their ability to protect sensitive data that is sent and shared internally and with the DIB supply chain. It also creates compliance challenges, including their ability to achieve CMMC certification.

Ranking Third-party Content Communications Risk

Risk management of third-party content communications is seen as a problem across industry sectors, and security and defense is not spared. 27% of respondents say they require a new approach, or their current approach requires significant improvement. Another 41% indicate some improvement is needed. And if the ISACA report is correct, survey respondents may be overconfident in their risk capabilities. The number of exploits they reported for the past 12 months is corroboration, with 95% of organizations in the sector experiencing four or more exploits of sensitive content communications.

Better Digital Risk Management Required

All the above translates into significant risk to the DoD supply chain and slows down the CMMC 2.0 certification process. Lack of robust digital rights management is a big part of the problem, though weaknesses across security and defense organizations are not the same. For example, 55% of respondents say they have administrative policies in place for tracking and controlling content collaboration and sharing on-premise but not in the cloud. However, at the same time, 24% expressed the opposite—namely, they have tracking and controls in place for the cloud but not on-premise. More alarmingly, only 13% of them have both the cloud and on-premise covered, which was among the lowest across industries.

When it comes to managing and restricting third-party access to folders and files with capabilities such as content permissions, expiration, locking, and versioning, more than 7 in 10 of security and defense firms indicate they fail to do so across all departments (36% say they do so for certain departments and 39% indicate they do so for only certain content types). Tracking and recording third-party access to files and folders is not much better: nearly 8 in 10 of security and defense firms fail to do so for all content across all departments.

Kiteworks and Security and Defense Organizations

Security and defense firms lack the appropriate governance and security for their file and email data communications. The Kiteworks Private Content Network provides a platform that breaks down silos between disparate communication channels and delivers zero-trust policy management. This delivers lower CapEx and OpEx while enabling dramatically improved risk management. With Kiteworks, security and defense firms can securely share classification in compliance with relevant regulations, collaborate on defense strategies, exchange mission-critical data, share intelligence reports, collaborate on threat assessments, and share nation-state secrets.

Security and defense firms can also accelerate their CMMC 2.0 certification process with Kiteworks, which supports nearly 90% of CMMC 2.0 Level 2 practice requirements. FedRAMP, SOC 2, and ISO 27001, 27017, and 27108 certified, Kiteworks uses a hardened virtual security approach that includes an embedded network firewall, WAF, and antivirus and integrates advanced security capabilities like CDR, DLP, and ATP.

¹ Kirsten Morales, “More than 87% of Pentagon Supply Chain Fails Basic Cybersecurity Minimums,” Cybersheath, November 30, 2022.