DOWNLOAD PDF

Introduction to CMMC

The U.S. Department of Defense (DoD) takes a supply-chain risk-management approach to improving cybersecurity by requiring all third-party partners to obtain the Cybersecurity Maturity Model Certification (CMMC). The CMMC is designed to ensure the protection of sensitive national security information such as Controlled Unclassified Information (CUI) and Federal Contract information (FCI). The certification applies to all DoD contractors and subcontractors, and a contractor that fails to maintain compliance will be unable to bid for DoD contracts. 

Under DFARS and DoD rules and policies, the DoD implemented cybersecurity controls in the CMMC standard to protect CUI and FCI. Thus, the CMMC measures an organization’s ability to protect FCI and CUI. FCI is information not intended for public release and is provided by or generated for the government under a contract to develop or deliver a product or service to the government. CUI is information that requires safeguarding or dissemination controls according to and consistent with federal laws, regulations, and government-wide policies.

Comparison of CMMC 1.0 and 2.0.

Figure 1. Comparison of CMMC 1.0 and 2.0.

CMMC 2.0 

CMMC 2.0 is the updated and comprehensive framework to protect the defense industrial base from frequent and complex cyberattacks. This streamlined version was released in late 2021 to focus on the most critical security and compliance requirements. It reduced compliance levels from five to three, and third-party assessments are only required for Level 2 and 3 partners that manage critical national security information. The model aligns with the widely accepted Federal Information Processing Standards (FIPS) 200 security-related areas and the National Institute of Standards & Technology (NIST) SP 800-171 and 800-172 control families.

The Kiteworks Platform

Kiteworks’ FedRAMP- and FIPS-140-2-compliant platform for privacy and compliance governance enables organizations to send, share, receive, and store sensitive content. Integrating communication channels such as secure email, file sharing, file transfer, managed file transfer, web forms, and application programming interfaces (APIs), the Kiteworks platform creates private content networks that track, control, and secure confidential digital communications while unifying visibility and metadata. Capabilities in the Kiteworks platform include:

Secure Email

Kiteworks locks down private email communications and ensures regulatory compliance. Users simply send emails and attachments from any location or device, and the Kiteworks platform automatically protects them.

Secure File Sharing

Kiteworks enables government employees and federal contractors to access and share CUI securely, reducing the risk of data breahes, malware attacks, and data loss.

Managed File Transfer

Government agencies and businesses transferring confidential files can streamline, automate, and secure large- scale file transfers and establish policy controls to prevent compliance violations.

Web Forms

Government agency employees and contractors and third-party business users can upload sensitive information that is governed by privacy and compliance policies.

Application Programming Interfaces (APIs)

Organizations can develop custom content applications and integrations on the Kiteworks platform that enable them to manage the risk of data breaches and compliance violations.

 


The following analysis of CMMC 2.0 reveals that Kiteworks supports nearly 90% of CMMC 2.0 Level 2 requirements out of the box (see Appendix). 

For contractors and subcontractors doing business with the U.S. DoD, this translates into dramatically faster compliance audits and even expanded revenue opportunities. Further, once CMMC 2.0 goes into effect, businesses unable to demonstrate sensitive content communications compliance with CMMC 2.0 cannot compete for and work on DoD projects.

Access Controls

CMMC 2.0 NIST SP 800-171 Domain Practice Description Kiteworks Support Compliance Kiteworks Solution
Level 1 AC.L1-3.1.1 3.1.1 Access Control Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems) Yes, supports compliance The Kiteworks platform enforces strict access controls to protect all content, including CUI, under management.
Level 1 AC.L1-3.1.2 3.1.2 Access Control Limit information system access to the types of transactions and functions that authorized users are permitted to execute Yes, supports compliance System administrators and content owners can control who receives which type of access: view and edit, view only, or access denied.
Level 1 AC.L1-3.1.20 3.1.20 Access Control Verify and control/limit connections to and use of external information systems Yes, supports compliance The Kiteworks platform provides controlled access to cloud enterprise content management systems like Google Drive, Box, Dropbox, Microsoft OneDrive, and Microsoft SharePoint Online.
Level 1 AC.L1-3.1.22 3.1.22 Access Control Control information posted or processed on publicly accessible information systems Yes, supports compliance The Kiteworks platform can be deployed as a private or hybrid cloud or as a private hosted deployment in an isolated environment or AWS, per FedRAMP requirements.
Level 1 AC.L1-3.1.3 3.1.3 Access Control Control the flow of CUI in accordance with approved authorizations Yes, supports compliance Administrators and content owners can ensure that nonauthorized users never gain access to CUI. Kiteworks Automation Agents can be used to route content to approved destinations as part of workflows, ensuring that CUI is not accidentally distributed to unauthorized users.
CMMC 2.0 NIST SP 800-171 Domain Practice Description Kiteworks Support Compliance Kiteworks Solution
Level 2 AC.L2-3.1.4 3.1.4 Access Control Separate the duties of individuals to reduce the risk of malevolent activity without collusion Yes, supports compliance Administrators can define different roles and access levels for CUI, reducing the risk of collusion.
Level 2 AC.L2-3.1.5 3.1.5 Access Control Employ the principle of least privilege, including for specific security functions and privileged accounts Yes, supports compliance The Kiteworks platform supports a range of user roles and access privileges. System administrators can define access policies that employ the principle of least privilege.
Level 2 AC.L1-3.1.6 3.1.6 Access Control Use non-privileged accounts or roles when accessing non-security functions Yes, supports compliance The Kiteworks platform prevents non-privileged users from executing administrative functions. The platform also logs all access to security functions, enabling the execution of those functions to be audited.
Level 2 AC.L1-3.1.7 3.1.7 Access Control Prevent non-privileged users from executing privileged functions and capture the execution of such functions in audit logs Yes, supports compliance The Kiteworks platform enables administrators to define different types of accounts and access privileges, ensuring that non-privileged users never access privileged content or controls.
Level 2 AC.L1-3.1.8 3.1.8 Access Control Limit unsuccessful logon attempts Yes, supports compliance The Kiteworks platform enables system administrators to set a limit for unsuccessful logon attempts. When that limit is reached, that account can be locked, and an alert sent to administrators and security professionals.
CMMC 2.0 NIST SP 800-171 Domain Practice Description Kiteworks Support Compliance Kiteworks Solution
Level 2 AC.L2-3.1.9 3.1.9 Access Control Provide privacy and security notices consistent with applicable CUI rules Yes, supports compliance The Kiteworks platform can be customized to display privacy and security notices required by an organization.
Level 2 AC.L2-3.1.10 3.1.10 Access Control Use session lock with pattern-hiding displays to prevent access and viewing of data after a period of inactivity Yes, supports compliance The Kiteworks platform locks sessions after a period of inactivity, though it does not use pattern-hiding displays.
Level 2 AC.L1-3.1.11 3.1.11 Access Control Terminate (automatically) a user session after a defined condition Yes, supports compliance The Kiteworks platform enables system administrators to define policies that automatically log users out after a set amount of idle time. System administrators can monitor and manually terminate active sessions.
Level 2 AC.L1-3.1.12 3.1.12 Access Control Monitor and control remote access sessions Yes, supports compliance The Kiteworks platform monitors and logs all remote access to CUI. All remote access is governed through strict access control policies. System administrators can monitor and manually terminate active sessions.
Level 2 AC.L1-3.1.13 3.1.13 Access Control Employ cryptographic mechanisms to protect the confidentiality of remote access sessions Monitor and control
remote access sessions
The Kiteworks platform encrypts all transmission of content using Transport Layer Security (TLS). The platform also encrypts content at rest using AES-256 encryption. A FIPS 140-2 Level 1 validated module is also available.
CMMC 2.0 NIST SP 800-171 Domain Practice Description Kiteworks Support Compliance Kiteworks Solution
Level 2 AC.L2-3.1.14 3.1.14 Access Control Route remote access via managed access control points Yes, supports compliance The Kiteworks platform enables system administrators to control which nodes (servers) are available for client access (HTTPS or SFTP).
Level 2 AC.L2-3.1.15 3.1.15 Access Control Authorize remote execution of privileged commands and remote access to security-relevant information Yes, supports compliance The Kiteworks platform provides a separate administrative interface that requires authentication and provides its own IP access restrictions.
Level 2 AC.L1-3.1.16 3.1.16 Access Control Authorize wireless access prior to allowing such connections Out of Scope N/A
Level 2 AC.L1-3.1.17 3.1.17 Access Control Protect wireless access using authentication and encryption Out of Scope N/A
Level 2 AC.L1-3.1.18 3.1.18 Access Control Control connection of mobile devices Yes, supports compliance The Kiteworks platform enables and disables access from the Kiteworks mobile app. System administrators can also manage and terminate user sessions. If a mobile device is lost or stolen, system administrators can perform a remote wipe of all CUI in the Kiteworks secure container on the device.
Level 2 AC.L1-3.1.19 3.1.19 Access Control Encrypt CUI on mobile devices and mobile computing platforms Yes, supports compliance The Kiteworks platform encrypts CUI at rest on mobile devices and mobile computing platforms. In addition, it stores CUI in a secure container, protecting CUI on a mobile device from unauthorized access, data corruption, and malware.
Level 2 AC.L1-3.1.21 3.1.21 Access Control Limit use of portable storage devices on external systems Out of scope N/A

Awareness and Training

CMMC 2.0 NIST SP 800-171 Domain Practice Description Kiteworks Support Compliance Kiteworks Solution
Level 2 AT.L2-3.2.1 3.2.1 Awareness and Training Ensure that managers, system administrators, and users of organizational systems are made aware of the security risks associated with their activities and of the applicable policies, standards, and procedures related to the security of those systems Yes, supports compliance Kiteworks FedRAMP operations managers and administration personnel are trained in the security risks and applicable policies, standards, and procedures related to the platform. The system warns customer admins of potentially risky settings, such as access controls that fail to follow the principle of least privilege.
Level 2 AT.L2-3.2.2 3.2.2 Awareness and Training Ensure that personnel are trained to carry out their assigned information security-related duties and responsibilities Yes, supports compliance Kiteworks FedRAMP operations personnel are trained in the security risks and applicable policies, standards, and procedures related to the platform.
Level 2 AT.L2-3.2.3 3.2.3 Awareness and Training Provide security awareness training on recognizing and reporting potential indicators of insider threat Yes, supports compliance Kiteworks FedRAMP operations personnel must regularly pass security awareness training.

Audit and Accountability

CMMC 2.0 NIST SP 800-171 Domain Practice Description Kiteworks Support Compliance Kiteworks Solution
Level 2 AU.L2-3.3.1 3.3.1 Audit and Accountability Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity Yes, supports compliance The Kiteworks platform logs all access to and sharing of content. Administrators and managers can generate reports for use in security investigations.
Level 2 AU.L2-3.3.2 3.3.2 Audit and Accountability Ensure that the actions of individual system users can be uniquely traced to those users, so they can be held accountable for their actions Yes, supports compliance The Kiteworks platform assigns each user a unique ID and tracks all activity on a per-user and per-file basis.
Level 2 AU.L2-3.3.3 3.2.3 Audit and Accountability Review and update logged events Yes, supports compliance The logs can be reviewed but not updated or deleted.
Level 2 AU.L2-3.3.4 3.3.4 Audit and Accountability Alert in the event of an audit logging process failure Yes, supports compliance The Kiteworks platform alerts administrators in the event of a logging process failure.
Level 2 AU.L2-3.3.5 3.3.5 Audit and Accountability Correlate audit record review, analysis, and reporting processes for investigation and response to indications of unlawful, unauthorized, suspicious, or unusual activity Yes, supports compliance Logs generated by the Kiteworks platform can be exported to SIEM systems and other security analysis platforms for event correlation and threat hunting. The platform also inherently detects anomalous behavior and includes those alerts as a part of its audit log.
Level 2 AU.L2-3.3.6 3.3.6 Audit and Accountability Provide audit record reduction and report generation to support on-demand analysis and reporting Yes, supports compliance The Kiteworks platform provides comprehensive audit logs that can be exported to a SIEM system and analyzed in on-demand reports. Logs include content-specific audit record fields such as username, email addresses, IP address, file or folder names, and event type. Kiteworks also provides a CISO Dashboard, highlighting system issues of interest to CISOs and other security stakeholders and providing an easily readable, visual presentation of activity and anomalous behavior.
Level 2 AU.L2-3.3.7 3.3.7 Audit and Accountability Provide a system capability that compares and synchronizes internal system clocks with an authoritative source to generate time stamps for audit records Yes, supports compliance The Kiteworks platform integrates with Network Time Protocol (NTP) servers to provide authoritative time stamps for audit records.
Level 2 AU.L2-3.3.8 3.3.8 Audit and Accountability Protect audit information and audit logging tools from unauthorized access, modification, and deletion Yes, supports compliance Logs generated by the Kiteworks platform can be exported to SIEM systems and other security analysis platforms for event correlation and threat hunting. The platform also inherently detects anomalous behavior and includes those alerts as a part of its audit log.
Level 2 AU.L2-3.3.9 3.3.8 Audit and Accountability Limit management of audit logging functionality to a subset of privileged users Yes, supports compliance Logs in the Kiteworks platform are protected from editing and deletion.

Configuration Management

CMMC 2.0 NIST SP 800-171 Domain Practice Description Kiteworks Support Compliance Kiteworks Solution
Level 2 CM.L2-3.4.5 3.4.5 Configuration Management Define, document, approve, and enforce physical and logical access restrictions associated with changes to organizational systems Yes, supports compliance The Kiteworks platform enforces and logs all logical access restrictions applied to CUI under management.
Level 2 CM.L2-3.4.6 3.4.6 Configuration Management Employ the principle of least functionality by configuring organizational systems to provide only essential capabilities Yes, supports compliance The Kiteworks hardened appliance exposes only a few essential ports and services. The system provides no operating system access for users or administrators.
Level 2 CM.L2-3.4.7 3.4.7 Configuration Management Restrict, disable, or prevent the use of nonessential programs, functions, ports, protocols, and services Yes, supports compliance The Kiteworks platform ships as a hardened appliance with nonessential services disabled. All unused ports are blocked. We also provide the ability to enable/disable SFTP/SSH access.
Level 2 CM.L2-3.4.8 3.4.8 Configuration Management Apply deny-by-exception (blacklisting) policy to prevent the use of unauthorized software or deny-all, permit-by-exception (whitelisting) policy to allow the execution of authorized software Yes, supports compliance The Kiteworks platform enforces whitelisting of apps on mobile devices accessing the platform.
Level 2 CM.L2-3.4.9 3.3.5 Configuration Management Control and monitor user-installed software Yes, supports compliance The Kiteworks platform allows you to control what plugins and apps are made available to the end-user. The platform also enforces mobile app whitelisting, preventing unauthorized third-party apps from accessing CUI.

Identification and Authentication

CMMC 2.0 NIST SP 800-171 Domain Practice Description Kiteworks Support Compliance Kiteworks Solution
Level 1 IA.L1-3.5.1 3.5.1 Identification and Authentication Identify information system users, processes acting on behalf of users, or devices Yes, supports compliance The Kiteworks platform assigns individual users unique IDs and uses those IDs to track user activity on the platform across all devices.
Level 1 IA.L1-3.5.2 3.5.2 Identification and Authentication Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems Yes, supports compliance The Kiteworks platform assigns individual users unique IDs and uses those IDs to track user activity on the platform across all devices.
Level 2 IA.L2-3.5.3 3.5.3 Identification and Authentication Use multi-factor authentication for local and network access to privileged accounts and for network access to non-privileged accounts Yes, supports compliance The Kiteworks platform can be configured to require multi-factor authentication for any administrative session. Multi-factor authentication is also enforced through one-time passcodes via email. Alternatively, multi-factor authentication is enforced through integration with third-party authentication solutions that support SMS-based passcodes or the RADIUS protocol. It can also be configured to time out those sessions after a threshold of idle time has been reached.
Level 2 IA.L2-3.5.4 3.5.4 Identification and Authentication Employ replay-resistant authentication mechanisms for network access to privileged and non-privileged accounts Yes, supports compliance The Kiteworks platform can be configured to require multi-factor authentication for any administrative session. Multi-factor authentication is also enforced through one-time passcodes via email. Alternatively, multi-factor authentication is enforced through integration with third-party authentication solutions that support SMS-based passcodes or the RADIUS protocol. It can also be configured to time out those sessions after a threshold of idle time has been reached. This prevents old credential replay. Kiteworks also supports PIV/CAC cards, which use no credentials and are therefore not susceptible to replay.
Level 2 IA.L2-3.5.5 3.5.5 Identification and Authentication Prevent reuse of identifiers for a defined period Yes, supports compliance The Kiteworks platform assigns each user a unique ID and tracks all activity on a per-user and per-file basis.
Level 2 IA.L2-3.5.6 3.5.5 Identification and Authentication Disable identifiers after a defined period of inactivity Yes, supports compliance The Kiteworks platform enables system administrators to set session timeout policies, disconnecting users after a defined period of inactivity. The platform can also remove end-user access altogether after a certain period of time if needed.
Level 2 IA.L2-3.5.7 3.5.7 Identification and Authentication Enforce a minimum password complexity and change of characters when new passwords are created Yes, supports compliance The platform enables managers and system administrators to define password configuration requirements, including requirements for password complexity.
Level 2 IA.L2-3.5.8 3.5.8 Identification and Authentication Prohibit password reuse for a specified number of generations Yes, supports compliance The Kiteworks platform can be configured to prohibit password reuse.
Level 2 IA.L2-3.5.9 3.5.9 Identification and Authentication Allow temporary password use for system logons with an immediate change to a permanent password Yes, supports compliance The Kiteworks platform enables system administrators to reset user passwords and enforce password change upon next logon. Otherwise, users follow an account verification link or password reset link to set or reset their passwords.
Level 2 IA.L2-3.5.10 3.5.10 Identification and Authentication Store and transmit only cryptographically protected passwords Yes, supports compliance The Kiteworks platform encrypts passwords in transit and at rest. Passwords at rest are stored as salted hashes. Passwords are never stored or transmitted unsecurely.
Level 2 IA.L2-3.5.11 3.5.11 Identification and Authentication Obscure feedback of authentication information Yes, supports compliance The Kiteworks platform transmits all authentication information using secure Transport Layer Security (TLS) connections. By default, passwords are not displayed in plain text on screens.

Incident Response

CMMC 2.0 NIST SP 800-171 Domain Practice Description Kiteworks Support Compliance Kiteworks Solution
Level 2 IR.L2-3.6.1 3.6.1 Incident Response Establish an operational incident-handling capability for organizational systems that includes preparation, detection, analysis, containment, recovery, and user response activities Yes, supports compliance Logs generated by the Kiteworks platform can be exported to SIEM systems and other security analysis platforms for event correlation and threat hunting. The platform also inherently detects anomalous behavior and includes those alerts as a part of its audit log.
Level 2 IR.L2-3.6.2 3.6.2 Incident Response Track, document, and report incidents to designated officials and/or authorities both internal and external to the organization Yes, supports compliance Logs generated by the Kiteworks platform can be exported to SIEM systems and other security analysis platforms for event correlation and threat hunting. The platform also inherently detects anomalous behavior and includes those alerts as a part of its audit log.
Level 2 IR.L2-3.6.3 3.6.3 Incident Response Test the organizational incident response capability Out of scope N/A

Maintenance

CMMC 2.0 NIST SP 800-171 Domain Practice Description Kiteworks Support Compliance Kiteworks Solution
Level 2 MA.L2-3.7.1 3.7.1 Maintenance Perform maintenance on organizational systems Yes, supports compliance Kiteworks personnel perform maintenance on FedRAMP Kiteworks systems per documented and audited processes and procedures.
Level 2 MA.L2-3.7.2 3.7.2 Maintenance Provide controls on the tools, techniques, mechanisms, and personnel used to conduct system maintenance Yes, supports compliance Customer personnel can only perform maintenance using the secure, audited administrative user interface, and cannot obtain operating system access. For FedRAMP systems, the Kiteworks organization provides the controls on the tools, techniques, mechanisms, and personnel as defined in the audited Kiteworks FedRAMP processes.
Level 2 MA.L2-3.7.3 3.7.3 Maintenance Ensure equipment removed for off-site maintenance is sanitized of any CUI Yes, supports compliance The Kiteworks platform can perform a remote wipe of the secure containers on mobile devices that have been lost, stolen, or decommissioned.
Level 2 MA.L2-3.7.4 3.7.4 Maintenance Check media containing diagnostic and test programs for malicious code before the media are used in organizational systems Yes, supports compliance The Kiteworks platform scans CUI for viruses and other malware by default, using F-Secure Anti-Virus software. The platform integrates with Check Point SandBlast and APIs enable integration with other Advanced Threat Prevention technologies to scan CUI for advanced persistent threats and zero-day attacks.
Level 2 MA.L2-3.7.5 3.7.5 Maintenance Require multi-factor authentication to establish non-local maintenance sessions via external network connections and terminate such connections when non-local maintenance is complete Yes, supports compliance The Kiteworks platform can be configured to require multi-factor authentication for any administrative session. Multi-factor authentication is also enforced through one-time passcodes via email. Alternatively, multi-factor authentication is enforced through integration with third-party authentication solutions that support SMS-based passcodes or the RADIUS protocol. It can also be configured to time out those sessions after a threshold of idle time has been reached.
Level 2 MA.L2-3.7.6 3.7.6 Maintenance Supervise the maintenance activities of maintenance personnel without required access authorization Yes, supports compliance The Kiteworks platform logs the activities of all users, including maintenance activities of users with varying degrees of privilege.

Media Protection

CMMC 2.0 NIST SP 800-171 Domain Practice Description Kiteworks Support Compliance Kiteworks Solution
Level 2 MP.L2-3.8.1 3.8.1 Media Protection Protect (i.e., physically control and securely store) system media containing CUI, both paper and digital Yes, supports compliance Kiteworks FedRAMP systems encrypt all CUI when stored on media, and physical media is procedurally controlled and audited in data centers used by Kiteworks.
Level 2 MP.L2-3.8.2 3.8.2 Media Protection Limit access to CUI on system media to authorized users Yes, supports compliance The Kiteworks platform protects CUI by encrypting content and enforcing access controls.
Level 1 MP.L1-3.8.3 3.8.3 Media Protection Sanitize or destroy information system media containing Federal Contract Information before disposal or release for reuse Yes, supports compliance The Kiteworks platform can perform a remote wipe of CUI in the secure containers on mobile devices that have been lost, stolen, or decommissioned.
Level 2 MP.L2-3.8.4 3.8.4 Media Protection Mark media with necessary CUI markings and distribution limitations Yes, supports compliance Users can mark CUI in file and folder names, and in email subject lines. Kiteworks also automates policies based on Microsoft MIP sensitivity labels, which can be used to mark CUI.
Level 2 MP.L2-3.8.5 3.8.5 Media Protection Control access to media containing CUI and maintain accountability for media during transport outside of controlled areas Yes, supports compliance The Kiteworks platform enforces access controls on mobile devices regardless of their location.
Level 2 MP.L2-3.8.6 3.8.6 Media Protection Implement cryptographic mechanisms to protect the confidentiality of CUI stored on digital media during transport unless otherwise protected by alternative physical safeguards Yes, supports compliance The Kiteworks platform encrypts all CUI at rest with AES-256 encryption.
Level 2 MP.L2-3.8.7 3.8.7 Media Protection Control the use of removable media on system components Out of scope N/A
Level 2 MP.L2-3.8.8 3.8.8 Media Protection Prohibit the use of portable storage devices when such devices have no identifiable owner Out of scope N/A
Level 2 MP.L2-3.8.9 3.8.9 Media Protection Protect the confidentiality of backup CUI at storage locations Yes, supports compliance Kiteworks protects the confidentiality of FedRAMP system backups per documented and audited procedures. All CUI is encrypted with a key owned by the customer.

Personnel Security

CMMC 2.0 NIST SP 800-171 Domain Practice Description Kiteworks Support Compliance Kiteworks Solution
Level 2 PS.L2-3.9.1 3.9.1 Personnel Security Screen individuals prior to authorizing access to organizational systems containing CUI Yes, supports compliance The Kiteworks platform protects CUI even when employees or contractors are terminated or transferred. CUI can be remotely wiped from mobile devices, and access to private- or public-cloud repositories can be blocked.
Level 2 PS.L2-3.9.2 3.9.2 Personnel Security Ensure that organizational systems containing CUI are protected during and after personnel actions such as terminations and transfers Yes, supports compliance Logs generated by the Kiteworks platform can be exported to SIEM systems and other security analysis platforms for event correlation and threat hunting. The platform also inherently detects anomalous behavior and includes those alerts as a part of its audit log.

Physical Protection

CMMC 2.0 NIST SP 800-171 Domain Practice Description Kiteworks Support Compliance Kiteworks Solution
Level 1 PE.L1-3.10.1 3.10.1 Physical Protection Limit physical access to orgranizational information systems, equipment, and the respective operating environments to authorized individuals Yes, supports compliance Kiteworks FedRAMP systems are deployed in controlled environments with strict, audited procedures that limit physical access.
Level 1 PE.L1-3.10.3 3.10.3 Physical Protection Escort visitors and monitor visitor activity Yes, supports compliance Kiteworks FedRAMP systems are deployed in controlled environments with strict, audited procedures that include escorting and monitoring of visitors.
Level 1 PE.L1-3.10.4 3.10.4 Physical Protection Maintain audit logs of physical access Yes, supports compliance Kiteworks maintains audit logs of all physical access of FedRAMP systems.
Level 1 PE.L1-3.10.5 3.10.5 Physical Protection Control and manage physical access devices Yes, supports compliance Kiteworks FedRAMP systems are deployed and managed in controlled environments with strict, audited procedures that control card readers, access cards, and other access devices.
Level 2 PE.L2-3.10.2 3.10.2 Physical Protection Protect and monitor the physical facility and support infrastructure for organizational systems Yes, supports compliance Kiteworks FedRAMP systems are deployed in controlled environments with strict, audited protection and monitoring.
Level 2 PE.L2-3.10.6 3.10.6 Physical Protection Enforce safeguarding measures for CUI at alternate work sites Yes, supports compliance The Kiteworks platform protects CUI at all locations. Remote access to CUI is secured with authentication controls along with other best practices, including the use of secure containers on mobile devices and encryption of all CUI in transit and at rest.

Risk Assessment

CMMC 2.0 NIST SP 800-171 Domain Practice Description Kiteworks Support Compliance Kiteworks Solution
Level 2 RA.L2-3.11.1 3.11.1 Risk Assessment Periodically assess the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals, resulting from the operation of organizational systems and the associated processing, storage, or transmission of CUI Out of scope N/A
Level 2 RA.L2-3.11.2 3.11.2 Risk Assessment Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems and applications are identified Yes, supports compliance Kiteworks security engineers regularly scan the code base to discover new vulnerabilities.
Level 2 RA.L2-3.11.3 3.11.3 Risk Assessment Remediate vulnerabilities in accordance with risk assessments Yes, supports compliance Kiteworks security engineers prioritize and release fixes per a documented secure software development life cycle. Kiteworks products, whether hosted or deployed on the customer’s premises, can detect the availability of new updates and apply them with a click. The Kiteworks organization offers updates as a service as part of the Premium Support package.

Security Assessment

CMMC 2.0 NIST SP 800-171 Domain Practice Description Kiteworks Support Compliance Kiteworks Solution
Level 2 CA.L2-3.12.1 3.12.1 Security Assessment Periodically assess the security controls in organizational systems to determine if the controls are effective in their application Yes, supports compliance Kiteworks is SOC-2 certified, FedRAMP Authorized, and FIPS 140-2 compliant, following all of the guidelines and reviews therein.
Level 2 CA.L2-3.12.2 3.12.2 Security Assessment Develop and implement plans of action designed to correct deficiencies and reduce or eliminate vulnerabilities in organizational systems Yes, supports compliance Kiteworks is SOC-2 certified, FedRAMP Authorized, and FIPS 140-2 compliant, following all of the guidelines and reviews therein.
Level 2 CA.L2-3.12.3 3.12.3 Security Assessment Monitor security controls on an ongoing basis to ensure the continued effectiveness of the controls Yes, supports compliance Kiteworks FedRAMP security controls and incidents are audited yearly by the Third Party Assessment Organization (3PAO).
Level 2 CA.L2-3.12.4 3.12.4 Security Assessment Develop, document, and periodically update system security plans that describe system boundaries, system environments of operation, how security requirements are implemented, and the relationships with or connections to other systems Yes, supports compliance Kiteworks is SOC-2 certified, FedRAMP Authorized, and FIPS 140-2 compliant, following all of the guidelines and reviews therein.

System and Communications Protection

CMMC 2.0 NIST SP 800-171 Domain Practice Description Kiteworks Support Compliance Kiteworks Solution
Level 1 SC.L1-3.13.1 3.13.1 System and Communications Protection Monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems Yes, supports compliance The Kiteworks platform monitors, controls, and protects CUI at rest as well as when shared with internal or external users. The platform ensures the security of CUI shared across organizational boundaries.
Level 1 SC.L1-3.13.5 3.13.5 System and Communications Protection Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks Yes, supports compliance The Kiteworks platform tiered architecture allows web interfaces and other system functions to be deployed outside network DMZs for public access, while ensuring that application logic and CUI storage remain on internal networks.
Level 2 SC.L2-3.13.2 3.13.2 System and Communications Protection Employ architectural designs, software development techniques, and systems engineering principles that promote effective information security within organizational systems Yes, supports compliance The Kiteworks platform has been designed and developed with information security in mind. The platform’s tiered architecture separates functionality, improves scalability, and supports the enforcement of data sovereignty policies. The platform’s source code is routinely analyzed for quality and security. The platform’s availability on a private or hybrid cloud or as a private hosted deployment in an isolated environment on AWS enables customers to adopt the deployment model that best suits their security needs.
Level 2 SC.L2-3.13.3 3.13.3 System and Communications Protection Separate user functionality from system management functionality Yes, supports compliance The Kiteworks platform enforces security controls specific to user roles, including system administrators, CUI managers, and end-users. Unprivileged users never gain access to system management functionality. The Kiteworks platform prevents unauthorized access or sharing of CUI.
Level 2 SC.L2-3.13.4 3.13.4 System and Communications Protection Prevent unauthorized and unintended information transfer via shared system resources Yes, supports compliance Only authorized users and processes can access and share CUI.
Level 2 SC.L2-3.13.6 3.13.6 System and Communications Protection Deny network communications traffic by default and allow network communications traffic by exception (i.e., deny all, permit by exception) Yes, supports compliance The Kiteworks platform supports the whitelisting and blacklisting of IP addresses and can be configured to deny network traffic by default.
Level 2 SC.L2-3.13.7 3.13.7 System and Communications Protection Prevent remote devices from simultaneously establishing non-remote connections with organizational systems and communicating via some other connection to resources in external networks (i.e., split tunneling) Out of scope N/A
Level 2 SC.L2-3.13.8 3.13.8 System and Communications Protection Implement cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission unless otherwise protected by alternative physical safeguards Yes, supports compliance The Kiteworks platform encrypts CUI in transit using Transport Layer Security. System administrators can configure the platform not to accept TLS 1.0 or 1.1 connections.
Level 2 SC.L2-3.13.9 3.13.9 System and Communications Protection Terminate network connections associated with communications sessions at the end of the sessions or after a defined period of inactivity Yes, supports compliance The Kiteworks platform enables system administrators to set session timeout policies, disconnecting users after a defined period of inactivity.
Level 2 SC.L2-3.13.10 3.13.10 System and Communications Protection Establish and manage cryptographic keys for cryptography employed in organizational systems Yes, supports compliance The Kiteworks platform uses keys to encrypt content in transit and at rest. Kiteworks customers have full ownership of their cryptographic keys. Keys can be managed directly within the Kiteworks platform or stored in a Hardware Security Module.
Level 2 SC.L2-3.13.11 3.13.11 System and Communications Protection Employ FIPS-validated cryptography when used to protect the confidentiality of CUI Yes, supports compliance The Kiteworks platform is available in a FIPS 140-2 configuration.
Level 2 SC.L2-3.13.12 3.13.12 System and Communications Protection Prohibit remote activation of collaborative computing devices and provide indication of devices in use to users present at the device Out of scope N/A
Level 2 SC.L2-3.13.13 3.13.13 System and Communications Protection Control and monitor the use of mobile code Yes, supports compliance Kiteworks uses secure coding practices and abides by OWASP Top 10 mitigation strategies. Our SDLC is rigorously reviewed and tested, as attested and verified through our SOC 2, FedRAMP, IRAP, and FIPS-140 certifications/audits.
Level 2 SC.L2-3.13.14 3.13.14 System and Communications Protection Control and monitor the use of Voice over Internet Protocol (VoIP) technologies Out of scope N/A
Level 2 SC.L2-3.13.15 3.13.15 System and Communications Protection Protect the authenticity of communications sessions Yes, supports compliance The Kiteworks platform protects the authenticity of communications sessions in compliance with NIST 800-53, SC-23. Specifically, the platform invalidates session identifiers upon user logout or other session termination, generates a unique session identifier for each session with predefined randomness requirements and recognizes only session identifiers that are system generated and uses only predefined certificate authorities for verification of the establishment of protected sessions.
Level 2 SC.L2-3.13.16 3.13.15 System and Communications Protection Protect the confidentiality of CUI at rest Yes, supports compliance The Kiteworks platform protects the confidentiality of CUI at rest through the enforcement of strict access controls and the use of AES-256 encryption. In addition, CUI at rest on mobile devices is stored in a secure container that shields the CUI from access from other applications and processes.

System and Information Integrity

CMMC 2.0 NIST SP 800-171 Domain Practice Description Kiteworks Support Compliance Kiteworks Solution
Level 1 SI.L1-3.14.1 3.14.1 System and Information Integrity Identify, report, and correct information and information system flaws in a timely manner Yes, supports compliance Kiteworks monitors and reviews vulnerabilities in the Kiteworks platform and prioritizes and resolves these vulnerabilities based on impact and severity.
Level 1 SI.L1-3.14.2 3.14.2 System and Information Integrity Provide protection from malicious code at appropriate locations within organizational information systems Yes, supports compliance The Kiteworks platform protects against malicious code by scanning CUI entering or exiting the platform for viruses, advanced persistent threats, and zero-day attacks. On mobile devices, Kiteworks stores CUI in secure containers (protected areas of storage and memory) that shield CUI from malware infection.
Level 1 SI.L1-3.14.4 3.14.4 System and Information Integrity Update malicious code protection mechanisms when new releases are available Yes, supports compliance The Kiteworks platform automatically applies updates to integrated and embedded anti-malware solutions from F-Secure and Check Point.
Level 1 SI.L1-3.14.5 3.14.5 System and Information Integrity Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed Yes, supports compliance The Kiteworks platform scans all uploaded files for infections of malware and indications of zero-day threats. When integrated with a Data Loss Prevention (DLP) service, the platform can also scan content and block or quarantine any CUI transmissions that might violate DLP policies.
Level 2 SI.L2-3.14.3 3.14.3 System and Information Integrity Monitor system security alerts and advisories and take action in response Yes, supports compliance The Kiteworks platform can be configured to export logs to SIEM systems being used for security monitoring and alerts.
Level 2 SI.L2-3.14.6 3.14.6 System and Information Integrity Monitor organizational systems, including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks Yes, supports compliance The Kiteworks platform monitors all communications under management for signs of malware and other security anomalies that could signal the presence of an attack.
Level 2 SI.L2-3.14.7 3.14.7 System and Information Integrity Identify unauthorized use of organizational systems Yes, supports compliance The Kiteworks platform identifies access attempts by unauthorized users.

Appendix: Kiteworks Alignment

With CMMC 2.0 Level 2 Practices

Practice Area Kiteworks Compliant Shared Responsibility Out of Scope Total
Access Control 18 1 3 22
Awareness and Training 1 2 3
Audit and Accountability 9 9
Configuration Management 9 9
Identification and Authentication 11 11
Incident Response 1 1 1 3
Maintenance 6 6
Media Protection 7 2 9
Personnel Security 2 2
Physical Protection 6 6
Risk Assessment 2 1 3
Security Assessment 4 4
System and Communications Protection 13 3 16
System and Information Integrity 7 7
Total 96 4 10 110

 

Get started.

It’s easy to start ensuring regulatory compliance and effectively managing risk with Kiteworks. Join the thousands of organizations who feel confident in their content communications platform today. Select an option below.

Lancez-vous.

Avec Kiteworks, se mettre en conformité règlementaire et bien gérer les risques devient un jeu d’enfant. Rejoignez dès maintenant les milliers de professionnels qui ont confiance en leur plateforme de communication de contenu. Cliquez sur une des options ci-dessous.

Jetzt loslegen.

Mit Kiteworks ist es einfach, die Einhaltung von Vorschriften zu gewährleisten und Risiken effektiv zu managen. Schließen Sie sich den Tausenden von Unternehmen an, die sich schon heute auf ihre Content-Kommunikationsplattform verlassen können. Wählen Sie unten eine Option.

Share
Tweet
Share
Explore Kiteworks