CMMC 2.0 Compliance Mapping for Sensitive Content Communications

CMMC 2.0

NIST SP 800-171

Domain

Practice Description

Kiteworks Support
Compliance

Kiteworks Solution

Level 1 AC.L1-3.1.1

3.1.1

Access Control

Limit
information system access to authorized users, processes acting on behalf of authorized users,
or devices (including other information systems)

Yes, supports compliance

The Kiteworks platform
enforces strict access controls to protect all content, including CUI, under management.

Level 1 AC.L1-3.1.2

3.1.2

Access Control

Limit information system access
to the types of transactions and functions that authorized users are
permitted to execute

Yes, supports compliance

System
administrators and content owners can control
who receives which type of access: view and
edit, view only,
or access denied.

Level 1 AC.L1-3.1.20

3.1.20

Access Control

Verify and control/limit connections to and use of
external information systems

Yes, supports compliance

The
Kiteworks platform provides controlled access to cloud enterprise content management

systems like Google Drive,
Box, Dropbox, Microsoft OneDrive, and Microsoft
SharePoint Online.

Level 1 AC.L1-3.1.22

3.1.22

Access Control

Control information posted
or processed on publicly accessible information
systems

Yes, supports compliance

The Kiteworks platform can be deployed as a private or hybrid cloud
or as a private hosted
deployment

in an isolated environment or AWS, per FedRAMP requirements.

Level 2 AC.L2-3.1.3

3.1.3

Access Control

Control the
flow of CUI in accordance with approved authorizations

Yes, supports compliance

Administrators
and content owners can ensure that nonauthorized users
never gain access
to CUI. Kiteworks Automation Agents can be used to route
content to approved destinations as part
of workflows, ensuring that CUI is not accidentally distributed to
unauthorized users.

CMMC 2.0

NIST SP 800-171

Domain

Practice Description

Kiteworks Support
Compliance

Kiteworks Solution

Level 2 AC.L2-3.1.4

3.1.4

Access Control

Separate the duties of individuals to reduce the risk of
malevolent activity without collusion

Yes, supports compliance

Administrators can define different roles and access levels for
CUI, reducing the
risk of collusion.

Level 2 AC.L2-3.1.5

3.1.5

Access Control

Employ the
principle of least privilege, including for specific security functions and privileged accounts

Yes, supports compliance

The Kiteworks platform supports a range of user
roles and access privileges. System
administrators can define access
policies that employ
the principle of least
privilege.

Level 2 AC.L2-3.1.6

3.1.6

Access Control

Use non-privileged accounts or roles when accessing non-security functions

Yes, supports compliance

The Kiteworks platform prevents non-privileged users from
executing administrative functions. The platform also logs all access to
security functions, enabling the execution
of those functions to be audited.

Level 2 AC.L2-3.1.7

3.1.7

Access Control

Prevent
non-privileged users from executing privileged
functions and capture the execution of such functions in audit logs

Yes, supports compliance

The Kiteworks platform enables administrators
to define different types of accounts and access

privileges, ensuring that non-privileged users never
access privileged content or controls.

Level 2 AC.L2-3.1.8

3.1.8

Access Control

Limit unsuccessful logon attempts

Yes, supports compliance

The Kiteworks platform enables system administrators to set
a limit for
unsuccessful logon attempts. When
that limit is reached, that
account can be locked,
and an alert
sent to administrators and security
professionals.

CMMC 2.0

NIST SP 800-171

Domain

Practice Description

Kiteworks Support
Compliance

Kiteworks Solution

Level 2 AC.L2-3.1.9

3.1.9

Access Control

Provide privacy and security notices consistent with applicable CUI rules

Yes, supports compliance

The Kiteworks platform can be customized to display privacy
and security notices
required by an organization.

Level 2 AC.L2-3.1.10

3.1.10

Access Control

Use session lock
with pattern-hiding displays to prevent access and viewing
of data after a period of inactivity

Partially supports compliance

The
Kiteworks platform locks sessions after a period of inactivity, though
it does not use pattern- hiding displays.

Level 2 AC.L2-3.1.11

3.1.11

Access Control

Terminate (automatically) a user session after a defined condition

Yes, supports compliance

The
Kiteworks platform enables system administrators to define policies that
automatically log users out after
a set amount
of idle time.
System administrators can monitor
and manually terminate active sessions.

Level 2 AC.L2-3.1.12

3.1.12

Access Control

Monitor and control
remote access sessions

Yes, supports compliance

The Kiteworks platform
monitors and logs all remote access to CUI. All
remote access is governed through strict access
control policies. System administrators can
monitor and manually terminate active sessions.

Level 2 AC.L2-3.1.13

3.1.13

Access Control

Employ cryptographic mechanisms to protect the
confidentiality of remote
access sessions

Yes, supports compliance

The Kiteworks platform encrypts all transmission of
content using Transport Layer Security (TLS). The platform also encrypts content
at rest using AES-256 encryption. A FIPS 140-2 Level
1 validated module is also
available.

CMMC 2.0

NIST SP 800-171

Domain

Practice Description

Kiteworks Support
Compliance

Kiteworks Solution

Level 2 AC.L2-3.1.14

3.1.14

Access Control

Route remote access
via managed access control points

Yes, supports compliance

The Kiteworks platform enables system administrators to control
which nodes (servers) are available for client access (HTTPS or SFTP).

Level 2 AC.L2-3.1.15

3.1.15

Access Control

Authorize remote execution
of privileged commands and remote access to security- relevant information

Yes, supports compliance

The Kiteworks platform provides a separate
administrative interface that requires authentication and provides its own IP
access restrictions.

Level 2 AC.L2-3.1.16

3.1.16

Access Control

Authorize
wireless access prior to allowing such connections

Out of Scope

N/A

Level 2 AC.L2-3.1.17

3.1.17

Access Control

Protect wireless access using authentication and encryption

Out of Scope

N/A

CMMC 2.0

NIST SP 800-171

Domain

Practice Description

Kiteworks Support
Compliance

Kiteworks Solution

Level 2 AC.L2-3.1.18

3.1.18

Access Control

Control connection of mobile devices

Yes, supports compliance

The Kiteworks platform enables and disables access from the Kiteworks mobile app. System administrators
can also manage and terminate user sessions.
If a mobile device is lost or stolen, system
administrators can perform
a remote wipe of all CUI
in the Kiteworks secure container on the device.

Level 2 AC.L2-3.1.19

3.1.19

Access Control

Encrypt CUI on mobile
devices and mobile computing platforms

Yes, supports compliance

The
Kiteworks platform encrypts CUI at rest on mobile devices and mobile
computing platforms. In addition, it stores CUI in a secure
container, protecting CUI on a mobile device

from
unauthorized access, data corruption, and malware.

Level 2 AC.L2-3.1.21

3.1.21

Access Control

Limit use of portable storage devices on external systems

Out of scope

N/A

CMMC 2.0

NIST SP 800-171

Domain

Practice Description

Kiteworks Support
Compliance

Kiteworks Solution

Level 2 AT.L2-3.2.1

3.2.1

Awareness and Training

Ensure that managers, system administrators, and users of organizational systems
are made aware
of the security risks associated with their
activities and

of the applicable policies, standards, and procedures related to the security of those systems

Yes, supports compliance

Kiteworks FedRAMP operations managers and administration personnel are trained in the security
risks and applicable policies, standards, and procedures
related to the platform. The system warns customer admins of potentially
risky settings, such as access controls that fail to follow the principle of least
privilege.

Level 2 AT.L2-3.2.2

3.2.2

Awareness and Training

Ensure
that personnel are trained to carry out
their assigned information security- related duties and responsibilities

Partially supports compliance

Kiteworks
FedRAMP operations personnel are trained in the security risks and applicable
policies, standards, and procedures related to the platform.

Level 2 AT.L2-3.2.3

3.2.3

Awareness and Training

Provide security awareness training on recognizing and reporting potential
indicators of insider threat

Partially supports
compliance

Kiteworks FedRAMP operations personnel must
regularly pass security awareness training.

CMMC 2.0

NIST SP 800-171

Domain

Practice Description

Kiteworks Support
Compliance

Kiteworks Solution

Level 2 AU.L2-3.3.1

3.3.1

Audit and Accountability

Create and retain
system audit logs
and records to the extent needed to enable the monitoring, analysis,
investigation, and reporting of unlawful or
unauthorized system activity

Yes, supports compliance

The Kiteworks platform logs all access to and sharing of content. Administrators and

managers can generate reports for use in security investigations.

Level 2 AU.L2-3.3.2

3.3.2

Audit and Accountability

Ensure
that the actions of individual system users
can be uniquely traced to those
users, so they can be held accountable for their actions

Yes, supports compliance

The
Kiteworks platform assigns each user a unique ID and tracks
all activity on a per-user and per-file basis.

Level 2 AU.L2-3.3.3

3.3.3

Audit and Accountability

Review and update logged
events

Yes, supports compliance

The logs can be reviewed but not updated or deleted.

Level 2 AU.L2-3.3.4

3.3.4

Audit and Accountability

Alert in the
event of an audit logging process failure

Yes, supports compliance

The Kiteworks
platform alerts administrators in the event
of a logging process failure.

Level 2 AU.L2-3.3.5

3.3.5

Audit and Accountability

Correlate audit record
review, analysis, and reporting processes for investigation
and response to indications of unlawful,

unauthorized, suspicious, or unusual activity

Yes, supports compliance

Logs generated by
the Kiteworks platform can be exported to
SIEM systems and other security

analysis platforms for event correlation and threat hunting. The
platform also inherently detects anomalous behavior and includes those
alerts as a part of its audit log.

CMMC 2.0

NIST SP 800-171

Domain

Practice Description

Kiteworks Support
Compliance

Kiteworks Solution

Level 2 AU.L2-3.3.6

3.3.6

Audit and Accountability

Provide audit
record reduction and
report generation to support on-demand analysis
and reporting

Yes, supports compliance

The Kiteworks platform provides comprehensive audit logs that can be exported
to a SIEM system and analyzed
in on-demand reports. Logs include content-
specific audit record
fields such as username, email addresses, IP address, file or folder names, and event
type. Kiteworks also provides a CISO Dashboard,
highlighting system issues
of interest to CISOs and other security stakeholders and providing an easily

readable, visual presentation of activity and anomalous

behavior.

Level 2 AU.L2-3.3.7

3.3.7

Audit and Accountability

Provide a system
capability that compares and synchronizes internal system clocks with an
authoritative source
to generate time stamps
for audit records

Yes, supports compliance

The Kiteworks platform integrates with Network Time
Protocol (NTP) servers to provide authoritative time stamps for audit
records.

Level 2 AU.L2-3.3.8

3.3.8

Audit and Accountability

Protect
audit information and audit logging tools from unauthorized access, modification, and deletion

Yes, supports compliance

Logs generated by the Kiteworks platform can be exported to SIEM systems and other security

analysis platforms for event correlation and threat hunting.
The platform also inherently detects anomalous behavior and includes those
alerts as a part of its audit log.

Level 2 AU.L2-3.3.9

3.3.9

Audit and Accountability

Limit management of
audit logging functionality to a subset of privileged users

Yes, supports compliance

Logs in the
Kiteworks platform are
protected from editing and
deletion.

CMMC 2.0

NIST SP 800-171

Domain

Practice Description

Kiteworks Support
Compliance

Kiteworks Solution

Level 2 CM.L2-3.4.1

3.4.1

Configuration Management

Establish and
maintain baseline configurations
and inventories of organizational systems (including hardware, software, firmware, and documentation)
throughout the respective system development life cycles

Yes, supports compliance

The Kiteworks platform provides one-click compliance
reports that can be used to track the baseline configuration of the Kiteworks system.

Level 2 CM.L2-3.4.2

3.4.2

Configuration Management

Establish and enforce
security configuration settings for information
technology products employed in organizational systems

Yes, supports compliance

System administrators on the
Kiteworks platform can configure security settings for the platform.
Administrators can also
configure security settings for users and their mobile
devices when those users access CUI under the platform’s management.

Level 2 CM.L2-3.4.3

3.4.3

Configuration Management

Track, review, approve or disapprove, and log changes to organizational systems

Yes, supports compliance

The Kiteworks platform enables system administrators to track, review, and control all changes made to the platform.

Level 2 CM.L2-3.4.4

3.4.4

Configuration Management

Analyze
the security impact of changes prior
to implementation

Yes, supports compliance

The Kiteworks platform provides compliance audits that report configuration changes that degrade
security below recommended levels.

CMMC 2.0

NIST SP 800-171

Domain

Practice Description

Kiteworks Support
Compliance

Kiteworks Solution

Level 2 CM.L2-3.4.5

3.4.5

Configuration Management

Define,
document, approve and enforce physical and logical access restrictions
associated with changes to organizational systems

Yes, supports compliance

The Kiteworks platform enforces and logs all logical
access restrictions applied to CUI under management.

Level 2 CM.L2-3.4.6

3.4.6

Configuration Management

Employ
the principle of least functionality by configuring organizational systems to provide only essential capabilities

Yes, supports compliance

The Kiteworks hardened appliance exposes only a few
essential ports and
services. The system provides no operating system
access for users or administrators.

Level 2 CM.L2-3.4.7

3.4.7

Configuration Management

Restrict,
disable, or prevent the use of nonessential programs, functions, ports,
protocols, and services

Yes, supports compliance

The Kiteworks platform ships as a hardened
appliance with nonessential services disabled.
All unused ports are blocked. We also
provide the ability to enable/disable SFTP/SSH access.

Level 2 CM.L2-3.4.8

3.4.8

Configuration Management

Apply
deny-by-exception (blacklisting) policy to prevent
the use of unauthorized
software or deny-all, permit-by-exception (whitelisting)
policy to allow the execution of
authorized software

Yes, supports compliance

The
Kiteworks platform enforces whitelisting of apps on mobile devices
accessingthe platform.

Level 2 CM.L2-3.4.9

3.4.9

Configuration Management

Control and monitor user-installed software

Yes, supports compliance

The Kiteworks platform allows you to control what plugins and apps are made available to the end-user.
The platform also enforces mobile app whitelisting, preventing unauthorized third-party apps from accessing CUI.

CMMC 2.0

NIST SP 800-171

Domain

Practice Description

Kiteworks Support Compliance

Kiteworks Solution

Level 1 IA.L1-3.5.1

3.5.1

Identification and Authentication

Identify information system users, processes acting on behalf of users, or devices

Yes, supports compliance

The Kiteworks platform assigns individual users
unique IDs and uses
those IDs to track user activity on the platform across all devices.

Level 1 IA.L1-3.5.2

3.5.2

Identification and Authentication

Authenticate (or verify) the identities
of those users, processes, or devices,
as a prerequisite to allowing access to organizational information systems

Yes, supports compliance

The Kiteworks platform assigns individual users unique IDs and uses those IDs to track user activity on
the platform across all devices.

Level 2 IA.L2-3.5.3

3.5.3

Identification and Authentication

Use multi-factor authentication for local and network access

to privileged accounts and for network access to non-privileged accounts

Yes, supports compliance

The Kiteworks platform can be configured to require multi- factor authentication for any administrative session. Multi-factor

authentication is also enforced through
one-time passcodes via email.
Alternatively, multi-factor authentication is enforced through integration with
third-party authentication solutions that support SMS-based passcodes or the RADIUS
protocol. It can
also be configured to time out those sessions after a threshold of idle time has been reached.

Level 2 IA.L2-3.5.4

3.5.4

Identification and Authentication

Employ replay-resistant authentication
mechanisms for network access to privileged and non-privileged accounts

Yes, supports compliance

The Kiteworks platform can be configured to require multi- factor authentication for any administrative session. Multi-factor

authentication is also enforced through one-time passcodes via email. Alternatively, multi-factor authentication is enforced through integration with third-party authentication
solutions that support SMS-based passcodes
or the RADIUS
protocol. It can also be configured to time

out those sessions after a threshold of idle time has been reached.
This prevents old credential replay. Kiteworks also supports PIV/CAC cards, which use
no credentials and
are therefore not
susceptible to replay.

CMMC 2.0

NIST SP 800-171

Domain

Practice Description

Kiteworks Support
Compliance

Kiteworks Solution

Level 2 IA.L2-3.5.5

3.5.5

Identification and Authentication

Prevent reuse of identifiers for a defined period

Yes, supports compliance

The Kiteworks platform assigns each user a unique ID and tracks
all activity on a per-user and per-file basis.

Level 2 IA.L2-3.5.6

3.5.6

Identification and Authentication

Disable
identifiers after a defined period of inactivity

Yes, supports compliance

The Kiteworks
platform enables system administrators to set session timeout policies,
disconnecting users after a defined period of inactivity. The platform can
also remove end-user access altogether after a certain
period of time if
needed.

Level 2 IA.L2-3.5.7

3.5.7

Identification and Authentication

Enforce a minimum password complexity and change of
characters when new passwords are created

Yes, supports compliance

The platform enables managers and system administrators to define
password configuration requirements, including requirements for password complexity.

Level 2 IA.L2-3.5.8

3.5.8

Identification and Authentication

Prohibit
password reuse for a specified number of generations

Yes, supports compliance

The
Kiteworks platform can be configured to prohibit
password reuse.

CMMC 2.0

NIST SP 800-171

Domain

Practice Description

Kiteworks Support
Compliance

Kiteworks Solution

Level 2 IA.L2-3.5.9

3.5.9

Identification and Authentication

Allow
temporary password use for system logons with
an immediate change
to a permanent password

Yes, supports compliance

The Kiteworks platform enables system administrators to reset
user passwords and
enforce password change upon next
logon. Otherwise, users follow an account
verification link or password reset link to set or reset
their passwords.

Level 2 IA.L2-3.5.10

3.5.10

Identification and Authentication

Store and
transmit only cryptographically protected passwords

Yes, supports compliance

The
Kiteworks platform encrypts passwords in transit and at rest. Passwords at
rest are stored as salted hashes.
Passwords are never
stored or transmitted unsecurely.

Level 2 IA.L2-3.5.11

3.5.11

Identification and Authentication

Obscure feedback of authentication information

Yes, supports compliance

The Kiteworks platform transmits all authentication information using secure Transport Layer Security
(TLS) connections. By default, passwords are not displayed in plain text on screens.

CMMC 2.0

NIST SP 800-171

Domain

Practice Description

Kiteworks Support
Compliance

Kiteworks Solution

Level
2 IR.L2-3.6.1

3.6.1

Incident Response

Establish
an operational incident-handling capability for organizational systems that
includes preparation, detection, analysis, containment, recovery, and user response activities

Partially supports compliance

Logs generated by the Kiteworks platform can be exported to SIEM systems and other security

analysis platforms for event correlation and threat hunting.
The platform also inherently detects anomalous behavior and includes those
alerts as a part of its audit log.

Level
2 IR.L2-3.6.2

3.6.2

Incident Response

Track, document, and report incidents

to designated officials and/or authorities both internal and external
to the organization

Yes, supports compliance

Logs generated by the Kiteworks platform can be exported to SIEM systems and other security

analysis platforms for event correlation and threat hunting.
The platform also inherently detects anomalous behavior and includes those
alerts as a part of its audit log.

Level
2 IR.L2-3.6.3

3.6.3

Incident Response

Test the organizational incident response capability

Out of scope

N/A

CMMC 2.0

NIST SP 800-171

Domain

Practice Description

Kiteworks Support
Compliance

Kiteworks Solution

Level 2 MA.L2-3.7.1

3.7.1

Maintenance

Perform maintenance on organizational systems

Yes, supports compliance

Kiteworks personnel perform maintenance on FedRAMP Kiteworks systems per documented and audited processes and procedures.

Level 2 MA.L2-3.7.2

3.7.2

Maintenance

Provide controls on the
tools, techniques, mechanisms, and personnel used to conduct system
maintenance

Yes, supports compliance

Customer personnel can only perform maintenance using the secure, audited administrative user
interface, and cannot obtain operating system access. For FedRAMP systems,
the Kiteworks organization provides the controls on the tools, techniques, mechanisms, and personnel as defined
in the audited Kiteworks FedRAMP processes.

Level 2 MA.L2-3.7.3

3.7.3

Maintenance

Ensure
equipment removed for off-site maintenance is sanitized of any CUI

Yes, supports compliance

The Kiteworks platform can perform a remote wipe of the
secure containers on mobile devices that have been lost, stolen, or
decommissioned.

Level 2 MA.L2-3.7.4

3.7.4

Maintenance

Check
media containing diagnostic and test programs for malicious code before the
media are used in organizational systems

Yes, supports compliance

The Kiteworks platform scans CUI for viruses and other malware
by default, using
F-Secure

Anti-Virus software. The platform integrates with Check Point SandBlast and APIs enable integration with
other Advanced Threat Prevention technologies to scan CUI for advanced persistent threats and zero- day attacks.

CMMC 2.0

NIST SP 800-171

Domain

Practice Description

Kiteworks Support
Compliance

Kiteworks Solution

Level 2 MA.L2-3.7.5

3.7.5

Maintenance

Require multi-factor authentication to establish non-local maintenance sessions via external network connections and
terminate such connections when non- local maintenance is complete

Yes, supports compliance

The Kiteworks platform can be configured to require
multi-factor authentication for any administrative session. Multi-factor authentication is also enforced through one-time passcodes via email. Alternatively, multi-factor authentication

is enforced through integration with third-party authentication solutions that
support SMS-based passcodes or the RADIUS
protocol. It can also

be configured to time out those sessions after a threshold of idle time has been reached.

Level 2 MA.L2-3.7.6

3.7.6

Maintenance

Supervise
the maintenance activities of maintenance personnel without required access authorization

Yes, supports compliance

The
Kiteworks platform logs the activities of all users, including maintenance
activities of users with varying degrees of privilege.

CMMC 2.0

NIST SP 800-171

Domain

Practice Description

Kiteworks Support
Compliance

Kiteworks Solution

Level 1 MP.L1-3.8.3

3.8.3

Media Protection

Sanitize or destroy information system media containing
Federal Contract Information before disposal
or release for reuse

Yes, supports compliance

The Kiteworks platform can perform a remote wipe of CUI
in the secure containers on mobile devices that have been lost, stolen, or
decommissioned.

Level 2 MP.L2-3.8.1

3.8.1

Media Protection

Protect
(i.e., physically control and securely store) system media containing CUI,
both paper and digital

Yes, supports compliance

Kiteworks
FedRAMP systems encrypt all CUI when stored
on media, and
physical media is procedurally
controlled and audited in data centers used by Kiteworks.

Level 2 MP.L2-3.8.2

3.8.2

Media Protection

Limit access to CUI on system media to authorized users

Yes, supports compliance

The Kiteworks platform protects CUI by encrypting
content and enforcing access controls.

Level 2 MP.L2-3.8.4

3.8.4

Media Protection

Mark media
with necessary CUI markings
and distribution limitations

Yes, supports compliance

Users can mark
CUI in file and folder names, and in email subject lines. Kiteworks also
automates policies based on Microsoft MIP sensitivity labels, which can be used
to mark CUI.

CMMC 2.0

NIST SP 800-171

Domain

Practice Description

Kiteworks Support
Compliance

Kiteworks Solution

Level 2 MP.L2-3.8.5

3.8.5

Media Protection

Control access to media containing CUI and maintain accountability for media
during transport outside of controlled areas

Yes, supports compliance

The
Kiteworks platform enforces access controls on mobile devices
regardless of their location.

Level 2 MP.L2-3.8.6

3.8.6

Media Protection

Implement
cryptographic mechanisms to protect the confidentiality of CUI stored on digital media
during transport

unless
otherwise protected by alternative physical safeguards

Yes, supports compliance

The
Kiteworks platform encrypts all CUI at rest with AES-256 encryption.

Level 2 MP.L2-3.8.7

3.8.7

Media Protection

Control
the use of removable media on system components

Out of scope

N/A

Level 2 MP.L2-3.8.8

3.8.8

Media Protection

Prohibit the use of portable storage devices when such
devices have no identifiable owner

Out of scope

N/A

Level 2 MP.L2-3.8.9

3.8.9

Media Protection

Protect the confidentiality of backup CUI at storage locations

Yes, supports compliance

Kiteworks protects the
confidentiality of FedRAMP system backups per documented
and audited procedures. All CUI is encrypted with a key owned by the customer.

CMMC 2.0

NIST SP 800-171

Domain

Practice Description

Kiteworks Support
Compliance

Kiteworks Solution

Level 2 PS.L2-3.9.1

3.9.1

Personnel Security

Screen individuals prior to authorizing access to
organizational systems containing CUI

Yes, supports compliance

Kiteworks
FedRAMP personnel are screened U.S. citizens.

Level 2 PS.L2-3.9.2

3.9.2

Personnel Security

Ensure
that organizational systems containing CUI are protected during and after
personnel actions such as terminations and transfers

Yes, supports compliance

The Kiteworks platform protects CUI even when employees or contractors are
terminated or transferred. CUI can
be remotely wiped
from mobile devices, and access to private- or public-cloud
repositories can be blocked.

CMMC 2.0

NIST SP 800-171

Domain

Practice Description

Kiteworks Support
Compliance

Kiteworks Solution

Level 1 PE.L1-3.10.1

3.10.1

Physical Protection

Limit physical access to orgranizational information systems, equipment, and the respective operating environments
to authorized individuals

Yes, supports compliance

Kiteworks FedRAMP systems are deployed in controlled
environments with strict, audited procedures that limit physical access.

Level 1 PE.L1-3.10.3

3.10.3

Physical Protection

Escort visitors and
monitor visitor activity

Yes, supports compliance

Kiteworks
FedRAMP systems are deployed in controlled environments with strict, audited procedures that
include escorting and
monitoring of visitors.

Level 1 PE.L1-3.10.4

3.10.4

Physical Protection

Maintain audit logs of
physical access

Yes, supports compliance

Kiteworks maintains audit logs of all physical access of FedRAMP systems.

CMMC 2.0

NIST SP 800-171

Domain

Practice Description

Kiteworks Support
Compliance

Kiteworks Solution

Level 1 PE.L1-3.10.5

3.10.5

Physical Protection

Control and
manage physical access devices

Yes, supports compliance

Kiteworks
FedRAMP systems are deployed and managed
in controlled environments with strict, audited
procedures that control card readers, access cards, and other
access devices.

Level 2 PE.L2-3.10.2

3.10.2

Physical Protection

Protect
and monitor the physical facility and support infrastructure for
organizational systems

Yes, supports compliance

Kiteworks FedRAMP systems
are deployed in controlled environments with strict, audited protection and
monitoring.

Level 2 PE.L2-3.10.6

3.10.6

Physical Protection

Enforce safeguarding measures for CUI at
alternate work sites

Yes, supports compliance

The
Kiteworks platform protects CUI at all locations. Remote access to CUI is secured with authentication controls along with
other best practices, including the use
of secure containers on mobile devices and
encryption of all
CUI in transit and at rest.

CMMC 2.0

NIST SP 800-171

Domain

Practice Description

Kiteworks Support
Compliance

Kiteworks Solution

Level 2 RA.L2-3.11.1

3.11.1

Risk Assessment

Periodically assess the risk to organizational operations
(including mission, functions, image, or reputation),
organizational assets, and individuals, resulting from the operation of
organizational systems and the associated processing, storage, or
transmission of CUI

Out of scope

N/A

Level 2 RA.L2-3.11.2

3.11.2

Risk Assessment

Scan for vulnerabilities in
organizational systems and applications periodically and
when new vulnerabilities affecting those
systems and applications are identified

Yes, supports compliance

Kiteworks
security engineers regularly scan the code base to discover new
vulnerabilities.

Level 2 RA.L2-3.11.3

3.11.3

Risk Assessment

Remediate
vulnerabilities in accordance with risk assessments

Yes, supports compliance

Kiteworks security engineers prioritize and release fixes per a documented secure software development life cycle. Kiteworks
products, whether hosted or deployed on the customer’s premises, can detect the
availability of new

updates and apply
them with a click. The
Kiteworks organization offers updates as a service as part of the
Premium Support package.

CMMC 2.0

NIST SP 800-171

Domain

Practice Description

Kiteworks Support
Compliance

Kiteworks Solution

Level 2 CA.L2-3.12.1

3.12.1

Security Assessment

Periodically assess the security controls in organizational systems to determine if
the controls are effective in their application

Yes, supports compliance

Kiteworks is SOC-2
certified, FedRAMP Authorized, and FIPS 140-2 compliant,
following all of the guidelines and reviews therein.

Level 2 CA.L2-3.12.2

3.12.2

Security Assessment

Develop and implement plans
of action designed to correct deficiencies and reduce or eliminate vulnerabilities in organizational
systems

Yes, supports compliance

Kiteworks is SOC-2 certified, FedRAMP Authorized,
and FIPS 140-2 compliant, following all of the guidelines and reviews
therein.

Level 2 CA.L2-3.12.3

3.12.3

Security Assessment

Monitor security controls on an ongoing basis to ensure the continued effectiveness of the controls

Yes, supports compliance

Kiteworks FedRAMP security controls and incidents are
audited yearly by the Third Party Assessment Organization (3PAO).

Level 2 CA.L2-3.12.4

3.12.4

Security Assessment

Develop,
document, and periodically update system security plans that describe system
boundaries, system environments of
operation, how security
requirements are
implemented, and the relationships with or connections to other systems

Yes, supports compliance

Kiteworks is SOC-2 certified, FedRAMP Authorized,
and FIPS 140-2 compliant, following all of the guidelines and reviews
therein.

CMMC 2.0

NIST SP 800-171

Domain

Practice Description

Kiteworks Support
Compliance

Kiteworks Solution

Level 1 SC.L1-3.13.1

3.13.1

System and Communications Protection

Monitor, control, and protect organizational communications (i.e., information
transmitted or received
by organizational information systems) at the external boundaries and key internal
boundaries of the information systems

Yes, supports compliance

The Kiteworks platform monitors, controls, and protects
CUI at rest as well as when shared with internal or external users. The
platform ensures the security of CUI shared across organizational boundaries.

Level 1 SC.L1-3.13.5

3.13.5

System and Communications
Protection

Implement
subnetworks for publicly accessible system components that are physically or logically separated from
internal networks

Yes, supports compliance

The Kiteworks
platform tiered architecture allows web interfaces and other system functions
to be deployed outside network
DMZs for public
access, while ensuring that application logic and CUI storage remain
on internal networks.

Level 2 SC.L2-3.13.2

3.13.2

System and Communications Protection

Employ architectural designs, software development techniques, and systems engineering principles that promote
effective information security within organizational systems

Yes, supports compliance

The Kiteworks platform has been designed and developed with information security in
mind.

The platform’s tiered architecture separates
functionality, improves scalability, and supports the enforcement of data sovereignty policies. The platform’s source
code is routinely analyzed for
quality and security. The platform’s availability

on a private
or hybrid cloud
or as a private hosted deployment in an isolated environment on AWS enables customers to adopt the deployment model that best suits their security
needs.

CMMC 2.0

NIST SP 800-171

Domain

Practice Description

Kiteworks Support
Compliance

Kiteworks Solution

Level 2 SC.L2-3.13.3

3.13.3

System and Communications Protection

Separate
user functionality from system management functionality

Yes, supports compliance

The Kiteworks platform enforces security controls specific to user roles,
including system
administrators, CUI managers, and end-users.

Unprivileged users never
gain access to system
management
functionality. The Kiteworks platform prevents unauthorized access or sharing
of CUI.

Level 2 SC.L2-3.13.4

3.13.4

System and Communications
Protection

Prevent unauthorized and
unintended information transfer via shared system resources

Yes, supports compliance

Only authorized users and processes can access and share
CUI.

Level 2 SC.L2-3.13.6

3.13.6

System and Communications Protection

Deny network communications traffic by default and allow network

communications traffic by exception (i.e., deny all,
permit by exception)

Yes, supports compliance

The Kiteworks platform supports the whitelisting and blacklisting of IP addresses and can be configured to deny network traffic
by default.

Level 2 SC.L2-3.13.7

3.13.7

System and Communications
Protection

Prevent
remote devices from simultaneously establishing non-remote connections with organizational systems and communicating via some other
connection to resources in external networks (i.e., split tunneling)

Out of scope

N/A

CMMC 2.0

NIST SP 800-171

Domain

Practice Description

Kiteworks Support
Compliance

Kiteworks Solution

Level 2 SC.L2-3.13.8

3.13.8

System and Communications Protection

Implement cryptographic mechanisms to prevent unauthorized disclosure of CUI
during transmission unless otherwise protected by alternative physical safeguards

Yes, supports compliance

The Kiteworks platform encrypts CUI in transit using Transport Layer
Security. System

administrators can configure the platform not to accept
TLS 1.0 or 1.1 connections.

Level 2 SC.L2-3.13.9

3.13.9

System and Communications
Protection

Terminate
network connections associated with communications sessions at the end of the
sessions or after a defined period of inactivity

Yes, supports compliance

The
Kiteworks platform enables system administrators to set session timeout policies, disconnecting users after a defined
period

of inactivity.

Level 2 SC.L2-3.13.10

3.13.10

System and Communications Protection

Establish and manage cryptographic keys for cryptography
employed in organizational systems

Yes, supports compliance

The Kiteworks platform uses keys to encrypt content in transit and at rest.
Kiteworks customers have full
ownership of their
cryptographic keys.

Keys can be managed directly within the Kiteworks platform or stored in a
Hardware Security Module.

Level 2 SC.L2-3.13.11

3.13.11

System and Communications
Protection

Employ FIPS-validated cryptography when used to protect the confidentiality
of CUI

Yes, supports compliance

The Kiteworks
platform is available in a FIPS 140-2 configuration.

CMMC 2.0

NIST SP 800-171

Domain

Practice Description

Kiteworks Support
Compliance

Kiteworks Solution

Level 2 SC.L2-3.13.12

3.13.12

System and Communications Protection

Prohibit remote activation of collaborative computing devices and provide indication of devices in use to users
present at the device

Out of scope

N/A

Level 2 SC.L2-3.13.13

3.13.13

System and Communications
Protection

Control and
monitor the use
of mobile code

Yes, supports compliance

Kiteworks
uses secure coding practices and abides by OWASP
Top 10 mitigation strategies. Our SDLC is rigorously reviewed and tested, as attested and verified through our SOC
2,

FedRAMP,
IRAP, and FIPS-140 certifications/audits.

Level 2 SC.L2-3.13.14

3.13.14

System and Communications Protection

Control and monitor the use of Voice over Internet
Protocol (VoIP) technologies

Out of scope

N/A

CMMC 2.0

NIST SP 800-171

Domain

Practice Description

Kiteworks Support
Compliance

Kiteworks Solution

Level 2 SC.L2-3.13.15

3.13.15

System and Communications
Protection

Protect the
authenticity of communications  sessions

Yes, supports compliance

The Kiteworks platform protects the
authenticity of communications sessions in compliance with NIST
800-53, SC-23. Specifically, the platform invalidates session
identifiers upon user logout or other session termination, generates a unique session identifier
for each session
with predefined randomness
requirements and recognizes only session identifiers that are system
generated and uses only predefined certificate authorities for verification of the
establishment of protected sessions.

Level 2 SC.L2-3.13.16

3.13.16

System and Communications Protection

Protect the confidentiality of CUI at rest

Yes, supports compliance

The Kiteworks platform protects the confidentiality of CUI at rest through
the enforcement of strict access controls
and the use of AES-256 encryption. In addition, CUI at rest on mobile
devices is stored in a secure container that shields the CUI from access from other applications and
processes.

CMMC 2.0

NIST SP 800-171

Domain

Practice Description

Kiteworks Support
Compliance

Kiteworks Solution

Level 1 SI.L1-3.14.1

3.14.1

System and Information Integrity

Identify, report, and
correct information and
information system flaws in a timely manner

Yes, supports compliance

Kiteworks
monitors and reviews vulnerabilities in the Kiteworks platform and
prioritizes and resolves these vulnerabilities based on impact and severity.

Level 1 SI.L1-3.14.2

3.14.2

System and Information Integrity

Provide protection from malicious code at appropriate locations within organizational information systems

Yes, supports compliance

The Kiteworks platform protects against malicious code by scanning CUI
entering or exiting the platform for viruses,
advanced persistent threats, and zero-day
attacks. On mobile
devices, Kiteworks stores
CUI in secure containers (protected areas of storage and memory) that shield CUI from malware
infection.

Level 1 SI.L1-3.14.4

3.14.4

System and Information Integrity

Update
malicious code protection mechanisms when new releases are available

Yes, supports compliance

The Kiteworks platform automatically applies updates to integrated and embedded anti-malware solutions
from F-Secure and Check Point.

Level 1 SI.L1-3.14.5

3.14.5

System and Information Integrity

Perform periodic scans of the information system and
real-time scans of files from external sources as files are
downloaded, opened, or executed

Yes, supports compliance

The Kiteworks platform scans all uploaded files for infections of malware and
indications of zero-day threats. When integrated with a Data Loss Prevention
(DLP) service,
the platform can also scan content and block or
quarantine any CUI
transmissions that might violate DLP policies.

CMMC 2.0

NIST SP 800-171

Domain

Practice Description

Kiteworks Support
Compliance

Kiteworks Solution

Level 2 SI.L2-3.14.3

3.14.3

System and Information Integrity

Monitor system security
alerts and advisories and take
action in response

Yes, supports compliance

The Kiteworks platform can
be configured to export
logs to SIEM systems being
used for security monitoring and alerts.

Level 2 SI.L2-3.14.6

3.14.6

System and Information Integrity

Monitor organizational systems, including
inbound and outbound communications
traffic, to detect
attacks and indicators of potential attacks

Yes, supports compliance

The
Kiteworks platform monitors all communications under management for
signs of malware and other
security anomalies that could signal
the presence of an attack.

Level 2 SI.L2-3.14.7

3.14.7

System and Information Integrity

Identify unauthorized use of organizational systems

Yes, supports compliance

The Kiteworks platform identifies access attempts by
unauthorized users.

Practice Area

Kiteworks Compliant

Shared Responsibility

Out of Scope

Total

Access Control

18

1

3

22

Awareness and Training

1

2

3

Audit and Accountability

9

9

Configuration Management

9

9

Identification and Authentication

11

11

Incident Response

1

1

1

3

Maintenance

6

6

Media Protection

7

2

9

Personnel Security

2

2

Physical Protection

6

6

Risk Assessment

2

1

3

Security Assessment

4

4

System and Communications Protection

13

3

16

System and Information Integrity

7

7

Total

96

4

10

110