Kiteworks CMMC Review (2026): What It Actually Covers for Level 2 — and What It Doesn’t
Welcome to our Kiteworks CMMC review. Here is the bottom line before you scroll. Kiteworks is a genuinely strong fit for one specific CMMC problem—moving Controlled Unclassified Information (CUI, the sensitive-but-unclassified data the government requires you to protect) securely between you, your primes, your subcontractors, and the Department of Defense. Its Federal Cloud is also FedRAMP Authorized at the Moderate impact level, which we confirmed ourselves on the federal FedRAMP Marketplace. But here is the part the sales deck glosses over: Kiteworks will not, by itself, make you CMMC compliant. The “nearly 90% of Level 2, out of the box” figure the company leads with is real—and it is also the single most misread number in CMMC tooling. Below, we show you exactly what it covers, what it doesn’t, what it costs, and what a third-party assessor will still expect from you.
Kiteworks for CMMC — the 30-second verdict
| Question | Fast answer | What to verify yourself |
|---|---|---|
| Is Kiteworks a serious CMMC option? | Yes—for secure CUI exchange (email, file sharing, managed file transfer, SFTP, web forms, APIs) and audit-grade evidence around the data that moves. | The current FedRAMP package, the Customer Responsibility Matrix, your SSP mapping. |
| Is Kiteworks FedRAMP authorized? | Yes—the Kiteworks Federal Cloud is FedRAMP Authorized, Moderate impact, since June 1, 2017. | FedRAMP Marketplace, package F1511167634. |
| Is the FedRAMP High version authorized? | Not yet. The Secure Gov Cloud is Agency Authorization In Process for High—not authorized. | FedRAMP Marketplace, package FR2435353186 (0 authorizations, 0 reuses as of June 17, 2026). |
| Does it cover all of CMMC Level 2? | No. Kiteworks’ own mapping rates most of the 110 requirements as “supported,” and flags others as shared or out of scope. | The control-by-control appendix and your own configuration evidence. |
| Is Kiteworks a C3PAO? | No. It is a secure-content platform, not an assessor or a readiness firm. | A live Cyber AB Marketplace check. (No Kiteworks listing found as of June 17, 2026.) |
| Who should shortlist it? | DIB contractors with real external CUI exchange—recurring technical-data transfers, supplier file flows, MFT/SFTP, scattered audit logs to consolidate. | Your CUI flow, user count, and assessment level. |
| Who should not start here? | Level 1 / FCI-only shops, or anyone whose real gap is readiness, scoping, documentation, or assessment. | Compare provider categories before buying any tool. |
What we verified for this review
Provider category: Secure content / CUI exchange platform (often used as part of a CUI enclave strategy)—not a C3PAO, RPO, or assessor.
Status check: FedRAMP Marketplace — Kiteworks Federal Cloud, package F1511167634, FedRAMP Authorized, Moderate, Rev. 5, authorized since 6/1/2017 (assessed by Coalfire), 15 authorizations / 16 reuses; Kiteworks Secure Gov Cloud, package FR2435353186, Agency Authorization In Process for High (Class D), 0 authorizations / 0 reuses. Confirmed .
Services reviewed: Secure email, file sharing, managed file transfer (MFT), SFTP, web forms, APIs; CMMC control mapping; FedRAMP posture; pricing model; company security history.
Compensation relationship: None as of . The Defense Compliance Report has no financial relationship with Kiteworks.
Evaluation depth: Public-source and primary-source review. We read Kiteworks’ own CMMC mapping guide, cross-checked 32 CFR Part 170, DFARS 252.204-7012 and -7021, and NIST SP 800-171 Rev. 2, and verified FedRAMP status on the Marketplace. We did not run a hands-on deployment of Kiteworks inside a live DIB environment. Where a claim is Kiteworks’ own, we label it “company-stated.”
What we could not verify: Enterprise/CUI-deployment pricing (custom-quoted), a current Cyber AB Marketplace listing for Kiteworks, and any private contractual outcomes.
This article is general information, not legal, contractual, or compliance advice.
Disclosure: The Defense Compliance Report is an independent trade publication on CMMC 2.0 and DIB compliance. We are not affiliated with the Cyber AB, the CMMC accreditation ecosystem’s training body (CAICO), the Department of Defense, FedRAMP, NIST, or Kiteworks. We may receive compensation for qualified introductions, sponsorships, or partner referrals when disclosed. Compensation does not control our regulatory analysis, provider-category recommendations, or status verification.
Is Kiteworks good for CMMC Level 2?
Kiteworks is a good fit for CMMC Level 2 when your core problem is controlling, encrypting, logging, and proving the movement of CUI across email, file sharing, MFT, SFTP, web forms, and APIs. It is not a complete CMMC program, because Level 2 is assessed against your entire scoped environment, your documentation, your people, and your processes—not a single platform. CMMC Level 2 maps to the 110 security requirements in NIST SP 800-171 Revision 2, organized into 14 control families, per 32 CFR Part 170 (the CMMC Program rule, effective December 16, 2024).
If you strip away the marketing, Kiteworks does one thing exceptionally well: it gives CUI a single, governed place to live and move, with an audit trail. For a defense contractor with CUI scattered across Outlook, consumer file-sharing links, and an aging FTP server, that focus is the value—not a weakness.
Best-fit use cases
- External CUI exchange with primes, subs, suppliers, and DoD customers.
- Recurring managed file transfer of large technical-data packages (drawings, specs, CAD).
- An auditable SFTP replacement where governance and chain-of-custody actually matter.
- A secure email and file portal when ordinary email or consumer sharing is too risky.
- Consolidating logs from multiple content channels into one place for evidence.
Not-best-fit situations
- “We need someone to build our whole CMMC program.”
- “We need an SSP, a POA&M, and a gap assessment.”
- “We need a C3PAO to certify us.”
- “We have one small, occasional CUI transfer and want the lightest possible enclave.”
- “We need full Microsoft-native CUI coverage across Outlook, Teams, SharePoint, OneDrive, identity, and endpoints.”
We’ll route each of those situations to the right lane further down. First, the question that decides everything.
Does Kiteworks make you CMMC compliant?
No single tool makes you CMMC compliant—including Kiteworks. A CMMC Level 2 assessment evaluates the controls implemented across your scoped CUI environment, supported by your own evidence: your System Security Plan (SSP), your Plan of Action and Milestones (POA&M), your configurations, your training records, and your processes. Kiteworks can satisfy or strongly support the controls that govern CUI moving through the platform, but it cannot certify you and cannot stand in for the rest of your program.
The most expensive mistake we see DIB shops make
Buying Kiteworks and believing you are “90% of the way to CMMC” is the most expensive mistake we see DIB shops make. It feels like progress. It quietly isn’t—not until the other work is done.
Now the pivot, because this is exactly why the right buyers love it. The part Kiteworks does cover—secure CUI exchange and audit-grade evidence for the data in motion—is the messy, time-eating part most contractors struggle with. And pulling CUI out of email-and-SharePoint sprawl into one governed boundary is a legitimate, powerful move: it can both shrink your assessment scope and hand your assessor clean evidence for a meaningful chunk of the controls—but only if the architecture actually keeps CUI out of your other systems. A tool reduces scope only when your data flows, your asset inventory, and your users’ habits change with it. Used that way, Kiteworks isn’t the finish line; it’s one of the better starting blocks. The trick is knowing which race it’s actually running.
Why “tool equals compliant” fails, in plain terms:
- Scope is about your assets, not your vendor’s. Under 32 CFR Part 170, your CMMC assessment scope is built from the assets that process, store, or transmit CUI. A platform covers the data flowing through it; it does not define or close your scope for you.
- The assessor grades your implementation. A C3PAO (a CMMC Third-Party Assessment Organization—the independent firm authorized to perform a Level 2 certification assessment) evaluates how you implemented and evidenced each requirement. A vendor’s brochure is not evidence.
- The clock is real. DoD’s phased rollout began with Phase 1 on November 10, 2025, when DFARS clause 252.204-7021 started appearing in solicitations. Phase 2 begins November 10, 2026: applicable solicitations will require a Level 2 Certification Assessment (the C3PAO track) as a condition of award, though DoD retains discretion and may apply the requirement to an option period in some cases.
You are probably not the only one feeling behind. In vendor-sponsored research from Kiteworks and Coalfire (“State of CMMC 2.0 Preparedness in the DIB,” which we treat as directional, not neutral market fact), 46% of surveyed organizations said they were ready to seek Level 2 and 57% had not completed a thorough gap assessment. Coalfire’s CEO, Tom McAndrew, noted on the record that the complexity is pushing the large majority of DIB contractors to engage outside help—consultants, Registered Provider Organizations (RPOs), or C3PAOs. Translation: needing readiness support isn’t a failure. It’s the norm.
A tool covers the data boundary. A readiness program covers the rest of what an assessor grades. If you’re trying to figure out whether your gap is tooling, documentation, scoping, or assessment, see how the provider categories actually differ before you spend in the wrong lane.
How much of CMMC Level 2 does Kiteworks actually cover? (the “nearly 90%” claim, deconstructed)
Kiteworks’ own CMMC mapping guide states the platform “supports nearly 90% of CMMC 2.0 Level 2 requirements out of the box.” That figure is real, and it comes from a control-by-control appendix that rates each of the 110 requirements as “Kiteworks Compliant,” “Shared Responsibility,” or “Out of Scope.” What it measures is how many requirements the platform can touch for the data-exchange function—not the share of your assessment that is finished when you buy it. Those are two very different numbers, and conflating them is where contractors get hurt.
We read the appendix. Here’s the honest translation.
The arithmetic behind “nearly 90%.” Kiteworks’ published summary lists 96 of the 110 requirements as “Kiteworks Compliant,” 4 as “Shared Responsibility,” and 10 as “Out of Scope” (its count, clearly labeled as company-stated). Do the math two ways: 96 ÷ 110 = 87%; counting the 4 shared, 100 ÷ 110 = 91%. That’s where “nearly 90%” comes from. It is an honest description of platform coverage. It is not a statement that you are 90% certified.
Here’s the catch the percentage hides—and we found it in their own guide. Take Awareness & Training requirement AT.L2-3.2.1, which requires that your managers, admins, and users be trained on the security risks of their work. Kiteworks rates this control as supporting compliance. Read the entry and the support is that Kiteworks trains its own FedRAMP operations staff and that the system warns customer administrators about risky settings. Useful—but neither one trains your workforce, which is the obligation an assessor actually grades. That single line is the whole lesson: a “supported” rating can mean the vendor handles its slice while the obligation that lands on your assessment stays with you. “Supported by the platform” is not “done for you.”
So the useful question isn’t “what percentage?” It’s “which families does Kiteworks genuinely carry, and which stay on my plate?” Here’s our reading, family by family.
Kiteworks vs the 14 CMMC Level 2 control families (NIST SP 800-171 Rev. 2)
| Family (NIST count) | Kiteworks’ role | What it genuinely does | What stays on you |
|---|---|---|---|
| Access Control — AC (22) | Strong | MFA, SSO/SAML, certificate auth, AD/Azure AD/LDAP; role-based least privilege; session lock/termination; remote-access encryption (TLS 1.3/1.2); mobile controls incl. remote wipe of CUI | Access control on every other system, endpoint, and network; flagged out of scope in their mapping: wireless access (3.1.16/17), portable storage (3.1.21) |
| Awareness & Training — AT (3) | Largely on you | Trains Kiteworks’ own FedRAMP ops staff; warns customer admins of risky settings | Your workforce security-awareness program, role-based training records, manager training |
| Audit & Accountability — AU (9) | Strong | Tamper-evident audit log for every file/email event; log export; SIEM integrations (Splunk, IBM QRadar, and others); chain-of-custody reporting | Log review policy and cadence; SIEM deployment and rules; audit logging across all other in-scope systems; alert-response procedures |
| Configuration Management — CM (9) | Moderate | Hardened platform deployment; documented configuration baselines for the product; change controls managed by Kiteworks for its cloud service | CM of your endpoints, network devices, and all other systems; your baseline configuration policy; change management records; user-installed software controls |
| Identification & Authentication — IA (11) | Strong | MFA enforcement; SSO/SAML federation; certificate-based auth; AD/Azure AD/LDAP account lifecycle; password policy enforcement at platform level | IA for every other system; managing credentials outside Kiteworks; device authentication on endpoints; authenticator management across your whole environment |
| Incident Response — IR (3) | Largely on you | Platform audit logs support IR evidence; anomaly alerts can feed IR workflow | Your IR plan, reporting procedures, incident-handling training, IR testing, forensics capability, and IR records |
| Maintenance — MA (6) | Largely on you | Kiteworks as a cloud service manages its own maintenance processes and media sanitization at the infrastructure layer | Controlled maintenance of your own assets; remote maintenance authorization and monitoring; maintenance records for your environment |
| Media Protection — MP (9) | Moderate | CUI-in-transit encryption; digital rights management (DRM) options for shared files; access restrictions on stored content | Physical media controls; sanitization and disposal of your storage media; paper CUI handling; portable storage device controls (flagged out of scope in mapping) |
| Personnel Security — PS (2) | Largely on you | Kiteworks screens its own FedRAMP operations staff per its FedRAMP authorization | Screening your own personnel with CUI access; termination and transfer procedures for system access |
| Physical Protection — PE (6) | Largely on you | Kiteworks’ Federal Cloud data centers maintain physical controls per FedRAMP Moderate authorization | Your own facility physical access controls; visitor management; CUI work area controls; unauthorized physical access monitoring at your locations |
| Risk Assessment — RA (3) | Largely on you | FedRAMP authorization and security documentation provide risk evidence for the platform’s own infrastructure | Your organization-level risk assessment; vulnerability scanning of your systems; risk remediation tracking via your POA&M |
| Security Assessment — CA (4) | Moderate | FedRAMP ATOs and the Customer Responsibility Matrix support the cloud-service evidence expectation; platform documentation available for assessor review | Your SSP; your POA&M; system-level security assessment of your scoped environment; ongoing monitoring and annual SPRS score affirmation |
| System & Communications Protection — SC (16) | Strong | TLS 1.3/1.2 in transit; AES-256 at rest; FIPS 140-2/3 validated cryptography; DLP; network segmentation at platform layer; secure API and SFTP channels | SC for endpoints, internal network devices, and non-Kiteworks transmission paths; boundary protection at your perimeter; mobile device management |
| System & Information Integrity — SI (7) | Moderate | Malware protection and scanning within the platform; anomaly and security alerts; security patches managed by Kiteworks on its infrastructure | Malware protection across your endpoint and network environment; security alerts and advisories for your systems; system monitoring outside the platform |
What evidence will your C3PAO expect if Kiteworks is in scope?
If Kiteworks is part of your assessment scope, the evidence conversation won’t stop at “we bought Kiteworks.” Under the Cyber AB CMMC Assessment Process, when an External Service Provider (ESP—an outside provider that stores, processes, or transmits CUI for you) is in scope, the Lead Certified CMMC Assessor (CCA) validates your Level 2 scope, confirms whether a Customer Responsibility Matrix is available, confirms whether the ESP’s personnel are available to support the assessment, and—when the ESP handles CUI—confirms that you can provide evidence such as a FedRAMP Moderate Authorization, FedRAMP Moderate equivalency, or a Level 2 Certificate of CMMC Status, as appropriate.
| Evidence artifact | Owner | Why it matters |
|---|---|---|
| SSP section describing the Kiteworks boundary and data flows | You (or your readiness provider) | Shows how Kiteworks is used in the assessed environment |
| Network / data-flow diagram | You | Shows where CUI is processed, stored, transmitted |
| Asset inventory entry | You | Places Kiteworks-related assets in the correct category |
| Customer Responsibility Matrix | Kiteworks + you | Defines inherited, shared, and customer-owned controls |
| FedRAMP package evidence | Kiteworks | Supports the cloud/ESP evidence expectation |
| Configuration screenshots | You / admin | Shows implementation, not just purchase |
| Access-control / MFA / SSO settings | You / admin | Supports AC and IA claims |
| Audit-log exports | You / Kiteworks | Supports AU evidence and chain-of-custody |
| SIEM / DLP integration evidence | You / admin | Shows monitoring and IR workflow |
| IR procedure integration | You | Shows how Kiteworks events enter your incident-response process |
| Training records | You | Covers the human side of handling CUI correctly |
A tool that actually helps you decide: the CUI Exchange Fit Checker
An AI summary can paraphrase this page. It can’t tell you whether Kiteworks fits your environment, because it doesn’t know your CMMC level, your CUI flow, your user count, your current cloud, or your timeline. The questions that matter: your required CMMC level (Level 1 / Level 2 self-assessment / Level 2 C3PAO / Level 3); CUI type (basic CUI, ITAR/export-controlled, or not sure); current environment (Microsoft Commercial, GCC, GCC High, AWS GovCloud, on-prem, mixed); how CUI moves (email, file share, SFTP, MFT, forms, APIs); user count; and where you are today (no SSP, draft SSP, scored in SPRS, assessment scheduled). Those answers return a straight read: whether Kiteworks is a strong fit, a possible fit, or not your first move; which provider category you likely need next; and the controls a platform won’t close for you.
Kiteworks CMMC review verdict — should you shortlist it?
Shortlist Kiteworks if your CMMC gap is secure CUI exchange—email, file sharing, MFT, SFTP, web forms, API transfers, and auditability across external content. Don’t treat it as your only CMMC solution if you still need scoping, readiness, SSP/POA&M, endpoint controls, training, GRC workflow, SPRS support, or a formal C3PAO assessment. It’s a strong, FedRAMP-authorized piece of the puzzle—not the whole puzzle.
The decision rules, distilled:
- Choose Kiteworks first if external CUI exchange is the operational bottleneck.
- Choose readiness help first if you don’t yet know your CMMC scope or you have no SSP. See our CMMC readiness assessment services guide.
- Add GRC/evidence software if you have tools but no system for controls and evidence. See CMMC GRC software options.
- Engage a C3PAO only when you’re assessment-ready—and keep it separate from your readiness work.
- Compare lighter alternatives if you have a small user base or a narrow CUI use case. See Kiteworks / PreVeil alternatives and our PreVeil CMMC review.
If we removed every link on this page, the verdict wouldn’t change—and that’s the test we hold ourselves to. Kiteworks is one of the better answers to a specific, expensive problem in the defense industrial base. Whether it’s your answer depends on the gap you’re actually trying to close.
Frequently asked questions
Is Kiteworks CMMC certified?
No—and no platform should be described that way. CMMC status applies to your assessed information systems and your scoped environment, not to a vendor product. Under 32 CFR Part 170 you define your CMMC assessment scope, and DFARS 252.204-7021 requires you to hold and maintain the required CMMC status for systems that process, store, or transmit FCI or CUI under a contract.
Is Kiteworks FedRAMP authorized?
Yes for the Moderate environment. The FedRAMP Marketplace lists the Kiteworks Federal Cloud as FedRAMP Authorized at the Moderate impact level (package F1511167634), continuously since June 1, 2017. The separate Kiteworks Secure Gov Cloud is Agency Authorization In Process for High (package FR2435353186, 0 authorizations and 0 reuses as of )—not yet authorized for High. Verify current status on the Marketplace.
Does Kiteworks meet CMMC Level 2 requirements?
Kiteworks’ company-stated mapping reports 96 of the 110 Level 2 requirements as “Kiteworks Compliant,” 4 as “Shared Responsibility,” and 10 as “Out of Scope”—which it summarizes as “nearly 90%.” That’s useful for due diligence, but you still have to implement and evidence your own scoped CMMC environment to pass an assessment. See our CMMC Level 2 requirements guide for the full 110.
Is Kiteworks enough by itself to pass CMMC Level 2?
No tool is enough by itself. Level 2 also requires proper scoping, an SSP, training, risk assessment, incident response, POA&M handling, and implementation evidence across your environment. Kiteworks can support important CUI-exchange and audit functions, but the assessment grades your whole program.
Is Kiteworks a C3PAO?
No. Kiteworks is a secure-content/CUI-exchange platform. Authorized and accredited C3PAOs are listed in the Cyber AB Marketplace; confirm current Marketplace status before relying on any provider’s assessor classification. No Kiteworks listing was found on the Cyber AB Marketplace as of .
Is Kiteworks the same company as Accellion?
Yes. Kiteworks was formerly Accellion and rebranded after retiring its breached legacy File Transfer Appliance product in 2021. Citing Mandiant's final report, the company stated the modern Kiteworks platform was not affected by that breach and runs on a different code base.
What does Kiteworks cost for CMMC?
The publicly listed self-serve Business tier (around $25.50 per user per month) is not the FedRAMP-authorized, CUI-grade deployment a CMMC effort needs. The relevant Federal Cloud deployment is custom-quoted—and you should budget separately for readiness, documentation, remediation, and assessment. See our CMMC Level 2 cost guide for the full picture.
What controls does Kiteworks flag as out of scope?
In its mapping, examples include wireless access authorization and protection and portable-storage use, plus procedural controls in areas like incident response and risk assessment. Use those gaps as a checklist for what your internal team, MSP/MSSP, RPO, or GRC workflow still needs to cover.
Can my C3PAO help me fix Kiteworks before the assessment?
Be careful. Under the Cyber AB CMMC Assessment Process, if a C3PAO determines you are not sufficiently prepared, the assessment team must not provide remedial advice, implementation assistance, or recommendations to improve your readiness for the replanned assessment, because doing so would create a conflict for resuming that assessment. Keep readiness/implementation help and formal assessment in separate lanes.
Sources we verified (last verified )
- FedRAMP Marketplace — Kiteworks Federal Cloud, package F1511167634 (FedRAMP Authorized, Moderate, Rev. 5, since 6/1/2017); Kiteworks Secure Gov Cloud, package FR2435353186 (Agency Authorization In Process, High/Class D, 0 authorizations/0 reuses). Cornerstone verification.
- 32 CFR Part 170 — CMMC Program rule (effective December 16, 2024) — Federal Register.
- DFARS 252.204-7021 (CMMC contract clause; effective November 10, 2025) and DFARS 252.204-7012 (CUI safeguarding; cloud/FedRAMP Moderate requirement at (b)(2)(ii)(D)) — Acquisition.gov.
- FedRAMP Rev. 5 baselines — Moderate 323 controls, High 410 controls — FedRAMP Rev. 5 transition materials.
- NIST SP 800-171 Rev. 2 (110 requirements, 14 families) and NIST SP 800-172 (Level 3 enhanced subset) — NIST Computer Security Resource Center.
- Cyber AB CMMC Assessment Process (CAP) — ESP/CRM evidence expectations and assessor independence rules.
- Kiteworks “CMMC 2.0 Compliance Mapping for Sensitive Data Exchanges” — company-stated control mapping (96 compliant / 4 shared / 10 out of scope); we verified the rating methodology and the Access Control family directly.
- CISA/FBI joint advisory (February 2021) on the Accellion FTA vulnerabilities; Mandiant final report (as cited by Accellion/Kiteworks); reporting on the $8.1M Accellion settlement.
- Third-party review platforms (G2, PeerSpot) — attributed, non-regulatory, for user-experience and pricing signals.
The Defense Compliance Report is an independent trade publication on CMMC 2.0 and DIB compliance. This article is general information and is not legal, contractual, or compliance advice. CMMC requirements, FedRAMP statuses, and provider details change—verify current status with the primary sources above before making a decision. Last verified: . Next scheduled review: September 2026, or sooner if the FedRAMP, Cyber AB, DFARS, 32 CFR Part 170, or Kiteworks product picture changes. Read our editorial standards, methodology, and corrections policy.