CUI Compliant
0 NIST 800-171 gaps detected. FedRAMP Moderate authorized. Leading managed file transfer platform for defense contractors. Handles secure file sharing, MFT, SFTP, and email.
Kiteworks
by Kiteworks
FedRAMP Status: FedRAMP Authorized
Impact Level: Moderate
Category: File Sharing
Authorized: November 30, 2017
Overview
Kiteworks (formerly Accellion) is a leading managed file transfer and secure content communications platform for defense contractors. It provides secure file sharing, SFTP, MFT, and email all in one FedRAMP authorized platform. Widely used by mid-size contractors for CMMC compliance.
Using Kiteworks in a Defense Contractor Environment
Kiteworks provides a FedRAMP Moderate authorized platform specifically designed for defense contractors handling CUI categories including technical data packages (TDP), engineering drawings, financial reports, personally identifiable information (PII), and procurement sensitive information. Within CMMC Level 2 authorization boundaries, Kiteworks typically serves as the primary secure file transfer mechanism, replacing legacy FTP/SFTP servers and consumer file sharing tools like Dropbox. The platform's managed file transfer (MFT) capabilities support automated CUI workflows between prime contractors and subcontractors. Compensating controls required include implementing data loss prevention (DLP) policies within Kiteworks, configuring proper user access controls aligned with need-to-know principles, and ensuring audit logging meets NIST 800-171 requirements. DCMA assessors consistently evaluate Kiteworks favorably during CMMC assessments, specifically examining configuration of encryption in transit/at rest, user authentication mechanisms, and audit trail completeness. The platform's FedRAMP authorization significantly streamlines the assessment process, as assessors can reference the existing security package rather than conducting full technical reviews. Recent DCMA compliance reviews have not flagged Kiteworks installations when properly configured, though assessors frequently cite inadequate user training and improper folder permission structures as common implementation deficiencies. The tool's integration capabilities with existing Active Directory infrastructure and its comprehensive API support make it particularly suitable for larger defense contractors with complex CUI handling requirements across multiple program offices.
Deployment & Architecture
Deployment Model: Government Cloud (FedRAMP boundary)
Kiteworks operates within a FedRAMP-authorized boundary. CUI can be processed within the authorization scope, but contractors must verify their specific use case falls within the system's security boundary as documented in the SSP.
Implementation Guide
Defense contractors implementing Kiteworks for CUI compliance should plan for a 12-16 week deployment timeline across four phases: planning (3 weeks), infrastructure setup (4 weeks), migration (6 weeks), and validation (3 weeks). During the planning phase, conduct a complete inventory of existing file sharing mechanisms and CUI repositories, mapping data flows to ensure comprehensive coverage. Infrastructure setup involves configuring Kiteworks within your FedRAMP boundary, establishing AD/LDAP integration, and implementing required security policies, including encryption settings and access controls. The migration phase requires careful CUI data transfer using Kiteworks' bulk import tools, with parallel validation of data integrity and access permissions. User training focuses on CUI marking requirements, proper folder structures, and secure sharing protocols. Critical compliance documentation updates include modifying the System Security Plan (SSP) to reflect Kiteworks as the authorized file transfer mechanism, updating authorization boundary diagrams to show data flows, and closing relevant POA&M entries related to secure file sharing. Configuration costs typically range from $75,000-$150,000 for mid-size contractors, including licensing, professional services, and integration effort. Annual licensing costs range from $25,000-$100,000 depending on user count and feature requirements. Organizations should budget an additional $30,000-$50,000 for annual compliance monitoring and security configuration management to maintain FedRAMP alignment.
Configuration Checklist
1. ISSO must update the System Security Plan (SSP) to include Kiteworks within the authorization boundary and document its role in CUI data flows per NIST 800-171 requirements.
2. Systems administrator shall configure Kiteworks encryption settings to meet FIPS 140-2 requirements for data at rest and TLS 1.2+ for data in transit per DFARS 252.204-7012.
3. ISSO must establish user access controls within Kiteworks aligned with need-to-know principles and document role-based permissions in the access control matrix.
4. Systems administrator shall integrate Kiteworks with existing Active Directory infrastructure and configure multi-factor authentication for all CUI access.
5. ISSO must configure audit logging within Kiteworks to capture all CUI access events and establish log retention policies meeting NIST 800-171 AU controls.
6. Contracts officer shall validate that Kiteworks usage aligns with contract requirements and notify customers of the secure file sharing mechanism.
7. Systems administrator must establish data loss prevention (DLP) policies within Kiteworks to prevent unauthorized CUI disclosure and configure automated scanning.
8. ISSO shall conduct user training on CUI handling procedures within Kiteworks, including proper marking, sharing protocols, and incident reporting requirements.
9. Systems administrator must implement backup and disaster recovery procedures for Kiteworks data, ensuring CUI protection during recovery operations.
10. ISSO must update the authorization boundary diagram to reflect Kiteworks data flows and establish continuous monitoring procedures for configuration compliance.
Compliance Cross-References
Kiteworks' FedRAMP Moderate authorization directly supports NIST 800-171 control families including AC (Access Control) through role-based permissions and multi-factor authentication, SC (System and Communications Protection) via FIPS 140-2 encryption and secure transmission protocols, and AU (Audit and Accountability) through comprehensive logging capabilities. The platform specifically addresses DFARS 252.204-7012 requirements for adequate security and 252.204-7021 (Cybersecurity Maturity Model Certification) by providing FedRAMP-authorized infrastructure for CUI processing. Within CMMC Level 2 assessments, Kiteworks affects multiple domains, including Access Control (AC), Audit and Accountability (AU), Configuration Management (CM), and System and Communications Protection (SC). The tool's compliance status directly influences findings in SC.8 (transmission confidentiality), AC.2 (account management), and AU.2 (auditable events). Non-compliance with Kiteworks configuration requirements would cascade into findings in these control families, potentially affecting overall CMMC Level 2 certification. The FedRAMP authorization provides inherited controls that satisfy many NIST 800-171 requirements, reducing the assessment burden on defense contractors during CMMC evaluations.
Frequently Asked Questions
Is Kiteworks FedRAMP authorized?
Yes. Kiteworks holds FedRAMP Moderate authorization and supports CMMC Level 2, DFARS 7012, and ITAR compliance.
What makes Kiteworks different from Box or SharePoint?
Kiteworks combines file sharing, managed file transfer, SFTP, and secure email in a single FedRAMP authorized platform. It provides comprehensive audit logging and DLP specifically designed for CUI compliance.