The Practical Matters of CMMC: Considerations & Common Challenges in Pursuing Level 2 Certification

With CMMC deadlines approaching and Level 2 certification becoming a requirement for many Department of Defense contracts, organizations are facing a difficult reality: achieving compliance is often far more operationally and technically complex than expected.

From underestimated preparation timelines and scoping challenges to FedRAMP requirements, documentation burdens, and costly remediation efforts, many contractors are discovering that CMMC readiness is not a quick checklist exercise. As of April 2026, only an estimated 1,300 organizations out of more than 104,000 in scope have successfully achieved Level 2 certification.

In this expert led discussion, Tevora’s Federal Compliance team, Jeremiah Sahlberg, Wayne Perry, and Alex Adams, moderated by Erin Badger, break down the practical realities organizations are encountering throughout the certification journey. The session explores how contractors should approach scoping, budgeting, technical remediation, operational planning, and long term compliance strategy before entering an official assessment.

Key Takeaways:

• What organizations should realistically expect during the certification process
• Why scoping mistakes can dramatically increase cost, effort, and timelines
• Common technical challenges involving FIPS validation, FedRAMP, encryption, and CUI handling
• How mature cybersecurity programs can accelerate certification readiness
• What assessors are actually looking for during a Level 2 evaluation
• Why CMMC should be treated as both a cybersecurity initiative and a business decision

Whether your organization is beginning its CMMC journey or preparing for a formal assessment, this session offers practical guidance on navigating one of the most significant compliance shifts facing the defense industrial base today.