Module 14: Building a CMMC Roadmap, Budget, and Business Case

Step 1 – Orienting to the Current CMMC Landscape (2025)

Before you build a roadmap or budget, you must anchor everything in current CMMC reality.

1.1 Where CMMC stands as of late 2025

> Note: This module reflects the CMMC 2.0 rulemaking status as of December 2025 and the DoD’s public rollout plans available to date. Always cross‑check with the latest DoD and CMMC-AB/Cyber AB publications when doing real work.

Key points:

• CMMC 2.0 is the current model, replacing the original CMMC 1.0 framework.
• Focus levels for defense contractors handling sensitive data:
• Level 1 – Foundational: for Federal Contract Information (FCI), based on basic safeguarding controls (FAR 52.204‑21).
• Level 2 – Advanced: for Controlled Unclassified Information (CUI), aligned to NIST SP 800‑171 Rev. 3 (110 controls; Rev. 3 finalized in 2024 and is being integrated into DFARS/CMMC).
• Level 3 – Expert: for the highest-priority CUI programs, aligned to a subset of NIST SP 800‑172 (enhanced security requirements).
• DoD has signaled (in public briefings and draft rules) that CMMC requirements will be phased into contracts over multiple years, with third‑party Level 2 assessments required for higher-risk CUI programs.

1.2 Why roadmap, budget, and business case matter now

CMMC is not a one‑time project; it is a multi‑year capability. For any organization that wants to stay in the DoD supply chain, CMMC is effectively:

• A revenue protection program (protecting existing and future DoD revenue streams).
• A risk‑reduction program (reducing breach, enforcement, and False Claims Act risk).
• A change program (people, processes, and technology over several years).

Your roadmap and budget need to:

1. Cover the full lifecycle – gap analysis → remediation → assessment → continuous compliance.
2. Align to external deadlines – e.g., targeted dates such as November 10, 2026 for organizations needing CMMC Level 2 certifications in time for anticipated contract requirements.
3. Quantify total cost of ownership (TCO) – not just the assessment fee.

In this module, you will build a multi‑year plan that integrates:

• Scope and maturity targets (Level 2 vs. Level 3).
• Cost components (technology, people, processes, assessments, training).
• A phased schedule aligned to DoD rollout and contract lifecycles.
• A business case that can be presented to executives.

> Throughout, assume a medium‑sized contractor (~250 employees) handling CUI, aiming for CMMC Level 2 with some discussion of Level 3 edge cases.

Step 2 – Define Scope and Risk Posture Before You Budget

You cannot estimate costs or design a roadmap without scoping and risk appetite decisions.

2.1 Clarify CMMC level and data scope

1. Determine required CMMC level

• If you handle CUI (technical drawings, test data, controlled specs): assume Level 2.
• If you support high‑criticality programs (e.g., weapons systems, advanced R&D), DoD may require Level 3.

1. Define the CUI environment

• Where does CUI live? (systems, applications, cloud services, facilities)
• Who touches CUI? (roles, teams, subcontractors, MSPs)
• Can you segment into a smaller, tightly controlled enclave?

> Design choice: A segmented enclave (e.g., a dedicated GCC High tenant plus limited workstations) usually lowers TCO but increases architectural complexity.

2.2 Decide risk posture and sourcing strategy

Key decisions that drive cost:

• Build vs. buy
• Internal SOC vs. outsourced MDR/SOC-as-a-Service.
• In‑house compliance team vs. vCISO and compliance consultants.
• Cloud vs. on‑prem for CUI systems (e.g., GCC High/Azure Government vs. on‑prem domain).
• Standardization level
• Highly standardized endpoints and configurations reduce assessment risk and O&M cost.

2.3 Example scoping scenario

> Scenario A – Mid‑size machining contractor

>

> - ~250 staff, ~80 need CUI access.

> - Uses Microsoft 365 Commercial today; will move CUI into a segmented GCC High enclave.

> - Outsources SOC and SIEM to a CMMC‑aligned MSSP.

> - Uses a C3PAO for Level 2 assessment.

>

> Consequences:

> - Lower internal staffing needs for security operations.

> - Higher recurring spend on MSSP and specialized cloud.

> - A cleaner, easier‑to‑explain assessment boundary.

When you later build the budget, you will explicitly tie line items back to these scoping choices.

Step 3 – Enumerate the Full CMMC Total Cost of Ownership (TCO)

Most organizations initially underestimate CMMC cost because they focus on assessment fees only. A realistic TCO covers at least 4–5 years and includes:

3.1 Major cost categories

1. Technology and tools

• Secure cloud (e.g., GCC High, Azure Government, GovCloud, secure file sharing).
• Endpoint protection (EDR/XDR), email security, web filtering.
• Identity and access management (MFA, privileged access, identity governance).
• Logging and monitoring (SIEM, log storage, alerting tools).
• Configuration and vulnerability management (patching, scanning).
• GRC/compliance tooling and evidence repositories.

1. Professional services and assessments

• Gap assessments (readiness reviews, NIST 800‑171 assessments).
• Remediation design (architecture, policy, and process consulting).
• Penetration testing/red teaming (especially for Level 3‑like posture).
• C3PAO assessment fees (for Level 2 certification) and potential re‑assessments.

1. Internal staffing and time

• Security leadership (CISO/vCISO role, security manager).
• System administrators and engineers implementing controls.
• Compliance/governance analysts managing POA&Ms, policies, and evidence.
• Time spent by business units on training, procedure changes, and audits.

1. Training and culture

• Role‑based security training (developers, admins, executives, end users).
• Incident response exercises and tabletop drills.
• Change management and communication.

1. Facility and physical security (if CUI is processed on‑prem)

• Access controls, visitor management, CCTV.
• Secure storage and shredding.

1. Opportunity and disruption costs

• Productivity impact during rollout (e.g., MFA rollout, new processes).
• Temporary slowdown in engineering or production during migrations.

3.2 One‑time vs. recurring costs

You should explicitly separate:

• One‑time / project costs
• Initial gap assessment, architecture redesign, major migrations.
• Initial policy and procedure development.
• Up‑front licensing or hardware.

• Recurring / operational costs
• Annual licensing and cloud subscriptions.
• MSSP/SOC contracts.
• Periodic assessments, penetration tests.
• Ongoing staff time and training.

3.3 Thought structure

When you build your spreadsheet or model, structure it by category × year:

• Rows: tools, services, roles, training, facilities.
• Columns: Year 0 (planning) through Year 4+.

This lets you:

• Show cash flow over time to executives.
• Compare alternative architectures (e.g., heavy MSSP vs. heavier internal staffing).
• Tie cost to roadmap phases (next step).

Step 4 – Activity: Build a First-Pass TCO Structure

Use this thought exercise to translate theory into a concrete cost structure.

4.1 Task

Imagine you are the security lead for the Scenario A company from Step 2 (250‑person machining contractor, planning for CMMC Level 2 with a segmented GCC High enclave and MSSP).

Without worrying about exact dollar amounts, list at least 10 distinct cost line items you would include in a 4‑year CMMC TCO model, and classify each as:

• One‑time (O)
• Recurring annual (R)
• Mixed (M) – e.g., setup plus ongoing subscription

4.2 Example answer structure (don’t peek until you try)

Try first, then compare your list to this example structure:

1. GCC High tenant licensing – M
2. EDR/XDR licenses – R
3. SIEM + log storage – M
4. MSSP/SOC service – R
5. Initial gap assessment by NIST 800‑171 consultant – O
6. C3PAO certification assessment – O (but budget for re‑assessment in 3 years)
7. Internal security engineer (0.5–1 FTE) – R
8. Compliance analyst (0.5 FTE) – R
9. Annual security awareness and role‑based training – R
10. One‑time policy and procedure development workshop – O
11. Vulnerability scanner licensing – R
12. Incident response tabletop exercises with external facilitator – R

Reflect:

• Which items surprised you?
• Which items are heavily influenced by scoping (e.g., enclave size, number of users)?
• Which items might scale non‑linearly with growth (e.g., log storage)?

Step 5 – Phasing the Roadmap: From Gap to Certification to Continuous Compliance

Now translate your cost structure into a sequenced roadmap aligned with:

• Internal constraints (resources, change tolerance).
• External constraints (contract renewals, expected CMMC enforcement dates, e.g., needing Level 2 certification by November 10, 2026 for certain programs).

5.1 Core phases (for Level 2)

1. Phase 0 – Strategy and scoping (Months 0–3)

• Confirm required level (2 vs. 3) and scope.
• Decide on architecture (enclave vs. enterprise‑wide).
• Select key partners (MSSP, cloud provider, consulting support).
• Build initial TCO and business case draft.

1. Phase 1 – Gap analysis and prioritized POA&M (Months 2–5)

• Perform a NIST SP 800‑171 Rev. 3 gap assessment.
• Map findings into a Plan of Actions & Milestones (POA&M).
• Classify gaps by risk and dependency (technical vs. policy vs. training).

1. Phase 2 – Remediation and build‑out (Months 4–18)

• Implement technical controls (MFA, logging, EDR, encryption, segmentation).
• Develop and roll out policies, SOPs, and governance (see Module 12).
• Stand up continuous monitoring and evidence collection.
• Conduct internal audits and mock assessments.

1. Phase 3 – Formal assessment and certification (Months 16–22)

• Engage a C3PAO for Level 2 assessment (lead times can be long; plan early).
• Execute assessment; respond to limited, time‑bounded POA&Ms if allowed.
• Achieve certification before critical contract milestones.

1. Phase 4 – Continuous compliance and improvement (Year 2+)

• Maintain controls, monitoring, and governance.
• Conduct annual internal reviews against NIST 800‑171.
• Refresh training, update policies, and manage supply chain compliance (Module 13).

5.2 Aligning with external deadlines

Work backward from hard business dates, such as:

• Expected RFPs that will include CMMC clauses.
• Contract options or recompetes.
• The organization’s own fiscal year budgeting cycles.

If you must show a Level 2 certificate by November 10, 2026, your planning might look like:

• C3PAO assessment: July–September 2026.
• Internal readiness assessment: January–March 2026.
• Major remediation finished: by December 2025.
• Architecture decisions and MSSP onboarding: by mid‑2025.

5.3 Edge case: Level 3

For Level 3 candidates:

• Add advanced monitoring, threat hunting, and resilience capabilities.
• Expect more frequent and deeper assessments by DoD.
• Plan additional time for:
• Advanced incident response playbooks.
• Integration of NIST SP 800‑172 enhancements.
• Possible classified or highly sensitive test environments.

This usually implies higher recurring O&M cost and longer lead times.

Step 6 – Quiz: Sequencing the Roadmap

Check your understanding of how to sequence major CMMC initiatives.

Step 7 – Translating Roadmap into a Multi-Year Budget

Once phases are defined, you convert them into a time‑phased budget. This is where you move from conceptual TCO to numbers per year.

7.1 Map costs to phases

For each line item from your TCO structure:

1. Identify start and end (which phase and year?).
2. Decide if the cost is front‑loaded, evenly spread, or ramped.
3. Attach assumptions (e.g., number of users, log volume, FTE allocation).

Example (Scenario A, simplified):

| Cost Item | Phase(s) | Year 1 | Year 2 | Year 3 | Year 4 |

|-------------------------------------------|-------------------|--------|--------|--------|--------|

| Gap assessment (consultant) | Phase 1 | $$ | – | – | – |

| MSSP/SOC service | Phases 2–4 | $$ | $$$ | $$$ | $$$ |

| GCC High licensing (80 users) | Phases 2–4 | $$ | $$ | $$ | $$ |

| C3PAO assessment | Phase 3 | – | $$$ | – | – |

| Security engineer (0.5 FTE) | Phases 2–4 | $$ | $$ | $$ | $$ |

| Compliance analyst (0.5 FTE) | Phases 2–4 | $ | $$ | $$ | $$ |

| Training and exercises | Phases 2–4 | $ | $ | $ | $ |

(`$`, `$$`, `$$$` just indicate relative magnitude.)

7.2 Sensitivity and scenario analysis

Executives will ask: “What if…?” You should prepare at least two scenarios:

1. Conservative / high‑assurance scenario

• More internal staff.
• Higher monitoring and testing frequency.
• Earlier assessment dates (more buffer).

1. Lean / cost‑optimized scenario

• Greater reliance on MSSP and standardized SaaS.
• Minimal in‑house security engineering.
• Tighter schedule around assessment.

For each scenario, compute:

• 4‑year net present cost (if you want to be rigorous: discount future cash flows).
• Peak annual spend and how it aligns with fiscal years.

7.3 Integration with enterprise budgeting

Tie your CMMC budget to:

• Existing IT modernization initiatives (e.g., M365 migration, endpoint refresh).
• Risk management and cyber insurance strategy.
• Revenue forecasts for DoD vs. non‑DoD customers.

This allows you to present CMMC not as an isolated cost center but as part of a broader digital and security transformation.

Step 8 – Exercise: Draft a One-Page Roadmap & Budget Summary

Now synthesize your thinking into an executive‑friendly one‑pager.

8.1 Task

For the Scenario A company (Level 2, enclave, MSSP), sketch a one‑page summary that includes:

1. Timeline (Year 1–4), with:

• Major phases (0–4) and key milestones (e.g., “Level 2 certification by Sept 2026”).

1. Budget bands per year, using rough ranges instead of exact numbers:

• Year 1: High (due to gap assessment, build‑out)
• Year 2: Peak (due to assessment and full operations)
• Year 3–4: Stabilized run rate

1. Key assumptions (e.g., 80 CUI users, MSSP chosen, GCC High used, no Level 3 requirement).
2. Top 3 risks to the roadmap (e.g., MSSP onboarding delay, tool integration complexity, staff turnover).

8.2 Suggested structure (outline)

Use this outline to draft your one‑pager:

```text

Title: CMMC Level 2 Roadmap & Budget Summary (2025–2029)

1. Objective

• Achieve and maintain CMMC Level 2 for CUI operations by Sept 2026 to protect $X DoD revenue.

1. Timeline & Milestones

• 2025: Phase 0–2 – Strategy, gap assessment, architecture, initial remediation.
• 2026: Phase 2–3 – Complete remediation, internal readiness, C3PAO assessment by Sept 2026.
• 2027–2029: Phase 4 – Continuous compliance and optimization.

1. Budget Overview (Order-of-Magnitude)

• 2025: $$ – High project spend (build-out, consulting).
• 2026: $$$ – Peak spend (full operations + external assessment).
• 2027–2029: $$ – Stabilized operational run rate.

1. Key Assumptions

• 80 CUI users in GCC High enclave; MSSP provides 24x7 monitoring.
• No Level 3 requirement; NIST 800-171 Rev. 3 alignment.

1. Top Risks & Mitigations

• Risk 1: Assessment scheduling delay → Mitigation: Engage C3PAO 9–12 months early.
• Risk 2: Staff capacity → Mitigation: Use vCISO + MSSP to supplement internal team.
• Risk 3: Scope creep → Mitigation: Strict CUI boundary and change control.

```

Compare your own draft to this outline. Where did you diverge? Could you justify your choices to a skeptical CFO?

Step 9 – Building the Business Case: CMMC as Revenue Protection and Risk Reduction

With roadmap and budget in hand, you now need to justify CMMC investment to executives. The key framing is: CMMC is revenue protection and risk mitigation, not optional overhead.

9.1 Core elements of a CMMC business case

1. Revenue at risk

• Quantify current and projected DoD revenue dependent on CMMC compliance.
• Include realistic growth or attrition scenarios.
• Example: “$40M of annual DoD revenue; 70% expected to require Level 2 certification in the next 3 years.”

1. Competitive positioning

• Early, credible CMMC compliance can be a competitive advantage in bids.
• Late or weak compliance can lead to bid exclusion or lower evaluation scores.

1. Regulatory and legal risk

• False Claims Act and DoD enforcement actions for misrepresenting NIST 800‑171/CMMC compliance.
• Potential incident costs: breach response, downtime, reputational damage, loss of future awards.

1. Cost‑benefit framing

• Compare 4‑year CMMC investment vs. 4‑year DoD revenue.
• Express as % of revenue protected.
• Example: “Total 4‑year CMMC program cost is 4–6% of cumulative DoD revenue, and <1% of total company revenue.”

1. Co‑benefits

• Improved overall cyber resilience (benefiting non‑DoD customers as well).
• Better IT hygiene, reduced downtime, more standardized platforms.
• Potential reductions or stabilizations in cyber insurance costs.

9.2 Structuring the executive message

Executives respond to clear, concise narratives:

1. Problem statement – “Our DoD revenue is at risk due to rising CMMC expectations.”
2. Proposed solution – “A 4‑year CMMC program culminating in Level 2 certification by [date].”
3. Financials – “Total cost, annual profile, and TCO vs. revenue protected.”
4. Risks of inaction – “Lost bids, potential legal exposure, increased incident risk.”
5. Governance – “Clear ownership, metrics, and review cadence (e.g., quarterly CMMC steering committee).”

9.3 Edge case: Arguing for Level 3 investment

If Level 3 is not yet mandated but plausible:

• Present option value: being ready for high‑value programs others cannot bid on.
• Use a staged option approach:
• Invest now in Level 2 with Level 3‑ready architecture.
• Defer some Level 3‑specific controls until a concrete opportunity appears.

This lets executives view Level 3 as a strategic growth option, not a sunk cost.

Step 10 – Quiz: Framing the Business Case

Test your understanding of how to frame CMMC to executives.

Step 11 – Key Term Review

Flip the cards to reinforce core concepts from this module.

Step 12 – Synthesis and Next Actions

You have now connected CMMC controls and governance (Modules 12–13) to a concrete roadmap, budget, and business case.

12.1 What you should now be able to do

• Identify and structure the major cost components of CMMC Level 2/3 over multiple years.
• Sequence initiatives from gap analysis through remediation, assessment, and continuous compliance, aligned with key external dates (e.g., November 10, 2026 for Level 2 certification needs).
• Draft a multi‑year budget and perform basic scenario analysis.
• Articulate a compelling business case framing CMMC as revenue protection and risk reduction.

12.2 Suggested follow‑up activities

1. Build a real spreadsheet model using a hypothetical or real company scenario; include at least two budget scenarios.
2. Draft a 5‑slide executive deck summarizing:

• Scope & level.
• Roadmap & milestones.
• Budget overview.
• Risks and mitigations.
• Ask/decision needed from leadership.

1. Map dependencies with supply chain partners and MSPs (linking back to Module 13) and see how their readiness affects your roadmap.

Your challenge as an advanced learner is not only to understand CMMC technically, but to lead organizational decision‑making about when and how to invest. Treat the roadmap and business case as living documents that evolve with DoD guidance and your company’s strategy.