Questions about CUI? We've got a guide for you. Learn More
    CMMC Phase One started November 10! Here's everything you need to know.

    What CMMC Requirements in Army MAPS Mean for the DIB

    Learn how the Army MAPS solicitation marks a key shift in CMMC requirements, emphasizing the need for Level 2 certification in federal contracts.

    By
    2 Minutes Read

    The U.S. Army has officially released the Marketplace for Acquisition of Professional Services (MAPS) solicitation on SAM.gov.

    For many in the Defense Industrial Base (DIB), this may seem like the moment Cybersecurity Maturity Model Certification (CMMC) moves from an abstract idea to a solid requirement that could win or lose them contracts. If you’re unfamiliar with why MAPS impacts the entire DIB ecosystem, start here.

    What is MAPS?

    MAPS is a $50B 10-year, multi-award contract from the U.S. Army. Like any other federal solicitation, it establishes:

    • Eligibility requirements
    • Deadline to bid (May 1, 2026)
    • How proposals are evaluated

    MAPS is a huge contract, but why are we talking about it? MAPS is among the first high-profile solicitations to include CMMC Level 2 as a requirement.

    How CMMC Certification Affects Eligibility & Scoring

    The MAPS solicitation explicitly incorporates CMMC into eligibility and evaluation:

    • CMMC Level 2 is a base requirement.
    • Contractors may submit with a scheduled assessment if not yet certified.
    • Proof of status must be validated through the Supplier Performance Risk System (SPRS).
    • Joint venture (JV) members handling Controlled Unclassified Information (CUI) must each maintain certification.

    In addition to CMMC Level 2 being a pass/fail requirement, CMMC Third-Party Assessment Organization (C3PAO)-assessed certifications are favored over self-assessed in scoring. In federal solicitations, scoring determines how your proposal ranks against other qualified competitors.

    CMMC Scoring Breakdown

    Small Businesses (fewer than 500 employees):

    • 8,000 maximum points
    • 1,000 points for scheduled Conditional or Final CMMC Level 2 C3PAO Certification
    • 2,000 points for active, approved Conditional CMMC Level 2 C3PAO Certification
    • 3,000 points for active, approved Final CMMC Level 2 C3PAO Certification

    Large Businesses (500 or more employees):

    • 10,500 maximum points
    • 2,000 points for scheduled Conditional or Final CMMC Level 2 C3PAO Certification
    • 2,500 points for active, approved Conditional CMMC Level 2 C3PAO Certification
    • 3,500 points for active, approved Final CMMC Level 2 C3PAO Certification

    While a CMMC Level 2 self-attested is the minimum requirement, it won’t score you any points. Final CMMC Level 2 C3PAO Certification accounts for 38% of the maximum available points for small businesses and 33% for large ones.

    Why It Matters (Even if You’re Not Bidding on MAPS)

    MAPS may be one of the first to require CMMC in such a concrete way, but it reflects a broader shift:

    • Putting off CMMC Level 2 compliance is disqualifying contractors.
    • C3PAO assessments are becoming the standard of credibility.
    • The JV requirement means every participating organization handling CUI must be certified individually.

    As a contractor, this is clear evidence that waiting on certification can disqualify you, and self-attestation as a minimum may get your bid lost in the crowd.

    The Bottom Line

    The MAPS solicitation demonstrates a clear shift to CMMC Level 2 as an active requirement and C3PAO certification as a standard, not the extra mile. It is now part of how the Department of War (DoW) evaluates and selects contractors.

    Reach out to Summit 7’s experts to get compliant and win federal bids ASAP.

    Picture of Jacob Horne

    Jacob Horne

    Jacob has 15 years of interdisciplinary cybersecurity experience. He uses his knowledge of cybersecurity, NIST standards, and federal rulemaking to help people make sense of cybersecurity regulations and requirements.

    Author