The U.S. Army has officially released the Marketplace for Acquisition of Professional Services (MAPS) solicitation on SAM.gov.
For many in the Defense Industrial Base (DIB), this may seem like the moment Cybersecurity Maturity Model Certification (CMMC) moves from an abstract idea to a solid requirement that could win or lose them contracts. If you’re unfamiliar with why MAPS impacts the entire DIB ecosystem, start here.
MAPS is a $50B 10-year, multi-award contract from the U.S. Army. Like any other federal solicitation, it establishes:
MAPS is a huge contract, but why are we talking about it? MAPS is among the first high-profile solicitations to include CMMC Level 2 as a requirement.
The MAPS solicitation explicitly incorporates CMMC into eligibility and evaluation:
In addition to CMMC Level 2 being a pass/fail requirement, CMMC Third-Party Assessment Organization (C3PAO)-assessed certifications are favored over self-assessed in scoring. In federal solicitations, scoring determines how your proposal ranks against other qualified competitors.
Small Businesses (fewer than 500 employees):
Large Businesses (500 or more employees):
While a CMMC Level 2 self-attested is the minimum requirement, it won’t score you any points. Final CMMC Level 2 C3PAO Certification accounts for 38% of the maximum available points for small businesses and 33% for large ones.
MAPS may be one of the first to require CMMC in such a concrete way, but it reflects a broader shift:
As a contractor, this is clear evidence that waiting on certification can disqualify you, and self-attestation as a minimum may get your bid lost in the crowd.
The MAPS solicitation demonstrates a clear shift to CMMC Level 2 as an active requirement and C3PAO certification as a standard, not the extra mile. It is now part of how the Department of War (DoW) evaluates and selects contractors.
Reach out to Summit 7’s experts to get compliant and win federal bids ASAP.