The First CMMC Level 2 Certification Requirement Hits SAM.gov: What It Means for the MAPS Procurement and DoD Contractors

Here We Go

The clock is ticking, and the pressure is on. The Department of Defense (DoD) has just raised the bar for contractors eyeing the lucrative Marketplace for the Acquisition of Professional Services (MAPS) contract. As of December 13th, 2024, if you’re not well on your way to getting CMMC Level 2 certified — you may be left behind.

The cybersecurity landscape for defense contractors has shifted, and the message is clear: Get compliant or get out. The first real-world CMMC Level 2 certification requirement, in the form of gate criteria to bid, officially hit SAM.gov last Friday. The MAPS procurement opportunity is now front and center for hundreds of Army support organizations — and it’s already shaking up the industry.

If you’re wondering what all the fuss is about, buckle up. We’re diving into everything you need to know about MAPS, the new CMMC 2.0 Level 2 (L2) requirement, its impact on the industry, and, most importantly, how your organization can stay ahead of the curve.

What is the MAPS Procurement Opportunity?

The Marketplace for the Acquisition of Professional Services (MAPS) is a massive Indefinite Delivery/Indefinite Quantity (IDIQ) contract. In plain terms, it’s a “mega-contract” that allows the Army to streamline the acquisition of professional support services like training, logistics, and consulting. Instead of issuing multiple smaller contracts for different needs, the Army will use MAPS as an umbrella contract to bring multiple support needs under one roof.

For defense contractors, MAPS is a golden opportunity. But with the release of Draft 2 of Sections L&M last Friday, that golden opportunity suddenly comes with a catch: all bidders must provide proof of a CMMC Level 2 certification or proof that they’ve scheduled a CMMC L2 audit with a Certified Third-Party Assessment Organization (C3PAO).

This requirement is a game-changer. Here’s why.

What’s New in Sections L&M?

In its initial release, MAPS was already a competitive opportunity for DoD contractors. But the update to Draft 2 of Sections L&M changed the game. The new language reads:

“Please provide proof of your CMMC Level 2 or higher Certification or documentation showing that you have contacted a Certified Third-Party Assessment Organization and scheduled your CMMC Level 2 review.”

This means that, as of now, contractors can’t even submit a bid for MAPS without meeting these basic gate criteria. Without CMMC Level 2 certification or, at the very least, a scheduled assessment, you’re simply not in the running. No exceptions.

To put this in perspective, the final bid date for MAPS is expected to be around March 2025, with the award date set for August 2025. Even though the Army doesn’t plan to release its first task orders under MAPS until 2027, bidders need to prove their CMMC L2 status before August 2025. Essentially, contractors are being asked to meet a requirement today for a contract that won’t put a single task order against it for another two or three years.

If your organization hasn’t started the CMMC process, this timeline is daunting. Here’s why.

How Long Does It Take to Get CMMC Level 2 Certified?

If you’re hoping to get CMMC Level 2 certified in the next few months, prepare for a reality check. The average timeline for CMMC certification can range from 12 to 18 months for most organizations. That includes:

  • Scoping
  • Gap assessments
  • Flaw and Gap Remediation
  • Document and Artifact creation
  • Internal audits
  • Implementation of Mature Cybersecurity Practices
  • Staffing or Vendor Selection
  • Software and Hardware Investments
  • Personnel and Physical Security Enhancements
  • Security and Awareness Training
  • Final assessment by a Certified Third-Party Assessment Organization (C3PAO)

With the final MAPS bid deadline somewhere around March and the award date in August, bidders on this solicitation, and on those to come, have very little time to get their house in order.

If you’re not already well into this process, you’re behind. But all is not lost. There’s still time to act — if you move quickly and can come up with the resources needed to get it done.

The Clock is Ticking: What Should Contractors Do Now?

If you’re serious about bidding on MAPS or any other DoD solicitations coming out in the future, here’s what you should do right now:

  1. Scope IT
    Start by understanding what’s in scope for your CMMC certification. Skipping this step will result in costly missteps down the line. Use the official scoping guide to avoid confusion, and if you’re stuck, reach out to a trusted partner (Like, hello, inDirectIT).
  2. Conduct a Gap Analysis
    If you’re not sure where your company stands, conduct a CMMC gap analysis. This process will highlight weak spots in your cybersecurity practices and help you prioritize your remediation efforts.
  3. Schedule Your CMMC Assessment
    Reach out to a Certified Third-Party Assessment Organization (C3PAO). Availability is limited, and you’ll need to prove you’re on the schedule to submit your bid for MAPS. Book it now for the future, but don’t let anyone talk you into putting down more than 10%.
  4. Remediate Deficiencies
    Address the gaps found in your assessment; trust me, you have gaps. This may involve updating or migrating your IT infrastructure, training employees, and implementing technical and administrative controls to meet CMMC Level 2’s 320 control objectives.
  5. Document Everything
    From security policies to incident response plans, documentation is critical. If it’s not documented, it didn’t happen.
  6. Engage a Trusted Partner
    The fastest path to CMMC certification is with the help of experienced partners like Indirect IT.

How Indirect IT Can Help You Get and Stay CMMC 2.0 L2 Compliant

Getting to CMMC Level 2 isn’t just about technology — it’s about process, policy, and people. It’s a complex, time-consuming journey, but Indirect IT makes it easier.

Here’s how Indirect IT can help:

  • Migration Projects: We’ll help you transition to a compliant IT foundation like Microsoft GCC or GCC High.
  • CMMC Readiness Assessments: Assess your current state and create a roadmap to full compliance.
  • Policy, Procedure, and Plan Development: Develop essential documents like your System Security Plan (SSP) and Incident Response Plan (IRP).
  • Audit Preparation and Support: Conduct a “mock audit” so you’re ready when the C3PAO shows up.
  • Managed IT and Security Services: Partner with inDirectIT to achieve and maintain compliance with over 240 critical objectives, leveraging industry best practices to safeguard your data, boost productivity, and ensure business continuity. Our support extends beyond certification, providing ongoing protection and operational efficiency.
  • Ongoing Compliance Management: Stay compliant even after certification with our ongoing administrative and compliance-focused support.

With Indirect IT, you can position yourself to bid on DoD opportunities like MAPS with confidence.

Why This Requirement Is Here to Stay

The DoD has been crystal clear: CMMC will become the standard for all defense contracts. The MAPS requirement is just the beginning. Contractors that fail to meet CMMC 2.0 requirements are locking themselves out of future opportunities.

Final Thoughts: The Path to MAPS Starts with CMMC L2

The February 2025 RFP deadline for MAPS is closer than it seems, and the August 2025 certification requirement may be a hard deadline. If you’re not already working toward CMMC Level 2 certification, you’re at risk of being shut out of DoD contracting.

But you don’t have to face it alone. Indirect IT can streamline your process, avoid costly mistakes, and help you meet these new requirements.

Don’t wait. Get started today. Large opportunities like MAPS are exciting, but only for those ready to meet the challenge.

If you want or need help navigating the path to CMMC Level 2, contact IndirectIT today.

RJ Williams

Experienced Information Technology Leader with 12+ years of expertise in Business Leadership, Tech Strategy, Compliance Enablement, and M&A. RJ specializes in crafting successful technology strategies and solutions for complex challenges such as digital transformation, compliance attainment, and business process optimization.
