#governmentcontractors — Public Fediverse posts
Live and recent posts from across the Fediverse tagged #governmentcontractors, aggregated by home.social.
-
Contractor Convicted for Destroying Dozens of Federal Databases
A contractor's reckless actions led to the destruction of dozens of federal databases, showcasing a staggering disregard for the security and integrity of sensitive government information. After being terminated on February 18, 2025, the contractor and his twin brother intentionally caused chaos by accessing…
#DataDestruction #FederalDatabases #InsiderThreat #GovernmentContractors #EmergingThreats
-
Tips For Small Business In Teaming With Prime Contractors
“WASHINGTON TECHNOLOGY” – By Mike Lisagor
Adapted from the book: How to Win in the Government Market (co-authored with Mark Amtower)
“There are plenty of pitfalls and possible mistakes when you form partnerships. There is no such thing as a risk-free proposition as a subcontractor. But here are eleven guidelines that can increase your chances of picking the winning prime contractor.”
_______________________________________________________________________________________________
- While established relationships often influence teaming decisions, business associates can be re-assigned or leave their company. Having a definitive teaming agreement is one of the few ways you can mitigate this risk.
- Your company’s technical role and work percentage should be clearly defined in a written teaming agreement (usually Attachment A). Avoid terms like “best efforts” or “goals.” These rarely pan out. On IDIQ and GWAC bids where work content is guaranteed, get an agreement on which technical areas you will lead…something like “all the work in our core competency.”
- It is a good practice to request a Dun & Bradstreet credit report on a potential small business prime contractor to assess whether they will be deemed financially credible in the eyes of the client. I’ve seen the government throw out bids because the small business prime couldn’t pay their bills. This was incredibly frustrating for subs.
- Ask the client what they think of potential teammates – the worst that can happen is they’ll decline to comment.
- Most acquisitions require either the prime contractor or the entire team to provide a certain number of project citations. Confirm that the prime has the necessary past performance and relevant projects to cite in the proposal.
- Look for a prime that has subject matter experts who meet the key personnel requirements. Negotiate having some of these be from your company.
- Many government acquisition re-competes assume the winning team will hire some or all the incumbent contractor’s staff. This will need to be considered as part of your teaming and win strategy.
- Make sure the potential prime contractor has the resources and ability to develop a professional winning proposal. Find out up front how much effort you will be expected to expend.
- Discuss pricing strategy up front so you know whether the rates you will have to bid will fit within your company’s pricing model. This means you need to know whether the target agency has a history of best value or lowest price ‘barely’ technically capable awards. And the prime’s ability to be competitive.
- Avoid companies that have a reputation for treating their subcontractors unfairly especially when negotiating a subcontract after the award and sharing the resulting work. Query your industry partners for their experience teaming with the prime. And, just as you should when hiring someone, trust your instincts. It won’t get better after the award.
- One final suggestion — use a decision matrix to evaluate the teaming landscape for each specific new business opportunity. This will take some of the emotion out of the selection process. First, develop the important win strategy criteria (column 1). These should be based on both stated and perceived procurement needs as a result of client discussions and reading procurement documentation. Next assess your own company’s ability to meet these criteria and any gaps you can’t fill (column 2). Then, evaluate each candidate prime against the same criteria using colors; high, medium, low; or a numerical score to determine the best fit (one column for each company).
And, above all, avoid teaming just because it’s someone you already know…team to win!
Tips On Teaming With Prime Contractors
ABOUT THE AUTHOR:
Mike Lisagor
A (usually) retired writer, gov’t contractor BD & PM expert, and blues musician, Mike Lisagor is the founder of Celerity Works and a co-founder of GovFlex.com. His books include the just released, How to Win in the Government Market (with Mark Amtower), The Essential Guide to Managing a Government Project, and How to Develop a Winning SBIR Proposal (with Eric Adolphe). He can be reached at LinkedIn.com/in/mikelisagor and [email protected]
#books #governmentContractTeaming #governmentContracting #GovernmentContractors #news #Teaming #technology -
The First 100 Days of CMMC And What Comes Next
NATIONAL DEFENSE MAGAZINE By Ryan Heidorn
“The first 100 days of CMMC were never meant to be dramatic. The signal lies not in what happened immediately, but what is now unavoidable.
In its first year, expect imperfect translation, conservative interpretation and inconsistent execution. These are not signs of failure; they are signs that CMMC has moved from policy theory into operational reality.”
____________________________________________________________________________________________________
“Following a multi-year rulemaking process, the Defense Department’s Cybersecurity Maturity Model Certification program crossed the regulatory finish line on Nov. 10.
For much of the defense industrial base, that moment carried a simple question — now that CMMC had moved from concept to reality, what would change first?
In the weeks that followed, there was no sudden surge of solicitations carrying CMMC requirements and no visible disruption to contracting operations.
Immediate disruption, however, was never the signal to watch. Nov. 10 was not a switch-flip moment where every contract suddenly changed, but the final regulatory step that collapsed uncertainty into inevitability, transforming CMMC from a long-debated future requirement into a permanent feature of defense acquisition.
The absence of visible disruption in the first weeks of CMMC was not surprising. What had changed was certainty — that a verified cybersecurity posture is now a condition of doing business with the department, not a sudden wave of enforcement actions.
For organizations that had already leaned into existing cybersecurity requirements, this marked a shift from designing for compliance to collecting, validating and organizing objective evidence in preparation for assessment.
For those that had maintained a wait-and-see approach, November carried a tangible cost. Qualified service providers and third-party assessors were already in high demand, and the timeline to move from minimal readiness to assessment-ready — often 12 to 18 months — remained unchanged. Organizations that delayed action risked entering 2026 at a competitive disadvantage.
Those early weeks began to expose which organizations had established effective operational governance, and which had deferred ownership decisions or assumed accountability would come later.
By the second month, pressure began to surface. This didn’t stem from deadlines, but from supply chain dynamics.
Prime contractors began communicating expectations to their supplier bases, asking whether organizations were prepared and what actions were underway. Under Defense Federal Acquisition Regulation Supplement 252.204-7021, primes must ensure that subcontractors handling federal contract information or controlled unclassified information hold a current CMMC certificate or status at the required level prior to award.
An unprepared supplier base can undermine performance or expose the prime to risk, driving urgency well before solicitations appear. Because primes do not know in advance which contracts will include CMMC requirements or at what level, ensuring preparation for all potential suppliers must happen ahead of demand.
Organizations that move the fastest prioritize repeatable processes and clear ownership rather than one-time remediation. One-off fixes may satisfy a checklist, but repeatable processes are what stand up to verification.
By the 96-day mark, a clear divide began to emerge between organizations that could say they had implemented the requirements and those that could withstand scrutiny. Proving compliance is not a step that occurs after implementation — it is a permanent operating condition.
In practice, CMMC readiness is rarely constrained by technology. Documentation, consistency and governance are more often the limiting factors. Security tooling without evidence of governance becomes invisible during assessment.
Critics of CMMC 2.0 have pointed to its shift away from maturity levels toward more blunt enforcement of existing requirements. But demonstrating conformity to the many perform-type assessment objectives in Level 2 requires operational maturity, not just tools.
Self-attestation has repeatedly failed to produce durable cybersecurity outcomes. Verification is therefore inevitable, and it is quickly becoming the standard currency of trust.
This model is not unique to defense and will propagate into other regulated ecosystems. The scale of this shift is significant.
The next phase will test operational discipline. Rather than a single enforcement trigger, the final rule embeds CMMC into acquisition through multiple discretionary decision points exercised by program offices and requiring activities. This structure makes uniform application unlikely and accelerates urgency unevenly across the market as the rule integrates into real acquisition workflows.
Some organizations will face intense pressure quickly, while others may feel little immediate impact. That inconsistency is not evidence of failure, but it reflects a program being applied inside day-to-day acquisition activity with varying levels of risk tolerance, mission criticality and data sensitivity.
Supply chain pressure will continue to concentrate where mission impact is high, data sensitivity is significant and the pool of qualified suppliers is limited. This asymmetry determines who feels pressure first and who has time to adapt.
Demand for third-party certification assessments will continue to grow, exposing capacity constraints not only among assessors but also across the broader implementation ecosystem. Organizations that wait to see a Level 2 certification requirement in a solicitation may find themselves competing for limited resources on timelines that cannot be compressed.
CMMC shifts accountability away from point-in-time compliance events toward continuous operational discipline. The pre-CMMC mindset no longer holds. Discrepancies between paperwork and practice are already the most common reason for those “Not Met” determinations during assessment.
Friction in the early rollout is already acting like a sorting mechanism, distinguishing organizations that operationalize compliance from those that rely on static documentation.
The first 100 days of CMMC were never meant to be dramatic. The signal lies not in what happened immediately, but what is now unavoidable.
In its first year, expect imperfect translation, conservative interpretation and inconsistent execution. These are not signs of failure; they are signs that CMMC has moved from policy theory into operational reality.”
Ryan Heidorn is chief technology officer at C3 Integrated Solutions.
#books #CMMCCompliance #governmentContracting #GovernmentContractors #news #technology -
Those early weeks began to expose which organizations had established effective operational governance, and which had deferred ownership decisions or assumed accountability would come later.
By the second month, pressure began to surface. This didn’t stem from deadlines, but from supply chain dynamics.
Prime contractors began communicating expectations to their supplier bases, asking whether organizations were prepared and what actions were underway. Under Defense Federal Acquisition Regulation Supplement 252.204-7021, primes must ensure that subcontractors handling federal contract information or controlled unclassified information hold a current CMMC certificate or status at the required level prior to award.
An unprepared supplier base can undermine performance or expose the prime to risk, driving urgency well before solicitations appear. Because primes do not know in advance which contracts will include CMMC requirements or at what level, ensuring preparation for all potential suppliers must happen ahead of demand.
Organizations that move the fastest prioritize repeatable processes and clear ownership rather than one-time remediation. One-off fixes may satisfy a checklist, but repeatable processes are what stand up to verification.
By the 96-day mark, a clear divide began to emerge between organizations that could say they had implemented the requirements and those that could withstand scrutiny. Proving compliance is not a step that occurs after implementation — it is a permanent operating condition.
In practice, CMMC readiness is rarely constrained by technology. Documentation, consistency and governance are more often the limiting factors. Security tooling without evidence of governance becomes invisible during assessment.
Critics of CMMC 2.0 have pointed to its shift away from maturity levels toward more blunt enforcement of existing requirements. But demonstrating conformity to the many perform-type assessment objectives in Level 2 requires operational maturity, not just tools.
Self-attestation has repeatedly failed to produce durable cybersecurity outcomes. Verification is therefore inevitable, and it is quickly becoming the standard currency of trust.
This model is not unique to defense and will propagate into other regulated ecosystems. The scale of this shift is significant.
The next phase will test operational discipline. Rather than a single enforcement trigger, the final rule embeds CMMC into acquisition through multiple discretionary decision points exercised by program offices and requiring activities. This structure makes uniform application unlikely and accelerates urgency unevenly across the market as the rule integrates into real acquisition workflows.
Some organizations will face intense pressure quickly, while others may feel little immediate impact. That inconsistency is not evidence of failure, but it reflects a program being applied inside day-to-day acquisition activity with varying levels of risk tolerance, mission criticality and data sensitivity.
Supply chain pressure will continue to concentrate where mission impact is high, data sensitivity is significant and the pool of qualified suppliers is limited. This asymmetry determines who feels pressure first and who has time to adapt.
Demand for third-party certification assessments will continue to grow, exposing capacity constraints not only among assessors but also across the broader implementation ecosystem. Organizations that wait to see a Level 2 certification requirement in a solicitation may find themselves competing for limited resources on timelines that cannot be compressed.
CMMC shifts accountability away from point-in-time compliance events toward continuous operational discipline. The pre-CMMC mindset no longer holds. Discrepancies between paperwork and practice are already the most common reason for those “Not Met” determinations during assessment.
Friction in the early rollout is already acting like a sorting mechanism, distinguishing organizations that operationalize compliance from those that rely on static documentation.
The first 100 days of CMMC were never meant to be dramatic. The signal lies not in what happened immediately, but what is now unavoidable.
In its first year, expect imperfect translation, conservative interpretation and inconsistent execution. These are not signs of failure; they are signs that CMMC has moved from policy theory into operational reality.”
Ryan Heidorn is chief technology officer at C3 Integrated Solutions.
#books #CMMCCompliance #governmentContracting #GovernmentContractors #news #technology -
SDVOSB Contract Opportunities: Where $28.6 Billion Actually Goes
“FEDSPEND”
“Service-Disabled Veteran-Owned Small Business contracts hit $28.6B in FY2025. Here’s the agency-by-agency, NAICS-by-NAICS breakdown — and why 35% of those dollars went sole-source.”
______________________________________________________________________________________________________
“$28.6 Billion. The Veteran Advantage Is Real — If You Know Where to Look.
The federal government’s SDVOSB (Service-Disabled Veteran-Owned Small Business) program is the second-largest set-aside category by dollar volume, behind only general small business. In FY2025, agencies awarded $28.6 billion across approximately 52,000 contract actions to SDVOSB firms.
But the distribution is brutally uneven. A small percentage of SDVOSB firms capture the majority of those dollars. The difference is not capability or service quality — it is business development discipline and knowing where the money flows.
Which Agencies Award the Most SDVOSB Contracts?
The top 8 agencies account for over 82% of all SDVOSB dollars:
| Agency | FY2025 SDVOSB Awards | % of Total |
|---|---|---|
| Department of Defense | $12.8B | 45% |
| Department of Veterans Affairs | $5.2B | 18% |
| Department of Homeland Security | $2.1B | 7% |
| General Services Administration | $1.8B | 6% |
| Department of Health & Human Services | $1.4B | 5% |
| Department of Energy | $1.1B | 4% |
| Department of Interior | $890M | 3% |
| Department of Agriculture | $680M | 2% |
The VA Advantage
The VA deserves special attention. Unlike other agencies, the VA operates under the Veterans First Contracting Program, which gives SDVOSB (and VOSB) firms priority over all other set-aside types for VA contracts. This is not just a goal — it is a statutory mandate under 38 U.S.C. 8127.
What this means practically: when a VA contracting officer has a requirement, they must first consider SDVOSB firms before opening it to 8(a), HUBZone, or general small business. If two or more SDVOSB firms can perform the work, the contract must be set aside for SDVOSB competition.
If you are an SDVOSB firm not actively pursuing VA contracts, you are leaving your strongest legal advantage on the table.
Top NAICS Codes for SDVOSB Awards
| NAICS Code | Description | FY2025 SDVOSB Awards | Competition Level |
|---|---|---|---|
| 541512 | Computer Systems Design | $3.9B | Very High |
| 561210 | Facilities Support Services | $2.8B | High |
| 541330 | Engineering Services | $2.4B | High |
| 236220 | Commercial Building Construction | $2.1B | Moderate |
| 561612 | Security Guards | $1.6B | Moderate |
| 541611 | Admin Management Consulting | $1.3B | Very High |
| 541519 | Other Computer Services | $1.1B | High |
| 238220 | Plumbing/HVAC/AC Contractors | $890M | Low |
| 562910 | Remediation Services | $780M | Low |
| 237310 | Highway/Street Construction | $720M | Low |
Where the Smart Money Competes
The pattern from 8(a) data repeats here: IT services (541512) attracts the most competition per dollar. But look at the bottom of the table — Plumbing/HVAC (238220), Remediation (562910), and Highway Construction (237310) have significantly fewer competing SDVOSB firms relative to award volume.
Construction-related NAICS codes perform disproportionately well in the SDVOSB program. Veteran-owned construction, environmental remediation, and facilities maintenance firms have roughly 4x less competition per dollar than IT services firms.
If you hold SDVOSB certification and a construction or trades-related NAICS, your competitive position is stronger than you think.
The Sole-Source Advantage: $5 Million Threshold
The SDVOSB sole-source threshold is $5 million for both services and manufacturing — higher than the 8(a) threshold of $4.5M.
FY2025 Sole-Source vs. Competitive Split
* ~35% of SDVOSB dollars were sole-sourced ($10B)
* ~65% were competitive SDVOSB set-asides ($18.6B)
* Sole-source average value: $1.4M
* Competitive average value: $640K
The math is clear: sole-source contracts are worth more than double the average competitive award. And they require zero competition — just a contracting officer who knows your firm can perform the work.
How to Position for SDVOSB Sole-Source Awards
Target agencies behind on SDVOSB goals. When an agency is under its 3% SDVOSB statutory goal heading into Q4 (July-September), contracting officers are motivated to sole-source to SDVOSB firms to close the gap. This creates a predictable annual window.
Build PM relationships, not just CO relationships. Program Managers define requirements. Contracting Officers execute paperwork. The decision to sole-source happens at the PM level.
Register in VetBiz (VA) and SAM.gov. VA sole-source awards require VetBiz verification. All federal sole-source awards require active SAM.gov registration. Sounds obvious — but expired registrations are the #1 reason SDVOSB firms miss sole-source opportunities.
Submit unsolicited capability statements. Target agencies in your NAICS codes 6-12 months before contract expirations. Include past performance, key personnel, and specific relevance to the agency’s mission.
VA vs. DoD: Different Strategies Required
VA Strategy (Veterans First Program)
* SDVOSB firms get statutory priority over all other set-aside types
* VA must set aside for SDVOSB competition if two or more SDVOSB firms can perform
* VetBiz certification required (separate from SAM.gov SDVOSB self-certification)
* High concentration in healthcare IT (541512), facilities management (561210), and medical staffing
* Attend VA OSDBU National Veterans Small Business Engagement events
DoD Strategy (Standard SDVOSB Set-Aside)
* DoD follows standard FAR set-aside rules (no Veterans First priority)
* SDVOSB competes alongside 8(a), HUBZone, and general small business for set-aside goals
* Massive volume in engineering (541330), IT services (541512), and construction (236220)
* Security clearances dramatically narrow the competitive field — cleared SDVOSB firms have a significant advantage
* Pursue IDIQ vehicles: OASIS SB, STARS III, Alliant 3 SB
Recompete Opportunities: The Predictable Pipeline
Approximately 32% of FY2025 SDVOSB awards were recompetitions of expiring contracts. These are not surprises — they are predictable events with known timelines.
What recompete tracking gives you:
* Contract expiration dates — know exactly when an incumbent’s period of performance ends
* Current contract value — understand the budget envelope before you bid
* Incumbent identity — research their past performance to identify vulnerabilities
* Historical set-aside type — if it was SDVOSB last time, it is likely SDVOSB again
The Timeline Advantage
Most SDVOSB firms discover recompete opportunities when the solicitation posts on SAM.gov. By then, the incumbent has been positioning for months. The firms winning recompetes:
* Identified the opportunity 12-18 months before solicitation
* Submitted capability statements to the contracting office
* Met with the Program Manager to understand evolving requirements
* Teamed with complementary firms to strengthen their proposal
Fed-Spend tracks 85,000+ recompete opportunities with automated alerts when contracts in your NAICS codes approach expiration.
The SBA Certification Change: What SDVOSB Firms Must Know
As of January 2023, SDVOSB certification transferred from VA’s VetBiz to SBA’s VetCert program. Key changes:
* All SDVOSB firms must now be certified through SBA (not just VA contractors)
* Self-certification is no longer sufficient for most contract opportunities
* SBA VetCert uses the same portal as 8(a) and HUBZone certifications
* Processing time: approximately 90 days
* Re-certification required annually
If you are relying on self-certification alone, you may be ineligible for an increasing number of SDVOSB set-asides. Check your certification status at vetcert.sba.gov.
5 Mistakes That Cost SDVOSB Firms Contracts
Mistake 1: Ignoring the VA
The Veterans First program is the strongest legal advantage any set-aside category has. SDVOSB firms that skip VA contracting are leaving their best card unplayed.
Mistake 2: Competing Only in IT
NAICS 541512 has the highest award volume but also the highest competition density. Firms in construction, environmental, facilities, and trades NAICS codes face dramatically less competition per dollar.
Mistake 3: Letting Certifications Lapse
Expired SAM.gov registration, expired VetCert, expired GSA Schedule — any of these kills your eligibility. Set calendar reminders 90 days before every expiration.
Mistake 4: Waiting for SAM.gov Postings
By the time a solicitation is posted, the positioning phase is over. The winners identified the opportunity months earlier through recompete tracking and agency engagement.
Mistake 5: Going It Alone on Large Contracts
Mentor-protege agreements and joint ventures allow SDVOSB firms to pursue contracts above their individual capability. The SBA’s All Small Mentor-Protege Program and the VA’s Mentor-Protege Program both allow SDVOSB joint ventures to maintain SDVOSB status for set-aside eligibility.
FAQ: SDVOSB Contract Opportunities
How much does the federal government spend with SDVOSB firms?
In FY2025, federal agencies awarded approximately $28.6 billion to SDVOSB firms across ~52,000 contract actions. The statutory goal is 3% of all federal contracting dollars.
What is the SDVOSB sole-source threshold?
$5 million for both services and manufacturing contracts. Below this threshold, a contracting officer can award directly to an SDVOSB firm without competition, provided the price is determined to be fair and reasonable.
Do I need SBA certification to bid on SDVOSB contracts?
Yes. As of January 2023, SBA VetCert certification is required. Self-certification is being phased out. Apply at vetcert.sba.gov. Processing takes approximately 90 days.
What is the difference between SDVOSB and VOSB?
SDVOSB requires the owner to have a service-connected disability rated by the VA. VOSB requires only veteran status. SDVOSB firms receive sole-source and set-aside preferences that VOSB firms do not. Under the VA’s Veterans First program, SDVOSB firms receive priority over VOSB firms.
Can I search SDVOSB contract opportunities for free?
Yes. SAM.gov lists active solicitations filterable by SDVOSB set-aside type. USAspending.gov shows historical SDVOSB awards. Fed-Spend offers a free tier with 10 searches per month across all set-aside types and full contract data.”
#books #governmentContracting #GovernmentContractors #news #SDVOSB #ServiceDisabledVeteranOwnedSmallBusiness #technology -
Your Capability Statement For Small Business Government Contracting
“SMALLTOFEDS” By Ken Larson
“Focused and direct, your CAPE must be informative, concise and a snapshot of the very best you can offer.”
_________________________________________________________________________________________________________
“Federal government contracting is all about relationship development. Marketing to influential agency personnel, industry partners, prospective team members, employees, associate contractors and others who can help you requires a hard hitting synopsis of what your firm brings to the table.
Place into a capability statement (CAPE) the specific information others need to know for a sound decision about your company qualifications. This information includes such items as a D&B Number, government registration numbers, North American Industry Classification System (NAICS) codes and the like. These items are elected or determined when you register your company for government contracting.
KEEP IT SHORT
An electronic capability statement (CAPE) for government contracts should be short and hard-hitting. It should be 1-2 pages and should highlight the salient points of products and offerings, personnel and qualifications.
Below are examples of two good capability statements in the public domain. The first is a services company, the second example is for a company selling off-the-shelf products.
MAKE IT PROMOTIONAL
A good CAPE will be a promotional brochure that on paper and through the electronic media advertises who you are, what you do and why the government or prime contractors should buy from you. Major elements of your capability statement, in addition to your small business designation and certifications, are as follows:
(1) Company overview
(2) Supplies and services description couched utilizing your marketing ideas and strategy.
(3) Past performance of your enterprise or your personal background and qualifications (experience, education, etc.).
(4) Facilities or capabilities overview (How you perform your service couched in a manner that will appeal to your target market).
(5) Explanation of the positive results the client should expect.
(6) Points of contact and ways to contact you for meetings, placing an order and contracting your services.
INCLUDE GRAPHICS
The document itself should be created with graphics, photos, themes and sales pitches. A picture of your product and your personnel adds dynamics.
DISTRIBUTION
Your capability statement should be distributed on paper to your target market as a brochure, emailed as an attachment and linked into related industry web sites or partner marketing to get the word out about your product or service. Your CAPE targets contracting officers and prime contractor buyers who are seeking to fulfill their small business buying goals. It is a way to get you in the door and speak to, or correspond with, the management and technical personnel who are the decision makers in sourcing small business buys.
SUMMARY
A good quality CAPE is the spearhead of your marketing campaign and your visual image; focused and direct, it must be informative, concise and a snapshot of the very best you can offer.”
https://www.smalltofeds.com/2011/05/your-capability-statement-cape-for.html
#books #Business #CapabilityStatement #CAPE #DigitalMarketing #governmentContracting #GovernmentContractors #MarketingSuccess #news #technology
-
Will the Supreme Court Hand Government Contractors Blanket Immunity?
A private prison operator argues companies should be shielded from lawsuits when doing the government’s dirty work.
https://murica.website/2025/10/will-the-supreme-court-hand-government-contractors-blanket-immunity/
-
No ICI member intends to resign, says executive director
-
Pentagon officially implements CMMC REQUIREMENTS IN CONTRACTS requiring Cybersecurity Maturity Model Certification 2.0 (CMMC 2.0) standards moving forward.
https://rosecoveredglasses.wordpress.com/2025/09/16/pentagon-officially-implements-cmmc-requirements-in-contracts/
#governmentcontractors #CMMC -
#Musk #Neuralink falsified federal forms, claims to qualify for #racial #diversity program. The company, owned by the world's wealthiest man #billionaire, says it is a "small disadvantaged business" #maga #trump #corruption #contract https://popular.info/p/musks-neuralink-falsified-federal #smallbusiness #SBD https://substack.com/redirect/352493d7-c32a-4a28-84ee-9ae2973f2e5b?j=eyJ1IjoiMnliem0ifQ.jl2EKOVyOPcNm6pSkik7c__ELp0wTV9MF7hA5UXef5U #governmentcontractors
-
CMMC Cyber And Supply Chain Standard Poised To Disrupt Industry in the midst of a phased rollout ahead of the rule’s inevitable finalization and addition to contracts this year.
https://rosecoveredglasses.wordpress.com/2025/03/31/cmmc-cyber-and-supply-chain-standard-poised-to-disrupt-industry/
#governmentcontractors #CMMC