SDVOSB Set-Asides and the Capability Gap: What Federal Buyers Actually Need From Managed IT Subs
The Veterans Benefits Act (38 USC 8127-8128) and FAR 19.1405 create a mandatory source preference for SDVOSB (Service-Disabled Veteran-Owned Small Business) certified firms on VA (Department of Veterans Affairs) procurements. When a contracting officer has a reasonable expectation that at least two qualified SDVOSBs will submit offers at fair and reasonable prices, the acquisition must be set aside for SDVOSB competition. The order of precedence at VA puts SDVOSB first, before VOSB (Veteran-Owned Small Business), HUBZone, WOSB (Women-Owned Small Business), and every other socioeconomic category. This is a real statutory advantage, and federal buyers are required to use it. For a comprehensive overview, see SDVOSB Federal IT Contracting: The Definitive Guide.
But certification alone does not win contracts, and it does not protect the government from a performance failure. Federal buyers routinely award to SDVOSB firms and later find themselves managing a delivery problem they did not anticipate, because the gap between "certified" and "capable" is larger than the certification paperwork implies. SDVOSB status is a procurement eligibility determination, not a technical qualification. Understanding what certification actually verifies, and what it does not, changes how federal buyers should structure their pre-award evaluation.
What Does SDVOSB Certification Actually Verify?
SDVOSB certification, administered by the SBA (Small Business Administration) under 13 CFR Part 128 through the VetCert portal at certifications.sba.gov, verifies two things: ownership and control. The certifying analyst confirms that one or more service-disabled veterans unconditionally and directly own at least 51 percent of the business and that the veteran holds the highest officer position, controls day-to-day management, and makes long-term strategic decisions. The program transferred from the VA's CVE (Center for Verification and Evaluation) to the SBA effective January 1, 2023. Certification is valid for three years and requires triennial renewal with documentation.
What certification does not verify is equally important to understand. The SBA does not assess technical capability, past performance quality, cybersecurity posture, staffing depth, financial capacity for surge, or compliance documentation maturity. A firm can hold current SDVOSB certification, appear on the VA OSDBU (Office of Small and Disadvantaged Business Utilization) approved vendor list, and still be operationally unprepared to deliver a federal managed IT services contract. The certification process is an ownership eligibility gate. Technical qualification must be established through the solicitation and evaluation process.
The Rule of Two and What It Creates
The VA Rule of Two, codified at 38 USC 8127, is the mechanism that makes SDVOSB status valuable at VA. When two or more certified SDVOSBs can be expected to offer at fair and reasonable prices, the contracting officer has no discretion: the acquisition must be set aside. This applies to the VA specifically. At DoD (Department of Defense), HHS (Health and Human Services), and other agencies, SDVOSB set-asides operate under standard SBA thresholds with more discretion. The VA Veterans First contracting program, implemented under Sections 502 and 503 of Public Law 109-461, elevates SDVOSB status from a preference to a primary mandate within the VA acquisition system.
What the Rule of Two creates, in practice, is a pool of SDVOSB bidders competing against each other rather than against larger, more established IT firms. That is the policy intent: give veteran-owned small businesses a protected market. The unintended consequence is that the pool can include firms with widely varying operational depth, and the evaluation criteria in a set-aside competition do not automatically surface that variation. A contracting officer relying on certification status as a proxy for capability is not protected by the rule.
The certification gap in plain terms
SBA certification confirms that a service-disabled veteran owns 51 percent and controls the firm. It does not confirm that the firm can pass a CMMC (Cybersecurity Maturity Model Certification) Level 2 assessment, maintain 24/7 SLA response, document a System Security Plan, or manage its own subcontractors. Federal buyers who treat certification as a capability signal are working with incomplete information.
Five Capability Dimensions Federal Buyers Should Probe
For managed IT and cybersecurity subcontracts, the following five dimensions have the highest predictive value for delivery performance. None of them appear on a certification certificate, and all of them can be probed without a formal pre-award survey.
1. Past performance documentation. The question is not whether the firm has past performance, but whether it is documented in a form the government can verify. Ask for CPARS (Contractor Performance Assessment Reporting System) references for contracts of similar scope and dollar value. If the firm has federal past performance, the assessments are in CPARS and accessible to the contracting officer. If the firm has commercial-only past performance, ask for client references with specific scope descriptions and outcomes. Vague assertions of "15 years of experience" are not past performance documentation.
2. CMMC and NIST 800-171 assessment readiness. Managed IT subcontractors with access to CUI (Controlled Unclassified Information) on DoD contracts are subject to NIST SP 800-171 requirements and, for Level 2 contracts, will require a third-party CMMC assessment. Ask the subcontractor for their current SPRS (Supplier Performance Risk System) score and a summary of their most recent self-assessment. A firm that cannot produce an SPRS score or that has never conducted a formal gap assessment against the 110 controls in NIST SP 800-171 is not assessment-ready. As covered in our post on the CMMC enforcement timeline for small primes and subs, the compliance window for subcontractors is shorter than most assume.
3. Key personnel continuity. Small SDVOSB firms are often built around a founder and one or two senior technical staff. If those individuals are named in the proposal but not actually allocated to the contract, delivery risk is high. Ask for resumes with current employment confirmation, ask how many concurrent contracts the named personnel are supporting, and ask what the succession plan is if a key person departs during the period of performance. Prime contractors who accept thin bench depth from SDVOSB subs during proposal and then discover it during delivery own the resulting performance risk.
4. Financial capacity for surge. Federal managed IT contracts can require rapid scaling: incident response, emergency deployments, or staff augmentation during a facility conversion. A small SDVOSB with tight cash flow may not be able to absorb surge labor costs that are reimbursed on a net-30 or net-60 cycle. Ask for a brief financial capability statement addressing available credit, subcontracting relationships for surge staffing, and how the firm has handled unexpected scope expansion on past contracts. This is proportionate due diligence, not unusual scrutiny.
5. Subcontractor management capability. This dimension is the one that surprises federal buyers most often. SDVOSBs performing as primes or high-tier subs may themselves need to manage lower-tier subcontractors to deliver the full scope. The Commercially Useful Function requirement under federal small business regulations requires the SDVOSB to perform at least 50 percent of the work with its own employees for service contracts, and the firm is responsible for flowing security requirements down to any subcontractors with CUI access. Ask the subcontractor directly: who are your subs, what security requirements flow down to them, and how do you verify compliance? An SDVOSB that cannot answer that question is a supply chain risk, regardless of its certification status.
What SDVOSBs Should Put in Their Capability Statements
From the other side of this equation: SDVOSB firms that compete in managed IT set-asides and differentiate on technical capability, rather than on certification status alone, will consistently outperform firms that lead with their socioeconomic designation. Federal buyers see hundreds of capability statements that list "SDVOSB" in the header and then offer generic IT services descriptions. The statements that generate meetings and teaming conversations are the ones that answer the five questions above before the buyer asks them.
Specific elements that demonstrate genuine capability: a CPARS-verifiable past performance section with dollar values and outcome metrics; a clear statement of CMMC or NIST 800-171 posture with a current SPRS score; named key personnel with actual resumes attached, not placeholder descriptions; a subcontractor management section that identifies how security flowdown is handled; and evidence of active threat intelligence or continuous monitoring capability. On the last point, the kind of operational depth described in our post on nation-state tradecraft observed in our commercial honeypot is exactly the differentiator that separates a certification-only competitor from an operationally mature one. Similarly, the technical specificity demonstrated in posts like our SSH persistence and NIST 800-171 compliance analysis signals a level of security engineering depth that a generic IT firm cannot replicate.
The capability statement is not a brochure. It is a pre-qualification document, and federal buyers read it as one. Every section should answer a question a contracting officer or prime contractor business development lead would ask in a pre-award evaluation.
How to Vet Capability Without a Formal Pre-Award Survey
Contracting officers and prime contractor teaming leads do not always have time or authorization to conduct formal pre-award surveys. The following steps are proportionate, low-overhead, and legally appropriate for evaluating SDVOSB subcontractor capability before award.
First, pull the firm's CPARS record. Any federal prime or agency with a valid government account can search CPARS. If the firm has federal past performance, it is there. If the CPARS record is absent or thin, the firm is effectively presenting commercial work as its primary performance evidence, which requires more direct verification.
Second, request a sample compliance artifact. Ask for a redacted SSP (System Security Plan) or a POA&M (Plan of Action and Milestones) from a current engagement. These documents are standard deliverables under NIST SP 800-171 and any firm with genuine compliance capability produces them routinely. A firm that cannot produce a sample, even a heavily redacted one, has not operationalized compliance beyond the self-assessment checkbox.
Third, verify key personnel. Ask for confirmation that the named personnel are currently employed full-time by the firm, not on a consulting arrangement, and are not already committed to other contracts at the proposed utilization rate. This is a single phone call or email and takes less time than reviewing a proposal.
Fourth, ask the subcontractor flowdown question directly in writing: how do you handle security requirement flowdown to your own subcontractors, and what documentation do you provide? The answer reveals immediately whether the firm has thought through its supply chain obligations or is treating them as a checkbox.
These four steps can be completed in less than a week without a formal survey, without additional procurement action, and without creating a paper trail that complicates the award. They also give the SDVOSB an opportunity to demonstrate capability that a proposal alone may not fully convey.
The Bottom Line for Federal Buyers
The SDVOSB set-aside program serves a legitimate policy purpose, and the Veterans First authority at VA reflects a genuine statutory commitment to veteran-owned businesses. Using it correctly means treating certification as the eligibility gate it is, not as a technical qualification. The firms that deliver on federal managed IT contracts are the ones that have built real infrastructure, documented it, and can demonstrate it on demand. The capability gap is real, it is measurable, and the questions above are how you close it before award rather than after.
Evaluating SDVOSB managed IT subcontractors?
TDS-IS is a certified SDVOSB with documented past performance, active CMMC readiness posture, and operational threat intelligence capability. We provide capability statements, compliance artifacts, and technical documentation to support prime contractor due diligence. CAGE Code: 8J6T6. UEI: H883URPYC4J7.