SDVOSB Federal IT Contracting: The Definitive Guide for Government Buyers and Teaming Partners
Federal IT contracting through the Service-Disabled Veteran-Owned Small Business (SDVOSB) program is one of the most well-defined small business preference programs in the federal acquisition system, and also one of the most misunderstood by both buyers and participants. This guide covers the statutory framework, certification requirements, how the Department of Veterans Affairs (VA) Veterans First program works in practice, what federal buyers actually evaluate beyond certification status, and what separates an SDVOSB with genuine IT capability from a certification-only shop pursuing set-aside vehicles.
What Is an SDVOSB and Why Does It Matter for Federal IT Contracting?
An SDVOSB is a small business that is at least 51% unconditionally owned and controlled by one or more service-disabled veterans. Defined under 13 CFR Part 128, certified through the Small Business Administration (SBA) VetCert program at certifications.sba.gov, and subject to mandatory source preference at the VA under 38 USC 8127-8128, it creates a competitive advantage in IT set-aside programs that no other small business designation replicates.
For federal IT contracting specifically, SDVOSB status matters for three distinct reasons. First, the VA is the single largest buyer of managed IT services, cybersecurity assessments, and infrastructure support among federal agencies that operate mandatory SDVOSB set-asides. Second, non-VA agencies can apply SDVOSB set-asides under standard FAR Part 19.1405 thresholds, creating competitive leverage across the broader civilian agency market. Third, large prime contractors on unrestricted federal contracts are required to meet SDVOSB subcontracting plan goals, creating a consistent demand for qualified SDVOSB teaming partners that exists independently of direct set-aside competition.
The IT-specific value of SDVOSB status is that managed IT and cybersecurity services are among the highest-dollar recurring spend categories at the VA and other health-related agencies, the same agencies where Veterans First creates the strongest statutory preference. A certified SDVOSB IT provider is not competing on equal footing with a large integrator for that work. It is competing in a ring-fenced market where the contracting officer is legally required to prefer it first.
What Is the VA Veterans First Contracting Program?
The VA Veterans First Contracting Program is the statutory framework that makes the VA the primary federal buyer for SDVOSB IT services. Under 38 USC 8127-8128, codified by Sections 502 and 503 of Public Law 109-461 (the Veterans Benefits, Health Care, and Information Technology Act of 2006), the VA operates under a unique Rule of Two that differs materially from the Rule of Two that applies at other federal agencies under standard FAR Part 19 authority.
At the VA, the Rule of Two works as follows: when a contracting officer has a reasonable expectation that two or more certified SDVOSBs will submit offers at fair and reasonable prices, the contracting officer must set aside the acquisition for SDVOSBs. This is mandatory, not discretionary. Only if the SDVOSB Rule of Two cannot be met does the contracting officer proceed to check whether it can be met with Veteran-Owned Small Business (VOSB) firms. Only after both checks fail does the acquisition open to other small business categories or full and open competition. SDVOSBs hold absolute priority in the VA hierarchy, above all other small business designations including 8(a), HUBZone, and Women-Owned Small Business.
For IT services at the VA, the practical implications are significant. VISN (Veterans Integrated Service Network) IT support, cybersecurity risk assessments, network infrastructure projects, help desk services, and endpoint management all fall within scope. The VA Office of Small and Disadvantaged Business Utilization (OSDBU) at va.gov/osdbu is the central resource for contracting officers and vendors navigating the Veterans First program, including vendor verification, forecast tools, and subcontracting plan guidance.
The statutory mandate at the VA
38 USC 8127 does not give VA contracting officers discretion when the Rule of Two is met. When two or more certified SDVOSBs can provide the required services at fair and reasonable prices, the contracting officer is legally required to set aside the acquisition. This is not a preference -- it is a mandate. An SDVOSB IT provider that meets the Rule of Two threshold at the VA is not competing against large integrators for that work. Those large integrators are not eligible to compete at all.
What Does SDVOSB Certification Actually Require?
SDVOSB certification through the SBA VetCert program requires satisfying two distinct legal standards: ownership and control. Both are audited independently, and failing either disqualifies the applicant regardless of how well the other standard is met. Understanding the distinction matters because the most common certification challenges arise from control deficiencies, not ownership deficiencies.
On ownership, the statute requires that one or more service-disabled veterans hold at least 51% unconditional ownership of the business. Unconditional means the ownership interest cannot be subject to conditions, agreements, or arrangements that would limit the veteran's ownership rights, including buyout provisions, mandatory transfer clauses, or minority investor veto rights that effectively dilute control. The service-connected disability must be documented through a rating decision from the Department of Veterans Affairs or a disability determination from the Department of Defense for veterans who were discharged due to a service-connected disability before VA rating.
On control, the certification requires that the service-disabled veteran who owns the majority interest also manage the company's day-to-day operations and make or have the authority to make all long-term strategic decisions. The SBA scrutinizes arrangements where a non-veteran manager or board member exercises effective control through operational authority, hiring/firing decisions, or contract authority, even when the veteran holds the required ownership percentage. Management consulting agreements, shared services arrangements with affiliated companies, and situations where a non-veteran handles all business development while the veteran owner is otherwise employed can all raise control questions.
The SBA assumed responsibility for SDVOSB certification from the VA Center for Verification and Evaluation (CVE) effective January 1, 2023. All certifications are now issued through the VetCert portal at certifications.sba.gov. Firms previously certified through VA CVE were required to transition to SBA VetCert; firms that did not complete the transition by the applicable deadline lost their certified status. Annual recertification is required to maintain eligibility. Firms must also recertify following certain business changes, including ownership transfers, significant revenue threshold changes that affect small business size standard eligibility, and changes to the veteran's day-to-day management role.
How Does SDVOSB Status Create Value Beyond the VA?
The VA Veterans First program is the strongest SDVOSB preference mechanism in the federal acquisition system, but SDVOSB status creates competitive advantages at other agencies through standard FAR Part 19 authority. Under FAR 19.1405, contracting officers at non-VA agencies may set aside acquisitions for SDVOSBs above the simplified acquisition threshold when there is a reasonable expectation that at least two SDVOSB firms will submit offers at fair and reasonable prices. Unlike the VA, this is discretionary rather than mandatory, but it is used regularly for IT services acquisitions at civilian agencies with veterans-serving missions and at DoD components.
At the Department of Defense (DoD), SDVOSB set-asides interact with CMMC (Cybersecurity Maturity Model Certification) requirements in ways that create both opportunity and risk. DoD SDVOSB set-asides for IT contracts increasingly require that the performing organization demonstrate compliance with NIST SP 800-171 (National Institute of Standards and Technology Special Publication 800-171) and CMMC readiness. An SDVOSB that holds certification but cannot demonstrate cybersecurity posture aligned to CMMC Level 2 is at a disadvantage in DoD-specific set-aside competitions even when the Rule of Two would otherwise favor it. See our complete coverage of the CMMC compliance framework at CMMC Compliance for Small Defense Contractors: The Complete Guide.
GSA (General Services Administration) Schedule contracts represent another value layer. An SDVOSB on GSA Schedule benefits from the certification in agency task order competitions where contracting officers apply SDVOSB preference within the Schedule vehicle. For IT managed services, this creates a path to recurring task orders at civilian agencies that do not run standalone SDVOSB set-asides but that use GSA Schedule vehicles with small business ordering requirements.
Subcontracting as a teaming partner to large prime contractors is the fourth value channel and is frequently undervalued by SDVOSB firms. Large businesses awarded federal contracts above $750,000 (or $1.5 million for construction) are required to submit subcontracting plans with SDVOSB goals. Primes that miss their SDVOSB subcontracting goals face reporting consequences and reputational risk at agencies that track subcontracting plan performance. A qualified SDVOSB IT subcontractor that can credibly perform managed services, cybersecurity assessments, or help desk work under a prime's contract is filling a procurement compliance need that the prime is motivated to satisfy. The demand for capable SDVOSB subs exists independent of any set-aside competition.
What Is the Capability Gap Federal Buyers Actually Evaluate?
SDVOSB certification proves the ownership and control structure of the business. It does not prove technical capability, delivery maturity, or security posture. Federal buyers and prime contractor business development leads consistently report that the most common failure mode among SDVOSB IT firms is treating certification as the differentiator rather than as table stakes. Federal buyers evaluate five capability dimensions that go entirely unaddressed by the certification itself.
Past performance in CPARS (Contractor Performance Assessment Reporting System). The federal government tracks contractor performance through CPARS, and evaluating officers have direct access to performance ratings from prior contracts. An SDVOSB IT firm with no federal past performance record is asking a program manager to accept execution risk that a competitor with documented CPARS ratings does not represent. Building a federal past performance record -- even through subcontracts on small task orders -- is the single most durable investment an SDVOSB IT firm can make in its competitive position. See our detailed analysis at The SDVOSB Capability Gap: What Federal Buyers Actually Evaluate.
CMMC and NIST SP 800-171 readiness. Federal IT contracts increasingly require documented compliance with NIST SP 800-171 controls for handling Controlled Unclassified Information (CUI). An SDVOSB IT subcontractor that cannot produce a System Security Plan (SSP), a Plan of Action and Milestones (POA&M), and basic evidence of implemented controls is an execution risk that program managers document and contracting officers remember. CMMC Level 2 assessment readiness is becoming an implicit qualification requirement even on contracts that do not explicitly mandate it.
Key personnel continuity. Federal program managers evaluate whether the people named in a proposal will actually perform the work. An SDVOSB that proposes a senior engineer as key personnel and then substitutes a junior employee at task order start creates a performance issue that ends up in CPARS. Personnel continuity plans, named backup resources, and demonstrated organizational depth all address this evaluation dimension.
Financial capacity. Federal contracts often require upfront investment in equipment, personnel, and facilities before the first invoice is paid. An SDVOSB IT firm that cannot demonstrate financial capacity to sustain operations through a 60- to 90-day payment cycle is a risk that contracting officers will document in their source selection records. Audited financials, banking references, and bonding capacity evidence are concrete signals of financial stability.
Subcontractor management. On contracts that require the SDVOSB to manage subcontractors or vendors, the ability to demonstrate a supply chain management process matters. This includes how the SDVOSB vets subcontractors for security compliance, how it flows down DFARS (Defense Federal Acquisition Regulation Supplement) clauses, and how it tracks subcontractor performance. Federal buyers who have had prime-to-sub coordination failures on prior contracts will probe this area directly.
What Does a Strong SDVOSB Capability Statement Include?
A capability statement is the primary marketing document an SDVOSB IT firm uses with federal buyers and prime contractor business development teams. It has a specific structure that contracting officers and BD leads expect, and deviating from that structure signals inexperience. A strong capability statement for an SDVOSB IT firm includes five components.
Company data. This section leads the document and includes the CAGE (Commercial and Government Entity) code, UEI (Unique Entity Identifier) registered in SAM.gov, primary and secondary NAICS (North American Industry Classification System) codes with associated size standards, business address, and a one-line description of the firm's socioeconomic classifications. For TDS-IS, this data is: CAGE 8J6T6, UEI H883URPYC4J7. Verified at SAM.gov.
Core competencies. Three to five specific technical areas where the firm delivers work, stated in terms that map to agency mission language. For an IT managed services provider, this means not "we provide managed services" but "managed endpoint security and patch management for healthcare networks handling PHI (Protected Health Information) under HIPAA (Health Insurance Portability and Accountability Act)." The language should reflect the agency's vocabulary, not the vendor's marketing copy.
Differentiators. What this SDVOSB IT firm does that ten others do not. Differentiators that are verifiable and specific outperform generic claims. Examples that hold up: operates own threat intelligence honeypot infrastructure, holds specific contract vehicles with relevant past performance, maintains staff with active security clearances, has documented CMMC readiness with a completed SSP. Claims that do not differentiate: "customer-focused," "responsive support," "experienced team."
Past performance summary. Concise entries listing prior contract work with agency name, contract number if unclassified, dollar value, period of performance, and one-sentence description of work delivered. Federal buyers use this section to validate CPARS data and to assess whether the firm has performed work at relevant scale. Dollar values matter: a firm that has performed a $45,000 subcontract task order is not demonstrating readiness for a $2 million prime contract without additional substantiation.
Contact information. Name, title, email, and phone for the person the contracting officer or prime BD lead should contact. Capability statements that route inquiries to a general mailbox or website contact form signal organizational immaturity. The contact should be a principal or the individual with actual authority to execute teaming agreements and respond to sources-sought notices.
TDS-IS maintains a current capability statement at tds-is.com/capability-statement.
How Do Primes Use SDVOSB Teaming Partners?
Understanding how large prime contractors use SDVOSB subcontractors is critical for SDVOSB firms positioning themselves for teaming opportunities, and for federal buyers who want to verify that subcontracting plan commitments are being fulfilled with substantive work rather than pass-through arrangements.
Large business prime contractors on unrestricted federal contracts above applicable thresholds are required to submit Individual Subcontracting Plans that include percentage goals for SDVOSB subcontracting. These goals are negotiated with the contracting officer during source selection and tracked throughout contract performance via the Electronic Subcontracting Reporting System (eSRS). Primes that consistently miss their SDVOSB goals face scrutiny in future proposal evaluations and risk negative source selection history at the agencies where they compete most. This creates genuine demand for SDVOSB IT subs that can perform meaningful work and deliver clean invoicing.
The most important regulatory concept for SDVOSB teaming is the Commercially Useful Function (CUF) requirement. An SDVOSB subcontractor on a federal contract must perform a real and substantial role in contract performance. The SBA defines this as the SDVOSB being responsible for the execution of a distinct element of work and actually performing that work using its own resources, not merely passing a percentage of contract value to a larger non-SDVOSB firm while providing minimal actual services. An SDVOSB that serves primarily as a revenue pass-through violates the CUF requirement, risks debarment, and exposes the prime to False Claims Act liability.
The Commercially Useful Function requirement is a compliance obligation, not a formality
The SBA and DoD Inspector General actively investigate teaming arrangements where SDVOSB subcontractors receive contract revenue without performing meaningful work. An SDVOSB that bills for managed IT services under a prime's contract must actually deliver those services using its own employees and systems. Pass-through arrangements where the SDVOSB invoices the prime and the prime's own staff or another subcontractor performs the work constitute fraud. Federal buyers have the right to verify CUF compliance by asking for the SDVOSB's labor records, invoices to the prime, and descriptions of the specific tasks its personnel performed.
The 51% rule for services contracts under FAR 19.1405 and SBA regulations requires that on SDVOSB set-aside contracts for services, the SDVOSB prime must perform at least 50% of the work using its own employees. This rule constrains how much of a set-aside services contract a prime can subcontract to non-SDVOSB firms, and it applies to SDVOSB primes, not just to subcontracting arrangements. An SDVOSB IT firm that wins a managed services set-aside and then subcontracts the majority of delivery work to a non-SDVOSB IT provider is violating the performance of work requirement and risks contract termination and debarment.
On the teaming agreement side, SDVOSB firms must be careful about affiliation findings that can threaten eligibility. The SBA may find affiliation between an SDVOSB and a large business teaming partner if the relationship gives the large business effective control or unusual reliance. Common triggers include exclusive teaming agreements that prevent the SDVOSB from working with other primes, arrangements where the large business provides more than 70% of the SDVOSB's revenue, and situations where the SDVOSB relies on the large business for bonding, financing, or management support that it could not function without. Affiliation findings result in loss of small business status for the affected contract, which on an SDVOSB set-aside means the contract is ineligible for award.
What Cybersecurity Posture Does the Federal Government Expect from SDVOSB IT Subcontractors?
The cybersecurity bar for federal IT subcontractors has risen materially since the 2021 cybersecurity executive order and will continue rising as CMMC enforcement moves into full effect. An SDVOSB IT firm that cannot demonstrate basic cybersecurity posture documentation is not just failing a compliance checkbox -- it is signaling to federal buyers that it may represent supply chain risk on contracts where the prime is accountable for subcontractor security under DFARS clause 252.204-7012.
DFARS 252.204-7012 applies to any defense contractor or subcontractor that processes, stores, or transmits CUI on their own information systems. It requires compliance with NIST SP 800-171, completion of a self-assessment with a score posted to the Supplier Performance Risk System (SPRS), and 72-hour cyber incident reporting to DoD. The clause flows down through prime-to-sub contracts, meaning a prime whose SDVOSB IT sub handles any CUI on subcontract work is responsible for ensuring the sub has completed its NIST 800-171 self-assessment and posted a SPRS score.
For SDVOSB IT firms that want to remain competitive in the DoD supply chain and increasingly in the broader civilian agency market where NIST 800-171 is becoming a de facto standard, the cybersecurity posture documentation set includes: a current System Security Plan covering all 110 NIST 800-171 controls, a Plan of Action and Milestones for any controls not yet fully implemented, a SPRS self-assessment score posted and current, a documented incident response plan, and evidence of basic threat monitoring capability. See our detailed treatment of CMMC compliance requirements at CMMC Compliance for Small Defense Contractors: The Complete Guide, and our analysis of the enforcement timeline at The CMMC Timeline Is Real: What Small Primes and Subs Need to Do Before Q4 2026.
Beyond documentation, federal buyers are increasingly asking IT subcontractors to demonstrate operational threat intelligence capability. The reasoning is straightforward: a subcontractor whose IT provider has never observed a real attack in a controlled environment is not positioned to detect the same attack pattern on a federal system. Our nation-state tradecraft analysis from our honeypot infrastructure documents why antivirus-dependent detection misses SSH key persistence attacks with 0% detection rates. Federal buyers who ask subcontractors how they detect SSH key tampering on Linux systems handling CUI are asking the right question. An answer of "we use antivirus" is a risk signal.
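One concrete form a stronger answer can take, shown here as an added example that is not from the original page or from TDS-IS: compare each authorized_keys file against an approved baseline by key fingerprint and report added keys, removed keys, and changed key options. The sample keys, host names, and function names are constructed for illustration.

```python
import base64
import hashlib
import re
import struct

KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-sha2-", "sk-ssh-", "sk-ecdsa-")
# Split on whitespace but keep double-quoted option values (command="...") intact.
TOKEN_RE = re.compile(r'(?:[^\s"]|"(?:\\.|[^"\\])*")+')


def fingerprint(b64_blob):
    """SHA256 fingerprint in the style printed by `ssh-keygen -l` (unpadded base64)."""
    digest = hashlib.sha256(base64.b64decode(b64_blob, validate=True)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_authorized_keys(text):
    """Return {fingerprint: {"options": str, "comment": str}} for every key line."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        tokens = TOKEN_RE.findall(line)
        idx = next((i for i, t in enumerate(tokens)
                    if t.startswith(KEY_TYPE_PREFIXES)), None)
        if idx is None or idx + 1 >= len(tokens):
            continue  # no key type followed by a key blob: not a key line
        try:
            fp = fingerprint(tokens[idx + 1])
        except ValueError:
            continue  # key blob is not valid base64
        entries[fp] = {"options": " ".join(tokens[:idx]),
                       "comment": " ".join(tokens[idx + 2:])}
    return entries


def diff_against_baseline(baseline_text, current_text):
    """Compare by fingerprint; the comment field is free text and proves nothing."""
    base = parse_authorized_keys(baseline_text)
    cur = parse_authorized_keys(current_text)
    findings = []
    for fp, entry in cur.items():
        if fp not in base:
            findings.append(("ADDED_KEY", fp, entry["comment"]))
        elif entry["options"] != base[fp]["options"]:
            # Options such as from= or command= limit what an approved key may do.
            findings.append(("OPTIONS_CHANGED", fp, entry["options"]))
    for fp, entry in base.items():
        if fp not in cur:
            findings.append(("REMOVED_KEY", fp, entry["comment"]))
    return findings


def constructed_key(label):
    """Structurally valid ssh-ed25519 blob derived from a label (sample data, not a real key)."""
    name, body = b"ssh-ed25519", hashlib.sha256(label.encode()).digest()
    blob = struct.pack(">I", len(name)) + name + struct.pack(">I", len(body)) + body
    return base64.b64encode(blob).decode()


# Constructed sample: the approved baseline and the file as found on the host.
BASELINE = "\n".join([
    "# approved keys",
    f"ssh-ed25519 {constructed_key('admin')} admin@jump01",
    f'from="10.0.0.0/8" ssh-ed25519 {constructed_key("backup")} backup@svc',
])
CURRENT = "\n".join([
    f"ssh-ed25519 {constructed_key('admin')} admin@jump01",
    f"ssh-ed25519 {constructed_key('backup')} backup@svc",      # from= restriction gone
    f"ssh-ed25519 {constructed_key('unknown')} admin@jump01",   # familiar comment, new key
])

if __name__ == "__main__":
    for kind, fp, detail in diff_against_baseline(BASELINE, CURRENT):
        print(f"{kind:16} {fp} {detail}")
```

In practice the baseline lives off-host under change control, and the comparison runs on a schedule against every file named by the `AuthorizedKeysFile` setting in sshd_config, with findings sent to the monitoring system.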
What Are the Common Mistakes SDVOSBs Make in Federal IT Pursuits?
The SDVOSB firms that struggle in federal IT pursuits consistently make the same categories of mistakes. Identifying them in advance allows a firm to avoid the multi-year CPARS penalties that follow poor execution.
Bidding without past performance. Source selection officials evaluating SDVOSB IT proposals assign significant weight to past performance as a predictor of future execution. An SDVOSB that bids a $2 million managed services prime contract with no federal contract history is asking the program manager to accept risk that a competitor with three relevant CPARS entries does not represent. The path to building federal past performance is through subcontract work, not by skipping directly to prime contracts at dollar values the firm has never performed.
Proposing key personnel who will not actually perform the work. It is common for small IT firms to list the most credentialed person in the organization as key personnel in a proposal and then assign junior staff to actual task order performance. Federal program managers who catch this mid-performance document it in CPARS. This failure pattern is a proposal strategy decision that becomes an execution and reputational problem.
Confusing CAGE code with contract vehicle. A CAGE (Commercial and Government Entity) code is a company identifier registered in SAM.gov. It does not grant access to any contract vehicle. SDVOSB firms regularly present their CAGE code to prime contractor BD teams as if it substitutes for a GSA Schedule contract number or a contract vehicle on-ramp. A CAGE code is a prerequisite to competing for federal work; it is not the work itself.
Missing subcontracting flowdown in teaming agreements. When an SDVOSB IT firm acts as a subcontractor under a prime's federal contract, the prime's contract clauses flow down to the sub. DFARS 252.204-7012, applicable cyber incident reporting requirements, and applicable small business subcontracting provisions all flow down by regulation or by prime contract clause. SDVOSB subs that sign teaming agreements without reviewing the flowdown clause list end up bound by NIST 800-171 and cyber incident reporting requirements they did not budget or plan for.
Failing to maintain CMMC readiness between assessment cycles. CMMC Level 2 assessments are periodic events, but the controls they assess must be continuously maintained. SDVOSB IT firms that achieve assessment readiness and then allow controls to drift during contract performance face findings during surveillance assessments and risk losing their authorization. Continuous monitoring, regular internal reviews against the SSP, and prompt remediation of identified gaps are operational requirements, not one-time project activities.
Ignoring AI tool governance before federal customers ask about it. Federal buyers are beginning to ask IT subcontractors about how they use AI tools in service delivery and whether those tools expose CUI. An SDVOSB IT firm that uses AI-assisted ticket triage, documentation generation, or monitoring analysis without an explicit policy on CUI handling in AI systems is one program manager question away from an uncomfortable answer. See our architectural treatment of this issue at How We Built an AI-Augmented MSP Without Shipping CUI to OpenAI.
TDS-IS as an SDVOSB Managed IT Partner
Trinity Data Solutions and IT Services, LLC (TDS-IS) is a certified SDVOSB managed IT services provider based in Colorado Springs, Colorado. CAGE 8J6T6. UEI H883URPYC4J7. Registered in SAM.gov with SDVOSB and VOSB socioeconomic designations current.
TDS-IS has prior VA contract performance and brings specific operational differentiators that address the capability dimensions federal buyers evaluate beyond certification status. On cybersecurity posture, TDS-IS operates its own threat intelligence honeypot infrastructure and has produced published technical findings documenting SSH persistence attack campaigns with 0% commercial antivirus detection rates. That operational experience is directly applicable to the behavioral monitoring controls required under NIST SP 800-171 and CMMC Level 2. On AI tool governance, TDS-IS uses AI-augmented service delivery architectures that process client data locally without shipping it to third-party AI services, a specific architectural decision that addresses the CUI exposure risk that most AI-enabled IT providers have not resolved. On CMMC readiness, TDS-IS maintains a current System Security Plan and has completed NIST 800-171 self-assessment with a posted SPRS score.
TDS-IS is available for teaming as an SDVOSB subcontractor on prime contracts where managed IT services, cybersecurity assessments, or infrastructure support are in scope, and for direct pursuit through SDVOSB set-asides at the VA and other federal agencies. For prime contractor business development leads evaluating SDVOSB teaming partners for subcontracting plan goals, TDS-IS can provide a full capability package including CAGE and UEI verification, past performance references, and a current SSP summary on request.
View the TDS-IS capability statement at tds-is.com/capability-statement or contact us directly through the contact page to discuss teaming or direct pursuit opportunities.
Evaluating an SDVOSB IT teaming partner or subcontractor?
TDS-IS is a certified SDVOSB managed IT services provider with active threat intelligence infrastructure, documented CMMC readiness, and prior VA contract performance. We work with prime contractors on subcontracting plan goals and pursue direct SDVOSB set-asides at VA and civilian agencies. CAGE 8J6T6, UEI H883URPYC4J7.