How Should an SDVOSB IT Firm Approach VA IT IDIQ Prime Awardees for Subcontracting?

Approaching a VA Technology Acquisition Center (TAC)-class prime requires three things most SDVOSB outreach lacks: a specific reason this prime needs your particular capability, a credible compliance posture documented before the first call, and a teaming structure that does not threaten the prime's small-business plan goals or affiliation status. This guide covers the prime-targeting framework for the population of large primes carrying SDVOSB subcontracting plan goals on VA Indefinite Delivery, Indefinite Quantity (IDIQ) vehicles such as Transformation Twenty-One Total Technology Next Generation 2 (T4NG2).

This guide does not name specific primes. The T4NG2 awardee list is publicly available at va.gov and on contract-database aggregators. The framework below is what to do with that list, not the list itself. Read the complete guide: How Do Primes Evaluate, Structure, and Contract with an SDVOSB IT Subcontractor?

How Do You Identify the Right Primes to Target?

The post-protest awardee list on a major IDIQ contains more primes than any single SDVOSB IT firm can credibly approach. Targeting begins with public-data triangulation across four sources, narrowing a 30+ awardee list to a working set of 5-10 primes worth direct outreach.

Primary public-data sources: SAM.gov award detail pages (the official record of contract awards), USAspending.gov for parent-company hierarchy and historical task-order activity, the agency's Office of Small and Disadvantaged Business Utilization (for VA: va.gov/osdbu), and individual awardee press releases or trade-press coverage at outlets such as Washington Technology, Federal News Network, and OrangeSlices.

The first triangulation question is set-aside structure: which awardees are in the SDVOSB pool of the IDIQ versus the unrestricted pool? Multi-pool IDIQs such as T4NG2 have separate competitions for the SDVOSB pool slots and the unrestricted pool slots, and the subcontracting-plan demand profile at each is different. Unrestricted-pool primes carry SDVOSB subcontracting plan goals and need SDVOSB subs to meet them. SDVOSB-pool primes already qualify as SDVOSB themselves at the prime level, so they do not need an SDVOSB sub for set-aside qualification but may still want one for capacity, capability, or geographic reach.

The second triangulation question is prime structure: standalone SDVOSB prime, SDVOSB Joint Venture (Mentor-Protege or otherwise), large unrestricted prime. Each structure has a different sub-tier appetite. A standalone SDVOSB prime competing in the SDVOSB pool may have limited need for an SDVOSB sub because the 50% rule under FAR 52.219-14 requires the prime itself to perform half the work. A Mentor-Protege JV needs SDVOSB-tier subs less than a non-JV prime because the JV's qualifying status is already in the JV structure. A large unrestricted prime in the unrestricted pool is the highest-probability target for SDVOSB sub-tier teaming.

The third triangulation question is task-order pipeline: which awardees are actively winning task orders versus which are on the contract but quiet? USAspending.gov publishes obligation data for individual task orders and lets you track activity per prime. A prime that has won and obligated multiple task orders in the past 12 months has live demand. A prime that holds the IDIQ but has won zero or one task orders is either struggling to win competitions or scoping into a different niche, and is a lower-priority target.

What Capability Gap Should You Lead With?

Generic SDVOSB availability is not a capability differentiator. Every awardee on a VA IT IDIQ already has SDVOSB availability through the awardee's own subcontractor pool. The question is what specific capability gap your firm fills that the prime's existing pool does not.

Common gaps for SDVOSB IT subs at T4NG2-class primes:

• Site-level Health Insurance Portability and Accountability Act (HIPAA) endpoint coverage. Many large primes are strong on enterprise architecture and weak on the operational reality of clinical-site endpoint management. Community Living Centers (CLCs), VA outpatient clinics, and VISN site-level operations need a sub that can deliver endpoint security and patch management at the granularity of an individual nursing-station workstation.
• Audit-evidence binder generation for clinical workstreams. The HIPAA Security Rule and the Joint Commission's compliance evidence requirements produce documentation demands at the site level that enterprise security operations centers (SOCs) are not staffed to produce. An SDVOSB sub that can deliver compliance binders for clinical sites on a defined cadence fills a gap that the prime's central architecture team cannot.
• HIPAA Security Rule operationalization. Many subs claim HIPAA capability but implement it as policy documentation only. Operationalized HIPAA includes a maintained Risk Analysis, a Risk Management Plan with closed POA&M items, evidence of Workforce Management training, and Business Associate Agreements with downstream vendors. The HHS HIPAA Security Rule guidance at hhs.gov is the authoritative source.
• NIST SP 800-171 and CMMC posture for VA-flowed contracts. Contracts that flow Department of Defense (DoD) cybersecurity clauses through to VA work require Cybersecurity Maturity Model Certification (CMMC) posture and National Institute of Standards and Technology (NIST) SP 800-171 alignment. A sub with documented CMMC readiness is a structural advantage to the prime's compliance package. See our complete guide at CMMC Compliance for Small Defense Contractors.
• Past-performance recency at clinical-site scale. A sub that has performed managed services or compliance work at a senior-living community, a long-term care facility, or a similar clinical-site environment in the past 12 months brings recency that pure infrastructure-only firms cannot. Recency matters because VA program managers evaluate whether the sub has operational currency, not just historical credentials.

The capability statement should lead with the specific gap, not with the SDVOSB designation. The SDVOSB designation answers the prime's subcontracting-plan question; the capability gap answers the prime's delivery-confidence question. See the SDVOSB pillar's capability-statement guidance at SDVOSB Federal IT Contracting.

What Compliance Posture Is Table Stakes Before the Call?

The first call with a prime BD lead or capture manager goes 30 minutes faster if the compliance posture is documented and shareable on the spot. The minimum table-stakes set:

• SDVOSB certification verified in SAM.gov and the Dynamic Small Business Search (DSBS), with a screenshot dated within the past 90 days
• NIST SP 800-171 self-assessment with a current Supplier Performance Risk System (SPRS) score posted at sprs.csd.disa.mil
• System Security Plan (SSP) summary or full SSP available under NDA
• HIPAA Security Rule artifacts: Risk Analysis date, last Risk Management Plan update, Workforce Management training records, Business Associate Agreement template
• Cyber liability, Errors and Omissions (E&O), general liability, and Workers' Compensation insurance certificates with limits
• Past-performance summary with at least one verifiable federal reference (CPARS lookup or direct reference from a prior prime)
• Original threat-research artifact when available (a public honeypot brief, a vulnerability disclosure, or a threat intelligence summary signals technical depth that compliance documentation alone cannot)

Compliance posture as table stakes is not optional. Primes screening sub candidates for upcoming task-order proposals are looking for reasons to disqualify quickly so they can focus on the surviving candidates. A sub that cannot produce a current SPRS score is disqualified before the technical conversation even starts. See our complete CMMC compliance guide for detail on what each artifact needs to look like.

What Do You Send Before the First Call?

The pre-call package is short and audience-specific. Send four items, no more:

1. Audience-specific capability statement. One to two pages, customized for the prime's vehicle and agency. A capability statement formatted for VA primes differs from one formatted for DoD or civilian-agency primes. The capability statement is the document the BD lead forwards internally, so it has to communicate the firm's value in 60 seconds of reading.
2. Past-performance summary. One page, three to five projects, each with agency name, contract number (if unclassified), dollar value, period of performance, and one-line description of the work delivered. The page becomes the source for any past-performance citations the prime may use in a Sources Sought response.
3. Compliance posture one-pager. SDVOSB certification status, NIST SP 800-171 SPRS score, CMMC posture, HIPAA artifacts (when relevant), insurance limits, and bonding capacity (when relevant). This is the document that enables the prime to vet the sub against subcontracting-plan and flow-down requirements.
4. Optional: a recent original-research artifact. A published threat brief, a public vulnerability disclosure, a peer-reviewed honeypot finding, or any artifact that demonstrates technical depth beyond the compliance baseline. This is the differentiator that separates "another SDVOSB IT firm" from "this SDVOSB IT firm has done work I haven't seen before."

For Sources Sought and RFI response integration with a prime, see Drafting an SDVOSB Sub's Content into a Sources Sought or RFI Response.

What Does the First Call Cover?

The first call is 30 minutes. It is not a sales pitch. It is a structural conversation between two parties evaluating whether to invest in a teaming relationship. Cover four topics:

• Prime's current task-order pipeline and known capability gaps. What is the prime working on now? What gaps are they actively trying to fill? Specific upcoming task orders are off-limits at this stage (Procurement Integrity Act, see 41 USC 2102); broad pipeline shape is not.
• Subcontracting plan goal pressure. Is the prime tracking against its SDVOSB goals or behind? A prime behind on SDVOSB goals has stronger demand for new SDVOSB subs than a prime that is on track. The eSRS data at esrs.gov may not be visible to the sub directly, but the prime's BD lead knows.
• Pool-slot status. Is the prime in the SDVOSB pool slot or the unrestricted slot of the relevant IDIQ? This affects whether the prime needs SDVOSB subs for set-aside structural reasons (unrestricted pool) or only for capability reasons (SDVOSB pool).
• Workshare expectation calibration. Typical SDVOSB sub workshare on IDIQ task orders ranges from 10% to 30% of task-order value. Larger workshare requires Joint Venture structure or Mentor-Protege Agreement support; sub-tier teaming alone does not support 50%+ workshare without affiliation risk under 13 CFR 121.103.

How Do You Avoid Pass-Through and Affiliation Traps?

The first conversation is also where the sub establishes its position on Commercially Useful Function (CUF) and affiliation. Both topics are owned by the sub, not the prime: an SDVOSB that allows itself to be set up as a pass-through risks debarment, and an SDVOSB that signs an exclusive teaming arrangement risks affiliation findings that disqualify it from set-aside competition.

CUF expectations are concrete. Under 13 CFR 125.6, the SDVOSB sub must perform a real, distinct scope of work using its own employees and resources. A subcontract that reads "Subcontractor will provide IT services as directed by Prime" is not CUF-compliant. A subcontract that reads "Subcontractor will operate the endpoint security stack across the named sites and deliver monthly compliance evidence" is. An SDVOSB sub that hears workshare language during the first call that sounds like pass-through is right to push back.

Exclusive teaming agreements are a common affiliation trap. A Teaming Agreement that prohibits the SDVOSB from working with any other prime, or that gives the prime a right of first refusal on the SDVOSB's future work, is a primary trigger for affiliation findings. Defensible drafting limits exclusivity to the named solicitation only and explicitly preserves the SDVOSB's right to pursue other opportunities. See the NDA versus Teaming Agreement decision guide.

Revenue concentration is the third trap. SBA Office of Hearings and Appeals (OHA) decisions consistently flag situations where one customer accounts for more than 70% of an SDVOSB's revenue. An SDVOSB sub that grows aggressively under one prime should monitor concentration explicitly and proactively diversify before crossing the threshold. The prime should support diversification, not resist it; an SDVOSB sub that loses certification mid-performance is a problem for the prime as well.

What Comes After the First Successful Conversation?

The post-call sequence is structured. Each step has a defined deliverable and a defined timeline.

1. Mutual NDA, signed within 1-2 weeks. Required before any non-public capability detail or pricing moves. Two-year term, five-year confidentiality survival is standard.
2. Capability deep-dive call (technical), within 2-3 weeks of the NDA. The technical lead from the prime evaluates the sub's actual delivery capability. Reference calls with prior primes happen in this window.
3. Co-authored Sources Sought response on the first qualifying notice. The prime drafts the lead and integrates the sub's content per the response strategy detailed in the Sources Sought / RFI guide. This is the first joint deliverable and a strong signal of fit.
4. Teaming Agreement on the first qualifying solicitation. Executed before proposal submission, with workshare percentages and key personnel exhibits. See the NDA versus Teaming Agreement decision guide for sequencing.
5. Definitive Subcontract Agreement post-award. Within 60-90 days of the prime's award. Flow-down clauses incorporated.

Frequently Asked Questions

Should you approach the prime directly or via a Small Business Liaison Officer? Both, in sequence. Start with the Small Business Liaison Officer (SBLO) listed on the prime's federal small-business plan. The SBLO's job is to source qualified small-business subs for the prime's subcontracting plan goals. After the SBLO has reviewed the capability statement and confirmed potential fit, the SBLO typically introduces a relevant capture manager or BD lead. Going directly to a capture manager without the SBLO referral is possible but usually slower because the capture manager will route the inquiry to the SBLO anyway.

How does the prime decide between two SDVOSB IT subs with similar capability? Three factors typically decide between similar SDVOSB candidates: documented compliance posture (current SSP, SPRS score, CMMC status), past-performance recency at the relevant agency or vehicle, and operational maturity of the firm's response cadence. A sub that responds to a Sources Sought notice in 24 hours, with substantive content tied to specific PWS elements, ranks higher than a sub with similar capability whose response is generic or late. CPARS records and direct references from prior primes are tiebreakers.

Is it acceptable to be teamed with multiple primes on the same IDIQ? Yes, on the IDIQ contract level. SDVOSB IT firms commonly team with multiple IDIQ primes on the same vehicle because each IDIQ supports many task orders and primes structure subcontracting plans across the contract life. At the individual task-order level, however, exclusivity is appropriate: the SDVOSB sub is named in one prime's task-order proposal and not in any competing proposal for the same task order. Teaming Agreements should explicitly preserve the right to team with other primes outside the named solicitation.