How Do Primes Evaluate, Structure, and Contract with an SDVOSB IT Subcontractor?
Prime contractors team with Service-Disabled Veteran-Owned Small Business (SDVOSB) IT subcontractors for two structural reasons: to satisfy small-business subcontracting plan goals on unrestricted Indefinite Delivery, Indefinite Quantity (IDIQ) contracts, and to access set-aside competitions where the prime is not eligible to compete directly. A defensible teaming relationship requires verified certification, capability due diligence, the right legal vehicle, and Commercially Useful Function (CUF) compliance. This guide covers all four for prime contractor business development leads, capture managers, contracts officers, and Small Business Liaison Officers (SBLOs) at federal IT integrators.
This guide is the inverse of our SDVOSB Federal IT Contracting guide. That guide is written for the SDVOSB firm positioning to buyers and primes. This one is written for primes evaluating SDVOSB subs. The two are complements, not duplicates.
Why Do Primes Need SDVOSB IT Subcontractors?
Prime contractors carry small-business subcontracting plan goals on every unrestricted federal contract above the dollar threshold defined in FAR 19.704: $750,000 for most acquisitions, $1.5 million for construction. Plans are negotiated at award and reported through the Electronic Subcontracting Reporting System (eSRS) at esrs.gov. SDVOSB is a discrete category in every plan, with negotiated percentage targets that the prime is expected to meet through actual subcontracted work. Primes that consistently miss SDVOSB goals face documented scrutiny in source selection on the next pursuit at agencies that track subcontracting plan performance.
The second structural reason is set-aside ineligibility. Under FAR Subpart 19.14 and 38 USC 8127, SDVOSB set-aside competitions are limited to certified SDVOSBs as primes. A large prime cannot bid the SDVOSB pool of a multi-pool IDIQ. The only path into that pool's task orders is through a teaming relationship with an SDVOSB prime, typically with the large prime contributing capability as a subcontractor or as a Mentor-Protege Joint Venture partner. On VA Technology Acquisition Center IDIQs (the T4NG2-class vehicles), the SDVOSB pool exists in parallel with the unrestricted pool, and unrestricted-pool primes routinely team with SDVOSB pool primes to address task-order requirements that span both.
The third driver is recertification risk on already-awarded SDVOSB IDIQ task orders. Some large IDIQs include set-aside reservations that the contracting officer can use to direct task orders only to SDVOSB primes. A large prime carrying a strong sub-tier SDVOSB partner is positioned to participate as a subcontractor when those task orders flow. The prime that has not invested in an SDVOSB teaming relationship is locked out for the duration.
What Should Primes Verify About an SDVOSB Sub Before Signing an NDA?
Verification before signing a Mutual Non-Disclosure Agreement (NDA) protects the prime against three discrete failure modes: certification loss mid-performance, capability misrepresentation, and supply-chain cybersecurity exposure. The verification list is concrete and finishable in under a week.
SDVOSB certification status. Confirm active certification in the Small Business Administration (SBA) VetCert system at certifications.sba.gov and search the firm in the Dynamic Small Business Search at dsbs.sba.gov. Certification under 13 CFR Part 128 requires at least 51% unconditional ownership by one or more service-disabled veterans, with the qualifying veteran controlling day-to-day management. Take a dated screenshot of the certification record on the verification day; this becomes part of the contracting file.
SAM.gov registration. Confirm the firm has an active System for Award Management (SAM) registration at sam.gov with a current Unique Entity Identifier (UEI) and Commercial and Government Entity (CAGE) code. SAM registrations expire annually. A lapsed registration disqualifies the firm from federal award and is a signal of operational maturity issues.
NAICS alignment. The firm's primary North American Industry Classification System (NAICS) code should match the target opportunity's NAICS, with the firm coded as small under that NAICS size standard. Common IT NAICS for federal teaming: 541512 (Computer Systems Design Services), 541513 (Computer Facilities Management Services), 541519 (Other Computer Related Services), 541511 (Custom Computer Programming Services), 518210 (Data Processing, Hosting, and Related Services), 541611 (Administrative Management and General Management Consulting Services), and 541330 (Engineering Services). Size standards are published in 13 CFR Part 121.
Past performance at relevant scale. Past performance should be verifiable in the Contractor Performance Assessment Reporting System (CPARS), by reference to a contract number in USAspending.gov, or via direct reference from a prior prime. A firm that cannot produce a single federal contract reference at the relevant order of magnitude is asking the prime to underwrite execution risk that is materially higher than a competing sub with three documented references.
Cybersecurity posture. A System Security Plan (SSP), a Plan of Action and Milestones (POA&M), and a current self-assessment score posted to the Supplier Performance Risk System (SPRS). For DoD work, this is a regulatory requirement under DFARS 252.204-7012 and the Cybersecurity Maturity Model Certification (CMMC) program at dodcio.defense.gov/CMMC. For VA work, Health Insurance Portability and Accountability Act (HIPAA) Security Rule alignment is the practical baseline because clinical workstreams handle Protected Health Information (PHI). For broader federal work, National Institute of Standards and Technology (NIST) Special Publication 800-171 is the floor. See our companion guide at CMMC Compliance for Small Defense Contractors.
Insurance coverage. Errors and Omissions (E&O), cyber liability, general liability, and Workers' Compensation coverage at limits compatible with prime flow-down. A typical IT subcontract on a federal contract requires E&O at $1-2 million per occurrence, cyber at $1-5 million per occurrence depending on data sensitivity, and general liability at $1-2 million per occurrence with $2-4 million aggregate. Confirm Certificates of Insurance with the prime as additional insured before scope kickoff, not at award.
Bonding capacity. Relevant when the prime contract carries performance or payment bond requirements. Many federal IT services contracts do not. When they do, the SDVOSB sub's bonding capacity affects the overall team bond.
Document each verified item with a date, the source URL, and a screenshot or downloaded report. The SBA, the agency, or the Department of Justice (False Claims Act inquiries) can reasonably ask the prime to produce this verification record years after award.
What Are the Four Legal Vehicles for SDVOSB Teaming?
Prime-sub teaming structures fall into four discrete legal vehicles, each governed by different authority and each carrying different commitments. Choosing the wrong vehicle creates real exposure.
Mutual NDA. The Mutual NDA is an information-exchange instrument with no commitment to team. Either party may walk after exchanging information. NDAs are the entry point for almost every federal teaming relationship and should always precede capability-statement-level disclosures, pricing discussions, or proposal-content sharing. Typical term is two years, with five-year survival of confidentiality obligations. The NDA does not create teaming exclusivity, does not bind the parties to the same proposal, and does not flow down any FAR or DFARS clauses.
Teaming Agreement (TA). A Teaming Agreement is a binding pre-award contract between the prime and the subcontractor that defines the structure of the eventual subcontract. The legal basis is FAR Subpart 9.6 (Contractor Team Arrangements). The TA addresses workshare percentages, key personnel, labor rates, proposal-preparation responsibilities, exclusivity for the named solicitation, and the path to a definitive subcontract following award. TAs typically include automatic termination if the prime is not awarded the contract and a 60-90 day window to negotiate a definitive subcontract following award.
Contractor Teaming Arrangement (CTA). A Contractor Teaming Arrangement is a General Services Administration (GSA) Schedule construct, governed by GSA guidance at gsa.gov. Both parties are prime to the agency, both invoice separately, and there is no flow-down between them. The CTA is operationally distinct from the prime-sub model. CTAs are useful when both parties already hold GSA Schedule contracts and want to combine offerings on a task order without one party becoming the other's sub. CTAs are not available outside the GSA Schedule context.
Joint Venture (JV). A Joint Venture is a separate legal entity formed by two or more parties to pursue federal contracts. SDVOSB JVs are governed by 13 CFR 125.18. The SDVOSB partner must own at least 51% of the JV, must designate a service-disabled veteran as the responsible manager, and must perform at least 40% of the JV's work. Mentor-Protege JVs (under 13 CFR 125.9) are exempt from affiliation, which is why they are the most common structure for large-prime-plus-SDVOSB pursuits of major IDIQ vehicles.
For a complete decision matrix and ordering, see our companion spoke at NDA vs. Teaming Agreement vs. CTA vs. Joint Venture for SDVOSB Federal Work. For SDVOSB JV regulatory detail, see SDVOSB Joint Venture Rules Under 13 CFR 125.18.
Each vehicle does one job
An NDA enables information exchange. A Teaming Agreement structures the prime-sub relationship for one solicitation. A CTA combines GSA Schedule capabilities into a single offering on a task order. A Joint Venture creates a separate legal entity with its own UEI, its own SAM registration, and its own balance sheet for the long-haul pursuit of a major vehicle. Treating any one of these as a substitute for another is the most common drafting error in SDVOSB teaming relationships.
What Is the Commercially Useful Function Requirement?
The Commercially Useful Function (CUF) requirement is the qualitative test that distinguishes legitimate small-business participation from revenue pass-through. 13 CFR 125.6 requires that on small-business set-aside contracts the prime perform a substantial portion of the work using its own employees and resources. The same logic applies to subcontracting plan credit on unrestricted contracts: the SDVOSB sub must perform real, distinct work, not serve as a billing pass-through to a non-SDVOSB performer.
The companion regulation is the ostensible subcontractor rule under 13 CFR 121.103(h). Under this rule, the SBA may treat a small-business prime as affiliated with its subcontractor if the subcontractor is performing the primary and vital requirements of the contract or if the small-business prime is unduly reliant on the subcontractor. An ostensible subcontractor finding is a size-status violation that disqualifies the team from the contract.
The 50% rule under FAR 52.219-14 (Limitations on Subcontracting) is the quantitative complement: on services contracts set aside for small business, the small-business prime must perform at least 50% of the cost of contract performance with its own employees. The rule is enforced at contract close and is reportable to the contracting officer.
For prime contractors, CUF compliance shows up as flow-down rigor in the subcontract. The subcontract must define a distinct, performable scope for the SDVOSB sub, with named labor categories, named deliverables, and named performance metrics. A subcontract that reads "Subcontractor will provide IT services as directed by Prime, billing at the labor rates in Exhibit B" is not CUF-compliant on its face. A subcontract that reads "Subcontractor will operate the endpoint security stack across the 27 listed sites, deliver monthly compliance reports for the named NIST control set, and respond to Tier 2 escalations within the named SLA" is CUF-compliant because the scope is concrete, distinct, and performable.
The False Claims Act exposure for non-CUF compliance falls primarily on the prime, not the sub. Pass-through arrangements that overstate SDVOSB participation expose the prime to 31 U.S.C. 3729 liability. Cases prosecuted by the Department of Justice in this area include both criminal indictments of contractors and civil settlements in the seven- and eight-figure range, with the Small Business Administration Office of Hearings and Appeals (OHA) publishing affiliation and ostensible-subcontractor rulings as case law.
How Should Primes Avoid Affiliation Findings on SDVOSB Teaming?
Affiliation is a size-status concept. Under 13 CFR 121.103, two or more entities may be treated as affiliates when one controls the other or when a third party controls both. Affiliation results in the combined size of the affiliated entities being applied to the small-business size determination. For an SDVOSB sub, an affiliation finding with a large prime may push the SDVOSB above the size standard for its primary NAICS, which terminates SDVOSB eligibility for the affected contract.
The triggers most relevant to prime-SDVOSB teaming are listed below. Drafting decisions in the Teaming Agreement and the subcontract directly affect each one.
- Exclusive teaming. A Teaming Agreement that prohibits the SDVOSB from teaming with other primes on any opportunity, or that gives the prime a right of first refusal on the SDVOSB's future work, is a primary affiliation trigger. Defensible drafting limits exclusivity to the named solicitation and explicitly preserves the SDVOSB's right to pursue other work outside the solicitation.
- Revenue concentration. SBA OHA decisions consistently flag situations where one customer (here, the prime) accounts for more than 70% of the SDVOSB's revenue. Primes that aggregate task orders aggressively can drive their SDVOSB sub past this threshold. Tracking concentration explicitly during contract performance and proactively engaging the SDVOSB to diversify is a defensive practice for both parties.
- Operational dependence. Arrangements where the SDVOSB depends on the prime for bonding, financing, key management personnel, or back-office services that the SDVOSB could not perform without the prime constitute operational dependence. Each of these creates an inference that the prime controls the SDVOSB's ability to operate.
- Ostensible subcontractor. When the prime contract is set aside for SDVOSB and the prime is the SDVOSB, an arrangement where a non-SDVOSB sub performs the primary and vital work is an ostensible subcontractor violation under 13 CFR 121.103(h). The relationship is the inverse of typical prime-sub teaming, but the rule applies whenever the small business prime is operationally dependent on its subcontractor.
The Mentor-Protege Program at 13 CFR 125.9 is the safe harbor. An SBA-approved Mentor-Protege Agreement (MPA) and any joint venture between the mentor and protege are exempt from affiliation. The All-Small Mentor-Protege Program merged into a single program in 2020 and is now the primary mechanism for large prime + SDVOSB JV pursuits of major IDIQs.
What Cybersecurity Posture Should the SDVOSB Sub Demonstrate?
Federal IT primes are accountable for the cybersecurity posture of their subcontractors under DFARS 252.204-7012, the CMMC program, the HIPAA Security Rule (where applicable), and increasingly under agency-specific clauses. The flow-down means the prime's CMMC certification or NIST 800-171 score is contingent on the sub's posture for any system or process the sub touches. A weak sub posture creates a real risk to the prime's contract performance.
The minimum documentation an SDVOSB IT sub should produce on request is the same documentation a prime would produce for its own contract: a current SSP covering the controls applicable to the relevant authority (NIST SP 800-171 Rev 3, CMMC Level 1 or 2, HIPAA Security Rule), a POA&M for any controls not yet implemented, a current SPRS score, an incident response plan with evidence of testing (tabletop exercises, after-action reports), a documented supply chain risk management plan, and Workforce Management evidence (background-check program, security training records). For DoD work, see our coverage of the CMMC enforcement timeline and the complete CMMC compliance reference.
For VA-bound work, the HIPAA Security Rule at hhs.gov/hipaa applies anywhere PHI moves through the sub's systems. Community Living Centers (CLCs), outpatient clinics, and the VA's broader clinical workstreams treat any IT support that touches clinical workstations or scheduling systems as PHI-adjacent. The sub's HIPAA artifacts (Risk Analysis, Risk Management Plan, Workforce Management evidence, Business Associate Agreements with downstream vendors) should be available on request.
An emerging differentiator is the sub's threat-research posture. Federal program managers increasingly ask whether the sub operates any kind of original threat-detection or intelligence-generation capability, because purely receive-only postures (consuming vendor feeds without generating any of their own) signal an organization that has not internalized continuous monitoring. Our honeypot research is one example of how an SDVOSB IT firm can demonstrate operational depth that goes beyond compliance documentation.
How Do Primes Approach SDVOSB IT Firms They Don't Already Know?
Sourcing new SDVOSB IT subs for an unfilled subcontracting plan slot or a forecasted set-aside competition is not the same problem as managing an existing teaming relationship. Sources Sought notices, RFIs, and capability-statement triage all play roles, but the sequence matters.
The single most efficient sourcing channel is reading capability statements responsive to the prime's published Sources Sought notices and pre-RFI communications. SDVOSB IT firms who actively respond to SAM.gov Sources Sought notices are demonstrating both capture-process maturity and live-pursuit alignment. A firm that can respond to a Sources Sought with a substantive 5-page capability response within 24-72 hours is operationally further along than a firm whose capability statement is two years old. For a prime sourcing subs, scanning the responses to your own Sources Sought notices is a cheap way to identify candidates at the moment they are most operationally engaged.
Second-best is direct outreach via small-business advocacy organizations: the National Veteran Small Business Coalition (nvsbc.org), the National Veterans Business Development Council, and the Department of Veterans Affairs Office of Small and Disadvantaged Business Utilization at va.gov/osdbu. These organizations curate vendor directories and host matchmaking events that are denser with capable SDVOSB IT firms than any cold-search would yield.
Third is reference checks via prior primes. Most large primes carrying SDVOSB subs have visibility on the same pool of candidate firms. A reference call to a peer prime BD lead or a peer SBLO often yields more useful information about a candidate sub's actual delivery posture than a CPARS review.
The 30-minute capability call should cover four things: the sub's current task-order pipeline (where else are they working, who else are they teamed with), the sub's compliance posture (CMMC/NIST/HIPAA documentation availability), the sub's key-personnel bench depth, and the sub's constraints (capacity ceilings, conflict-of-interest restrictions, geographic limits). A sub that cannot articulate any of these clearly is a sub that has not yet operationalized its federal pursuit. For the agency-specific approach to T4NG2-class IDIQs, see How an SDVOSB IT Firm Should Approach VA IT IDIQ Prime Awardees.
What Does a Defensible SDVOSB Teaming File Look Like?
The teaming file is the contracting record the prime maintains to defend the relationship against any future inquiry: SBA size protests, ostensible-subcontractor reviews, DCAA audit, agency contracting officer surveillance, or False Claims Act litigation. The file should be assembled at award and maintained throughout performance. The list below is not aspirational. It is the documentation that will be requested if the relationship is ever questioned.
- Executed Mutual NDA, with signature dates and survival period documented
- Executed Teaming Agreement, with workshare percentages and key personnel exhibits
- Executed definitive Subcontract Agreement post-award, with flow-down clauses listed and aligned to the prime contract
- SDVOSB certification screenshots from SAM.gov and dsbs.sba.gov on the date of award (and on each annual recertification)
- SAM.gov registration screenshots showing active status with current UEI and CAGE
- NAICS size confirmation under the relevant 13 CFR 121 size standard
- CMMC self-assessment summary or C3PAO assessment letter, with a current SPRS score
- Insurance certificates showing the prime as additional insured at the required limits
- Workshare tracking artifacts: timecards, invoice-level evidence, monthly performance reports sufficient to demonstrate that the sub is actually performing the scoped work
- Annual recertification confirmations and notification of any change in certification status
- eSRS reports reconciled to the prime's subcontracting plan
- Past performance documentation supporting any sub-contributed past performance cited in the prime's proposal
For a structured pre-send checklist that aligns to capability-response and proposal artifacts, see Drafting an SDVOSB Sub's Content into a Sources Sought or RFI Response.
Frequently Asked Questions
What is the difference between a Teaming Agreement and a Joint Venture for SDVOSB work? A Teaming Agreement is a binding pre-award contract between a prime and a subcontractor that defines the workshare and structure of an eventual subcontract. A Joint Venture is a separate legal entity formed by two or more parties to pursue federal contracts. Under 13 CFR 125.18, an SDVOSB Joint Venture must be at least 51% owned by the SDVOSB partner, must have a service-disabled veteran as the responsible manager, and the SDVOSB partner must perform at least 40% of the JV's work.
Can a prime require an SDVOSB sub to work exclusively on the prime's opportunities? No. Exclusive teaming arrangements that prevent the SDVOSB from working with other primes are a primary trigger for affiliation findings under 13 CFR 121.103. The SBA may determine that the SDVOSB is unduly reliant on the prime, which results in loss of small business status for the affected contract. A defensible Teaming Agreement is opportunity-specific, not relationship-exclusive, and allows the SDVOSB to pursue other opportunities outside the named solicitation.
How does the Commercially Useful Function requirement differ from the 50% rule? The 50% rule under FAR 52.219-14 requires that on a services contract set aside for SDVOSBs, the SDVOSB prime perform at least 50% of the cost of contract performance with its own employees. The Commercially Useful Function (CUF) requirement under 13 CFR 125.6 is broader and qualitative: the SDVOSB must perform a distinct, substantial scope of work using its own resources rather than serving as a revenue pass-through. CUF applies even when the 50% rule is technically met.
Does the SDVOSB sub need CMMC certification before teaming? It depends on the contract. For DoD contracts where the subcontractor will handle Controlled Unclassified Information (CUI), DFARS 252.204-7021 requires the appropriate CMMC level at the subcontractor. The prime cannot certify on behalf of the sub. For non-DoD work, NIST SP 800-171 alignment is the practical baseline. Primes increasingly require evidence of cybersecurity posture, including a current System Security Plan and Supplier Performance Risk System score, before signing teaming agreements.
What happens to the prime if the SDVOSB loses certification mid-performance? On SDVOSB set-aside contracts, mid-performance loss of certification can trigger size-status recertification, contract modification, or in serious cases termination. On unrestricted contracts where the SDVOSB sub is contributing to subcontracting plan goals, the prime loses the credit on Electronic Subcontracting Reporting System filings. The prime should obtain annual recertification confirmation and include a notification clause in the subcontract requiring the sub to disclose any change in certification status promptly.
TDS-IS as an SDVOSB IT Teaming Partner
Trinity Data Solutions and IT Services, LLC (TDS-IS) is a certified SDVOSB managed IT services provider headquartered in Colorado. CAGE 8J6T6. UEI H883URPYC4J7. SDVOSB and VOSB designations active in SAM.gov. TDS-IS holds prior VA contract performance under VA Contract 36C25821P0341, is pre-qualified under Lexington-Fayette Urban County Government RFP #5-2021 (renewal RFP #12-2026 submitted), and delivered same-day SLED civilian-government incident response at the Montgomery County Fiscal Court in June 2025.
TDS-IS is teaming-ready with current insurance, documented compliance posture, an active threat-intelligence capability via our honeypot infrastructure, and verifiable past-performance records on USAspending.gov and through public SLED procurement files. We respond to Sources Sought notices within 24 hours of receipt and maintain audience-specific capability statements for VA, DoD, civilian agency, GovCon prime, and state/local audiences. For prime contractor BD leads evaluating SDVOSB teaming partners for subcontracting plan goals or for set-aside pursuits, we can produce the full pre-NDA verification package on request.
View the TDS-IS capability statement at tds-is.com/capability-statement, or contact us through the contact page to discuss a specific opportunity.
Evaluating an SDVOSB IT subcontractor for an upcoming pursuit?
TDS-IS is a certified SDVOSB managed IT services provider with active threat intelligence, documented CMMC and HIPAA Security Rule posture, and prior federal contract performance. We work with prime contractors on subcontracting plan goals, set-aside pursuits, and Mentor-Protege Joint Venture structures. CAGE 8J6T6, UEI H883URPYC4J7. Sources Sought response SLA: 24 hours.