10.0 Collect Them Merit Badges

Collect Them Merit Badges

So, there's a lot of regulatory requirements in Government Contracting.

It can be overwhelming.

So many folks throw up their hands and say "it's too hard to work with the government".

But let's reframe the issue.

It all comes down to risk to the government buyers. Can you deliver the goods and services they need without winding them up on the front page of the newspaper.

Remember, regulators don't just sit around thinking up new ways to make your life hell, there's for the rules, maybe everyone forgot why the rule was originally made, but it was almost certainly made because someone screwed up majorly.

You might look over at folks who have been in the game a while and say "how'd you get all those merit badges?!"

"this is impossible"

But it's not, they're cumulative.

You don't need them all at once, but you do need to collect them.

Because here's the thing: merit badges open up opportunities, not having them closes off opportunities.

Subcontract Awards

Love it or hate it, this is how most get started in this game. Find an opportunity, find a non-incumbent, offer to help them win, then follow through.

Why do I say non-incumbent?

Simple: if there's an incumbent, they already have a team, or don't need one. In either case, unless you offer some wild value-add you are asking them to slice their pie thinner. Also, there's something like 60% incumbent bias, so there's not a great reason to rock a boat that's floating just fine.

If there's no incumbent, great! Find someone who is bidding on it and help them win.

Don't know who's bidding?

Look on LinkedIn or if you pay for GovWin IQ, you can look at the interested vendor's list.

Still don't know, look for industry days, attend, and then look around. The other people in the room are looking to build a TEAM.

How Much They Cost to Get

A heck of a lot less than prime contracts.

Here's the thing: if you're the prime on a bid, the responsibility (and cost) of building and submitting the bid is on you. What's more, if you do it poorly and fail, it's on you.

Rest assured, if you build a team, run a crappy proposal, and then LOSE, people will talk and your prospects will start dwindling because no one will want to team with a disorganized loser.

If you build a team, run a crappy proposal, and then WIN, people will still talk, this time it will sound like "we barely pulled it off, it was terrible" and your prospects will start dwindling because no one will want to team with a disorganized winner either.

On the flip side, if you build a team, run a great proposal, and then WIN or LOSE, people will talk and your prospects will start growing because losing is part of the game, either way people just want to work with good people who have their poop in a group.

Why They Matter

#1 Revenue

#2 Reputation

Subcontract Past Performance

Subcontract past performance is a useful (and often unavoidable) first step on the road of growth in GovCon. It is difficult to win prime contracts without some degree of performance history. Supporting a prime contractor as a sub is a good way to do that.

Is it as valuable as prime past performance? No.

In fact many MAC IDIQ contracts preclude or discount subcontractor past performance in their grading.

However, if you want to show the government that you're a safe bet for prime work, a strong history of being a good sub, and doing work of a relevant scope and scale as a subcontractor is a great way.

How Much They Cost to Get

Time and effort, plain and simple. You have to build relationships with large companies and then OFFER THEM VALUE. Remember, a large company doesn't have to work with you, while they're always looking for good smalls with which to work, there's other you's out there.

Why They Matter

Like I said, sub PP turns into Prime wins, turns into Prime PP.

DCAA Audited Accounting System

In DoD government contracting, Defense Contract Audit Agency (DCAA) audited systems are crucial. They cover accounting, purchasing, and property management. These systems show that a company meets federal rules and keeps clear, honest financial records. For example, a DCAA-approved accounting system enable contractors to separate cost pools, differentiate projects, CLINs, SLINs, etc. This is not an intro to cost-plus accounting, but you get the idea; Quickbooks does not cut it (out of the box). This is also true for purchasing systems, which are checked to make sure they buy goods fairly and efficiently, and for property systems, which manage government-owned assets properly. Setting up and keeping these systems costs a lot (think $100k+ all-in). They need strong internal controls and regular audits (that's paperwork). That said. if you want to play in the varsity game and perform on cost-plus contract you're going to need to have this audit done.

How Much They Cost to Get.

The cost of achieving DCAA compliance for accounting, purchasing, and property systems can vary significantly, based on the size and complexity of a company. Small businesses might face initial costs in the range of tens of thousands of dollars, while larger companies could incur expenses that run into hundreds of thousands or more. Keep in mind that the cost of the software is less than the price of the consultants you have to pay to implement and deploy them. The number of DCAA-compliant accounting system options are few, like Deltek Costpoint or Unanet. Additionally, there are ongoing expenses include training staff to proficiently operate these systems and conducting regular audits to ensure sustained compliance. You need a bookkeeper who is proficient at running these systems, they're not as user-friendly and foolproof as commercial accounting tools. There's also all of the policies you have to maintain; want the government to pay for your travel? you better have the JTRS incorporated in your corporate travel policy. The systems also take over most, if not all of your back-office operations; timekeeping, invoicing, and accounting all have to be integrated and compliant. Despite the high initial investment, aligning with DCAA standards is a strategic move for firms aiming to secure government contracts, particularly in the defense sector, where compliance is often a prerequisite.

To be clear, is does not cost the contractor anything to have DCAA conduct the audit. There is however a Catch-22 in the process:

• You typically need an audited accounting system in order to bid on cost-plus contracts that require such a system
• You typically need a contracting officer to initiate the audit
• KOs typically wont initiate an audit for a company unless they have a contract that requires an audit
• There's some exceptions, like MAC/IDIQs, and some solicitations allow for compliance vs. audit advance of award. But lets be real, if it comes down to your company who lacks an audit and another company who has one, who is lower risk?

Why They Matter

DCAA compliance is vital for companies targeting cost-type contracts in government work. These contracts, unlike fixed-price ones, reimburse expenses and pay a fee (profit). The government wont pay said expenses unless they can track a line from the people and materials delivered all the way back through timekeeping and purchasing, through CLINs/SLINs, to contracts. Therefore, having a DCAA-audited system is key to winning these contracts. It shows the government that a company can accurately track and report costs. This is crucial as cost-type contracts require detailed financial reporting and audits. A DCAA-compliant system reassures government clients that a company can handle the complex financial management these contracts demand. Essentially, DCAA compliance is not just about meeting standards; it's a critical factor in both securing and successfully managing cost-type government contracts. Please review this revised section and let me know if it aligns with your expectations, or if any further changes are required before proceeding to the next topic.

CMMC and NIST 800-171

Cybersecurity Maturity Model Certification (CMMC) and NIST 800-171 represent key cybersecurity standards in government contracting. CMMC, a standard specific to the Department of Defense (DoD), mandates varying levels of cybersecurity practices and processes. NIST 800-171 (which is the underpinning of CMMC) addresses the protection of controlled unclassified information in non-federal systems, crucial for defense contractors. According to the DoD CIO "Under CMMC 2.0, the “Advanced” level (Level 2) will be equivalent to the NIST SP 800-171. The “Expert” level (Level 3), which is currently under development, will be based on a subset of NIST SP 800-172 requirements."

Brass Tacks:

• If you win a government contract these days it will almost always have the requirement to comply with NIST 800-171 so you can store and process CUI
• If you're doing DoD work, it's going to up soon to CMMC, which is mostly the same but not entirely

How's that work? well, your contract will almost certainly have a clause related to/referencing DFARS 252.204, which basically says you have to do what's in CMMC, which means if you DON'T then you're in breach of contract.

How Much They Cost to Get

Obtaining cybersecurity compliances like CMMC or NIST 800-171 can be a significant financial and effort undertaking, depending on the company's size, current cybersecurity posture, and the specific certification: Costs can range from tens of thousands of thousand dollars for smaller companies at lower levels to hundreds of thousands or millions for larger companies or higher levels of certification. When I did it I think it cost about $100k between the migration, licensing, consultants, etc and the ongoing cost of compliance and just the markup on licenses is significant. If you're an IT company and you know how to do it yourself then you can probably pull it off, but you either pay in time or money.

Why They Matter

Bottom line: they're contractually required, so if you're not compliant and you sign a contract you run the risk of being debarred.

Facility Security Clearance

Facility Security Clearance (FCL) is a crucial requirement for companies engaging in government contracts that involve access to classified information or secure facilities. This clearance, granted by the Department of Defense and other government agencies, verifies that a company has the necessary physical and information security measures in place to handle sensitive government materials. FCL is not just about securing the premises; it also involves vetting personnel and implementing strict security protocols. For companies in defense and intelligence contracting, having an FCL is often a binary qualification for bidding on contracts; no clearance - no bid.

How Much They Cost to Get

The FCL does not cost the contractor money to obtain, just like obtaining a personnel security clearance does not cost the individual money - this is a myth. There is however a Catch-22 in the process, just like the DCAA audit:

• You typically need an FCL in order to bid on contracts that requirement access to sensitive information
• You typically need to be sponsored by the government to be granted an FCL
• The government typically wont sponsor a company for an FCL unless they have a contract that requires an FCL

Don't worry, the same is typically true for individual personnel security clearances too, the government is full of paradoxes.

A practical solution to this challenge is subcontracting or industry sponsorship. Companies can sub to an already cleared defense contractors or seek sponsorship from a government agency. This approach allows companies to participate in classified projects under the umbrella of a cleared contractor and gradually build their portfolio and credibility to eventually qualify for their own FCL. This can be tricky to sell to another company since you're offloading administrative burden onto their security staff. It's also important to note that, while the government funds the processing of FCLs, there are inherent costs associated with compliance and preparation, such as upgrading security measures and personnel vetting, managing your company and personnel's presence in the multiple government security systems (DISS, NISS, etc). This investment is crucial for companies aiming to participate in high-security projects, as having an FSC is often a determining factor in contract awards.

Why Do They Matter

Pretty obvious, if you don't have one then you can't to classified prime work.

You can frequently get away with working as a sub without an FCL, you just have to ask your prime to carry the clearances for your cleared folks, but that's pretty tricky and really doesn't work for anything but a temporary stop gap.

Prime Contract Award

Prime contract awards, real ones, not SBIR awards, real no kidding contract awards with a base plus options. Past performance is something you build over time (obviously) and the government often evaluates multiple aspects:

- Scope: did you do one thing, or multiple things, and are they relevant to what you're bidding on?

- Scale: how many dollars did you EXECUTE (invoice and get paid for)?

- Complexity: did you do it yourself or with subs, did you do it in one place or in multiple locations, basically how hard was your contract to do well?

The other key with Prime contracts is subcontractor relations, particularly with larger companies. If you play nice with others, they will want to keep playing with you, and you can thus build a long-term relationship on which to win.

IL4/IL5 ATO (for cloud products)

In the world of working with the Department of Defense (DoD), think of Impact Level 4 (IL4) and Impact Level 5 (IL5) as two levels of security for keeping unclassified information safe. IL4 is a cloud platform, owned by a contractor (could be on AWS GovCloud, Azure GCC-H, Google Cloud, whatever) and is spec'ed out to comply with NIST 800-171.

• IL4 is designed for controlled unclassified information (CUI) and non-CUI, non-critical mission information, and non-national security systems, providing a moderate level of confidentiality and integrity. It applies to a wide range of information types, including defense, financial, law enforcement, and privacy, following the guidelines of the National Institute of Standards and Technology (NIST) SP 800-171 and the Committee on National Security Systems Instruction No. 1253 (CNSSI 1253).
• IL5, on the other hand, is intended for CUI that demands a higher level of protection than IL4. It encompasses the same broad categories of information as IL4 but includes national security systems (NSS) as well. IL5 follows the same NIST and CNSSI 1253 guidelines but is tailored for information and systems requiring more stringent security measures, including intelligence activities, cryptologic activities related to national security, and command and control of military forces.

The primary difference between IL4 and IL5 is the level of protection required for the information and systems they cover. IL5 is suited for higher sensitivity operations, including those involving national security, requiring stricter security controls compared to IL4. The selection between IL4 and IL5 depends on the specific security needs, with IL5 being the choice for scenarios demanding more rigorous protection measures.

How Much Does it Cost to Get

It can cost a lot, to be honest.

You have to develop the ATO package and submit it to an authorizing official to gain approval. Those AO's are typically assigned to organizations that need products approved. So, if you don't yet have a contract with a government customer who (1) has an AO; and (2) want's to push your packet to get approved, it's candidly very difficult. Even if you have 1 and 2, it's still difficult.

There are of course third party companies offering to get you an ATO quick, fast, and in a hurry for the low low price of hundreds of thousands of dollars per year.

That's just the cloud license cost, that's not counting the normal cloud costs and the fair amount you'll pay your folks (or your consultants) to produce the reams of policy documents required to get ATO'ed or the actual engineering required to institute the security controls.

Why They Matter

Bottom line, the government cant use (and often wont pay you for) your system until you get this stamp of approval.

Prime Past Performance

Prime past performance is crucial for winning government contracts, serving as a demonstrable proof of a company's capability and reliability in managing similar projects efficiently and effectively. It enables government agencies to assess a company's track record in quality, timeliness, budget compliance, and overall project management, which is crucial for risk mitigation and ensuring prudent use of public funds. A strong history of successful contract completions not only reduces project risks such as delays and cost overruns but also gives companies a competitive edge in bidding processes, effectively making prime past performance a vital asset in the government contracting market.

How Much They Cost to Get

It can cost a lot. If you do the math on the amount of resources that go into a typical govcon proposal, there's typically a linear function of time and dollars per page of proposal. There's also the opportunity cost to consider: if you spend your finite resources on one proposal you typically have pass on another, which drives PWIN and Bid/No-Bid decisions. Honestly this is one of the reasons we started UseRogue.com

Why They Matter

Catch 22: To win prime contracts, one typically needs prime past performance.

Not in all cases, but you can go through a hundred Section M's, most of them weight prime past performance higher than sub. There is a good reason for that: being a prime, particularly on a CPFF contract is 10x harder than being a sub, so be careful what you wish for.

But, if you want to be a prime, need prime experience, which is hard to get if you've never been a prime.

Large Scale Projects with Multiple Subcontractors

Dovetailing on 5.0 above, being a "prime" is one thing. Technically speaking, all of those SBIR awardees out there have "prime" past performance. However, your PP often needs to be "recent and relevant" in order for it to be considered. "Relevant" in this context often relates to "scope and scale".

Here's a big tip: try to get large primes to back you on bids. The government sees a large backing a small as risk reduction and third-party validation that you have your poop in a group.

Brass tacks:

If the PP you're using doesn't look like what you're bidding on, it'll be thrown out. Bidding on a $50M contract and trying to use a micro purchase contract as PP? good luck.

How Much They Cost to Get:

The costs of executing large-scale projects with multiple subcontractors in government contracting can vary significantly depending on several factors. These factors include the complexity of the project, the number and types of subcontractors involved, and the specific requirements of the contract.

Key cost elements include:

• Project Management and Oversight: Coordinating the activities of multiple subcontractors requires robust project management, which can be a significant cost factor. This includes costs associated with project managers, oversight personnel, and related administrative support.
• Compliance and Quality Assurance Costs: Ensuring that all subcontractors comply with government regulations and contract requirements can lead to additional costs, including quality assurance and compliance monitoring.
• Technology and Infrastructure Investment: Large-scale projects may require significant investment in technology and infrastructure to manage the project effectively and ensure seamless coordination among all parties.
• Risk Management: Managing risks associated with coordinating multiple entities, along with the potential for delays or quality issues, can lead to increased insurance and contingency costs.
• Subcontractor Rates: The rates charged by subcontractors, which will vary depending on their expertise and the market demand for their services, also contribute to the overall project cost.

Why They Matter

Large-scale projects with multiple subcontractors play a major role in winning similar large-scale contracts AND qualifying to bid on large MAC IDIQ's.

Glowing CPARS

The Contractor Performance Assessment Reporting System (CPARS) is a web-based system used by the U.S. government to document and evaluate the performance of contractors on PRIME federal contracts. That's right folks, subs don't get CPARS, neither do SBIRs or OTAs.

CPARS serve as a critical component in ensuring accountability and quality in the procurement process, providing a standardized assessment tool for evaluating contractor performance against contractual obligations. They also serve as a key evaluation factor when bidding on contracts.

With just about any contract (including SBIRs) the government will ask about past performance. Well, if you have CPARS, you can just show them the CPARS - gold standard.

If you DON'T have CPARS then you typically have to do this thing where you send a form to your current/past customers called a Past Performance Questionnaire (PPQ), you have to ask them to fill it out. Does this always work? of course not.

Meanwhile, if you have CPARS, you just pop into the system, download the ones you want to use, everything is easy.

Here's the rubs:

1. CPARS are only for Prime Past Performance - so subs are SOL

2. Government folks see CPARS as a chore - so they often ask for help in writing them (from you)

3. They are typically only done a couple-few times a year for each contract - so if you get a bad one, it takes a while to get a better one

In other words

How CPARS are Graded:

CPARS evaluations are based on several key factors, including quality of product or service, schedule/timeliness, cost control, management or business relations, and, if applicable, other additional specific areas relevant to the contract. Each of these areas is graded on a scale that typically includes the following ratings:

1. Exceptional: Performance exceeds all contractual standards.
2. Very Good: Performance meets contractual standards and exceeds some to the government's benefit.
3. Satisfactory: Performance meets contractual standards.
4. Marginal: Performance does not meet some contractual standards.
5. Unsatisfactory: Performance does not meet most contractual standards and recovery is unlikely.

Why CPARS Matter:

1. Future Contract Awards: CPARS ratings are critical in future contract awards, as they provide a historical record of a contractor’s performance that is considered in the source selection process for new contracts. A history of strong performance can enhance a contractor's competitive position.
2. Reputation: High ratings in CPARS can bolster a contractor's reputation within the industry and with the government, facilitating trust and potentially leading to more business opportunities.
3. Feedback for Improvement: CPARS provide valuable feedback to contractors on areas of strength and areas needing improvement. This feedback can guide contractors in refining their operations and performance on future contracts.
4. Accountability and Transparency: CPARS support accountability and transparency in government procurement by documenting contractor performance over time, aiding in the decision-making process for contract renewals, extensions, and follow-on contracts.
5. Risk Management: For government agencies, evaluating contractors through CPARS helps manage risk by identifying contractors that may pose a performance risk on future contracts.

DCAA Audited Purchasing System

Basically a rerun from DCAA audited accounting system ,but purchasing systems become much more important once you have Cost-Plus Fixed Fee subcontractors.

Take a minute and think about that: if you get a CPFF contract from your customer, your subs may also want a CPFF subcontract. Depending on what you're buying from subs, this can get complex, and if you're billing CPFF to your customer, they may want to ensure you're doing it properly.

Why They Matter

Again, growing up is hard to do, but if you want to play in the big leagues, you'll have to do it eventually. The more of these core business systems you have blessed by the folks at DCAA, the less risk you pose to your customers and the easier it is to award you a contract.

MAC ID/IQ Contracts WITH TOs

Multiple-Award Indefinite Delivery/Indefinite Quantity contracts are a massive differentiator, MASSIVE.

What's a MAC IDIQ? I talk about it like a hunting license for a game preserve. If you have a license then you have access to some choice hunting that those without a license do not, in this analog that hunting is for task orders - or paying contracts. There are a TON of MAC IDIQs for all different sorts of products and services, you have the massive GSA GWACs (government-wide acquisition contracts), you have agency-specific MACs, like Seaport VETS, some are relatively small with only a a few dozen awardees like OASIS, others are huge with thousands of awardees.

Here comes the but: having a hunting license only gets you access the hunting ground, you still have to hunt, namely do all the same capture and BD processes.

So having a MAC ID/IQ prime means little, the big deal is when you have task orders. There are plenty of companies out there sitting on a bunch of prime IDI/IQ awards and little-no awards, not sure why.

How Much They Cost to Get

A Lot, generally. Now getting onto a GSA schedule is pretty cheap, you can pay a consultant to get you on a vehicle for $5-10k or you can do it yourself. It is time consuming but not overly expensive.

For the large MAC IDIQs, like OASIS+, PACTS III, STARS, CIOSP, T4NG, companies spend A LOT. Think thousands of labor hour and consultant dollars over multiple years. What's more, these large contracts have become self-scoring drills that are seemingly won or lost on a spreadsheet, based on little more than past performance and CPARs ratings

Why They Matter

Bottom line: spend is moving more and more to MAC ID/IQs, all the animals are moving into the preserve; if you don't have a license then you're going hungry.

Why? it's easier for government. For procuring contracting officers, soliciting to a smaller pre-qualified pool of companies means they can focus mainly on technical and price. Also, the smaller pool means they'll get fewer proposals to review.

There's also the who "category management" thing where OMB instructed agencies to start buying things from "best in class multiple award contracts".

Either way, get on a MAC or go hungry.

CPFF (Cost Plus Fixed Fee) Past Performance

Just like prime PP, CPFF PP is major differentiator that shows a contractor's maturity and sophistication. CPFF contracts are a type of government contract where the contractor is reimbursed for allowable costs and paid a fixed fee (profit margin). Past performance in these contracts is critical as it demonstrates the contractor's ability to manage and execute projects within the stipulated budget while ensuring quality and compliance with contractual terms.

How Much They Cost to Get

The costs associated with securing and managing CPFF contracts are mostly listed above: you need to win the contract, to do so you often need some other form of prime past performance and you need an audited accounting system, at a minimum.

In addition to those basic things, to do it successfully you need to consider:

• Cost Estimation and Management: The ability to accurately estimate and manage costs is crucial. This includes investment in cost accounting systems and expertise in cost estimation.
• Regulatory Compliance: Compliance with government regulations, such as the Federal Acquisition Regulation (FAR), incurs costs related to maintaining up-to-date knowledge and adhering to strict reporting and auditing requirements.
• Project Management: Effective project management to control costs and meet project milestones requires investment in skilled personnel and potentially project management software. Quality Assurance: Ensuring high-quality outputs to meet government standards can lead to costs associated with quality control systems and processes.
• Risk Management: Managing the risks associated with cost overruns and project delays requires robust risk management strategies, which can include insurance and contingency planning. For detailed guidance on managing CPFF contracts, including cost considerations, the Defense Contract Management Agency (DCMA) and the Defense Contract Audit Agency (DCAA) provide resources and guidelines.

Why They Matter

The longest term and most valuable contracts are typically prime CPFF contracts. From a business perspective they provide the most stable and predictable cashflow opportunities with a guaranteed, albeit often low profit margin.

This Is Going to Take SOOOO Long

Yeah, it is.

It's also going to cost you, either in time or money.

There are almost always consultants available who can accelerate your process and lower your risk of failing to gain one of the merit badges.

At the end of the day, certain things take time, and in the government, most things take a lot of time. At the end of the day they want to know a few simple things:

1. Can this company do the work?

2. Can they do the work without breaking the law?

3. Can they do the work without a data/information breach?

How will they know unless someone give you a stamp of approval.

One parting thought: suck it up cupcake.

This is hte way the game is played, there's a ton of rules, plenty of barriers, tons of head winds.

Save the complaints, there's a library-worth of studies, reports, and white papers talking about how bad the system is.

You have two options:

1. learn the rule and play the game better than the next person

2. go find an easier industry