Five Fundamentals of the CTA that Small Businesses Need to Understand Now

Photo caption: © royalty –

As part of the 2021 National Defense Authorization Act, small businesses will now need to comply with the new Corporate Transparency Act (CTA). This is meant as an additional preventative measure against money laundering and funding of terrorist organizations.  

Small business owners will need to provide basic identifying information and comply by January 1, 2022. It’s important to comply as the penalties are significant and raise daily until the information is provided. Don’t forget to put this new requirement on your calendar!

This is a guest post by Laura Sims of PilieroMazza PLLC.

On January 1, 2021, Congress enacted the 2021 National Defense Authorization Act. In an effort to strengthen the fight against money laundering and the funding of terrorist activities, it included broad amendments to the U.S. Anti-Money Laundering Act, the most significant of which was the Corporate Transparency Act (CTA). 

The CTA will greatly impact the way businesses are formed and how they operate, and it will require regular reporting practices that businesses need to prepare for before the CTA takes effect. Below are five fundamentals of the CTA that small businesses need to understand now.

1. What is the CTA?

The CTA is legislation that requires privately held U.S. businesses to report certain identifying information for all beneficial owners of such businesses to the U.S. Department of the Treasury’s Financial Crimes Enforcement Network (FinCEN). The CTA was passed to identify and prevent formation of shell companies with no legal U.S. connections that were created solely for illicit financing purposes, including money laundering and terrorist organization funding. 

To provide greater transparency into who owns and controls small businesses in the U.S., the CTA will require each beneficial owner of qualifying entities to report his or her full name, date of birth, current address, and unique identification number, such as social security number, passport ID number, or driver’s license ID number, to FinCEN, unless exempt. Under the CTA, a “beneficial owner” is any individual who directly or indirectly owns or controls at least 25% of the ownership interests of, or exercises substantial control over, a qualifying entity.

Some of the individuals exempt from beneficial owner reporting include:

  • Creditors of entities unless the creditor independently qualifies as a beneficial owner;
  • Employees of entities if the “control” over the entity is based solely on their employment status;
  • Minor children, if their parent / guardian information is reported; and
  • Those who own or control interest in an entity solely through inheritance.

2. Who is subject to the CTA?

All privately held business entities either formed or registered to do business under the laws of any State or jurisdiction in the U.S., unless exempt, will be subject to the CTA reporting requirements.

A few examples of exempt entities include:

  • Non-profit organizations;
  • Publicly traded companies, banks, credit unions, and other financial institutions heavily regulated by government agencies, such as the Securities and Exchange Commission; and
  • Companies with over twenty (20) full-time employees with reported gross receipts or sales over $5 million on the previous year’s tax returns and an operating physical office address in the U.S.

3. When does it go into effect?

The start date for reporting requirements under the CTA are tied to when the Treasury adopts regulations under the CTA, which must take place no later than January 1, 2022. All qualifying U.S. business entities formed after the regulations are adopted will be required to report at the time of formation. 

Qualifying business entities formed before the regulation adoption date will be required to submit reports no later than two (2) years after the regulation adoption date. All businesses, whether formed before or after the regulations are adopted, will be required to update any change in their previously reported information within one (1) year of such change.

4. How will this affect businesses?

The most obvious answer is that qualifying entities will need to completely and correctly submit required beneficial owner information to FinCEN within the applicable reporting window and ensure that any changes in the previously reported information are updated in a timely manner. In many instances, business entities will need to start collecting the required information from beneficial owners well in advance of the reporting deadline. 

All qualifying entities will need to build beneficial owner information collection into their regular operations with the realization that, where there are multiple qualifying beneficial owners, the reporting and update deadlines might be logistically burdensome. Similarly, future business transactions, such as mergers and acquisitions, may need to include additional due diligence and representations and warranties specific to a target entity’s CTA reporting.

5. Why is it important, and what should you do to prepare?

Under the CTA, failure to report beneficial owner information, reporting incorrect information, or failure to update previously reported information will have serious consequences. These may include civil penalties up to $500 per day until the violation is corrected, as well as criminal fines up to $10,000 and imprisonment up to two (2) years. 

While CTA regulations are not mandated until January 1, 2022, business entities should stay informed about regulatory insights released before the regulation adoption date to ensure that all required information is properly collected and submitted when reporting is due. 

Finally, there are still ambiguities in several critical aspects of the CTA, including how ownership and control will be determined, as well as what the reporting requirements will be for certain partnerships and trusts. Because of these ambiguities, privately held business entities should work with legal counsel in advance of the CTA regulation adoption to fully understand whether they will be subject to the reporting requirements, and if so, what those reporting requirements will be.

If you have questions about how the CTA could impact your business or would like to learn more, please contact Laura Sims, the author of this blog, or any member of PilieroMazza’s Business & Transactions Group or Corporate and Organizational Governance Group.

This post originally appeared on the PilieroMazza blog at and was reprinted with permission.

Strategic Planning for the Small Business

© stockasso –

For small businesses, the strategic planning process is multi-faceted. We have to think about where the company is, and where it needs to be, as far as its capabilities, infrastructure, and direction, but we also have to think about strategic planning in terms of growing the business and growing revenue. And though they’re very much tied together, you have to have a direction in order to focus your growth.

As a small business, it’s imperative to figure out your areas of expertise and focus, before you say we’re going to go out and grow, and by how much. What are you going to grow? A new capability? Maybe. It could be part of your corporate strategic goal to add this capability to your repertoire. Or, maybe, you’re going to expand your existing capabilities because you’re very good at them, and you want to leverage your strengths.

Strategic planning is an iterative process. It is important to take care of your overarching strategic plan before you plan your growth, because your areas of growth and the things you want to accomplish should be governed by the overarching goals of your company. 

In a series of posts, we’ll look at these different areas of strategic planning and what you need to consider. 

Strategic planning is not a point of time, but your plan is continuously revised as you get new information, and as things change in your organization. It’s always a working plan, and a work in progress.

Are IDIQs All They are Made Out to Be?

IDIQs are absolutely critical to the growing small business. Whether chasing a re-compete to existing work or growing your portfolio of contracts, IDIQs often provide that “access” that is just not available without them. Either as a Prime IDIQ contract holder or a subcontractor/teaming partner these are the way to success. The fish don’t jump in the boat, but these IDIQ tips will help you land them.

This is a guest post from our friends at Proposal Helper.

© iqoncept –

Indefinite Delivery Indefinite Quantity (IDIQs) are here to stay and are going to get more and more popular. For any company doing business with the United States Government, pursuing and winning a spot on an IDIQ is not an option, it’s an absolute necessity.  In fact, the government agencies are almost mandated to use Best In Class IDIQs for common procurements (OMB Memorandum M-19-13, issued March 20, 2019).

But are IDIQs all they are made out to be? Not all IDIQs are made alike. Knowing which one to pursue – and why – is an important consideration for any business. What are the pros and cons of IDIQs for your business?

Increases Access to Unique Opportunities

The contracting agencies (NITAAC, GSA, etc.) are marketing the IDIQs to their internal customers, which allows the IDIQ contractors to gain access to some very unique opportunities. It is also a great way for small businesses to learn about and pursue contracts that might otherwise be too competitive.

Limited and Known Competition

Perhaps the most attractive aspect of an IDIQ is limited and known competition. IDIQ winners are part of the “winner’s circle,” generally every company gets to know who they are competing with for task orders. The number of companies you are competing against is smaller than with other procurement opportunities, and they are all known to you. This significantly propels your capture efforts and allows you to fine-tune your strategy. You can plan your win themes and differentiators and establish your unique qualifiers ahead of time. 

Companies that invest time to learn their competition are able to not only speak to their differentiators but also align their company’s capabilities to push forward and reap the benefits of the IDIQ. However, lately, it may appear that everyone who submits a proposal is awarded, which erodes some of the IDIQ luster. This does not mean companies should not pursue IDIQs — it only means that you need to be selective in which IDIQs to bid and win.

Increase Market Valuation

With Category Management, IDIQs fall under different Tiers, and the value of the IDIQ to your company will vary. Understand the IDIQ Tiers (Tier 0 – Tier 3) before you make a bid decision. Some companies amass IDIQs to increase their market value before getting ready to exit (sell the company). 

If increasing market valuation is your primary goal for pursuing IDIQs, companies should profile their ‘ideal’ buyer and focus on pursuing IDIQs that will make their company attractive to that buyer demographic. It is not always BIC (Tier 3) IDIQs that fetch the most value. Your company’s capabilities will dictate which IDIQ makes the most sense.

Stretch the Finish Line – 8(a) Category

When it comes to socio-economic privileges, IDIQs that extend your socio-economic status beyond your original graduation date (currently only applies to companies in the 8(a) category) – may be important. For example, the GSA 8(a) STARS III was recently recompeted and any 8(a) company that wins a seat at this table will likely be able to extend their 8(a) status through the life of the contract. 

This is especially important if your current 8(a) contract clients would like to continue working with you—with an “extended” graduation date, you will be able to offer your clients a prolonged platform to continue working with your company. On this note, GSA publicized their latest efforts to create an IDIQ just for Woman-Owned Small Business and HUBZone Small Businesses via the announcement of the latest IDIQ – GSA POLARIS.

At the end of the day, IDIQs are what companies make of them. There’s no denying that they are very popular in the world of government contracting. Oftentimes, once companies have secured the IDIQs, most let them fall by the wayside, for one of two reasons: they went after the wrong types or they have too many of them and are too overwhelmed to keep up with task orders. 

Bidding on IDIQs can be expensive, but the return on investment (ROI) will come from bidding on actual task orders. For that to be successful, companies should be prepared and have the infrastructure in place to bid on task orders, recruit key personnel, estimate and price your services competitively, and—most importantly—be prepared to successfully deliver on the contracts.

How to Take Advantage of IDIQs

Since there are many benefits of IDIQs, it’s wise for your small business to make them a priority. If you don’t, you’ll miss out on a -billion-dollar industry of tasks and orders for the government.

So how do you get started? Before you decide to pursue an IDIQ, be sure to answer the following types of questions so you can set realistic expectations:

●      Why is the IDIQ important to your company?

●      How will your company respond to task orders?

●      How will you work with partners?

The answers to these questions should help you determine exactly why you’d like the IDIQ. Maybe your goal is to boost your company’s sales value or, perhaps, you’d like the peace of mind of having a guaranteed amount of work.

Be sure you understand the value of the IDIQ, whether or not it is used by your target audience, and the type of outcome you expect. If you’re interested in using IDIQs to your advantage, check out ProposalHelper’s IDIQ Reports and follow us on LinkedIn to learn about upcoming IDIQs every Friday.

This post was originally published on the Proposal Helper blog at and was reprinted with permission.

9 “Pieces” to Diminish Cyber Risk for Small Companies, Part II

This is a guest post by Stewart Wharton, TAPE VP of Operations.

Mr. Wharton is a cybersecurity expert, having spearheaded the cyber capability at TAPE and serving in a variety of cyber roles, including Defense and Intelligence Cyber Sector Lead, at KPMG and with the Office of the Chief of Naval Operations N6 as the Deputy Chief Information Officer for Information Assurance and Enterprise Architecture.

© ArturVerkhovetskiy –

In Part I of this post, Stewart “Stu” Wharton explained that defining and communicating your company’s cyber risk management regime is central to your company’s overall cybersecurity strategy. He noted that even if you are outsourcing this task, corporate leadership must be aware of the risks. 

He has already discussed network security, user education and awareness, and malware prevention. In today’s post he will reveal the rest of his 9-piece plan to diminish cyber risk for small businesses.

4. Removable media controls. Make a policy to control all access to removable media. Limit media types and use. Scan all media for malware before importing onto the corporate system. Removable media bring three main risks: 

Data security – Because removable media devices are typically small and easy to transport, they can easily be lost or stolen. In fact, every time you allow an employee to use a USB flash drive or other small storage device, your organization’s critical or sensitive information could fall into the wrong hands. What’s more, even if you encrypt your removable storage devices, you will not be able to recover lost files once the USB flash drive or other device is lost.

Malware – Simply put, when employees use removable media devices, they can unknowingly spread malware between devices. This is because malicious software can easily be installed on USB flash drives and other storage devices. In addition, it just takes one infected device to infiltrate your company’s entire network.

Media failure – Despite its low cost and convenience, removable media is inherently risky. This is because many devices have short life spans and can fail without warning. As such, if a device fails and your organization doesn’t have the files backed up, you could lose key files and data.

5. Secure configuration. Apply security patches and ensure to maintain the secure configuration of all systems. Create a system inventory and define a baseline build for all devices. Web server and application servers are two entry points for configuration vulnerabilities in your organization’s network. According to the Open Web Application Security Project® (OWASP), these security vulnerability types happen through:

Improper file and directory permissions

Unpatched security flaws in server software

Enabled or accessible administrative and debugging functions

Administrative accounts with default passwords

SSL certificates and encryption settings that are not properly configured.

6. Managing user privileges. Establish effective management processes and limit the number of privileged accounts. Limit user privileges and monitor user activity. Control access to activity and audit logs. How can you mitigate the risk of privileged account abuse? To tackle the threat of privileged users in accordance with industry best practices, you need the following:

Efficient privileged account management – Ensure that privileged users in your information technology environment have only the access rights they need to do their jobs.

Control over access to privileged user accounts – Protect your privileged accounts from unauthorized use with strong password management and techniques such as multi-factor authentication.

Privileged user monitoring – Gain visibility into the actions of privileged users to catch abuse or external attacks quickly and limit the damage. Simply letting users know that user activity monitoring is in place can also go a long way toward deterring misbehavior and even preventing accidental misuse, since users are likely to be more careful about their actions.

User behavior analytics – Identify the privileged users with the most suspicious behavior so you can respond in time by discovering and investigating anomalies in user behavior patterns.

7. Incident management. Most small business do not have the means to establish complex incident management processes. Some simple steps to take include:

Establish an incident response and disaster recovery capability 

Develop a simple communications plan to ensure to contact all stakeholders 

Make sure to include third party vendors as part of your plan

As part of your training of employees, test your incident management plans.  

8. Monitoring. Establish a monitoring strategy and produce supporting policies. Continuously monitor all systems and networks. There are a variety of continuous monitoring software available both for on premise and in the cloud. Once you have the monitoring capability you can analyze logs for unusual activity that could indicate an attack. This may seem like overkill for a small company, but consider these eight reasons why small businesses should implement a network monitoring system:

Visually document your growing network 

Do more with less

Monitor from anywhere

Troubleshoot issues more easily

Plan for future growth 

Improve network security

Track trends without hours of data digging

Improve the bottom line

9. Home and mobile working. Especially with the advent of COVID-19, remote working is becoming more the norm than an exception. Develop a mobile working policy and train staff to adhere to it. Apply the secure baseline and build to all devices. Protect data both in transit and at rest.

I hope these simple pieces will allow you to take the actions necessary to make your small business more secure. I will follow up with a piece on how small companies can achieve compliance with National Institute of Standards and Technology NIST 171 standards and the Department of Defense’s Cyber Maturity Model Certification (CMMC) process.

9 “Pieces” to Diminish Cyber Risk for Small Companies, Part I

This is a guest post by Stewart Wharton, TAPE VP of Operations.

Mr. Wharton is a cybersecurity expert, having spearheaded the cyber capability at TAPE and serving in a variety of cyber roles, including Defense and Intelligence Cyber Sector Lead, at KPMG and with the Office of the Chief of Naval Operations N6 as the Deputy Chief Information Officer for Information Assurance and Enterprise Architecture.

© pressmaster –

Regardless of the type of small business, cyberattacks are virtually inevitable. While the bad news is that 81% of cyber-attacks happen to small and medium-sized businesses, the good news is that 97% of these attacks are preventable by implementing recommended security practices and raising security awareness among employees. 

Recognizing this fact, businesses across the globe are willing to spend more on cybersecurity that ever before. According to research firm Cybersecurity Ventures, the cost of cyber-crime will exceed $6 trillion worldwide this year.

Defining and communicating your company’s cyber risk management regime is central to your company’s overall cybersecurity strategy. To maximize the effectiveness of your regime, senior leadership must support efforts.

Many companies cannot afford a chief information officer or a chief information security officer to lead cybersecurity tasks and strategy. In many cases, companies may outsource information technology infrastructure with very little corporate oversight. Even in the case of outsourcing, corporate leadership must be aware of the risks. 

So where should a small company start? 

If you are a small company looking to solidify your cybersecurity posture, I’ve created a simple 9-piece approach for creating a cyber risk management regime. I use the term “piece” instead of “steps” because you can implement these strategies in almost any order. When implementing these pieces, assess the risks to your corporate information and systems with the same vigor you would for legal, regulatory, financial, or operational risks. 

Here are the 9 pieces:

  1. Network security. Protect your networks from attack. Defend the network perimeter and filter out unauthorized access and malicious content. Monitor and test security controls. To perform this step, you must know what operating systems and devices you have and ensure to keep up to date with the latest version and patching. Encrypt your data in transit and at rest and use strong passwords. 
  1. User education and awareness. Produce user security policies covering acceptable and secure use of your systems. Include in staff training. Maintain awareness of cyber risks. The Small Business Administration offers free online cyber awareness training
  1. Malware prevention. Produce relevant policies and establish anti-malware defenses across your organization. Some typical anti-malware practices include:
    1. Backing up or archiving business data is essential to recover from cyberattacks, theft of devices, or loss of equipment or media resulting from a flood or fire. Archiving data is also quite easy since the rise of cloud storage. Cloud storage is a simple, fast, and an affordable way to back up your data. Saving your data in the cloud means that your business is protected from certain serious cyber-attacks such as ransomware. Why is this so important for your business? A ransomware attack encrypts all your data and files, making them inaccessible to you. Cyber criminals will demand money in exchange for unlocking these files, ranging from $100 to $2,000 for each infected system. This form of extortion can be devastating on a small business when several or more computers are infected by ransomware. 
    2. Making your business data useless when it falls into the wrong hands is an effective protection strategy. You can do this by encrypting your data. Full-disk encryption software is available from all major computer and mobile operating systems to encrypt all the data you manage and make sure all your company devices have this software activated and updated. When you use data encryption, you must take measures to protect encryption keys from corruption, loss, and unauthorized access. You must also manage activities such as changing keys regularly, controlling and managing how to assign keys and to whom. Small businesses that do not have information technology staff with data encryption skills should consult with professional information technology services providers to identify and deploy their data encryption needs and solutions.  
    3. Conducting regular risk assessment involves identifying, analyzing, and evaluating risk and ensuring that you have picked appropriate cybersecurity controls to protect your business from cyberattacks. 
    4. Consider buying cybersecurity insurance. Cyber criminals work tirelessly to find more targets and breach different security defenses. They can harm any business, even the most security conscious. According to research conducted on data breaches in 2017, the global average cost of one data breach incident was $3.6 million. To mitigate the losses due to data breaches, it is imperative for businesses to invest in cyber-security insurance. 

Continue reading Part II of this post to learn Stu’s other cybersecurity tips.

How the CMMC is Changing Culture One Company at a Time

Note from John: Seems like every time I have a conversation with another colleague or company the topic of CMMC comes up. The Cybersecurity Maturity Model Certification is not going away…for many good reasons. As defense contractors we have to protect our assets, resources and those of our clients. It is in OUR best interest. Here is another great article from Jason Miller.

© Skorzewiak –

This is a guest post by Jason Miller, executive editor, Federal News Network.

Let’s set the record straight: The Cybersecurity Maturity Model Certification, or CMMC, accreditation body is not part of the Defense Department.

Of all the misconceptions out there about CMMC, Chris Golden, a former member of the CMMC accreditation body and the director of information security for Blue Cross, Blue Shield, said that is the one he hears the most.

So 18 months into the CMMC development and roll out, Golden said industry and agencies still need to grasp why this initiative matters so much.

“We’re losing a lot of intellectual property as a country to our adversaries through gaps in cybersecurity practices and maturity throughout the supply chain. And right now, that’s focused on DoD supply chain, but it will very quickly go out,” Golden said in an interview. “If you look at the Air Force, Navy, Marine Corps F-35 aircraft, and then you look at the Chinese J-31 aircraft, and you wonder why those airplanes look exactly the same? You wonder how that happened. That’s the problem we’re trying to fix.”

Golden said the idea behind CMMC, and supply chain security more broadly, is changing one company’s culture at a time.

“As each company does their assessment, they’re going to get a little bit better. And hopefully, the next time they have their next assessment, they’re going to be a little bit better,” he said. 

“We’re just going to slowly change the culture, where companies are going to start looking at cyber the way they look at human resources. Most people that start a company are not experts on local, federal and state labor laws. So what do they do? They hire an expert to help set up a HR office to handle all that stuff for them to do everything right to keep them out of jail. Cyber has got to be seen as the same thing. It’s just part of doing business in the modern global enterprise. What we’re trying to do is we’re trying to get the point where people don’t forget about it or whitewash it or whatever the case is, but actually take it seriously as a part of doing business.”

That culture change has to happen with just more than defense industrial base companies. This is why the Department of Homeland Security and the General Services Administration are starting to consider how they can use CMMC.

Click the link below to read the full article and listen to Jason’s interview with Chris Golden, a former member of the CMMC accreditation body and the director of information security for Blue Cross, Blue Shield:

Small Business Start-Up Infrastructure

© elenabs –

What should a small business’s back office look like, and how should it function? I sat down with TAPE’s Executive Vice President/General Manager Ted Harrison and we put some thoughts together.

A small start-up business has evolving needs as they begin and grow their business. These needs are ever changing but here are just a few functional areas that will need some attention and thought from the beginning. 

IT: Information technology is probably an easy thing to keep simple in the beginning. Each employee should have their own email on a company domain name (e.g.,, and this can be set up fairly cheaply. 

You can implement a shared cloud-based suite for collaboration such as Google Drive or Apple iCloud. These solutions are often enough to support a very small business’s needs. You can also take advantage of the benefits of Microsoft Office 365, which can grow with you. 

As the company begins to grow and protection of IP against cyber threats becomes more important, you will want to look at investing in an IT network either through outsourcing or internal support. (CMMC is just around the corner!)

F&A: In the beginning, your finance and accounting needs can be managed through QuickBooks or other rudimentary finance software. 

When payroll and AP become more complex and the company requires bank capital to operate, management by a dedicated accountant will become necessary. 

Once the accounting department grows to several people, it will be time to consider oversight by a controller. Outsourcing this function may be most cost effective in the early stages as you grow. 

HR: The human resources function can be outsourced from the beginning, if needed, to ensure that all Federal and State regulations are satisfied. It is fairly inexpensive to outsource the recruiting function. 

Once requirements increase including payroll, recruiting, and employee relations, it may be beneficial to have an HR director to manage the function. 

Contracts: A small company can often rely on expertise from the SBA, PTACs or other small business support entities, but once contracts grow it will be beneficial to have a dedicated contracts manager to ensure compliance with FARs and DFARs.

Your small business’s infrastructure will grow and change as your business evolves. Pay attention to where you’re feeling stretched so you can get the right support in place well before it’s needed.

New Government-Wide SDVOSB Certification Requirement and Process

Note from John: The VA’s role in certifying veteran-owned small businesses seems to be gone and the transfer of that role to the SBA appears to be underway. This really makes sense as they are the entity that certifies all the other socio-economic programs such as 8(a), HUBZone and ED/WOSB. 

Once the process is put into place I’m hopeful this will help streamline the process for new companies to get certified. Those companies that are currently self-certifying will have one year from the Go Live date to apply for the certification. After that date the self-certification is not valid even for Government requirements outside the VA.

© garagestock –

This is a guest post by Steven Koprince of Koprince Law LLC. It was originally published on Dec 4, 2020, and the 2021 NDAA was signed into law on Jan 1, 2021.

The House and Senate have agreed to eliminate service-disabled veteran-owned small business self-certification and adopt a government-wide SDVOSB certification requirement, while transferring control of the certification process from the VA to the SBA.

The Conference Report on the 2021 National Defense Authorization Act would require government-wide SDVOSB certification (eventually) and transfer control of the Center for Verification and Evaluation from the VA to the SBA. Assuming the President signs the bill into law (which, unlike the typical NDAA, remains to seen), SDVOSB self-certification–which is still the law for non-VA contracts–is on its way out.

If you’re not the sort to read an entire National Defense Authorization Act, you can skip right to Section 862, where the SDVOSB changes are set forth. Here are some of the most important pieces of Section 862:

  • Government-Wide SDVOSB Verification Won’t Happen Overnight. The 2021 NDAA calls for the certification requirement to kick in “2 years after the date of enactment of this Act.” 
  • The SBA Will Be in Charge. Under the 2021 NDAA, the SBA, not the VA, will run the Government-wide SDVOSB certification program. The VA’s Center for Verification will be abolished and its functions transferred to the SBA. This move makes sense, given that the SBA runs all of the other Government-wide socioeconomic programs, and that SBA judges already provide oversight over SDVOSB and VOSB applications. The VA, however, will continue to determine whether an individual qualifies as a veteran or service-disabled veteran.
  • Self-Certified SDVOSBs Get a Grace Period. The 2021 NDAA says that once the program goes live (an event the bill calls the “transfer date”), a self-certified SDVOSB will have one year to file an application for certification.  If the application is filed within the one-year period, the company can continue to rely on its self-certification for non-VA contracts until the SBA makes a decision on the application.  Failing to apply within one year, however, will render the self-certification invalid. 

After the grace period ends, self-certified SDVOSBs will no longer be eligible for set-aside and sole source contracts, government-wide. The 2021 NDAA adds this language to the Small Business Act:

A contracting officer may only award a sole source contract to a small business concern owned and controlled by service-disabled veterans or a contract on the basis of competition restricted to small business concerns owned and controlled by service-disabled veterans if such a concern is certified by the Administrator as a small business concern owned and controlled by service-disabled veterans.

So there you have it: under the 2021 NDAA, government-wide SDVOSB certification will happen, and the SBA will take control of the certification (not “verification,” anymore) program. As I alluded to earlier, the President has threatened to veto the 2021 NDAA for reason unrelated to SDVOSB certification. But even if Congress accedes to the President’s requests, it seems unlikely that Section 862 is going away. Our best bet is that it becomes law in the next several weeks.

This post originally appeared at and was reprinted with permission.

Federal Contracting in 2021 – My Thoughts

© iCreative3D –

From COVID-19 to politics to protests, our world has changed a lot over the past year. Thankfully it does appear we can expect the potential for returning to some sort of normalcy on the COVID front toward the end of 2021. 

While some things may never return to what we once knew as “normal,” let’s look to some more positive things we can leverage moving forward: 

  1. Working from home is working. Over the past year, most of us have become quite proficient at working remotely from the comforts of home. After an initial learning curve, many of us have noticed a dramatic uptick in productivity and creative ways of accomplishing results in our new environments. As COVID gets more under control and the vaccine becomes available to the masses, I do believe our workforce will start to migrate back to the office, or more likely a hybrid approach where we will work from the office maybe 2-3 days a week and remotely the remainder. 
  2. We can make do with less space. As a small business one of our largest expenses is work space for employees. By adopting a more permanent work-from-home or hybrid approach, many companies will be able to reduce their office space square footage when re-negotiating their leases. Employees that are required to come into the office may “hot desk” their work spaces with other employees on alternate days. I’ve seen some of our Government clients transitioning to this model with great success.
  3. We can expand our recruitment nationwide. Of course our other major expense is our employees. Not only have our overhead employees been working remotely but so have many of our direct employees. This has allowed us to expand our search for top quality employees from all areas of the country. Since they may not reside in extremely high cost of living areas such as Northern Virginia or the DC Metro area, their salaries are often far less demanding, allowing us to be more cost competitive. 
  4. We can be team players. I see the continuation of the trend of moving requirements to established GWACs and multiple-award contract vehicles. Just a couple that come to mind for this year are CIO SP4 and Polaris. These contract vehicles provide the necessary access to the customers and their requirements and are excellent opportunities for the small business community to work with our large business counterparts to build the best teams. 
  5. Better virtual conferences and meetings. While I do see some events opening up toward the end of this year, it seems most will remain virtual. Over the past year there have been great improvements to virtual event platforms, with features like breakout rooms and other virtual introduction tools. It’s hard to beat face-to-face interactions, but we have come a long way. 

While no one can predict the future, one thing is certain – change is something that will continue.

Court of Federal Claims (COFC) Finds in Favor of the Small Business Community

Note from John: This is potentially huge news for the small business community. In recent years, the government has often put new or existing requirements directly onto a multiple-award large business IDIQ contract vehicle without doing an analysis to see if there are two viable small business entities capable of providing those services. This COFC finding mandates that the government do a Rule of Two analysis prior to moving the requirement onto the large business IDIQ. This will provide more opportunities for us…possibly many more. 

© AndreyPopov –

This is a guest post by Nicole Pottroff of Koprince Law, LLC.

The United States Court of Federal Claims (COFC) has ruled that an agency has to conduct a small business Rule of Two analysis before it can use an existing multiple-award indefinite delivery indefinite quantity (MAIDIQ) contract vehicle to procure services.  This is a landmark decision, given that GSA Schedule contracts are exempt from the Rule of Two. 

The COFC’s decision in Tolliver Grp., Inc. v. United States, No. 20-1108C, 2020 WL 7022493 (Fed. Cl. Nov. 30, 2020), arose out of the Department of the Army’s decision to cancel two General Services Administration (GSA) Federal Supply Schedule (FSS) support staffing solicitations, which were 100% set aside for service-disabled veteran owned small businesses (SDVOSB). The solicitations sought fire support specialists training services for the Fires Center of Excellence field artillery school at Fort Sill. The Army had previously procured these services through a long-term omnibus MAIDIQ contract.

The Army first awarded the solicitations to two SDVOSBs. But it subsequently cancelled the solicitations and the awards for the purpose of transferring the work to an existing MAIDIQ. According to the Army, this Training Management Support (TMS) MAIDIQ would “provide a potentially better procurement vehicle for this requirement” than the GSA FSS contract.

Two SDVOSBs brought this lawsuit under the Tucker Act, arguing that the Army’s actions violated two laws: (1) the Administrative Procedure Act (more on that issue in an upcoming blog); and (2) the Rule of Two (the subject of this blog). Specifically, the plaintiffs argued that the Army violated the Rule of Two by “mov[ing] the unchanged requirements to the New Ft. Sill IDIQ, where only large businesses are eligible for award[.]”

The court explained:

The Rule of Two . . . is straightforward, and provides that the contracting officer shall set aside any acquisition over the simplified acquisition threshold for small business participation when there is a reasonable expectation that – (1) Offers will be obtained from at least two responsible small business concerns; and (2) Award will be made at fair market prices.

According to the court, the Army did not dispute that there were “at least two responsible business concerns capable of performing the work at fair market prices, or that, in general, the Rule of Two is mandatory.” The Army, instead, argued that the Small Business Act and the FAR gave it the discretion “to make use of a multi-award contract without first conducting a rule of two analysis to determine whether the task order should be set aside for small business.” The Army cited the following statutory language:

Federal agencies may, at their discretion:

(1) set aside part or parts of a multiple award contract for small business concerns . . . ;

(2) notwithstanding the fair opportunity requirements under section 2304c(b) of title 10 and section 4106(c) of title 41, set aside orders placed against multiple award contracts for small business concerns. . .; and

(3) reserve 1 or more contract awards for small business concerns under full and open multiple award procurements . . . .

The Army also cited the FAR clause for “[p]artial set-asides of multiple-award contracts[,]” which similarly says that “contracting officers may, at their discretion, set aside a portion or portions of a multiple-award contract” under certain circumstances.

Based on these sources, the Army argued that, since it “exercised its discretion not to set-aside any portion of the TMS MAIDIQ scope or any of the TMS MAIDIQ‘s contract awards for small business,” it could now “utilize the TMS MAIDIQ for any acquisition – and avoid the Rule of Two – so long as the contemplated scope of work is within the TMS MAIDIQ’s scope.”

But the court rejected this “sweeping inference.” The FAR and Small Business Act provisions the Army cited, instead, tell the agency “how a multiple award contract may be structured or how a task order competition under a multiple award contract may be competed.” They do not address whether the agency may ignore the Rule of Two simply because the agency prefers to use a MAIDIQ that already has been awarded. As the court explained:

[T]he fact that an agency has the discretion to partially set-aside “a portion” of a multiple award contract for small business does not lead to the ineluctable conclusion that having decided not to engage in a partial set-aside, an agency may thereafter dispense with the Rule of Two. The latter does not follow from the former. To the contrary, the grant of discretion applies even where the Rule of Two does not require a set-aside, but the grant of discretion does not somehow, by negative implication, eliminate the Rule of Two requirement.

As such, the court concluded that “[t]he Rule of Two unambiguously applies to ‘any’ ‘acquisition,’ FAR 19.502-2, without any loophole for MAIDIQ task orders.” The court noted, “where the FAR intends to make the Rule of Two entirely inapplicable to the selection of a particular procurement vehicle, the FAR knows how to do so,” and it cited FAR subpart 8.4, which expressly exempts FAR Part 8 FSS procurements from the Rule of Two requirements. The indefinite delivery contract regulations in FAR subpart 16.5, however, do no such thing.

Because there was no legal exemption from the Rule of Two for MAIDIQs, the court turned to the specific question of “whether the agency has any obligation to apply the Rule of Two to a particular scope of work that is covered by the scope of an already-issued multiple-award contract[]” before it can leverage the existing MAIDIQ.

To this, the court answered “yes.” Interestingly enough, its decision was actually based on a GAO decision, LBM, Inc., B-290682, where GAO found that the “Army violated FAR § 19.502-2(b) when [it] did not consider continuing to acquire the Fort Polk motor pool services under a total small business set-aside[.]” GAO’s decision there–and therefore, the court’s decision here–centered around the definition of an “acquisition.” The FAR defines an acquisition as:

the acquiring by contract with appropriated funds of supplies or services (including construction) by and for the use of the Federal Government through purchase or lease, whether the supplies or services are already in existence or must be created, developed, demonstrated, and evaluated. Acquisition begins at the point when agency needs are established and includes the description of requirements to satisfy agency needs, solicitation and selection of sources, award of contracts, contract financing, contract performance, contract administration, and those technical and management functions directly related to the process of fulfilling agency needs by contract.

According to GAO, the purchasing of services with appropriated funds in LBM was an acquisition, “regardless of the fact that the agency anticipated acquiring those services through their transfer to the [IDIQ] scope of work.” GAO said, “[h]ad the agency complied with the requirements of [the Rule of Two], it might have concluded that the [IDIQ] contracts were not the appropriate vehicle for this acquisition.” Thus, GAO concluded that “the agency’s intent to use a task order under [a multiple award contract] as the contract vehicle did not eliminate the legal requirement that the agency undertake that analysis.”

The COFC followed suit, stating:

The bottom line from this Court’s perspective is that the cancelled solicitations at issue here are themselves acquisitions. The government’s identification of a need – of a scope of work – that it must procure itself begins an acquisition. Accordingly, we view the identification of the continued need for [the two solicitations’] requirements as either part of in-process acquisition or a new acquisition.

According to the court, either way the acquisition is viewed, the Rule of Two applies. The court said, even if the Army had “satisfied its small business set aside obligations with respect to the TMS MAIDIQ acquisition in 2018,” that did not mean that it also satisfied those obligations with respect to the acquisitions of the requirements set forth in the 2020 solicitations. The court said:

In sum, the government’s failure to apply the Rule of Two prior to deciding to cancel the solicitations at issue is fatal to that decision, whether because that failure undermines the central rationale of the cancellation decision or whether because the decision to move the work to the TMS MAIDIQ prior to conducting a Rule of Two analysis constitutes an independent violation of law.

In the end, the COFC enjoined the agency from cancelling the solicitations and transitioning the work to the MAIDIQ (or to any other procurement vehicle) without first complying with the Rule of Two.

This is truly a landmark decision by the COFC–with the potential to affect a multitude of federal contracts. Especially of late, we have seen many federal agencies attempt to shuffle new requirements to existing IDIQs, often to simplify their acquisition procedures or avoid certain rules or litigation. At least now, those agencies will not be able to escape the small business Rule of Two in doing so.

This post was originally published on the SmallGovCon blog at and was reprinted with permission.