Certifications
Industry and government-recognized certifications for quality, security, and compliance
Federal Risk and Authorization Management Program
FedRAMP provides a standardized approach to security authorizations for cloud products and services used by federal agencies. It uses a "do once, use many times" framework, meaning a single authorization can be reused across all government agencies.
Cybersecurity Maturity Model Certification
CMMC establishes cybersecurity standards for DoD contractors and subcontractors handling Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). It replaced self-attestation with third-party assessments at higher levels.
ISO 9001 Quality Management System
ISO 9001 is the international standard for quality management systems (QMS). It provides a framework for consistent quality in products and services, emphasizing customer satisfaction, process improvement, and evidence-based decision making.
ISO/IEC 27001 Information Security Management
ISO 27001 specifies requirements for establishing, implementing, maintaining, and continually improving an information security management system (ISMS). It helps organizations manage and protect information assets systematically.
SOC 2 — Service Organization Control Type 2
SOC 2 reports evaluate a service organization's controls relevant to security, availability, processing integrity, confidentiality, and privacy. Type 2 reports cover the operating effectiveness of controls over a period of time, typically 6-12 months.
Federal Information Security Modernization Act
FISMA requires federal agencies and their contractors to develop, document, and implement information security programs for systems that process federal data. It mandates risk-based security controls aligned with NIST standards.
NIST SP 800-171 — Protecting Controlled Unclassified Information
NIST SP 800-171 provides requirements for protecting the confidentiality of Controlled Unclassified Information (CUI) in nonfederal systems and organizations. Its 110 security requirements span 14 families including access control, incident response, and system integrity.
Section 508 Accessibility Compliance
Section 508 of the Rehabilitation Act requires federal agencies to ensure that their electronic and information technology (EIT) is accessible to people with disabilities. This extends to all technology procured, developed, maintained, or used by the government.
Small Business Programs
SBA-administered programs providing contracting advantages to small and disadvantaged businesses
8(a) Business Development Program
The 8(a) Business Development Program helps small, disadvantaged businesses compete in the federal marketplace. It provides access to sole-source contracts, mentoring, technical assistance, and a nine-year developmental period.
HUBZone Program
The Historically Underutilized Business Zones program helps small businesses in distressed urban and rural communities gain preferential access to federal procurement opportunities. It stimulates economic development through federal contracting dollars.
Women-Owned Small Business / Economically Disadvantaged WOSB
The WOSB/EDWOSB program provides federal contracting opportunities for women-owned small businesses. EDWOSB certification requires an additional showing of economic disadvantage, unlocking contracts in additional NAICS industries.
Service-Disabled Veteran-Owned / Veteran-Owned Small Business
The SDVOSB and VOSB programs provide federal contracting advantages to small businesses owned by service-disabled veterans and veterans. The VA maintains its own verification program (VA VetBiz) in addition to SBA certification.
SBA Mentor-Protege Program
The SBA Mentor-Protege Program enables experienced firms (mentors) to provide technical and management assistance to small disadvantaged businesses (proteges). Mentor-protege pairs can form joint ventures that combine the protege's small business status with the mentor's capabilities.
SBA Surety Bond Guarantee Program
The SBA Surety Bond Guarantee Program helps small and emerging contractors who cannot obtain surety bonds through regular commercial channels. SBA guarantees a portion of the bond, reducing the surety company's risk.
SCORE Mentoring for Small Business
SCORE is an SBA resource partner providing free business mentoring and education to aspiring entrepreneurs and established small businesses. Its volunteer mentors include retired executives and experienced business owners with government contracting expertise.
Small Business Innovation Research Program
SBIR is a competitive program that encourages small businesses to engage in federal R&D with commercialization potential. Eleven agencies with R&D budgets exceeding $100M participate, awarding over $4 billion annually across three phases.
Small Business Technology Transfer Program
STTR facilitates cooperative R&D between small businesses and research institutions (universities, federal labs, nonprofits). Unlike SBIR, STTR requires a formal partnership with a research institution that performs at least 30% of the work.
Acquisition Programs
Laws, programs, and contract vehicles governing how the government buys goods and services
GSA Multiple Award Schedule (MAS)
The GSA MAS program is the government's premier commercial buying program. It provides federal agencies with a simplified method to acquire commercial products and services at volume-discounted pricing from pre-vetted vendors.
AbilityOne Program
AbilityOne is a federal program that creates employment for people who are blind or have significant disabilities through the manufacture of products and provision of services to the government. Products on the Procurement List have mandatory source requirements.
Buy American Act (BAA)
The Buy American Act requires the federal government to prefer domestic end products and construction materials in its procurements. It applies to direct federal purchases and establishes a price preference for domestic products over foreign offers.
Trade Agreements Act (TAA)
The TAA implements U.S. trade agreements by waiving Buy American requirements for products from designated countries. For acquisitions above certain thresholds, TAA-compliant products from designated countries are treated the same as domestic products.
Berry Amendment
The Berry Amendment requires the Department of Defense to give preference to domestically grown, produced, or manufactured food, clothing, textiles, and specialty metals. It is more restrictive than the Buy American Act for these specific product categories.
Davis-Bacon Act
The Davis-Bacon Act requires contractors and subcontractors on federal construction contracts exceeding $2,000 to pay workers prevailing wages and fringe benefits as determined by the Department of Labor for the locality where the work is performed.
McNamara-O'Hara Service Contract Act
The Service Contract Act requires contractors and subcontractors performing services on federal contracts exceeding $2,500 to pay service employees prevailing wage rates and fringe benefits, or the wages and benefits from a predecessor contractor's collective bargaining agreement.
Competition in Contracting Act
CICA establishes the requirement for full and open competition in federal procurement, with limited exceptions for sole-source awards. It also created the GAO bid protest system, giving disappointed offerors a mechanism to challenge award decisions.
Truth in Negotiations Act (Truthful Cost or Pricing Data)
TINA requires contractors to submit certified cost or pricing data for negotiated contracts, subcontracts, and modifications exceeding $2M when price competition is not adequate. It ensures the government pays fair and reasonable prices for non-competitive procurements.
Technology Programs
Security authorizations and technology standards required for federal IT systems
Authority to Operate
An Authority to Operate is a formal declaration by an agency authorizing official that an information system is approved to operate at an acceptable level of risk. It is the culmination of the Risk Management Framework (RMF) security assessment process.
Risk Management Framework (replacing DIACAP)
The Risk Management Framework replaced DIACAP as the DoD's process for managing cybersecurity risk. It aligns DoD security authorization with the federal civilian approach, using NIST SP 800-37 as its foundation for a six-step lifecycle process.
Common Criteria for IT Security Evaluation
Common Criteria is an international standard (ISO/IEC 15408) for evaluating IT product security. In the U.S., NIAP manages the Common Criteria Evaluation and Validation Scheme (CCEVS), which validates products against defined Protection Profiles.
FIPS 140-2/140-3 Cryptographic Module Validation
FIPS 140 specifies security requirements for cryptographic modules used in IT products that protect sensitive information. FIPS 140-3 (effective since 2020) aligns with ISO/IEC 19790 and introduces updated testing requirements.
Federal IPv6 Mandate
OMB Memorandum M-21-07 requires federal agencies to complete the transition to IPv6-only networks by the end of fiscal year 2025. All new federal IT acquisitions must be IPv6-capable, and agencies must develop and execute IPv6 transition plans.
Security Programs
Export controls, facility clearances, and personnel security for classified and sensitive work
International Traffic in Arms Regulations
ITAR controls the export and import of defense-related articles, services, and technical data on the United States Munitions List (USML). It restricts access to defense technology to U.S. persons unless specifically authorized.
Export Administration Regulations
The EAR controls the export of dual-use items (commercial items with potential military applications) listed on the Commerce Control List (CCL). It applies to a broader range of items than ITAR and includes deemed export provisions for technology shared with foreign nationals.
National Industrial Security Program Operating Manual
NISPOM (32 CFR Part 117) establishes requirements for protecting classified information disclosed to or generated by contractors. It covers all aspects of industrial security including personnel clearances, physical security, information system security, and insider threat programs.
Facility Security Clearance (FCL)
A Facility Clearance is granted to a contractor facility that needs to access, store, or produce classified information. FCLs are issued at the Confidential, Secret, and Top Secret levels and require sponsorship by a government contracting activity.
Personnel Security Clearance
Personnel security clearances are granted to individuals who need access to classified national security information. Clearance levels include Confidential, Secret, and Top Secret, with additional access designations like SCI and SAP for compartmented programs.
Committee on Foreign Investment in the United States
CFIUS is an interagency committee that reviews foreign investment transactions to determine their effect on U.S. national security. Following FIRRMA (2018), CFIUS has expanded jurisdiction over real estate transactions near military installations and critical technology investments.
Special Access Programs & Sensitive Compartmented Information
SAPs and SCI programs impose additional access controls beyond standard classification levels. SAPs protect the most sensitive military technologies and operations, while SCI controls intelligence sources and methods. Both require additional personnel vetting and specialized facilities (SCIFs).
Compliance Programs
Regulatory frameworks and ethical standards governing contractor conduct and accounting
Federal Acquisition Regulation Compliance
The Federal Acquisition Regulation (FAR) is the primary regulation governing federal procurement. It establishes uniform policies and procedures for all executive agencies in acquiring supplies and services. Compliance with applicable FAR clauses is mandatory for all federal contractors.
Defense Federal Acquisition Regulation Supplement
DFARS supplements the FAR with DoD-specific acquisition policies and procedures. It implements statutory requirements unique to defense acquisition, including cybersecurity (DFARS 252.204-7012), specialty metals, and foreign acquisition restrictions.
Cost Accounting Standards (CAS)
CAS establishes uniform cost accounting principles for defense and other negotiated contracts. It ensures contractors use consistent, transparent methods for measuring, assigning, and allocating costs to government contracts.
Organizational Conflict of Interest (OCI)
OCI rules prevent contractors from obtaining unfair competitive advantages or being unable to render impartial advice due to their other government work. Three types exist: unequal access to information, biased ground rules, and impaired objectivity.
Anti-Kickback Act
The Anti-Kickback Act prohibits providing, soliciting, or receiving kickbacks in connection with federal contracts and subcontracts. Kickbacks include money, fees, commissions, gifts, or anything of value exchanged for favorable treatment in the award or performance of government contracts.
Procurement Integrity Act
The Procurement Integrity Act prohibits the disclosure of contractor bid or proposal information and source selection information during federal procurements. It also restricts post-government employment for acquisition officials involved in contracts over $10M.
Why Programs & Certifications Matter
Government contracting is not just about finding opportunities and writing proposals. Success requires understanding and complying with a complex web of programs, certifications, and regulatory requirements that govern who can sell to the government, what standards products must meet, and how contractors must conduct business.
Small business programs like 8(a), HUBZone, and SDVOSB create set-aside opportunities with reduced competition. Security certifications like FedRAMP, CMMC, and facility clearances gate access to lucrative market segments. Compliance frameworks like FAR, DFARS, and CAS define the rules of engagement for contract performance and cost accounting.
Each program page below provides requirements, administering agency, and practical guidance on how the program affects your government contracting business.