Regulation isn't the obstacle. Misreading it is.
Comply Consulting LLC
Federal compliance counsel for government contractors, procurement officers, and agency directors navigating the full spectrum of acquisition and regulatory obligation.
Practice areas:
- FAR / DFARS: Acquisition Compliance (48 CFR Parts 1–53)
- CMMC / FISMA: Cybersecurity Frameworks (32 CFR Part 2002)
- Financial Audit: A-123 / GAGAS (2 CFR Part 200)
- Environmental: NEPA / EO 14057 (40 CFR Parts 1–1517)
Margaret Holloway
Senior Acquisition Counsel · 18 years federal procurement
The IDIQ Trap: Why Small Contractors Lose Awards They Should Win
The Indefinite Delivery, Indefinite Quantity contract remains the federal government's preferred vehicle for recurring services — and the most reliably misunderstood instrument in a small contractor's portfolio. The problem is rarely price. It's proposal compliance.
Under FAR 16.504(a)(1), agencies must establish a guaranteed minimum — but that figure tells you almost nothing about task order volume. What matters is the ordering period ceiling, the competition structure for individual task orders, and whether the base IDIQ was awarded under full-and-open or set-aside authority. Most small businesses conflate the vehicle award with the revenue. They are not the same document.
The correctable error we see most often: a contractor submits a technically superior proposal but fails to address the government's Minimum Guarantee clause correctly under FAR 52.216-22. The source selection board doesn't score intent. They score compliance.
GAO B-416900 (Task Order Competition Protest Precedent)
DFARS 216.504 (DoD-specific IDIQ thresholds)
Common Compliance Gaps
- Incorrect Minimum Guarantee language (FAR 52.216-22)
- Missing Section L/M cross-reference in technical volume
- Price realism analysis not addressed in cost proposal
- Failure to identify subcontracting plan (FAR 19.704)
- No past performance relevancy narrative (FAR 15.305)
94% of clients who completed a pre-submission compliance review received a technical evaluation score above the competitive range.

David Achterberg
Director, Cybersecurity Compliance · CISSP · Former NSA Technical Advisor
CMMC 2.0 Level Structure
- Level 1: 17 practices · Self-assessment · FAR 52.204-21
- Level 2: 110 practices · C3PAO or self-assess · NIST SP 800-171
- Level 3: 110+ practices · Government-led · NIST SP 800-172
"A System Security Plan written after the audit notice is a confession, not a defense."
DFARS 252.204-7019 (NIST SP 800-171 DoD Assessment)
DFARS 252.204-7020 (NIST SP 800-171 DoD Assessment Requirements)
See also: CMMC Final Rule, 32 CFR Part 170 (Dec. 2024)
CMMC Level 2: The Gap Between Self-Assessment and Survivable Audit
When the Department of Defense published the CMMC 2.0 Final Rule in December 2024, it resolved years of contractor uncertainty — and introduced a new category of exposure for defense industrial base companies that had been managing their own NIST SP 800-171 assessments informally.
Level 2 certification now applies to any contractor handling Controlled Unclassified Information. The requirement isn't new. The consequence is. Under DFARS 252.204-7021, contracts subject to Level 2 require either a current C3PAO assessment or a validated self-assessment score in SPRS — and that score must be accurate. DoD auditors are not reading your SSP. They are comparing your SPRS submission to your actual technical controls.
The most common finding in our gap analyses: organizations have documented 102 of 110 NIST 800-171 practices but have not implemented 3.13.10 (Establish and manage cryptographic keys) or 3.3.1 (Create and retain system audit logs). These are not edge cases. They are the practices most frequently overstated in self-assessments.
A gap analysis that precedes your C3PAO assessment is not overhead. It is insurance against a finding that delays award by six months.
Adjacent Risk: Section 889 Supply Chain
FAR 52.204-25 prohibits use of covered telecommunications equipment from Huawei, ZTE, and four other designated entities. Representation requirements apply to all federal contractors regardless of contract value. Many Level 2 CMMC candidates are simultaneously non-compliant with Section 889 because their IT asset inventories are incomplete.

Priya Nambiar
Senior Advisor, Federal Financial Compliance · CPA · Former OMB Senior Examiner
Audit Season Without a Playbook: What State Agencies Get Wrong About FISMA
FISMA compliance is not an IT problem. It is a governance problem with IT symptoms. State agencies receiving federal grants are bound by 44 U.S.C. § 3554 and must maintain information security programs consistent with NIST SP 800-53. Most do not have a current Plan of Action and Milestones. Many cannot produce their last Authority to Operate documentation.
The OMB annual FISMA reporting cycle creates a predictable pressure point: agencies scramble in Q3, submit incomplete metrics in Q4, and receive Inspector General findings in Q1 of the following fiscal year. The finding is rarely about technology. It is about the absence of documented management controls under NIST SP 800-53 CA-2 (Security Assessments) and CA-7 (Continuous Monitoring).
The corrective action plan is not complicated. It requires an agency information security officer with actual authority, a current system inventory, and a risk acceptance process that doesn't terminate at the IT department. What it requires most is someone willing to read the Inspector General's prior-year findings and treat them as a roadmap.
2 CFR Part 200 Uniform Guidance — Common Audit Findings
"The IG finding is rarely about technology. It is about the absence of documented management controls."
OMB Memorandum M-22-05 (FY2022 FISMA Guidance)
NIST SP 800-53 Rev. 5 (Security Controls)
NIST SP 800-137 (Continuous Monitoring)
OMB Circular A-123 (Internal Control)
3.2x faster POA&M closure rate with a structured remediation plan.
67% of FISMA findings repeat from the prior year without external review.
By the numbers:
- 17 years in practice (since 2009)
- 340+ federal audits supported, across 14 agencies
- $2.8B in IDIQ awards supported (total contract value)
- 120+ CMMC assessments, Level 1 through Level 2
Professional Memberships
- National Contract Management Association (NCMA)
- American Bar Association — Public Contract Law Section
- Information Systems Security Association (ISSA)
- Association of Government Accountants (AGA)
Client Profile
- Small Business Contractors: SDVOSB, 8(a), HUBZone — pursuing first IDIQ or GWACs
- State & Local Agencies: CFO-level audit preparation, FISMA program remediation
- Mid-Cap Defense Firms: DFARS gap analysis, CMMC readiness, CUI management
Schedule a Compliance Review
A structured 45-minute consultation with a named Comply advisor. We read the regulation before the call. You describe the situation. We tell you exactly where the exposure is and what it costs to close it.
- Intake review: we review your challenge description before the call
- Structured consultation: 45 minutes with a named advisor in your compliance area
- Written gap summary: delivered within 3 business days of the consultation
Not ready to schedule?
Federal Compliance Readiness Checklist
A 47-point self-assessment covering FAR, CMMC, FISMA, and financial audit readiness. Used by our consultants as the baseline for every engagement. Available free with email registration.