Veteran-owned software consulting for agencies that need it shipped, not slide-decked.
SDVOSB-certified prime and subcontractor. We build FISMA Moderate systems on FedRAMP-authorized platforms (AWS GovCloud, Azure Government), deliver under GSA MAS and SEWP, and exit clean with documented runbooks.
Most federal software engagements fail the same three ways — and none of them are technical.
The pattern is predictable. A prime wins on past performance, staffs the work with junior engineers under senior LCATs, and treats ATO as a documentation exercise that starts in month nine. By the time the SCA finds the architecture won't pass NIST 800-53 AC-4 or SC-7, the budget is gone and the agency is asking for a no-cost extension. Meanwhile the codebase lives on a contractor laptop, the Terraform is undocumented, and the only person who understands the deployment is a 1099 who's already on their next gig. The agency owns nothing it can run.
- Bait-and-switch staffing: senior resumes in the proposal, mid-level engineers on the actual standup call.
- ATO treated as an end-of-project document drop instead of a design constraint shaping every architectural choice.
- Vendor lock-in by neglect: undocumented infra, proprietary build scripts, no runbooks the agency can execute alone.
- Scope creep absorbed into modifications nobody priced, then surfaced as a 'discovery' six months in.
How a veteran-owned shop runs a federal engagement without the usual theater
- STEP-01: Start with the ATO path, not the demo
  Before writing code, we map the System Security Plan, control inheritance from FedRAMP Moderate or High platforms (GovCloud, Azure Government), and the agency's specific overlays. ATO timelines drive architecture decisions — not the other way around.
- STEP-02: Pick the right vehicle on day one
  GSA MAS IT 54151S, SEWP V/VI through a prime, CIO-SP3, or direct SDVOSB sole-source under the Rule of Two. We tell you which path is fastest for your ceiling and PoP, and we don't pretend every contract fits every vehicle.
- STEP-03: Ship in 2-week increments under FISMA
  We run sprint cadence with documented evidence artifacts — SCA scans, STIG checklists, POA&M updates — generated as part of the build, not bolted on at the end. Continuous monitoring hooks into agency SIEM (Splunk, Elastic) from sprint one.
- STEP-04: Hand off with runbooks, not slide decks
  Every engagement closes with a working system, source in the agency's GitHub Enterprise or GitLab, infra-as-code in Terraform, and runbooks a GS-12 can execute on a Tuesday. No hostage knowledge, no rate-card extension games.
```yaml
# .github/workflows/fisma-evidence.yml
# Generates control evidence on every merge to main.
name: FISMA Evidence Pipeline
on:
  push:
    branches: [main]
jobs:
  controls:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Prepare evidence directory
        run: mkdir -p evidence
      - name: SCA - dependency vulnerabilities (RA-5)
        run: |
          trivy fs --severity HIGH,CRITICAL --format sarif \
            --output evidence/ra5-trivy.sarif .
      - name: STIG compliance scan (CM-6)
        # '|| true' keeps a failing benchmark from aborting the job, so the
        # results file is still produced and uploaded as evidence.
        run: |
          oscap xccdf eval --profile stig \
            --results evidence/cm6-stig.xml \
            /usr/share/scap/ssg-rhel9-ds.xml || true
      - name: IaC policy check (CM-2, AC-3)
        # checkov treats --output-file-path as a directory and writes
        # results_sarif.sarif inside it.
        run: |
          checkov -d terraform/ -o sarif \
            --output-file-path evidence/cm2-checkov
      - name: Push to agency eMASS via API
        env:
          EMASS_KEY: ${{ secrets.EMASS_API_KEY }}
          EMASS_USER_UID: ${{ secrets.EMASS_USER_UID }}
        run: python scripts/emass_upload.py evidence/
      - name: Update POA&M with new findings
        run: python scripts/poam_sync.py --system-id ${{ vars.EMASS_SYSTEM_ID }}
```
Control evidence — RA-5, CM-2, CM-6, AC-3 — gets generated and pushed to eMASS on every merge, so the SCA isn't a 6-week panic at the end of the project.
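The POA&M sync step above is only referenced by name. The script below is an added example of what that step's core logic can look like: it reads the SARIF files the pipeline writes, tags each finding with the control the file name encodes (ra5-, cm2-, cm6-), and produces POA&M rows with a severity and a scheduled completion date. It is not VooStack's code; the control mapping, the severity-to-deadline policy and the sample SARIF are assumptions constructed for the example.

```python
"""Hypothetical poam_sync.py: turn SARIF evidence files into POA&M rows tagged with the
NIST 800-53 control they support. Added example, not VooStack's code."""
import json
import re
from datetime import date, timedelta

# Evidence file prefix -> control, following the pipeline's file naming (ra5-, cm2-, cm6-).
CONTROL_BY_PREFIX = {"ra5": "RA-5", "cm2": "CM-2", "cm6": "CM-6"}
# SARIF result level -> POA&M severity and remediation window in days (assumed policy).
SEVERITY_MAP = {"error": ("High", 30), "warning": ("Moderate", 90), "note": ("Low", 180)}

def control_for(filename):
    """Derive the control from an evidence file name such as 'ra5-trivy.sarif'."""
    m = re.match(r"([a-z]+\d+)-", filename)
    return CONTROL_BY_PREFIX.get(m.group(1)) if m else None

def poam_rows(filename, sarif_text, today=date(2024, 1, 1)):
    """One POA&M row per distinct (rule, location) pair found in a SARIF 2.1.0 document."""
    control, rows, seen = control_for(filename), [], set()
    for run in json.loads(sarif_text).get("runs", []):
        # Rule descriptions live under tool.driver.rules; results reference them by ruleId.
        rules = {r["id"]: r for r in run.get("tool", {}).get("driver", {}).get("rules", [])}
        for res in run.get("results", []):
            severity, days = SEVERITY_MAP.get(res.get("level", "warning"), ("Moderate", 90))
            loc = (res.get("locations") or [{}])[0].get("physicalLocation", {})
            uri = loc.get("artifactLocation", {}).get("uri", "<none>")
            if (res["ruleId"], uri) in seen:   # scanners often repeat a CVE per layer/lockfile
                continue
            seen.add((res["ruleId"], uri))
            desc = rules.get(res["ruleId"], {}).get("shortDescription", {}).get("text")
            rows.append({
                "control": control, "weakness": res["ruleId"], "asset": uri,
                "description": desc or res["message"]["text"], "severity": severity,
                "scheduled_completion": (today + timedelta(days=days)).isoformat(),
                "source": filename,
            })
    return rows

# Constructed SARIF shaped like trivy output; CVE ids are placeholders, not real advisories.
SAMPLE_RA5 = json.dumps({"version": "2.1.0", "runs": [{
    "tool": {"driver": {"name": "Trivy", "rules": [
        {"id": "CVE-0000-0001", "shortDescription": {"text": "placeholder: vulnerable dependency"}}]}},
    "results": [
        {"ruleId": "CVE-0000-0001", "level": "error", "message": {"text": "placeholder"},
         "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}}}]},
        {"ruleId": "CVE-0000-0001", "level": "error", "message": {"text": "placeholder"},
         "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"}}}]},
        {"ruleId": "CVE-0000-0002", "level": "warning", "message": {"text": "placeholder"}}]}]})
```

Running `poam_rows("ra5-trivy.sarif", SAMPLE_RA5)` collapses the duplicated CVE into one row and yields two RA-5 entries; the real script would then submit these rows to eMASS rather than return them.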
Field FAQ.
→ Are you actually SDVOSB-certified, or just self-attested?
We hold an active SDVOSB certification through the SBA's Veteran Small Business Certification (VetCert) program — the unified certification that replaced VA CVE Vets First in 2023. That means we're eligible for SDVOSB sole-source and set-aside awards across all federal agencies, not just VA. Verification is public via SAM.gov and the SBA certification database. Happy to send the cert letter and our UEI on request.
→ Which contract vehicles can you work under directly or as a sub?
Directly, we hold GSA MAS under IT Professional Services (formerly 54151S) and pursue SDVOSB set-asides. As a sub, we partner with primes on SEWP V/VI, CIO-SP3 Small Business, GSA Alliant 2 SB, 8(a) STARS III, and agency BPAs. We're a clean teaming partner because we're small enough to move fast but mature enough to handle DCAA-compliant timekeeping, CPSR-ready subcontracts, and FAR 52.204-21 cyber baselines.
→ What's your experience with FedRAMP and FISMA Moderate/High systems?
Our standard pattern is to inherit controls from a FedRAMP-authorized platform — typically AWS GovCloud, Azure Government, or Google Assured Workloads — which collapses the agency-side ATO scope significantly. We've shipped systems through FISMA Moderate ATO using NIST 800-53 Rev. 5 control sets, with continuous monitoring via the agency's eMASS or Xacta instance. We don't sell our own FedRAMP package; we build on top of one.
→ How do you handle CMMC requirements for DoD work?
For CUI-handling systems we architect to CMMC 2.0 Level 2 (the 110 controls from NIST SP 800-171 Rev. 2). That means GCC High or AWS GovCloud for storage, FIPS 140-2/3 validated crypto, documented SSP and POA&M, and a clear flow-down for any subcontractors. We don't claim to be a C3PAO — we build the system and the artifacts, then your assessor validates. We've supported clients through Joint Surveillance Voluntary Assessments.
→ Can a small SDVOSB really handle a multi-million dollar program?
For prime work, our sweet spot is task orders in the $250K–$5M range where senior engineering matters more than headcount. For larger programs we sub to established primes and bring the SDVOSB credit plus the technical delivery. The Rule of Two (FAR 19.502-2) makes us a viable prime for set-aside work that primes can't touch directly. We're transparent about what we can and can't carry alone.
→ What failure modes do you see in typical GovCon software engagements?
Three patterns repeat: (1) primes staffing junior engineers at senior bill rates because the LCAT label allows it; (2) ATO treated as a paperwork phase at month 10 instead of a design constraint at month 1, leading to re-architecture; (3) deliverables structured to require the incumbent's continued presence — proprietary build tooling, undocumented infra, knowledge silos. We design out all three from the SOW stage.
→ Do you support state and local government, not just federal?
Yes. State and local — particularly state CIO offices, DMVs, health and human services, and municipal IT — have similar compliance pressures (StateRAMP, IRS Pub 1075 for tax data, CJIS for law enforcement, HIPAA for HHS) but faster procurement. We work under state master contracts, NASPO ValuePoint, and cooperative purchasing agreements. The veteran-owned status often qualifies us for state-level small business preferences as well.
→ How do you price federal work — T&M, FFP, or LH?
Depends on the scope clarity. For well-defined modernization or integration work we prefer Firm Fixed Price with milestone-based invoicing — the government likes the cost certainty and we like the margin discipline. For discovery, R&D, or staff augmentation we run Time & Materials or Labor Hour against published GSA rates. We do not do Cost Plus; we're not staffed for the DCAA accounting overhead it requires.
→ What's a realistic timeline from contract award to working software?
For a greenfield FISMA Moderate system on an inherited FedRAMP platform: 30 days to provisional architecture and SSP draft, 60-90 days to a working system in a dev/test enclave, 4-9 months to ATO depending on agency AO responsiveness. For modernization of an existing authorized system, we can often ship inside the existing ATO boundary within 6-12 weeks via a significant change request rather than a full re-authorization.
Have a federal program that needs to actually ship? Let's talk.
Talk to a VooStack operator. We respond within one business day.