IT is one of the largest single categories the federal government buys. One code alone, NAICS 541519 (Other Computer Related Services), accounts for billions in annual awards covering cybersecurity, infrastructure support, and managed services. The catch is that "IT" is not one market. It's a dozen NAICS codes, several buying vehicles, and a set of set-aside programs that decide who you compete against. Get the classification right and you cut your competition. Get it wrong and you're bidding against firms ten times your size for work that was never meant for you.
Here's the path, in the order that matters.
Pick the right NAICS codes firstEverything downstream depends on this. Your NAICS code tells the government what you do and which size standard applies. The IT codes you'll use most:
- 541511 — Custom Computer Programming Services. Application and software development.
- 541512 — Computer Systems Design Services. Systems integration, network design, cloud architecture, enterprise IT consulting.
- 541519 — Other Computer Related Services. The catch-all for cybersecurity consulting, IT project management, helpdesk, data backup, and hosting.
- 541513 — Computer Facilities Management Services. Running a client's IT operations under contract.
You can and should register under more than one. A firm that builds software and manages the infrastructure it runs on legitimately fits 541511, 541512, and 541519. Pick the code that matches the specific solicitation you're bidding, because the size standard travels with the code.
Know your size standard before you call yourself smallFor the design and consulting IT codes, the SBA size standard is $34 million in average annual receipts over the preceding five fiscal years. That's the 541512 threshold, effective March 2023. Under it, you're "small" for that code and eligible for small business set-asides. Over it, you compete in full and open.
That $34M number is generous by small-business standards, which is the point. It means a firm doing $8M or $12M a year in IT services is comfortably small and competing against other small firms, not against the primes. Verify your status with the SBA's Size Standards Tool against each code you register, because revenue and the standard both change. Our certification guides walk through how size status interacts with the demographic certifications below.
The set-asides that apply to ITThe government is required by law to direct at least 23% of prime contract dollars to small businesses. IT is one of the categories where it routinely uses set-asides to hit that goal. If you qualify as small, these stack on top of your size status:
- 8(a) Business Development — for socially and economically disadvantaged owners. 8(a) sole-source and competitive awards are heavily active in 541512 and 541519. This is one of the strongest IT lanes for minority-owned firms.
- WOSB / EDWOSB — women-owned and economically disadvantaged women-owned small business.
- SDVOSB — service-disabled veteran-owned. The VA, a top IT buyer, has its own SDVOSB preference under the "Vets First" rules.
- HUBZone — for firms headquartered in and hiring from historically underutilized business zones.
A set-aside doesn't change what you do. It changes who you're allowed to compete against. An 8(a) cybersecurity firm bidding an 8(a) set-aside is competing only against other 8(a) firms, which is a far smaller pool. Certification is what unlocks those pools. If you're sorting out which one fits, CertifyAll captures your business details once and handles the federal applications.
Who actually buys ITConcentrating your outreach matters more than blanketing every agency. The largest federal buyers under the computer systems design code are the Department of Defense, Department of Homeland Security, GSA, Department of Veterans Affairs, and the IRS. DoD and its components alone drive enormous IT volume across cyber, cloud migration, and systems modernization.
Look at where your capability already maps. A firm with healthcare data experience should weight the VA and HHS. A team with security clearances and a cyber bench should weight DoD and DHS. Past performance in a vertical is worth more than a generic "we do IT" pitch.
Where the opportunities liveSAM.gov is the front door. You must have an active registration there to win any federal contract, and it's the official posting site for solicitations above the micro-purchase threshold. Set up saved searches by your NAICS codes and read the solicitations even when you can't bid yet. You learn the buyers' language that way.
For IT specifically, much of the spend flows through pre-competed vehicles rather than one-off postings:
- GSA Multiple Award Schedule (MAS), IT category. The schedule organizes IT offerings under Special Item Numbers (SINs) that map to your NAICS codes. Getting on the IT schedule gives agencies a fast, pre-vetted way to buy from you.
- GWACs (government-wide acquisition contracts). GSA's Alliant 3 has a small-business path that requires you to be small under the 541512 $34M standard. 8(a) STARS III is a GSA GWAC reserved for 8(a) firms. NASA's SEWP vehicle handles IT products and services government-wide.
These vehicles are competitive to get onto and take real effort, so they're usually a year-two or year-three move, not a day-one one. Confirm which are currently open before you build a capture plan around them, because award and on-ramp windows shift.
Start as a subcontractor, not a primeIf you have no federal past performance, bidding a prime contract cold is a long shot. The faster route is subcontracting to a prime that already holds the work. Large IT contracts carry subcontracting plans with small-business and diverse-supplier targets the prime has to meet, which gives them a direct reason to bring you on.
This is how most IT firms get their first federal line item. You deliver a clean scope under a prime, you build documented past performance, and you use that record to bid as a prime later. Our subcontract finder surfaces primes with active subcontracting obligations that match your codes and certifications, which is a more direct path than cold-emailing prime contractor portals.
What primes and contracting officers want to seeBefore any of this converts, you need a one-page capability statement they can forward internally. It should carry your NAICS codes, your size and certification status, your CAGE and UEI from SAM, two or three concrete past-performance examples with measurable results, and a tight description of your core competencies. Vague statements get deleted. A statement that says "migrated 1,400 users to Azure for a 600-bed hospital system, zero downtime" gets a callback. You can build one with our capability statement builder.
A reasonable next stepPin down your NAICS codes, confirm your size status against the $34M standard, and figure out which set-aside you qualify for. Then look at who's already holding IT work you could support. The subcontract finder is a low-commitment way to see which primes have open subcontracting obligations that fit your codes, so your first federal conversation is with a buyer who actually has a reason to talk.
---
Sources: SBA Table of Size Standards · US Federal Contractor Registration — Top IT NAICS Codes · GovConToday — NAICS 541512 · Baker Tilly — Alliant 3 RFP first look
