Guide

· 8 min read

Supplier diversity in cybersecurity: opportunities for diverse firms in a high-growth market

The federal government spends over $20 billion per year on cybersecurity, and set-aside vehicles like STARS III and CIO-SP4 reserve a large share specifically for small and diverse firms.

Federal cybersecurity spending passed $20 billion annually in FY2023 and has grown every year since 2016. The agencies driving that spend—DoD, DHS/CISA, NSA, FBI, Treasury—have active supplier diversity requirements baked into their acquisition strategies. For diverse-owned firms with the right certifications and technical skills, this is one of the most accessible high-dollar markets in federal contracting.

The catch: clearances, compliance frameworks, and incumbent primes create real barriers. This guide explains the dollar figures, the vehicles, the buyers, and the practical path in.

The size of the opportunity

The Office of the National Cyber Director's FY2024 budget request pegged federal civilian cybersecurity spending at $13 billion. Add DoD's $11.2 billion cyber budget request for the same year and you're past $24 billion before counting classified programs. That total has grown at roughly 12–15% annually since 2019.

Small businesses captured about 23% of federal IT spending in FY2023, per the SBA's annual goaling report. Cybersecurity sits within NAICS codes 541512 (Computer Systems Design), 541519 (Other Computer Related Services), and 541690 (Other Scientific and Technical Consulting)—all categories where the SBA sets small business prime contracting goals above 20%.

The set-aside pool is real money. STARS III, the GSA's small business IT GWAC, had $50 billion in ceiling across all pools when it launched in 2022. CIO-SP4, NIH's GWAC, has a $50 billion ceiling with dedicated pools for small businesses, 8(a) firms, women-owned small businesses, and service-disabled veteran-owned small businesses. When agencies issue task orders against these vehicles, they're required to compete within the appropriate pool first.

Which certifications matter most in cyber—and why

SDVOSB (Service-Disabled Veteran-Owned Small Business) is the single most valuable certification for DoD cyber work. CYBERCOM, NSA, and DISA have strong SDVOSB utilization goals, and veterans with technical backgrounds (military cyber operators transitioning out of NSA TAO or Army Cyber Command) carry built-in credibility with contracting officers. Sole-source awards up to $4.5 million are available to SDVOSB firms without competition. The VA's VOSB/SDVOSB verification program completed its migration to SBA in January 2023—get verified through SBA.gov, not the old VA portal.

SBA 8(a) gives you nine years of preference including sole-source awards up to $4.5 million for services and competitive set-asides up to $25 million. In cyber, 8(a) sole-source contracts are how many small diverse firms land their first agency relationship—a contracting officer at CISA or Treasury can award a $2M network monitoring contract to an 8(a) firm without going through full competition. The tradeoff is the application process takes 3–6 months and requires demonstrating social and economic disadvantage.

WOSB (Women-Owned Small Business) is most valuable at NIH (CIO-SP4 WOSB pool), DHS/CISA, and civilian agencies with strong WOSB utilization goals. CISA explicitly tracks WOSB spend in its annual small business report. The WOSB pool in CIO-SP4 covers IT services broadly, which includes cybersecurity assessments, security operations center (SOC) staffing, and compliance consulting.

HUBZone adds geographic preference on top of any other certification. If your firm is located in a HUBZone (check the SBA map at certify.sba.gov), stacking HUBZone with 8(a) or SDVOSB gives you preference on set-asides where HUBZone firms get a 10-point price evaluation preference.

Key contract vehicles for cyber work

STARS III: GSA's IT GWAC restricted to small businesses. Five functional areas cover cybersecurity work directly (Functional Area 2: IT Infrastructure and Cloud; FA5: Cybersecurity). Agencies issue task orders against it—DoD, DHS, Treasury, and intelligence community agencies are all authorized users. To compete for STARS III task orders, your firm must hold a STARS III contract. Applications open periodically; watch GSA's website. Current contract holders are listed in GSA eBuy.

CIO-SP4: NIH's GWAC with nine small business pools. Pool 4 is SDVOSB, Pool 5 is WOSB, Pool 8 is 8(a). All cover the full scope of IT services. The NIH Information Technology Acquisition and Assessment Center (NITAAC) administers it. Over 300 agencies are authorized users, including DoD and DHS. Task order sizes range from $100K to $100M+. If you're an 8(a) firm, getting on CIO-SP4's 8(a) pool is one of the highest-leverage moves you can make in federal cyber.

OASIS+: GSA's professional services GWAC (successor to OASIS) has a small business pool that covers cybersecurity consulting, program management, and professional services related to IT. Useful for consulting-heavy cyber work rather than technical implementation.

Agency-specific IDIQs: DISA issues its own multiple-award contracts (ENCORE III is one example, though it's winding down). NSA has classified vehicles. CISA has issued solicitations for SOC support, incident response, and vulnerability assessment services. These are often more targeted and harder to get on, but task orders can be larger than GWAC-based work.

Corporate buyers: named programs

Several Fortune 500 defense and IT firms run supplier diversity programs specifically relevant to cyber subcontracting:

Leidos generated $15.1 billion in revenue in FY2023, with federal cyber work a large share. Their supplier diversity team actively recruits small and diverse subcontractors for large prime contracts. Contact their supplier diversity office directly at leidos.com/suppliers.

Booz Allen Hamilton reported $10.7 billion in revenue in FY2023, heavily weighted toward defense and intelligence cyber. They post subcontracting opportunities on their supplier portal and participate in NMSDC and National Veterans Small Business Coalition events.

CACI International and SAIC both maintain active small business subcontracting plans as required by their federal prime contracts over $750,000. These plans include percentage goals for SDVOSB, 8(a), WOSB, and HUBZone spend.

ManTech, now owned by Carlyle, focuses on defense cyber. Their supplier diversity outreach targets SDVOSB firms specifically given the DoD customer base.

Approach primes at industry events: the AFCEA Cybersecurity Summit, NDIA Cyber, and the Annual Small Business and Supplier Diversity Virtual Summit (hosted by DHS) are the right rooms.

Typical contract sizes and entry paths

First contracts for diverse cyber firms typically fall in the $250K–$2M range, usually through one of three paths:

Subcontracting is the most common entry. A large prime wins a $50M DoD cyber contract with subcontracting goals. They need to hit their SDVOSB or 8(a) goal. You provide specific SOC analyst FTEs, a compliance assessment, or a training module. You don't need clearances for unclassified portions. This path takes 6–18 months of relationship-building before the first subcontract award.

8(a) sole-source is the fastest path to a direct prime contract. A contracting officer at a civilian agency—say, Treasury's OCC or a regional DHS office—has a $1.5M requirement for NIST 800-171 compliance consulting. They can sole-source it to your 8(a) firm if no other 8(a) firm is a reasonable alternative. These deals move fast: sometimes 60–90 days from conversation to award.

GWAC task orders require holding a contract vehicle first. Winning a spot on CIO-SP4 or STARS III takes 12–18 months from application to award but then opens you to task order competitions across hundreds of agencies for the life of the vehicle (typically 10 years).

Industry-specific barriers

Security clearances block access to classified programs, which represent a substantial portion of NSA, CYBERCOM, and intelligence community cyber spend. Getting a facility clearance (FCL) takes 6–18 months and requires a cleared employee sponsor. The path: hire one cleared individual (often a veteran transitioning from DoD cyber), win an unclassified contract with an agency that can sponsor the FCL, then apply for facility clearance through DCSA.

CMMC (Cybersecurity Maturity Model Certification) is becoming mandatory for all DoD contractors handling Controlled Unclassified Information. Level 1 covers basic FAR 52.204-21 practices. Level 2 maps to NIST SP 800-171 (110 controls). Level 3 adds NIST SP 800-172 requirements. The final CMMC rule was published in December 2023 with phased implementation starting in 2025. If you're pursuing DoD subcontracting, you need to be on the Level 2 path now—it takes 12–18 months to achieve. The cost runs $50K–$200K for a Level 2 assessment. For diverse firms, this is both a barrier and a differentiator: most small firms haven't started, so those that achieve CMMC Level 2 become sought-after subcontractors for primes facing their own compliance deadlines.

Incumbent advantage is real in cyber. Agencies build trust with vendors who have cleared employees, established relationships with the ISSM/ISSO, and existing system access. Breaking in requires either a prime relationship (subcontracting) or a sole-source vehicle (8(a) or SDVOSB).

Practical first steps

  1. Get certified first. If you're a veteran-owned firm, start the SBA SDVOSB verification process. If you're socially and economically disadvantaged, apply for 8(a). These take 3–6 months minimum. Don't wait until you have a contract lead—certifications unlock vehicles and sole-source conversations.
  1. Target unclassified cyber work. Network monitoring, compliance assessments (NIST, FISMA, FedRAMP), security awareness training, and vulnerability scanning don't require clearances. CISA, Treasury's Office of Cybersecurity and Critical Infrastructure Protection, and civilian agency CISOs are good starting points.
  1. Register in SAM.gov and get a DUNS/UEI. This is a prerequisite for any federal work. It's free and takes 1–2 weeks. Make sure your NAICS codes include 541512, 541519, and 541690.
  1. Attend one prime's supplier diversity event. Leidos, Booz Allen, and SAIC all hold annual events. Bring a two-page capability statement focused on your specific cyber capabilities—not a generic IT services pitch. Name the agency customers you want to support and the technical domains you know cold.
  1. Start the CMMC Level 2 process. Hire a Registered Practitioner Organization (RPO) to do a gap assessment against NIST 800-171. The assessment costs $5K–$20K and tells you exactly where you stand. If you're more than 60 controls deficient, budget 18 months. If you're close, you could achieve Level 2 in 6–9 months.

The federal cyber market will keep growing regardless of budget cycles—the threat environment guarantees it. Diverse firms that get certified, get compliant, and get on the right vehicles will be competing for task orders for the next decade.

Tools that pair with this article

Confirm which certifications fit your business.

The quiz checks ownership, location, revenue, and NAICS codes against the eligibility rules for every federal, national, and state certification we track. The result is a ranked list with the buyers each one opens and the order to pursue them in.