The size of the opportunity
Federal IT is the single largest category of diverse supplier spend in the U.S. government. The federal government spends roughly $100 billion annually on IT products and services, and a significant share flows through set-aside vehicles designed explicitly for small and diverse businesses.
The GSA's STARS III GWAC — a governmentwide acquisition contract for IT services — is an 8(a) set-aside vehicle with a $50 billion ceiling. SEWP V, NASA's solutions vehicle for IT products and services, has a $20 billion ceiling and includes pools for small disadvantaged businesses. CIO-SP3 (and its successor CIO-SP4) from NIH has a $20 billion ceiling with dedicated small business and 8(a) pools. OASIS covers professional services including IT consulting with similar tiered small business access.
These are not aspirational programs. Agencies are required to compete task orders within these vehicles, and contracting officers regularly use the 8(a) pools to meet agency small business goals. If your firm is 8(a) certified and holds a position on one of these vehicles, you are in the active pipeline for federal IT contracts.
On the corporate side, Fortune 500 technology and financial services companies spend over $100 billion annually on external IT services. Diverse IT firms enter primarily through NMSDC and WBENC corporate programs at IBM, Accenture, Deloitte, JPMorgan Chase, and Bank of America. These firms each run formal supplier diversity programs with dedicated sourcing portals and annual spend targets.
Which certifications matter most in IT
SBA 8(a) is the highest-value certification for federal IT. It allows sole-source awards up to $4.5 million and competitive set-aside awards up to $22 million through GWAC vehicles. For a firm with the technical capability to execute, 8(a) status plus a GWAC vehicle position is the most direct path to federal IT revenue. The nine-year program window gives firms time to build past performance before graduating into unrestricted competition.
The catch: 8(a) requires passing SBA's social disadvantage, economic disadvantage, and control tests. Firms owned by veterans, women, or members of ethnic minority groups are presumed socially disadvantaged, but economic disadvantage thresholds are strict. Individual net worth must be below $850,000 (excluding primary residence and business equity) at the time of application.
SDVOSB (Service-Disabled Veteran-Owned Small Business) is the strongest certification for VA and DoD IT work. The VA has a mandatory set-aside program called Veterans First Contracting that requires contracting officers to prioritize SDVOSB and VOSB firms before any other competitive method. VA IT spend is substantial — the agency is one of the largest federal IT buyers. DoD also heavily uses SDVOSB set-asides for IT support at military installations and defense agencies.
WOSB (Women-Owned Small Business) sees strong usage at NIH, FDA, and USDA for IT services. These agencies have historically high WOSB utilization rates in the 541511 (custom computer programming) and 541512 (computer systems design) NAICS codes. WOSB set-asides can be used in industries where women are underrepresented, and IT qualifies.
For corporate programs, NMSDC's MBE certification is the most recognized credential at major tech primes. WBENC certification is the parallel for women-owned firms. IBM, Accenture, and Deloitte all list these certifications as preferred or required for their tier-1 diverse supplier programs.
Key corporate buyers and their programs
IBM runs one of the oldest corporate supplier diversity programs in IT. IBM's program spans global procurement and specifically tracks diverse spend in IT consulting, software development, and infrastructure services. Entry is through IBM's supplier registration portal. IBM holds first-tier NMSDC relationships and sources directly from MBE-certified IT firms for subcontracting on its federal contracts.
Accenture sets a public diverse supplier spend target and publishes annual progress reports. Their supplier diversity team actively recruits NMSDC- and WBENC-certified IT firms for project-based subcontracting, particularly in cloud migration, cybersecurity, and data analytics work. Subcontracting is the primary entry point — Accenture rarely sources directly from small diverse firms for prime contracts, but subcontract volume can be substantial.
Deloitte similarly sources diverse IT subcontractors for federal work. As a major federal systems integrator, Deloitte has active small business subcontracting plans on most of its large federal contracts, which are public documents filed with the contracting agency. Firms can review these plans and approach Deloitte's supplier diversity team with specific capability matches.
JPMorgan Chase and Bank of America are among the largest corporate buyers of IT services outside the federal space. Both have formal supplier diversity programs targeting NMSDC and WBENC certified vendors for infrastructure, application development, and cybersecurity services. Contract sizes at financial services firms tend to run larger than federal IT task orders — multi-year managed service agreements in the $2M-$15M range are common for mid-sized diverse IT firms with relevant financial sector experience.
Typical contract sizes and entry points
Federal IT set-aside task orders on STARS III and SEWP V typically range from $500,000 to $5 million for small firms. Sole-source 8(a) awards under $4.5 million are common for agencies with urgent or specific needs. Firms starting out on these vehicles often win their first task orders in the $250,000-$750,000 range for staff augmentation or IT support services.
Direct federal prime contracting requires a GWAC vehicle position, which means winning a spot on STARS III, SEWP V, or CIO-SP4 during an open season. These competitions happen periodically. Missing the window means waiting — or entering as a subcontractor to an existing prime until the next on-ramp.
Subcontracting to large federal prime contractors (Leidos, SAIC, Booz Allen, CACI, Accenture Federal) is the faster entry path for firms without vehicle positions. Large prime contracts include mandatory small business subcontracting plans. Firms can search SAM.gov for prime contractor subcontracting plans and approach the prime's small business liaison officer directly.
For corporate IT work, the most common entry structure is a vendor-of-record (VOR) agreement, typically for staff augmentation or project-based consulting. These agreements are negotiated annually and can be renewed. Initial contracts in corporate programs often range from $100,000 to $500,000 for a specific project or resource placement, with repeat work following if execution is strong.
Industry-specific barriers
FedRAMP authorization is the most significant federal IT barrier for cloud and SaaS firms. The Federal Risk and Authorization Management Program requires cloud service providers to obtain authorization before federal agencies can use their products. Full FedRAMP authorization costs $500,000 to $2 million and takes 12 to 24 months. For small diverse firms selling cloud-based IT services, the fastest workaround is partnering with an authorized cloud platform (AWS, Azure, Google Cloud all carry FedRAMP authorizations) and structuring services on top of that infrastructure rather than seeking independent authorization.
Past performance requirements create a circular barrier: agencies want to see federal IT past performance, which you can only get after winning federal IT work. The practical solution is to accumulate past performance through subcontracting before pursuing prime contracts. Document every subcontract carefully — CPARS ratings from your prime contractor become your past performance record.
Security clearances are required for a significant share of federal IT work, particularly at DoD, intelligence agencies, and law enforcement. Secret clearances take 6 to 18 months. Top Secret/SCI clearances take longer. Firms without cleared personnel are locked out of this work. The practical approach is to hire personnel who already hold clearances, or to acquire a small firm with an existing cleared workforce.
Cybersecurity certifications are an emerging barrier and an opportunity. CMMC (Cybersecurity Maturity Model Certification) is now required for DoD contractors and subcontractors. Firms that achieve CMMC Level 2 certification ahead of competitors gain a real sourcing advantage. Cybersecurity is also the fastest-growing IT category for diverse firms — DoD cybersecurity spending is rising and agencies are actively trying to diversify their cyber vendor base.
Practical first steps
If you are a diverse IT firm under $5M in annual revenue and want to enter federal or corporate supplier diversity programs, the sequencing matters.
First, confirm your NAICS codes. The primary codes for IT services are 541511 (custom computer programming), 541512 (computer systems design services), 541519 (other computer-related services), and 519210 (data processing, hosting, related services). Your SBA size standard is based on average annual receipts over three years — for most IT NAICS codes, the small business threshold is $30 million or $34 million.
Second, register on SAM.gov. Federal contracting requires an active SAM registration. It takes two to four weeks and must be renewed annually.
Third, determine which certification to pursue. If you are 8(a)-eligible, apply before you hit the revenue or net worth thresholds — many firms wait too long and age out of eligibility. If you are a service-disabled veteran, SDVOSB is faster to obtain and specifically valuable for VA work. NMSDC or WBENC certification opens corporate programs.
Fourth, target a GWAC vehicle. Review the open season schedules for STARS III and CIO-SP4. Preparing a competitive GWAC proposal requires understanding the technical evaluation criteria, which are published in the solicitation. Consider teaming with an existing GWAC holder while you wait for the next on-ramp.
Fifth, identify two or three federal prime contractors with active subcontracting plans in your NAICS code. Approach their small business liaison officers with a one-page capability brief and your SAM registration number. This is a long sales cycle, but a single subcontracting relationship can generate $500,000 or more in annual revenue once established.
The firms that win in federal and corporate IT supplier diversity are not necessarily the largest or most technically sophisticated. They are the ones that understand the procurement structure, hold the right certifications, and show up consistently in front of the right buyers.
