USFCR Blog

Primary vs Secondary NAICS Codes: What Actually Matters in SAM

Aug 5, 2025 12:00:00 AM / by USFCR posted in USFCR Academy, NAICS

What Your Primary NAICS Code Controls
Let’s start with the basics. Your primary NAICS code is the one that SAM officially ties to your registration. It defines your core business activity, determines size standards, and can impact set-aside eligibility. If you’re an SDVOSB, 8(a), WOSB, or HUBZone, the primary code must align with the opportunity you're targeting.

Find your NAICS Codes here

Read More

NSIPS Tips for Government Contractors

Jul 31, 2025 10:30:00 AM / by USFCR posted in USFCR Academy

Why NSIPS Matters More Than You Think

NSIPS is the Navy’s official personnel database. It tracks everything from training records to service history to access permissions. If your contract supports the Navy, this system can affect how your staff get onboarded, cleared, or even paid.

NSIPS stands for Navy Standard Integrated Personnel System. It’s a centralized, web-based platform used to manage the personnel records, training compliance, and administrative actions of active and reserve sailors. While it was built for military use, many contractors are now required to interface with it, especially in HR, IT, or administrative roles that support commands like NAVSEA.

Not every contractor needs access, but when NSIPS is in scope, missing steps can cause serious delays.

Read More

CMMC Levels Explained: What Contractors Need to Know in 2025

Jul 23, 2025 9:00:00 AM / by USFCR posted in News, cmmc

What Is CMMC and Why It Matters in 2025

The Cybersecurity Maturity Model Certification, or CMMC, is the Department of Defense’s framework for protecting sensitive information in the federal contracting space. Starting in October 2025, CMMC requirements will begin appearing in DoD solicitations. The rollout will occur in phases through 2028.

CMMC applies to both prime contractors and subcontractors that handle Federal Contract Information (FCI) or Controlled Unclassified Information (CUI). Even if it’s not yet written into your current contract, many prime contractors are already requesting proof of compliance or system readiness from their subs.

If you want to stay eligible for DoD opportunities over the next few years, understanding your required CMMC level and the assessment path that comes with it is critical.

The Origin of CMMC: From 1.0 to 2.0

CMMC was introduced in January 2020 as a five-level certification model aimed at improving cybersecurity across the Defense Industrial Base. The original framework required all contractors to undergo third-party assessments. While this was a step toward stronger security, it created delays and compliance hurdles for small businesses.

In November 2021, the DoD announced CMMC 2.0. This new version reduced the framework to three levels, aligned with existing NIST standards, and introduced the possibility of self-assessment for Level 1 and some Level 2 contracts.

The final rule under 32 CFR was published on October 15, 2024. In July 2025, the DoD submitted the acquisition-focused 48 CFR rule to the Office of Information and Regulatory Affairs. This second rule allows CMMC to be written into federal contracts. While not finalized, the 48 CFR rule targets an implementation date of October 1, 2025.

How Has CMMC 2.0 Changed from Version 1.0?

Feature CMMC v1.0 CMMC v2.0
Levels 5 Levels 3 Levels
Assessment Model All third-party Mix of self and third-party
Certification Renewal Unclear Level 1 annually, Level 2 every 3 years
Implementation Speed Slower pre-COVID Final Rule effective Dec. 2024

CMMC 2.0 streamlines the framework without removing core security requirements. Here's how it compares to the original:

Levels
• 3 instead of 5

Assessment model
• Mix of self and third-party, depending on contract type

Certification renewal
• Level 1 annually
• Level 2 every 3 years

Implementation
• Targets October 2025 start under the 48 CFR rule


CMMC Consultation


Breakdown of CMMC Levels 1–3

Level 1 – Foundational

Level 1 applies to contractors handling only Federal Contract Information. These companies typically provide services like custodial work, groundskeeping, deliveries, or basic maintenance.

Requirements include 15 security practices outlined in FAR 52.204-21. These cover:

• Access control for authorized users
• Password policy enforcement
• Use of antivirus and antimalware software
• Restricting physical access to systems
• Keeping software and devices updated
• Documented system security plans (SSPs)

Level 1 contractors must also:

• Complete an annual self-assessment
• Maintain internal documentation
• Report results in the Supplier Performance Risk System (SPRS)

Level 2 – Advanced

Level 2 applies to contractors who handle Controlled Unclassified Information. This level requires implementation of all 110 controls in NIST SP 800-171 Revision 2. Although Revision 3 was released in 2024, the DoD has locked current compliance requirements to Revision 2 under DFARS 252.204-7012.

Key security requirements include:

• Documented System Security Plans
• Access control and logging
• Secure data transmission
• Incident response and recovery policies
• Multi-factor authentication

Assessment process:

• Phase 1 (October 2025): Some contracts allow self-assessment for non-prioritized CUI
• Phase 2 (October 2026): Most Level 2 contracts require third-party assessments
• Assessment results submitted via SPRS or eMASS (when available)

Other considerations:

• Level 2 certification typically takes 12 to 18 months
• Limited number of Certified Third Party Assessment Organizations (C3PAOs)
• Delaying preparation increases the risk of missing future opportunities

Level 3 – Expert

Level 3 is intended for contractors supporting the most sensitive national security programs. It requires full implementation of NIST SP 800-171 Revision 2 and additional protections from NIST SP 800-172.

Examples of advanced protections include:

• Continuous monitoring
• Behavioral analytics and anomaly detection
• Creation of secure enclaves
• Adaptive network segmentation
• Insider threat detection

Assessment for Level 3 is:

• Conducted directly by DoD personnel
• Required only for high-impact, mission-critical contracts

How Much Does CMMC Compliance Cost?

Level 1
• Internal documentation and minor system upgrades
• Estimated cost: a few thousand dollars, depending on existing infrastructure.

Level 2
• Third-party audits typically range from $50,000 to $80,000
• Additional costs may include system remediation, staff training, and policy development.

Level 3
• Requires enterprise-level security investment
• Costs often exceed six figures annually

CMMC Rollout Timeline

The phased implementation plan begins in October 2025. Here's the breakdown:

• Phase 1 (Oct 2025): Level 1 and some Level 2 contracts allow self-assessment
• Phase 2 (Oct 2026): Most Level 2 contracts require third-party assessment
• Phase 3 (Oct 2027): Level 3 compliance begins for selected contracts
• Phase 4 (Oct 2028): Full enforcement across eligible DoD contracts

Full enforcement is expected by the end of fiscal year 2028.

Tips to Stay Contract-Ready

• Identify whether you handle FCI or CUI
• Confirm your CMMC level and self-assessment eligibility
• Start developing your System Security Plan and documentation
• Budget for future audits and technical improvements
• Monitor NIST SP 800-171 Revision 3 for future transition
• Ask your primes about their current flow-down requirements

FAQs

Is NIST SP 800-171 Revision 3 required for CMMC?
No. The DoD has locked current requirements to Revision 2. However, Revision 3 is available and should be reviewed in preparation for future changes.

When do third-party assessments start for Level 2?
Most Level 2 contracts will require third-party certification beginning in October 2026. Some lower-risk contracts in 2025 may still allow self-assessment.

Why are there two rules?
32 CFR defines the technical security standards. 48 CFR makes those requirements enforceable in government contracts.

Is CMMC already showing up in contracts?
Yes. As of late 2025, several agencies have started including CMMC requirements in solicitations. Primes are also requesting SPRS scores and readiness documentation from subs.

What happens if I wait?
The pool of approved assessors is limited. Waiting until a solicitation requires CMMC could result in delays or disqualification. Early preparation gives you more control and better positioning.

CMMC Consultation

Top Articles

The 17 Most Common Types of Government Contracts Explained

Writing a Winning Capabilities Statement in 2025

Understanding Federal Set-Asides

Read More

Prime Time for Subcontractors: Mastering the Q4 Teaming Window

Jul 21, 2025 10:00:00 AM / by USFCR posted in Guides, Subcontracting & Teaming

Many prime contractors begin identifying teaming partners in July. This timing aligns with Q4 contract deadlines, which peak before the federal fiscal year ends on September 30. August is when capability statements are reviewed, teaming discussions happen, and decisions get made.

Read More

FY2026 Federal Contracting Forecast: Position Yourself for October’s Fresh Start

Jul 17, 2025 8:00:00 AM / by USFCR posted in News, Federal Spending

October 1 is more than a date. It’s a starting point for smart contractors.

Every year, the federal government resets its budget starting October 1st. The mistake most contractors make is waiting until then to act. The real preparation happens three months before.

From July through September, you can still capture final FY2025 awards while setting yourself up for FY2026. If you wait until Q1 to start thinking about strategy, you’re already behind.

Here’s what we know is coming, and what you should be doing right now.

Read More

SAM.gov Registration in 2025: What They Don't Tell You About the Process

Jul 10, 2025 10:00:00 AM / by USFCR Academy posted in News, Registration & Compliance Management

SAM.gov Registration in 2025: What They Don't Tell You About the Process

Last quarter, a contractor in Maryland called us after three failed SAM.gov registration attempts. When we looked at the file, the issue jumped out immediately. Their legal business name didn’t match IRS records by one character. This kind of problem is not rare. It’s common, it’s preventable, and SAM doesn’t warn you about it. After assisting with over 300,000 registrations since 2010, we know exactly where these registrations fall apart.

Read More

Texas Flooding Disaster Prompts Immediate Federal Contracts

Jul 9, 2025 11:00:00 AM / by USFCR posted in News, Disaster Relief

The Flood That Triggered Federal Action

On July 4, 2025, historic flooding struck Kerr County, Texas, following heavy rainfall that began late the night before. The Guadalupe River rose rapidly, overtaking roads, homes, and critical infrastructure. More than 100 people lost their lives across the region, making it the deadliest flash flood Texas has seen in over 20 years.

Read More

Negotiating Better Terms in Teaming Agreements (Without Burning the Bridge)

Jul 7, 2025 10:00:00 AM / by USFCR posted in USFCR Academy, News

If primes are reaching out to you for teaming, it means you bring something valuable. But too many small businesses say yes to the first offer, even when the terms are one-sided. If your role is unclear and the percentage is low, it might not be a partnership at all. It might just be a placeholder.

Here’s how to recognize a bad deal, negotiate a better one, and decide when it’s worth saying no.

Why Primes Want You on the Team

Federal rules give primes strong incentives to work with certified small businesses. If you're an SDVOSB, WOSB, HUBZone, or 8(a) firm, you qualify them for set-aside contracts they couldn’t pursue alone. You might also bring niche skills, past performance in a target agency, or simply a stronger proposal under FAR 15.305.

For contracts over $750,000, primes are required to submit a subcontracting plan under FAR 19.702. That’s why teaming isn’t just about capability—it’s also about compliance. When you show up with certification, experience, and availability, you’re solving three problems for the prime at once.

But when that value is met with a 3% share and no access to the proposal, it’s time to ask what you’re really getting.

What a Fair Teaming Agreement Looks Like

There’s no fixed formula, but there are patterns we’ve seen across hundreds of real contracts:

  • If they want your status only (with little or no work): 5 to 10% may be fair.

  • If you’re doing 30 to 40% of the labor: Your share should reflect that directly.

  • If you’re contributing to the proposal or providing past performance: You deserve input into the scope and revenue split.

If there’s no written scope of work, that’s a red flag. SBA affiliation rules (13 CFR 121.103) and FAR 52.219-14 require clear delineation of roles. Without that, you risk compliance issues—and you may get boxed out of the actual work.

How to Counter the Low Offer Without Burning the Bridge

Most primes will expect some pushback. If you come prepared, they’ll respect the approach:

  • “Can we walk through the labor breakdown and how the percentage was calculated?”

  • “Since we’re providing 40% of the staffing and technical deliverables, can we revisit the proposed share?”

  • “Are we able to review the proposal before submission or sign a letter of intent outlining our scope?”

You’re not demanding. You’re clarifying. That’s the difference between being a passive sub and a real teaming partner.

Jesse Carlow’s Example: Start Smart, Then Scale

Jesse Carlow launched a healthcare supply firm in Austin, Texas. With no prior contracts, he started teaming with well-established primes like Ecolab and Job Corps. He used USFCR to get certified as an SDVOSB, build a compliant profile, and access simplified acquisitions. Within nine months, he had six contracts awardedUSFCR Case Study Summar….

Teaming gave him a runway—but he knew when to switch from support role to prime.

When It Makes More Sense to Go Prime

You may not need the prime. Many small businesses win their first awards directly by targeting simplified acquisition contracts under $250,000. These are faster, less competitive, and designed for small vendors.

That’s how Jean-Max Charles landed a $65,880 VA contract just three months after registration. He used his SDVOSB status, trained weekly through USFCR Academy, and focused on contracts he could handle soloUSFCR Case Study Summar….

If you’re already doing the work, already qualified, and already known in the agency, going prime gives you full control—and full payout.

What’s Next?USFCR Vendor Management Service
Teaming works best when both parties win. If your share doesn’t match your value, it’s time to negotiate—or prepare your own bid. USFCR helps businesses do both. We’ll review teaming offers, prep counter proposals, or guide you through simplified acquisitions if you’re ready to go prime.

Let’s map out the smartest next move for your business.


FAQ
View full FAQ page

What should be in a teaming agreement?
It should include proposal responsibilities, workshare, payment terms, timelines, and protections if the bid is awarded.

What percentage should I expect?
It depends on your role. For status only, 5 to 10% is common. If you’re doing the work, your share should reflect it.

Can I say no to a teaming offer?
Yes. If the terms are vague or undervalue your contribution, a professional “no” protects your reputation and future opportunities. 

Read More

Up to $26 Million in Grants Available for National Outreach and Communications Program for Recreational Boating & Fishing Activities

Jul 2, 2025 4:12:50 PM / by Mari Crocitto posted in News, Hot Grants

The U.S. Fish and Wildlife Service, through the Department of the Interior, is expected to award funds to up to 15 applicants for innovative programs in relation to recreational boating and fishing activities under its National Outreach and Communications Program (NOCP). Be aware that eligible applicants must demonstrate experience with the following: 

Read More

From SAM Registration to Government Contracts: The Next Steps That Actually Matter

Jun 30, 2025 11:00:00 AM / by USFCR posted in News, cmmc

Your SAM registration cost you time and paperwork. Now it's sitting there doing nothing while your competitors are winning contracts. Here's how to fix that.

Read More