Insights

Selling Security Solutions to the Federal Government

About the Author: Tim Newberry is an EIR at Ten Eleven Ventures and was previously the Founder and CSO of BlackHorse solutions, a cybersecurity software provider that has sold more than $XXM in federal government contracts. In this guide, he explains how selling to the government is fundamentally different from other enterprise sales and lays out a roadmap for finding the right buyer, securing a funding source, and navigating the acquisition process.

How are federal government buyers different from other enterprise buyers?

Because it’s “taxpayer money” there will almost always be a competitive process

For many contracts, government customers have an idea of where they want to get their technology from, but it’s not as simple as picking a vendor. They have to run a competitive process to evaluate the value of the software being procured. Legally, any exception requires a “sole source justification” (SSJ), which is a significant lift for the government buyer.

The government needs to show that they’re getting the highest value

That doesn’t always mean the best product on the market. Often contracts will be based on LPTA “lowest price, technically acceptable”. Procurement might say, “when it comes to capability, I would love a 9/10, but we can’t justify spending that much taxpayer money, and I would accept a 6/10. If you meet the 6/10, we’ll buy it based on the lowest price.”

If you see “LPTA,” the opportunity generally isn’t worth pursuing

Government buyers are extremely risk-averse

It’s a common adage that no acquisition officer ever gets fired for awarding a project to Raytheon. But if they choose the small startup with only 20 people, even if it’s a better provider at a better price, and something goes wrong down the line, the question is “Why did we just spend this million dollars on this unproven startup?” and somebody gets fired. If Raytheon fails, it’s just “Oh, that was just a bad contract.”

To overcome risk aversion, you need past performance with projects of similar size and scope

Make it easy for them to “check the box” quickly. You don’t want them to have to interpret; you want to show a deployment that’s the same size and scope. The more apples-to-apples the previous projects appear, the better. For example, when pitching a DIA IT infrastructure project, a company might make a comparison to a previous Veterans Affairs IT infrastructure project and abstract away differences in specifics, so that at the higher level, that past performance looks identical in size and scope.

100 things need to go right to get a contract in place, and 1 mistake can lose a contract

You need to jump through a lot of hoops to land a government deal, and missing any one of them could cost you success. For example:

  • Missing deadlines or opportunities to show interest – you may target an acquisition office like FEDSIM that has huge amounts of money to allocate. If you’re not paying attention to the dashboard, you might miss the deadline to register for “industry day”, or you might not attend the informational webinar. Even if you’re not going to be the prime contractor, to be a validated sub-contractor, you need to have shown interest along the way.
  • Errors from copying and pasting old information – you might send your RFP response in, copy and paste from the last version of the proposal, and not include the most recent NIST definition. Because things change so fast, you have to go back to the reference and have your own process of checks and balances.

What rules and structures dictate the government buying process?

Once the formal process begins, the customer can’t “help” you too much

If you make a mistake, there’s almost nothing that can be done to recover. Even if your customer wants to, they can’t go back and lobby for you because it’s a competitive bid, and that would be undermining a fair and reasonable open process. Some laws govern this, and people stay far away from gray areas.

Before the formal process, you can have more full and open communications

Before the RFP, you should be shaping the requirement, asking for details about what the deployment would be, and getting an idea of the budget. All along the way, you need to be smart in the questions, so you don’t put your customer in a bad position.

Once the RFP drops and the formal process begins, everything goes through the Contracting Officer

Technically it’s the “CO” for “Contracting Officer”, but people call it the “KO”. This is someone who has received a ton of training and is the only person who can go soup to nuts on administering taxpayer money.

Only go into the formal proposal process if you’re confident

You should very rarely go into the proposal process if you don’t think you have an 80% chance of winning. Don’t waste your time if you don’t meet all of the criteria (size and scope, etc.) or there are really strong competitors (check the interested vendors listed on sam.gov, and call them up to check whether they’re bidding).

What systems, registrations, and certifications do you need to be aware of when selling to the government?

SAM.gov

The System for Award Management (SAM.gov) is a centralized place to register to do business with the U.S. government and find contract opportunities. There’s a little bit of an art to finding opportunities in these massive databases. By law, everything has to be published on SAM in some way, but the buying agents are very sophisticated and can provide an advantage to their preferred vendor. For example, they might let their preferred vendor know on a Monday that the opportunity will be posted on Tuesday and responses are due on Thursday.

Acquisition.gov for FAR and DFARS

Acquisition.gov is the reference for the Federal Acquisition Regulation (FAR), the primary regulation used by all executive agencies in their acquisition of supplies and services with appropriated funds. It also includes a subsection for the Defense Federal Acquisition Regulation Supplement (DFARS), which governs defense spending. One example of how you might use Acquisition.gov is to clarify data rights under the law. You might say, “You’ve got five licenses for this use, and my rights on this are that we own everything, and you can’t take it and turn around and provide it to all your customers.”

FedRAMP

A certification that you need if you sell a cloud product. The Federal Risk and Authorization Management Program (FedRAMP) standardizes security assessment and authorization for cloud products used by U.S. federal agencies to make sure federal data is consistently protected in the cloud.

NIST

A set of standards that you sign off as being compliant with. The National Institute of Standards and Technology (NIST) is a non-regulatory federal agency that tests and measures technology products. The NIST Cybersecurity Framework measures cybersecurity risk, including a 4-tiered system for evaluating how an organization manages cybersecurity risk.

Depending upon the contract, there may be many other requirements.

What are the three “legs of the stool” that you need to execute government transactions?

Selling to the federal government involves multiple stakeholders

There’s the customer (the person with the pain), the funding source (the group with the money), and an acquisition method (the entity that will contract the process).

Many times these three are not in the same office or org.

“Leg of the stool” / What it is / Resources for finding relevant entities or understanding this “leg”

Customer – The person or group who wants your product
  • SOFWERX
  • AFWERX
  • Defense Innovation Unit (diu.mil)
  • National Security Agency/Central Security Service > Business (nsa.gov)
  • Broad Agency Announcements (socom.mil)
  • Doing Business With CISA | CISA

Funding Source – The program where the dollars come from, e.g. Program Element codes, Programs of Record, R&D line items
  • A Guide to OTA Proposals – Defense Acquisition Solutions Group
  • Business Process (cttso.gov)

Acquisition Method – The entity or organization that is going to “contract” the process, from requirements definition, to pre-solicitation, to formal request for proposals, to evaluation, to award
  • GSA FAS FEDSIM
  • GSA FAS FEDSIM Opportunities Dashboard
  • A Guide to OTA Proposals – Defense Acquisition Solutions Group
  • Industry (darpa.mil)
  • Business Process (cttso.gov)
  • Broad Agency Announcements – DEVCOM Army Research Laboratory

There are questions you should consider when engaging with each party

The Customer – the person who wants your product or service. This is the “conventional” customer you would recognize from regular B2B sales.

  • Who this is: There’s not a specific level or title for this; it’s the person who experiences the pain daily.
  • What they’re testing for: Can this product solve my problem?

The funding source is the program that has the budget – it’s not usually the customer because you’re going for bigger sales. Your customer might have discretion over a small budget for a proof of concept, but then you’ll move into a formal funding process. The funding source is usually 1 to 10 lines up in the federal budget from your customer advocate. As a seller, knowing that budget line item and how it gets down to your end-user is really advantageous.

  • Who this is: Program of Record, Line of Accounting, etc.
  • What they’re testing for: “Can I use this type of money for this kind of solution?” For example, software money can’t be used for labor hours and services. So the “color of the money” (a term the government uses) has to align with the problem that’s being solved.

The acquisition method is the entity that’s going to contract the process – it’s possible that your buyer’s office is allocated $50 million a year, but your buyer has to compete for that money with 10 other buyers in their office. So, they’ll engage in a very formal, legally authorized acquisition on behalf of the taxpayer, overseen by a contracting officer (KO). To succeed in this process, it’s very important to demonstrate value.

  • Who this is: Contracting Officer (KO)
  • What they’re testing for: that you have a viable US business, you’re registered in SAM, you’ve got a DMV number, you’ve got a tax number, etc. They also check that you can meet the requirements of the scope of the project. They’re the last signature.

How should you think about building sales relationships and originating deals?

Start by building relationships with the people whose problem you’re solving

Almost 100% of the time, the right place to start is with the true customer. But don’t stop there.

Next, you need to start building relationships with the other 2 legs of the stool

Use your relationship with the customer to get insights into the funding source and the contracting method. Don’t leave funding and acquisition all to the advocate; they’re never going to have the same amount of expertise or energy as your sales team to get the job done.

What are best practices for efficiently and successfully responding to government RFPs?

Occasionally, you’ll see and then win a posted RFP when you’re trawling, but that’s rare for large programs

It usually only happens when it’s a smaller amount, and when it does happen, it doesn’t tend to lead to scaling. If the customer doesn’t know who you are before the formal process begins, it doesn’t matter how good of a writer you are or how good your technology is; there’s a low chance that you get the job.

Start “left” of the formal process and informally help shape the RFP

For example, you might submit a statement of objective that, three versions later, will turn into the statement of work inside of an RFP. Some tips for how to engage tactfully:

  • Don’t give them intellectual property: the second you hand over information, it essentially becomes public. It doesn’t matter if you put a trademark on it. So don’t introduce trade secrets or anything proprietary to the company in your exchanges leading up to the RFP process.
  • Do plant requirements that play to unique aspects of your technology – allude to the value of your technology, IP, patents, pricing, delivery models, or service engagements. This is the hard part, but if you do it well, later in the formal process you will be writing proprietary and trade secret responses that only you can give to RFP requirements. This will help your company stand out.
  • Don’t step over the line by conveying that you have some inside knowledge – if you do, you could be disqualified. For example, don’t tell them that you know their exact budget.

How do you need to prepare your sales org (aligning leadership, hiring specialized reps) before getting into federal sales?

Hire people who have experience with the 3 legs of the stool

You need people on your team who have:

  • Relationships with the right customers
  • Experience navigating government funding (sometimes the same people who have relationships also have experience with finding government money)
  • Experience with highly complex acquisition processes (government sales, or sometimes experience with master service agreements or contracting processes at big financial institutions also works)

Going after federal government contracts is a big-time commitment

This is long-term money, with multi-year cycles. An efficient procurement process could take at least a year. And even then, federal sales are iterative. Past performance is important, and your track record builds over time. The government tends to be a risk-averse bureaucracy, so a contracting officer isn’t going to be fired for awarding a $50 million program to a company that’s had 25 of those projects, but they could be if they give it to a company that’s never done a project anywhere near that amount.

I recommend starting with contracts valued at $500K-$1M if you’re just entering this market, then start to climb and use your past performances to build up your scope. Even if you have the best technology, you won’t be able to speed this up very much.

Building a mature government selling practice will take at least 2 years

For your organization, you have to internally validate that this resource allocation is worthwhile. You probably won’t be able to tell for sure whether it’s working until you’re 18 to 24 months in.

What are the most important pieces to get right?

Use stakeholders to influence each other

Get in a scenario where your customer is advocating for you, and arm them with everything you have. Then the customer goes to the funding source and says “I really want this thing.” At the same time, you’re telling the funding source “Hey, I’m the thing the customer wants, and this is why they want it.”

What is the most common pitfall?

Not paying appropriate weight to all three legs of the stool

You have to determine the right weight for each leg because the dynamic can change from deal to deal. The easiest trap to fall into is focusing just on the pain point (the customer).

Appendix:

Here’s a list of key procurement terminology to help you navigate the government space.

Source: Leadership Connect’s Federal Acronym Guide

ATO (Authority to Operate) – Designated Approving Authority (DAA) authorizes operation of a Business Product and accepts the risk to agency operations

BAA (Broad Agency Announcement) – A general announcement of an agency’s research interest including criteria for selecting proposals and soliciting the participation of all offerors capable of satisfying the Government’s needs

BAFO (Best and Final Offer) – The last offer a contractor submits after negotiations

BOA (Basis of Award) – The customer or customer class that most resembles the purchasing habits of the federal government upon which GSA pricing was negotiated

BPA (Blanket Purchase Agreement) – An agreement between a government buyer and a contractor to fill repetitive needs for supplies or services. Under a BPA, administrative/paperwork costs are reduced because terms are established up-front for subsequent repeat orders.

CO (Contracting Officer) – A person with the authority to enter into, administer, and/or terminate contracts and make related determinations and findings

COR (Contracting Officer’s Representative) – A person designated in writing and authorized by the contracting officer to perform technical and administrative functions in the management of contracts. CORs work alongside program managers and contracting officers to monitor contract operation and performance. ACOR is the alternate for the COR.

COTR (Contracting Officer’s Technical Representative) – A person designated in writing and authorized by the contracting officer to perform technical and administrative functions in the management of contracts. COTRs work alongside program managers and contracting officers to monitor contract operation and performance.

DAA (Designated Approving Authority) – Senior official or executive with the authority to formally assume responsibility for operating a system at an acceptable level of risk to organizational operations.

F/O (Full and Open) – When companies of any size may respond to an RFP

FAR (Federal Acquisition Regulation) – The primary document that codifies uniform policies and procedures for acquisition by all executive agencies. Additional agency-specific procedures are established in related documents such as DFARS for Defense federal acquisition.

FAS (Federal Acquisition Service)

FBO (FedBizOpps) – FBO data moved to SAM and is now known as Contract Opportunities

FPDS (Federal Procurement Data System) – All federal contracts worth over $10,000, and their modifications, are recorded in FPDS

FSS (Federal Supply Schedule)

GWAC (Governmentwide Acquisition Contract) – A multiple award, multiple delivery contract in which multiple agencies can purchase goods and services on a rolling basis within an established timeframe. GWACs are most commonly used for the purchasing of technology solutions for the purpose of lowering cost and increasing efficiency.

IAC (Information Analysis Center)

ICD (Interagency Contract Directory) – A directory of all awarded IDVs

IDC (Indefinite Delivery Contract) – Where the timing and quantities are unknown when the contract is awarded

IDIQ (Indefinite Delivery/Indefinite Quantity) – Contract for an indefinite quantity of supplies or services during a fixed period of time

IDV (Indefinite Delivery Vehicle) – Includes BPA, GWAC, and IDIQ; commonly used for service agreements and interagency acquisitions

LPTA (Lowest Price Technically Acceptable)

MAS (Multiple Award Schedule) – A type of long-term indefinite-quantity contract which is awarded to several contractors from a single solicitation, also known as Federal Supply Schedule (FSS)

NAICS (North American Industry Classification System) – Federal agencies use NAICS codes as the standard for classifying businesses. The two-digit version is most general, while the six-digit version is the most specific. Businesses may be assigned multiple NAICS codes, especially when varied products or services are offered.

RFI (Request for Information) – An agency asking for general information about how a problem can be solved

RFP (Request for Proposal) – An agency asking for vendors to submit a formal document for how they can solve a problem, when many factors are under consideration

RFQ (Request for Quote) – A quote is the estimated cost for meeting a specific need

SAM (System for Award Management) – In beta until April 2021, SAM is the official U.S. government website for federal contract opportunities and awards

SBSA (Small Business Set Aside) – When only small businesses may respond to an RFP

SOW (Statement of Work) – The activities, deliverables, and timelines for a service

SS (Sources Sought) – Similar to RFI, helps an agency determine types of sources

SSJ (Sole Source Justification) – The reason why a contract is sole source, which means it may be issued without a bidding process because there is only one possible vendor

VOSB (Veteran-Owned Small Business) – Some contracts are set aside for these small businesses that are at least 51% owned and controlled by a veteran