Federal teaming FAQ — civilian software sub channel

A civilian software subcontractor delivers unclassified software inside a prime’s existing federal vehicle, without holding the vehicle.

Under FAR 52.219-14, an 8(a) services prime must self-perform at least 50% of contract labor cost. The remaining roughly 50% can flow to non-similarly-situated subs — firms that aren’t themselves 8(a) certified. OlenArc operates in this lane: taking a discrete software module (a portal, a dashboard, an AI-assisted review layer) off the prime’s task-order plate and shipping it inside the prime’s invoice and compliance posture. The prime keeps the agency relationship, the vehicle, and the contract; the sub delivers the bounded module on a fixed scope.

Sources: Federal Subcontracting · FAR 52.219-14 · 13 CFR 125.6

The 8(a) services prime must self-perform at least 50% of personnel cost; the remaining ~50% can be subcontracted to non-similarly-situated entities.

Under FAR 52.219-14 and 13 CFR 125.6, materials and other direct costs are excluded from the calculation — only personnel labor counts. A non-8(a) sub like OlenArc therefore has roughly $4–5M of addressable scope on a $10M task order. Subs that are themselves 8(a) certified count as "similarly situated entities" and their work counts toward the prime’s self-performance. Compliance is increasingly evaluated per task order, not only over the base period.

Sources: FAR 52.219-14 (acquisition.gov) · 13 CFR 125.6 (Cornell)

Civilian-only subs work on unclassified civilian-agency software and do not require personnel clearances; cleared subs handle DFARS-7012, CMMC L2, or classified DoD work.

A civilian-only sub like OlenArc focuses on IHS, BIA / BIE, DOI, GSA, HHS task orders. The compliance bar is NIST SP 800-171 alignment for CUI handling, FedRAMP-Moderate deployment via inheritance on AWS GovCloud or Azure Government — not personnel clearances. Cleared subs add CMMC Level 2 certification, DFARS 252.204-7012 compliance, and personnel investigations — raising cost and timeline substantially. For civilian, public-facing, or internal-program work, a civilian-only sub is the cleaner fit.

Sources: Federal Subcontracting › Compliance Posture

A sub that explicitly does not hold their own vehicle avoids competing for the agency relationship and stays cleanly inside the prime’s task-order structure.

OlenArc explicitly does not hold OASIS+, 8(a) STARS III, GSA MAS IT, NITAAC CIO-SP, or GSA Polaris as a prime. The vehicles belong to the prime; OlenArc delivers a bounded software module inside the prime’s invoice and compliance posture. This model reduces the prime’s competitive risk: the sub has no incentive to grab the agency relationship, no parallel pipeline at the same agency, and no off-vehicle "we’ll just go direct" leverage.

Sources: Vehicles We’re Sub-Ready Under

Ask for self-assessment status, target SPRS score-submission date, and how the sub deploys CUI workloads.

The standard pattern for a small civilian software sub: NIST 800-171 self-assessment scheduled, SPRS submission planned within 6 months of the self-assessment, and FedRAMP-Moderate deployment via inheritance on AWS GovCloud or Azure Government (not pursued as a CSP). OlenArc’s published timeline:

• NIST SP 800-171 self-assessment: targeted Q4 2026
• SPRS submission: targeted Q1 2027
• FedRAMP-Moderate posture: via inheritance from AWS GovCloud / Azure Gov — we do not pursue FedRAMP authorization as a Cloud Service Provider
• Personnel: no clearances pursued; staffing matches each task order’s compliance requirements

Sources: Compliance & security posture

The five canonical NAICS codes for civilian software subcontracting are 541511, 541512, 541519, 541715, and 518210.

OlenArc’s pursued NAICS codes, with descriptions:

• 541511 — Custom Computer Programming Services
• 541512 — Computer Systems Design Services
• 541519 — Other Computer Related Services
• 541715 — Research and Development in the Physical, Engineering, and Life Sciences
• 518210 — Computing Infrastructure Providers, Data Processing, Hosting, and Related Services

Management-consulting NAICS (541611, 541618, 541690) are deliberately excluded — they don’t fit a discrete-software-delivery positioning, and a sub that lists them sometimes signals "we’ll bid anything."

Sources: Candidate NAICS Codes

Not until SAM activation. UEI is active (QDL3BAL1NLY3); CAGE and SAM are pending. Pre-activation teaming conversations and proposal-capture support are available now.

OlenArc’s registration status: UEI is active (QDL3BAL1NLY3); CAGE Code and SAM.gov registration are pending. A formal sub-PO requires SAM activation. What a prime can do today: engage OlenArc on capture-phase work (SOW co-draft, sample prototypes, sub-paragraph for the prime’s task-order proposal), and book a 25-minute partner call to scope a future engagement that starts after SAM activation.

Sources: Procurement Readiness · Federal teaming inquiries

OlenArc frames its work as Relevant Project Experience, not CPARS-defined Federal Past Performance.

The strongest deployed engagement is the Arctic Slope Community Foundation grant management platform — production-deployed across all 8 North Slope Iñupiat villages, covering applicant portal, admin and review dashboard, AI navigator chatbot, impact reporting, and role-based data separation. This is direct foundation work, not a federal subcontract; the case is framed as evidence of platform shape and Iñupiat-region delivery capacity, not as CPARS Past Performance. Same module shape lifts directly into prime task orders at IHS DGM, BIA / BIE Grants Management, or HHS sub-agency reporting.

Sources: Project Experience

FedRAMP-Moderate via cloud inheritance, NIST 800-171 alignment in progress, and data-sovereignty-aware design built into every engagement.

OlenArc deploys CUI workloads on FedRAMP-Moderate-authorized cloud (AWS GovCloud or Azure Government), inheriting cloud controls; we do not pursue FedRAMP authorization as a Cloud Service Provider. NIST SP 800-171 self-assessment is targeted Q4 2026 with SPRS submission targeted Q1 2027.

Data sovereignty-aware design principles applied to every engagement:

• Client data remains under client ownership and control
• Documented data lineage — what is collected, where it lives, who can access it, and how it is used
• Role-based access separating public / internal administrative / sensitive program data
• Cross-agency data sharing requires explicit user consent (modeled in Olen Hub’s intake flow)
• Existing Tribal, agency, funder, or organizational data policies are followed where they exist; co-developed where they are still emerging

Sources: Risk, Security & Data Practices

No. We operate in the civilian / unclassified lane only.

If your task order requires CMMC Level 2 certification, DFARS 252.204-7012 cyber posture for DoD CUI, or personnel security clearances, we’re not the right fit. We disqualify ourselves early so your compliance officer doesn’t spend a week vetting us only to discover the mismatch. We can refer cleared subs in our network when asked.

Sources: Compliance & security posture › What we deliberately do not pursue · Risk, Security & Data Practices