Getting selected as a technology subcontractor on a defense cloud program is a significant win — but the work isn't done at contract signature. Defense subcontractor onboarding involves security clearance processing, DCAA accounting compliance, system access provisioning, and integration into the prime's program management cadence. Understanding what to expect prevents delays that cost credibility and money.
Why Defense Subcontractor Onboarding Is Different
Commercial software subcontracting starts when you get a signed contract and access to the code repository. Defense subcontracting involves layers of compliance, investigation, and access control that can take weeks to months before your team is actually productive on the program.
Understanding this timeline prevents three common mistakes:
1. Understaffing onboarding: treating it as a back-office activity rather than a dedicated effort
2. Cash flow surprises: starting work before onboarding costs are recovered, creating working capital gaps
3. Understating setup time in proposals: promising delivery milestones that don't account for onboarding duration
Personnel Security Clearance Requirements
The clearance requirements for your assigned personnel are specified in the contract or subcontract. Common levels for defense cloud programs:
Secret (NACLC/SSBI): The baseline for most defense IT programs. Initial investigation for a Secret clearance currently takes 3–9 months for new clearance cases. If your assigned personnel already hold active Secret clearances (verified in JPAS/DISS), onboarding can happen within days of contract award.
TS/SCI: Sensitive Compartmented Information access for programs handling intelligence-related data. Full-scope polygraph may be required for certain SCI access levels. TS/SCI investigations take 12–24 months for new cases. Planning that assumes cleared personnel are readily available at hire is a common proposal mistake.
COMSEC (Communications Security) access: Programs involving cryptographic equipment or key material require COMSEC responsibilities and associated training. Designate a Primary COMSEC Responsible Officer (PCRO) per DISA guidance.
Practical approach: For proposals, identify all currently cleared personnel you plan to assign and verify their clearance level and activity in DISS before proposing them. Cleared staff available for immediate assignment is a significant teaming advantage.
Facility Security Clearance (FCL) Mechanics
Your company must hold an FCL at the appropriate level to access classified information. If your company doesn't have an FCL:
- The prime initiates the FCL sponsorship request through the Defense Counterintelligence and Security Agency (DCSA)
- Your Facility Security Officer (FSO) applicant completes FSO training (available through DCSA)
- DCSA conducts a facility assessment and personnel investigation for key management
- FCL is granted at the appropriate level
The FCL process takes 3–12 months. If your company anticipates defense technology contracts, begin the FCL process before a contract requires it — not after award. Identify a candidate for the FSO role and have them complete DCSA FSO training proactively.
DCAA Accounting Compliance
The Defense Contract Audit Agency (DCAA) audits contractors billing to defense cost-type contracts. If your subcontract is cost-type (CPFF, CPAF, CPIF) rather than firm-fixed-price (FFP), your accounting system must be DCAA-compliant before billing.
DCAA accounting system requirements:
- Segregation of direct vs. indirect costs: Direct costs (labor and materials traceable to specific contracts) must be kept separate from indirect costs (overhead, G&A, fringe benefits)
- Job cost tracking: Labor must be tracked by employee, by contract, by CLIN (Contract Line Item Number)
- Timekeeping system: All employees must track time by contract and by CLIN. Time records must be contemporaneous (recorded daily), accurate, and retained
- Unallowable cost identification: Costs specifically prohibited under FAR Part 31 (entertainment, lobbying, certain marketing) must be identified and excluded from billing
Recommended systems:
- QuickBooks Enterprise (not QuickBooks Online) with job costing: Affordable for small contractors, well-understood by DCAA
- Deltek Costpoint: The government contractor standard for mid-size and large contractors. More expensive but purpose-built for FAR Part 31 compliance and DCAA audit support
- Unanet: A growing alternative to Costpoint for government contractors
Pre-award accounting system survey: DCAA may conduct a pre-award accounting system survey before you begin billing on cost-type contracts. The survey verifies that your system can meet billing requirements. Having your accounting system demonstrably set up before the survey significantly reduces the time to first invoice.
Security System Access Onboarding
Once personnel clearances are verified in DISS, provisioning access to program-specific systems begins:
Program network / IT system access: Classified systems (SIPRNET, JWICS for classified networks, or program-specific enclaves) require:
- Cleared computer workstation with applicable STIG hardening
- PKI certificate from an approved CA for login
- VPN or network access approval from the system ISSO
- Acceptable Use Policy (AUP) acknowledgment
Unclassified program systems: GovCloud environments, Software Factory access, and program management tools typically require:
- CAC/PIV-based authentication or MFA
- Role-based access provisioning by the program ISSO
- Completion of annual cybersecurity awareness training
Timeline for access provisioning: Budget 2–4 weeks from clearance verification to functional system access for most programs, assuming the prime's ISSO is responsive. Delays in ISSO responsiveness are a common source of subcontractor onboarding delay; follow up consistently without being adversarial.
Integration into Program Management Cadence
Defense programs run on formal program management rhythms that subcontractors must understand and participate in:
IPTs (Integrated Product Teams): Topic-specific working groups. Your technical staff will be assigned to relevant IPTs and must attend and actively contribute. IPT meeting preparation is not optional.
Monthly status reports (MSRs): Subcontractors typically submit status against contract deliverables, completed work, upcoming milestones, risk items, and financial status. Establish your MSR template and reporting schedule in the first week of performance.
Earned Value Management (EVM): Cost-plus contracts above certain thresholds require EVM reporting — tracking planned value, earned value, and actual costs against a performance measurement baseline. If your subcontract requires EVM, ensure your accounting and project management systems can generate EVM data.
Deliverable schedule: Contract deliverables have specific CDRLs (Contract Data Requirements Lists) with due dates, format requirements, and submission procedures. Missing a CDRL is a compliance issue. Track all CDRLs from the subcontract in a dedicated tracker with lead time for review and resubmission.
Rutagon operates as both a prime and subcontractor on government technology programs.
Frequently Asked Questions
How long does it take to onboard a subcontractor on a defense program?
In the best case — cleared personnel, existing FCL, DCAA-compliant accounting — a subcontractor can be productively onboarded in 2–4 weeks. In the typical case — one or two new clearance investigations, FCL pending, accounting system needing DCAA review — onboarding takes 3–6 months. For programs requiring TS/SCI with polygraph, onboarding can take 18+ months for new personnel. Understanding your specific program's timeline early allows planning.
Do I need a DCAA-compliant accounting system for fixed-price subcontracts?
Firm-fixed-price subcontracts do not require DCAA-approved accounting systems in the same way cost-type contracts do — you bill your fixed prices without cost reporting. However, maintaining a government contractor-compliant accounting system is recommended even for FFP shops because: (1) future cost-type work may require it, (2) primes may require it as part of their oversight of subcontractors, and (3) it simplifies tracking and reporting on your own profitability by contract.
What is a CAGE code and how do I get one?
A Commercial and Government Entity (CAGE) code is a unique identifier assigned to government contractors. It is required for SAM.gov registration and for all government contracting activities. CAGE codes are assigned automatically when you register in SAM.gov — there is no separate application. Existing companies not yet registered in SAM.gov can obtain a CAGE code by completing SAM.gov registration at sam.gov.
What are the most common subcontractor onboarding mistakes on defense programs?
The most common mistakes are: (1) not starting clearance processing until after contract award, creating months of delay, (2) underestimating the DCAA accounting system setup cost and timeline for first cost-type contract, (3) not identifying a qualified FSO candidate before the FCL is required, and (4) missing CDRLs in the first 30–60 days of performance due to unfamiliarity with the prime's delivery process. Getting ahead of each of these in the proposal phase prevents first-quarter performance problems.