Most people assume government contracting is reserved for large, established primes with dedicated capture teams. It isn't. The federal government buys everything from screws to ship components from small businesses every single day, and a large share of those opportunities go unbid simply because contractors don't know how to find or read them.

Tristan Thomas is proof of how navigable the system actually is. He started MeND Sourcing out of a garage in 2021 with no background in government contracting. Five years later, his company has been awarded more than 320 contracts through the Defense Logistics Agency (DLA) alone. Speaking at last month’s Secureframe National Cybersecurity Summit 2026, he walked through the exact process his team uses to find, bid on, and win government contracts.

This guide distills that process into a clear path you can follow, whether you're chasing your first award or trying to win more consistently.

Understanding what government contract opportunities are out there

"How to get government contracts" is a broad question, and there are many ways in: SAM.gov, GSA schedules, and agency-specific portals are just a few. But if you want the most accessible entry point, look at the Defense Logistics Agency (DLA).

The DLA is the logistics and supply arm of the Department of Defense. The simplest way to picture it, in Thomas's words: "Think of the DLA as the Amazon for the military." When a mechanic on a ship needs a specific part, the request flows through the DLA, which issues it to contractors as a request for quotation (RFQ). You fulfill the order, and the DLA delivers it to the warfighter.

The scale is hard to overstate. According to data shared in Thomas’s session, in fiscal year 2024, the DLA processed roughly $52.6 billion in obligations. Enough that, as a private company, it would rank in the top 350 of the Fortune 500. More than 40% of that spend is carved out specifically for small businesses (approximately $21 billion).

Here's the part most people miss: The agency puts out 1,500 to 2,000 RFQs every single day—roughly more than 500,000–700,000 per year—and a large number of those go untouched.

"A lot of them just sit there, and no one's bidding on them," Thomas said. 

In short, government contract opportunities aren’t scarce. The bottleneck is knowing how to navigate them.

How to get government contracts for small business

The steps below are tailored to small businesses, but can help any type of business secure a government contract. 

Step 1: Register as a government vendor

Before you can bid, you need three things in place:

• An active SAM.gov registration. This is the federal system you must be registered in to do business with the government. Keep it current.
• A CAGE code. This is your unique identifier as a government contractor. It's how the DLA tracks your awards and your credibility. You’ll be assigned this during SAM.gov registration.
• A DIBBS registration. DIBBS, the DLA Internet Bid Board System, is where DLA solicitations live, and registration is free. Once you register, the DLA mails a postcard to verify your address, and you're in.

Location is irrelevant here. "Whether you're working from home, in a garage, or a warehouse, it really doesn't matter," Thomas said. "If you can register, you can bid."

A small operation can compete directly with much larger players.

Step 2: Use set-asides to get your foot in the door

Set-asides are the single fastest way for a new contractor to start winning government bids. These are contracts reserved for specific business categories:

• service-disabled veteran-owned small businesses (SDVOSB)
• women-owned small businesses (WOSB)
• HUBZone businesses
• economically disadvantaged businesses, and 
• small businesses broadly.

mage source: DLA Energy's Bulk Petroleum Supplier Pathway Training Resource

Thomas's company qualifies as an SDVOSB through his business partner's designation, and that's precisely how they broke in. 

He uses a fishing analogy to explain why it matters: you don't want to drop your line where 30 other people are already fishing. You want the pond that still has fish in it and few competitors. A set-aside is that pond. It narrows the field and gives a smaller business a real shot against the bigger players.

The federal goal for SDVOSB awards has been raised to 5%, which is significant against tens of billions in annual obligations. Using DLA’s 2024 data, that’d be $2.6 billion.

If you qualify for a designation and don't have it yet, getting certified should be your first move. SDVOSB certification runs through the SBA's veteran certification portal, and WOSB certification runs through the SBA as well.

As Thomas put it, set-asides "got our foot in the door, which then we could kick open." His team eventually expanded to bidding on everything, but the designation is what made the early wins possible.

Step 3: Find winnable opportunities with FSC codes

Once you're in DIBBS, the volume of RFQs can be overwhelming. The way to cut through it is the Federal Supply Class (FSC), a four-digit code the DLA uses to categorize what it's buying. Rather than scanning everything, you search only the FSCs you've chosen to focus on.

The most common question Thomas gets is which FSC is "best." His answer: there isn't one. There’s only what’s best for your specific business. To narrow that down, focus on items where you have an edge, whether that's a manufacturer connection, industry knowledge, or supply relationships others don't have.

"Focus on items that you can find, where you have a competitive advantage," he said.

His strongest tactical advice here is to stay narrow. Many people try to chase 10 or more FSCs at once. He recommends three to four at most when starting out, so you can become genuinely expert in those categories rather than spread thin across all of them.

One myth he clarified: an old RFQ still sitting in the system does not mean no one wants the item. Thomas checked this directly with the DLA. Older solicitations linger because of internal turnover, since people move between departments and don't always close out or reassign their RFQs. Don't read into the age. Sort newest-first and work your way down.

Step 4: Read an RFQ like a pro

A single solicitation can run 25 pages, but most of it boilerplate FAR clauses. You don't need to read all of it to bid. You need to know where the decision-making information lives. The pages of clauses matter once you win the contract, and they don't need to slow down your quote.

Here's what Thomas actually pulls from every RFQ:

• The solicitation number and purchase request number. These tie the request back to the government's underlying order.
• The procurement history. This shows who won the item before, in what quantities, at what unit cost, and when. Critically, it's not a target price. "The procurement history isn't telling you a price you have to hit," he said. "It's telling you a story." Use it to judge whether the item is worth pursuing based on what your vendor can actually offer.
• The NSN versus the part number. The DLA tracks items by National Stock Number (NSN), while manufacturers track them by their own internal part numbers. Your job is to be the interpreter between the two. Hand a manufacturer an NSN and many won't recognize it, so you have to translate.
• The CLIN (Contract Line Item Number). This is the line that tells you exactly what's being bought and in what quantity. It's the line you send to your vendor for pricing.
• Delivery terms. Note the required delivery window, but quote what you can actually achieve. Price matters more to the DLA than speed, and they'll often wait. Also check the shipping terms: when a contract is FOB Origin, the government pays for shipping to the destination, which levels the playing field between a contractor in California and one next door to the depot.
• Packaging requirements and approved sources. Note the packaging standard called for (more on this below). And if the RFQ lists approved sources, you must source the part through one of those companies.

Step 5: Build vendor relationships, the real moat

The hardest and most valuable part of contracting isn't finding RFQs. It's the supplier relationships behind your bids. Thomas estimates that of hundreds of opportunities, only the right 10% are worth bidding on, and which 10% comes down to the vendor relationships you've built.

Most contractors fail here because they take the path of least resistance: one email, no response, give up. Thomas's team does the opposite. Every email is followed by a phone call. Even when a supplier sends back a "no-bid," he picks up the phone.

 "It's much harder to say no to a person when you hear their voice," he said. One of his largest partners started as a no-bid.

The mindset is proactive, not passive. "Don't think they're going to come to you with pricing," he said. "You have to be the squeaky wheel." 

Introduce yourself, show suppliers why working with you brings them volume, and deepen the relationship over time.

Step 6: Price your bid to win and protect your margin

There's a clean formula for pricing a bid. Start with your item cost, then add packaging, any labeling or inspection costs, and shipping (unless it's FOB Origin, in which case the government covers it). That gives you a subtotal. Add your margin, divide by the quantity, and you have your bid price.

Two things make or break this step.

First, don't underestimate packaging. 

Many contractors do, and Thomas has seen packaging cost more than the part itself. If you're not handling it in-house, line up a packaging partner before you bid.

Second, think in dollars, not just percentages.

The margin sweet spot on DLA contracts sits between 10% and 15%. Bid 20% to 25% and you'll get underbid every time. But the bigger insight is how Thomas's team reframed the decision. 

They stopped fixating on whether a bid hit a specific percentage and started asking a simpler question: "Does this profit justify the amount of work I need to do?" 

If a slightly lower dollar profit is still worth it, taking it lowers your bid price and makes you more competitive. That shift, he said, led directly to more awards.

5 mistakes that cost government contracts

We’ve covered what to do, now let’s go over what not to do when trying to get government contracts.

Thomas named the bidding errors his own team made early, and still sees constantly that cost organizations awards:

1. Not reading the full solicitation. Skipping straight to the CLIN means missing who pays for shipping, what packaging is required, and other terms that quietly determine whether a bid is even profitable.
2. Trusting a single supplier quote. Get more than one price, and audit your vendors regularly. A supplier who marks up because it's a government contract will quietly make you uncompetitive.
3. Promising delivery dates you can't hit. If the government wants it in 105 days but your vendor needs 200, put 200. Price usually wins anyway, and a missed delivery damages your standing.
4. Forgetting flowdowns. Post-award, the proper requirements have to flow down to your manufacturers. Skip this and you risk fulfillment problems.
5. Ignoring your SPRS score. The Supplier Performance Risk System (SPRS) is the government's measure of your reliability, effectively a credit score for contractors, built on on-time delivery, correct parts, and meeting specs. You start with none, just like an 18-year-old with no credit history. Build it deliberately and check it regularly, because the government is weighing whether it can trust you to deliver to the warfighter.

What's changing: CMMC in government contracts

If you're entering DoD contracting now, there's a development you can't bid your way around. The Cybersecurity Maturity Model Certification (CMMC) is already appearing on RFQs, according to Thomas, and it's becoming a standard condition of award across DoD contracts. In fact, the DLA is already starting to require CMMC attestations before some awards.

Thomas, who is going through the CMMC certification process himself, doesn't sugarcoat it: "It's this freight train. You have enough time to get out of the way and prepare, but a lot of people are just sitting on their hands." 

The contractors who treat CMMC as a future problem are the ones who'll be locked out of bids when the requirement lands on the contracts they depend on.

The rollout (defined in 32 CFR 170.3(e)) is already underway. Under the DoD's CMMC phased implementation timeline:

• Starting in Phase 1 on November 10, 2025, while the focus was on self-assessment requirements, the Level 2 (C3PAO) requirement could be included in contracts at the DoD’s discretion.
• Starting in Phase 2 on November 10, 2026, DoD contracting officials can include this third-party requirement in all applicable contracts involving Controlled Unclassified Information (CUI) as a condition of award or defer it to an option period.
• Starting in Phase 3 on November 10, 2027, Level 2 (C3PAO) will be required in all applicable contracts as a condition of award.
• Starting in Phase 4 on November 10, 2028, all CMMC level requirements will be implemented in applicable contracts as a condition of award.

What CMMC level you need depends on the data you handle. If you only touch Federal Contract Information, you're likely Level 1. If you store, process, or transmit CUI, you're at Level 2, which means implementing all 110 requirements in NIST SP 800-171 Revision 2 and, for most CUI contracts, passing a third-party assessment. Level 3 is reserved for 1% of contractors handling the most sensitive CUI.

There's real urgency for smaller contractors in particular, because primes are already enforcing CMMC down their supply chains ahead of the government's own deadlines.

The good news is that CMMC isn't a reason to stay out of government contracting, particularly for smaller businesses. It's a reason to get ready early, while you still have runway, and small businesses have a clear path to compliance.

How to get government contracts with CMMC requirements using Secureframe Defense

Government contracting rewards the people who understand the process and do the unglamorous work: registering properly, choosing the right categories, reading RFQs efficiently, building real supplier relationships, and pricing to win. None of it requires a background in defense. Thomas started in a garage.

Bottom line: The opportunity is enormous, the system is more navigable than it looks, and the contractors who prepare, including for what's coming with CMMC, are the ones who win.

And you don’t have to do it alone. As Thomas told the summit audience: "If you need assistance, there is assistance." 

Secureframe Defense was purpose-built for Defense Industrial Base contractors to make CMMC readiness achievable on a realistic timeline. With this end-to-end solution, you can:

• Auto-provision a CMMC-compliant cloud environment in GCC High or Google Workspace for CUI and devices required to securely access it.
• Generate the SSP, POA&M, and CMMC policies and procedures you'll need with AI and keep them up-to-date based on your live control environment
• Implement all Level 2 requirements following a guided workflow to get 100% assessment-ready before engaging with a C3PAO
• Maintain certification with a continuous compliance platform that automates CMMC-specific drift detection, evidence collection, risk management, and other operational guardrails.

And you can complete this all without pulling your team off the work of winning awards. As CMMC enforcement continues to ramp, being prepared is what keeps you eligible to bid.

To see how Secureframe Defense automates the CMMC side of staying contract-eligible, talk to a CMMC expert.