Private Equity in Government Contracting: The M&A Diligence Playbook

Private equity investment in government contractors has grown substantially over the past decade. Federal contracting revenue is recurring, often backed by multi-year contracts, and insulated from many commercial economic cycles. These characteristics make government contractors attractive platform investments and add-on targets. But the regulatory overlay in government contracting does not pause for a transaction. Contracts do not automatically transfer. Small business status does not survive most acquisitions unchanged. National security reviews can delay or block deals. Cybersecurity obligations accelerate. And organizational conflicts of interest — invisible before closing — can bar a combined entity from its most valuable opportunities.

This guide covers the issues in the order a sophisticated buyer should encounter them: first the contract transfer mechanics, then the small business and socioeconomic implications, then national security and cybersecurity, then cost and pricing obligations, then OCI. A checklist and glossary follow.

When a company that holds government contracts is acquired, the contracts do not automatically transfer to the new owner. The government's privity of contract means that a contract is between the government and the specific legal entity that signed it. A transaction changes the ownership of that entity, not the identity of the contracting party — but the implications depend entirely on the transaction structure.

Asset acquisitions require novation. Under FAR 42.12, when a contractor transfers all its assets or the portion relevant to the government contracts, the successor must request novation — a three-party agreement among the government, the transferor, and the transferee that substitutes the transferee as the contracting party. The government is not required to novate. Agencies evaluate whether the transferee has the technical capability, financial resources, and organizational stability to perform. Until the novation is executed, the transferor remains the party of record. This creates a gap period during which the contracts are technically unreassigned and the transferor must continue to perform.

Novation requests must include the transfer agreement (or merger agreement), evidence of the transfer, a list of all contracts being novated, evidence of the transferee's qualifications, and an opinion of counsel. The review process can take 60 to 180 days depending on the agency and the complexity of the portfolio. In a platform acquisition with 50 or more contracts across multiple agencies, novation management becomes a significant workday cost center in the months after closing.

Stock acquisitions do not require novation because the legal entity holding the contracts does not change — only its ownership changes. This is one reason why stock deals are common in govcon M&A. However, stock acquisitions do not eliminate regulatory implications; they relocate them. The same performance obligations, representations and warranties, and compliance requirements remain with the entity. Any violations or deficiencies that existed pre-close travel with the entity through a stock deal and become the buyer's problem.

GSA Schedule novation follows the same FAR 42.12 process but involves the GSA Contracting Officer specifically. GSA MAS schedules are among the most valuable assets in a govcon transaction. Losing MAS access during a delayed novation can interrupt hundreds of millions of dollars in ordering activity. Engage the GSA PCO early — ideally pre-closing — and prepare a complete novation package before the transaction closes.

A change-of-name agreement under FAR 42.12 is simpler than a novation and applies when the legal entity remains the same but changes its name (for example, following a rebranding after a PE acquisition). The contracting officer executes a bilateral modification to each affected contract substituting the new name. Change-of-name agreements do not transfer performance obligations or representations — they simply update the party name. If your transaction is structured as a stock purchase with no transfer of assets, a name change agreement (if applicable) is the only FAR 42.12 action required.

If the target company holds any small business set-aside contracts — 8(a), HUBZone, WOSB, SDVOSB, or general small business set-asides — the transaction's impact on small business status is critical and potentially deal-changing.

SBA affiliation under 13 CFR 121.103 is determined by the ability to control a company's management or operations, directly or indirectly. Private equity ownership structures almost always create affiliation between portfolio companies and, in many cases, between the portfolio company and the PE fund itself. If the PE fund or its affiliates have other companies in the same NAICS codes, all affiliated revenues are combined when calculating whether the target meets its size standard. A small business target with $8M in revenue might be affiliated with a PE fund portfolio that produces $200M in combined receipts in the same NAICS code — making it large and ineligible for every small business set-aside contract it holds.

Recertification requirements under 13 CFR 121.404(g) mean that a company that undergoes a merger or acquisition must recertify its size status upon the request of a contracting officer or within 30 days of the merger or acquisition for long-term contracts. For contracts with an ordering period, recertification determines whether future orders can be placed as set-aside orders. If the company recertifies as other-than-small, agencies may no longer be able to place set-aside orders under those contracts. This can materially reduce the value of the existing contract backlog.

For 8(a) participants, additional restrictions apply. An 8(a) company must remain majority-owned and controlled by one or more socially and economically disadvantaged individuals. A PE acquisition that gives the PE firm control over the 8(a) entity would typically terminate 8(a) participation unless SBA approves the change of ownership and determines that disadvantaged status and control are maintained. In practice, PE firms rarely acquire majority ownership of active 8(a) firms for this reason.

For HUBZone companies, the principal office must be located in a HUBZone and at least 35 percent of employees must reside in a HUBZone. These requirements are tied to the physical and employment characteristics of the company, not just its ownership. Post-acquisition integration decisions — office relocations, workforce restructuring — can disqualify a company from HUBZone status and trigger contract performance issues.

For SDVOSB companies, the veteran must own and control the company. PE investment that gives the PE firm effective control — through board composition, approval rights over major decisions, or put/call structures — can disqualify the company. The VA's Center for Verification and Evaluation (CVE) and SBA both have authority to verify SDVOSB status and have taken an expansive view of what constitutes control.

Government contractors with classified contracts, access to sensitive government information systems, or work in defense-critical industries face national security scrutiny that can delay or block a transaction, require structural mitigation, and create ongoing governance obligations post-close.

FOCI is a concept from the National Industrial Security Program (NISP) implemented through the NISPOM (32 CFR Part 117). A company is subject to FOCI when a foreign interest has the power to direct or decide matters affecting its management or operations in a way that could expose classified information to unauthorized disclosure or adversely affect the performance of classified contracts. FOCI is assessed by the Defense Counterintelligence and Security Agency (DCSA) for companies with facility security clearances (FCLs).

For PE-backed transactions, FOCI arises when the PE fund has foreign limited partners with sufficient ownership or influence over fund governance to be considered foreign interests. Even a minority LP position can create FOCI if the LP has special rights — consent rights, veto rights, board observation — that give it influence over the fund's investment decisions affecting the portfolio company. DCSA takes a substance-over-form approach to FOCI analysis and looks through fund structures to identify the ultimate beneficial owners.

FOCI mitigation agreements are negotiated with DCSA and can take several forms depending on the severity: a Board Resolution, a Security Control Agreement (SCA), a Special Security Agreement (SSA), or in the most restrictive case, a Proxy Agreement or Voting Trust Agreement. The mitigation structure determines what governance rights the foreign interest must relinquish and how the classified work is insulated. Negotiating and implementing FOCI mitigation takes three to twelve months and requires engagement with DCSA, the affected agencies, and often outside national security counsel.

CFIUS, under the Foreign Investment Risk Review Modernization Act (FIRRMA) of 2018, has jurisdiction over any transaction that could result in foreign control of a U.S. business, and over certain non-controlling investments in businesses that deal in critical technology, critical infrastructure, or sensitive personal data (TID U.S. businesses). For government contractors, CFIUS review is frequently triggered when the target has classified contracts, handles CUI, operates in defense-critical sectors, or has access to sensitive government systems or data.

CFIUS review can be mandatory (for certain TID businesses and transactions involving foreign government investors) or voluntary (filed proactively to obtain clearance). A transaction that is not filed and later comes to CFIUS attention can be reviewed at any time — including after closing — and CFIUS has the authority to require divestiture or impose mitigation conditions retroactively. Given the increasing CFIUS enforcement posture since FIRRMA, acquirers with any foreign LP exposure should conduct a CFIUS analysis as part of pre-signing diligence.

National security agreements (NSAs) and special security agreements (SSAs) negotiated as CFIUS conditions can impose ongoing obligations: appointment of government-approved directors, facility security requirements, restrictions on technology transfer, and regular audits by government monitors. These conditions become part of the post-close governance structure and must be reflected in the PE fund's portfolio company oversight framework.

If the target holds DoD contracts and handles Controlled Unclassified Information (CUI), DFARS 252.204-7012 requires implementation of NIST SP 800-171 security controls and 72-hour cyber incident reporting. Diligence must assess whether the target has a current System Security Plan (SSP), a Plan of Action and Milestones (POA&M) for control gaps, and a documented score under the NIST SP 800-171 self-assessment methodology. SPRS scores are submitted to the Supplier Performance Risk System (SPRS) and are visible to contracting officers evaluating award decisions.

CMMC 2.0, implemented through 32 CFR Part 170, is being phased into DoD solicitations beginning in 2025. A target that has not invested in CMMC Level 2 readiness — where most DoD service contractors will land — faces a significant capital expenditure post-close to achieve C3PAO certification. Include CMMC readiness assessment in technical and compliance diligence, and model the cost and timeline to certification in your post-close integration plan.

Section 889 of the FY 2019 National Defense Authorization Act (NDAA), implemented through DFARS 252.204-7018 and FAR 52.204-24/25, prohibits federal contractors from using or procuring certain telecommunications and video surveillance equipment or services produced by five named Chinese companies: Huawei, ZTE, Hytera, Hikvision, and Dahua, and their subsidiaries and affiliates. The prohibition applies to all federal contractors, not just defense, and covers equipment used in the performance of the contract as well as equipment used in the contractor's general internal operations.

Diligence should include a review of the target's IT infrastructure, surveillance systems, and supply chain for Section 889-covered equipment. Remediation can be costly — replacing network equipment, security cameras, and telecommunications hardware across multiple facilities — and must be completed before affected contracts can be performed or renewed.

Government contracting has a set of cost and pricing obligations that activate at specific contract value thresholds and can be materially affected by a PE acquisition — both in terms of what triggers them and what the acquiring entity must disclose.

TINA (Truthful Cost or Pricing Data statute), formerly the Truth in Negotiations Act, requires contractors to certify that cost or pricing data submitted for negotiated contracts exceeding $2 million is current, accurate, and complete. A PE-backed roll-up that consolidates multiple contractors can affect what indirect cost pools are shared across the combined entity and what cost data must be disclosed. Defective pricing claims — where the government alleges it paid too much because submitted data was inaccurate — survive the transaction in an asset deal only if assumed, but flow through in a stock deal.

CAS (Cost Accounting Standards) under 48 CFR Chapter 99 apply to contracts exceeding $2 million (modified coverage) or $7.5 million single-award (full coverage), with full coverage also triggered when prior-year CAS-covered awards exceed $50 million. A PE acquisition that combines two previously CAS-exempt contractors into a single business unit can create a CAS-covered entity for the first time and require Disclosure Statement submission, consistency of practice, and potential cost impact analysis across all affected contracts. CAS changes require government approval and can result in significant price adjustments — upward or downward — on all covered contracts.

DCAA accounting system adequacy is a prerequisite for award of cost-reimbursable contracts. If the target has an approved accounting system, a stock acquisition preserves that approval subject to any material change in accounting practices. An asset acquisition into a new legal entity restarts the adequacy determination process. Factor accounting system approval timelines — which can take six to twelve months — into your post-close integration plan if you are restructuring the legal entity.

Incurred Cost Submissions (ICS) are annual filings required within six months of the fiscal year end for all cost-reimbursable contracts. If the target has unfiled or overdue ICS, the PE firm inherits that liability in a stock deal. DCAA has the right to audit ICS for up to six years, and audit findings can result in cost disallowances, refund demands, and penalty assessments for expressly unallowable costs.

Organizational conflicts of interest (OCI) under FAR Subpart 9.5 are the most commonly underestimated deal risk in govcon M&A. An OCI exists when a contractor has an unfair competitive advantage — because it wrote the specifications for a competition, had access to non-public information about competing firms, or would be evaluating its own work — or when it has an impaired ability to give objective advice to the government because it has a competing financial interest.

FAR 9.5 identifies three types of OCI: unequal access to information (where the contractor has access to non-public competitive information unavailable to others), biased ground rules (where the contractor helped write the specifications or statement of work for a procurement), and impaired objectivity (where the contractor would be evaluating its own work or the work of a related company).

In a PE roll-up strategy, OCI risk is additive. Each company added to the platform may bring existing OCI restrictions — advisory and assistance services contractors are particularly likely to have biased-ground-rules or impaired-objectivity OCIs — and the combination of two companies that independently have no OCI may create OCI for the combined entity. A company that provides technical advisory services to an agency and another company in the same portfolio that bids on implementation contracts for that agency creates an impaired-objectivity OCI that could disqualify either company from future competitions.

Diligence should identify all existing OCI mitigation plans, firewall arrangements, and agency-granted OCI waivers for each target. Legal counsel with OCI expertise should model the combined entity's OCI exposure and assess whether any existing awards are at protest risk post-close. The 2025 proposed FAR rule on OCI (RIN 9000-AO54), which is expected to codify and expand the existing guidance, adds additional urgency to this analysis.

The following checklist organizes the diligence and integration actions described in this guide by phase.

Pre-LOI / Early Diligence:

• Confirm transaction structure (asset vs. stock) and its implications for novation requirements
• Identify all government contracts by type (CPFF, FFP, T&M), vehicle, agency, and period of performance
• Map small business set-aside contracts and assess recertification impact under 13 CFR 121.404(g)
• Screen for foreign LP exposure in your fund structure and assess FOCI and CFIUS triggers
• Confirm whether the target is CMMC Level 2 certified or assess gap to certification
• Screen IT infrastructure for Section 889-covered equipment
• Identify existing OCI mitigation plans and model combined-entity OCI exposure

Signing to Closing:

• Engage DCSA if FOCI mitigation is required; allow 3–12 months for SSA or SCA negotiation
• File CFIUS notice if required or voluntarily to obtain clearance
• Prepare novation request packages for all asset-transfer contracts
• Engage GSA PCO for MAS schedule novation pre-close
• Conduct DCAA accounting system gap assessment if restructuring the legal entity
• Review CAS coverage thresholds for combined entity; prepare Disclosure Statement if newly covered
• Identify overdue or unfiled Incurred Cost Submissions and assess audit risk

Post-Close Integration:

• Execute novation agreements across all agencies; track status by contract and agency
• File recertification for set-aside contracts where required by agency request
• Implement FOCI mitigation governance structure (board composition, security officer appointments)
• Remediate Section 889-covered equipment on a contract-by-contract priority basis
• Budget and timeline CMMC Level 2 C3PAO assessment; assign internal CMMC lead
• Establish OCI firewall protocols across combined entity; document in writing
• Set up CPARS monitoring protocol for all active contracts

If you are evaluating a government contractor acquisition, start with two questions: what is the transaction structure, and what is the small business status of the target? These two factors determine the scope and urgency of the regulatory analysis that follows. From there, work through the checklist above in order — novation and recertification, national security and cybersecurity, cost and pricing, OCI — and engage specialists in each area early enough to surface issues before they affect valuation or close timing.

The companies that get government contracting M&A right are the ones that treat it not as a standard commercial acquisition with extra paperwork, but as a regulated transaction where government consent — explicit or implied — is part of the deal. The government does not owe you a novation, does not guarantee your set-aside contracts survive recertification, and does not waive OCI or FOCI issues because you are a sophisticated buyer. Build those realities into your investment thesis and your post-close integration plan, and you will be prepared for the complexity that makes govcon M&A both challenging and rewarding.

8(a) Business Development Program

SBA program for small businesses majority-owned and controlled by socially and economically disadvantaged individuals; participants receive set-aside and sole-source contract opportunities.

CAS (Cost Accounting Standards)

Standards at 48 CFR Chapter 99 requiring contractors to disclose and consistently follow cost accounting practices on government contracts above specified thresholds.

CFIUS

Committee on Foreign Investment in the United States; reviews foreign investments for national security risks under FIRRMA and can require mitigation or block transactions.

CMMC (Cybersecurity Maturity Model Certification)

DoD program under 32 CFR Part 170 requiring contractors handling CUI to achieve specified cybersecurity maturity levels, with third-party assessments for Level 2.

CPARS

Contractor Performance Assessment Reporting System; federal system for recording and retrieving past performance evaluations under FAR 42.1502.

DCAA

Defense Contract Audit Agency; audits contractor accounting systems, incurred costs, and cost proposals on DoD and other federal agency contracts.

DCSA

Defense Counterintelligence and Security Agency; adjudicates FOCI determinations and approves facility security clearances under the NISP.

FOCI (Foreign Ownership, Control, or Influence)

Condition where a foreign interest has the power to influence the management or operations of a U.S. government contractor in a way that could expose classified information; assessed by DCSA under 32 CFR Part 117.

HUBZone

Historically Underutilized Business Zone; SBA certification requiring principal office location and 35 percent employee residency in designated zones.

ICS (Incurred Cost Submission)

Annual cost report required from cost-reimbursable contractors within six months of fiscal year end; subject to DCAA audit for up to six years.

Novation Agreement

Three-party agreement under FAR 42.12 that transfers contract rights and obligations from the transferor to the transferee in an asset acquisition; government consent required.

OCI (Organizational Conflict of Interest)

Situation under FAR Subpart 9.5 where a contractor has an unfair competitive advantage or impaired objectivity due to prior work for the government or related financial interests.

SDVOSB

Service-Disabled Veteran-Owned Small Business; certification requiring majority ownership and management control by a service-disabled veteran.

Section 889

FY 2019 NDAA provision prohibiting federal contractors from using or procuring telecommunications equipment from specified Chinese companies including Huawei, ZTE, and others.

SBA Affiliation

Relationship under 13 CFR 121.103 where entities are considered affiliated for size determination purposes because one controls or has the power to control the other.

TINA (Truthful Cost or Pricing Data)

Requirement under 10 U.S.C. 3701 and 41 U.S.C. 3501 that contractors certify the accuracy, currency, and completeness of cost or pricing data on negotiated contracts exceeding $2 million.

WOSB

Women-Owned Small Business; SBA certification for businesses majority-owned and controlled by women, providing access to WOSB set-aside contracts in underrepresented industries.

• Federal Acquisition Regulation (FAR) Subpart 42.12, Novation and Change-of-Name Agreements — acquisition.gov
• SBA Size Standards, 13 CFR Part 121 — ecfr.gov
• SBA Size Recertification, 13 CFR 121.404(g) — ecfr.gov
• National Industrial Security Program Operating Manual (NISPOM), 32 CFR Part 117 — ecfr.gov
• FIRRMA (Foreign Investment Risk Review Modernization Act), 31 CFR Part 800 — ecfr.gov
• CMMC Final Rule, 32 CFR Part 170 — federalregister.gov
• DFARS 252.204-7012, Safeguarding Covered Defense Information — acquisition.gov
• NIST SP 800-171 Rev. 2, Protecting CUI in Nonfederal Systems — csrc.nist.gov
• Section 889, FY 2019 NDAA; FAR 52.204-24 and DFARS 252.204-7018 — acquisition.gov
• Cost Accounting Standards, 48 CFR Chapter 99 — ecfr.gov
• FAR Subpart 9.5, Organizational and Consultant Conflicts of Interest — acquisition.gov
• Proposed FAR Rule on OCI, RIN 9000-AO54 — federalregister.gov