New contract for background investigations raises concerns about scale and risk

The Defense Counterintelligence and Security Agency (DCSA) sits at the center of one of government’s most sensitive and consequential missions: determining who is trusted to access classified information and facilities. At the heart of that mission is the Case Processing Operations Center (CPOC), a function that powers the intake, processing and quality control of federal background investigations.

As DCSA moves forward with its next-generation CPOC 2.0 procurement, recently released as a draft solicitation on SAM.gov, the agency deserves credit for continuing to modernize a mission that has evolved dramatically over the past decade. Of particular note is DCSA’s incorporation of the critical Continuous Vetting (CV) analytical services mission, a key component of Trusted Workforce 2.0 (TW 2.0), into the CPOC 2.0 draft solicitation along with the original CPOC clerical work covered by the Service Contracting Act (SCA).

But the acquisition strategy now taking shape — a total small business set-aside — raises important questions: how does DCSA balance the government’s commitment to small business participation with the need to deliver at scale for a mission that underpins national security? And how do we respond to the push for more realistic and equitable contract awards and fewer set-asides when some of the nation’s most important contracts still seem to be following acquisition business as usual?

A mission growing in complexity

Although historically CPOC has been procured as a small business set-aside, it has never been a small undertaking. The requirement supports the processing of background investigations for federal and contractor personnel, a workload that has historically included over a million cases annually and millions of investigative actions, requiring 800+ full-time equivalents to support the workload.

And it’s only getting bigger.

Based on the draft, the follow-on contract will expand into CV, a shift from periodic reinvestigations to near real-time monitoring of cleared personnel, analyzing an evolving series of threat alerts against the entire cleared population. That transformation is central to Trusted Workforce 2.0 and demands not just steady-state processing, but adaptability, technology integration and surge capacity.

The small business question

DCSA’s decision to pursue a total small business set-aside is consistent with longstanding federal priorities to expand opportunities for small and disadvantaged firms. That objective is both important and necessary, particularly in a market where consolidation and incumbent advantage can limit new entrants.

But not all requirements are created equally and suitable for small businesses. Large contracts like CPOC need established management discipline and systems, available funding to front payroll and capital expenditures and the ability to compete with large companies to recruit and retain top talent. Due to the inherent risk, most would not consider a contract of this size, complexity and criticality a viable small business set-aside opportunity.

Policy alignment and oversight

There is also a broader policy context to consider.

Secretary Pete Hegseth’s Jan. 16 memorandum, “Contract Review of All Small Business Sole Source and Set-Aside Awards Above $20 Million in Contract Value,” mandates a comprehensive review of such procurements. There is a fundamental question as to whether this acquisition strategy has undergone the appropriate level of scrutiny. Has the CPOC 2.0 procurement been evaluated in accordance with established oversight protocols to ensure alignment with mission priorities, adherence to small business eligibility intent and avoidance of de facto pass-through or structurally constrained competition?

This scrutiny is well-placed. Large, complex procurements introduce risks that must be carefully managed. But scrutiny on the backend only delays critical acquisitions. The government should be carefully considering its contract requirements and how some small business set-asides both slow progress and virtually guarantee litigation.

For a requirement like CPOC, the stakes are unusually high. Delays or performance issues don’t just affect contract metrics, they ripple across the entire personnel vetting enterprise, impacting hiring, readiness and national security. The ability to grow and scale the national security workforce is an imperative to a nation in conflict as the U.S. is today. The current policy and security reality argues for an acquisition strategy that maximizes competition among all capable providers, regardless of size classification.

Another concern raised by industry is the unusually compressed response timeline associated with the CPOC 2.0 acquisition. Requests for information and subsequent requests for purchase have been released with response timelines of just a few days, leaving little time for thoughtful industry input. While short suspense timelines are not uncommon in federal procurement, they can undermine one of the core purposes of draft solicitations: to gather meaningful feedback that improves the final acquisition.

There’s a lot of talk about acquisition reform today. But when basic business as usual, such as short suspense requests like this, is the norm, the only companies who can compete are those who already know the requirement. If the goal is to maximize competition and refine requirements, allowing sufficient time for industry to respond is not just a courtesy, it’s a strategic necessity.

Why this matters for DCSA CPOC 2.0

None of this is to suggest that DCSA’s objectives are misplaced. Supporting small businesses, advancing socioeconomic goals and fostering a diverse industrial base remain essential priorities.

But acquisition strategy should be tailored to mission needs.

The size and scale of DCSA’s mission today demands a robust and wide pool of available resources, not a single, consolidated contract, newly bucketed with additional, more complex requirements and then set aside as a small business acquisition.

DCSA has made significant progress in modernizing the personnel vetting enterprise, and the transition to CV represents a generational shift in how the government manages risk.

The CPOC recompete is a pivotal moment in that journey.

Getting the acquisition strategy right isn’t just about compliance with policy or alignment with small business goals, it’s about ensuring the resilience, scalability and effectiveness of the system that determines who can be trusted with the nation’s most sensitive information.

That’s a mission worth competing for — fully, openly and with the best capabilities available.