Sign in Subscribe
By V. David Zvenyach

Compliance matrices

Hi everyone, happy 2026! Glad to be back in your inboxes with another issue of GovContrActually. This year, I am hoping to make some adjustments to the newsletter. For example, at the bottom of this newsletter, you'll find links to "snippets" of recent GAO protests and GSA announcements that I'm posting in relative realtime on the website (https://govcontractually.com/tag/snippet/). As another example, I plan to move a bit more into deeper procurement policy conversations and beyond bid protests. As always, though, I appreciate you taking the time to read the posts and am grateful for any feedback. And now, on to the post.

When working on proposals for a government contract, a common artifact is the "compliance matrix." The compliance matrix is usually a spreadsheet, with each row representing a solicitation requirement. The spreadsheet's columns describe what the requirement is, where the requirement can be found in the solicitation, and, ultimately, whether the proposal meets the requirement.

If you step back and think about it, though, a "compliance matrix" is kind of a weird artifact.

In other domains, it would be strange for a seller to spend time generating detailed checklists just to make sure a proposal lands with a buyer. Sure, there might be a checklist, but it's not a huge deal; the main event is selling on value, outcomes, product differentiation, and price. If there's a spreadsheet, it's related to financing options and payback periods. Not typeface, page length, and ISO certifications.

The govcon domain requires compliance matrices because, well, governments are fundamentally compliance-sensitive buyers.

But the emphasis on compliance, and the existence of a compliance matrix, can be a bit misleading in practice because compliance itself isn’t always a binary. In some cases, even if a requirement seems like a nonnegotiable "must have," the government might look the other way if the requirement isn't met. Or in the other direction, failing to meet a soft requirement might end up tanking your proposal.

This week, the GAO published two cases that illustrate how misleading a binary framing can be.

  • In the first case—Hurricane Consulting, Inc.—the VA was seeking services for "warehouse logistics support services." After the first phase of a three-phase downselect, the VA gave HCI a "no confidence" rating for award. Why? Because, among the requirements in the solicitation was a requirement for four key personnel that each had "a minimum two years' experience with five years preferred in supervising warehouse logistical operations." And in HCI's case, because two of their proposed key personnel did not meet the 2-year minimum, they didn't get past the first step. A classic, nonnegotiable requirement.
  • In the second case—Salient CRGT, Inc.—the GAO was seeking "technology information services." In the solicitation, there was a requirement that one of the key personnel "must demonstrate expert (a minimum of 5 years) experience and/or knowledge related to a bulleted list of specific experience (e.g., designing, engineering, quality assurance and testing and operating cloud environments), and listed special qualifications and certifications including a bachelor's degree in computer science, information technology (IT), or a related field." Pretty clear "must", right? Well, SAIC proposed a "cloud lead" that had a degree in psychology, not comp sci or IT. Did that disqualify them? Nope! The agency said that "the lack of related bachelor's degree is a minor weakness in this instance where the individual has extensive experience and has the education and training that comes with his numerous certifications and where Psychology is a STEM field that can help provide insight into user behavior and experience." In other words, that "must-have requirement" was actually just a "minor weakness."

In both cases, the key personnel's minimum qualifications would show up as a row in the compliance matrix. On paper, they're both hard requirements. But the failure to meet the requirements had different outcomes.

Which brings us to Gen AI. Over the course of the past year, the govcon market has become saturated with promises of automatically generated compliance matrices. And sure, the temptation is obvious: why wouldn't it work to just point Claude or GPT-5.2 at a solicitation, have it “extract all requirements,” and spit out a compliance matrix? They might even come with citations! The dream!

And, look, these tools can be pretty helpful in proposal management. I've even given a talk about it!

But these cases are a healthy reminder that proposal-compliance work is not really an exercise in box-checking as much as it's an interpretation of what boxes need to be checked.

As long as humans are on the other side of the review[1], they are going to exercise some discretion in letting certain requirements slide by and using others to disqualify a vendor. That's just how it works.

AI might be faster and, I suppose, more confident in the creation of a matrix. And I have no crystal ball to predict whether compliance matrices will continue to be useful artifacts in a world of Generative AI.

But it's worth remembering that following a compliance matrix does not guarantee a perfect bid, because they are designed to be an approximation of what the government actually needs, a useful tool for guiding human judgment in preparing proposals. Compliance matrices don't ensure compliance; they are simply our best guess at how discretion will be applied.

[1] And they might not always be? On the same day that this opinion came out, GAO released a different Salient CRGT opinion where the protestor alleged that the government "improperly relied upon artificial intelligence (AI), rather than agency evaluators." The agency denied it and the GAO rejected the argument, but who knows what will happen down the road!

GAO Protest Snippets

  • Technical degree required? Nah. Sometimes, an agency wants key personnel with specific degrees. Here, a solicitation asked for someone with a technical degree (comp sci), but the agency ended up being ok with someone with a psychology degree, concluding it was a "minor weakness." Outcome? Protest denied. Didn't help that the protestor also had a non-comp-sci KP. GAO: Salient CRGT, Inc., B-423283.3 (Dec 05, 2025)
  • A big enough "party bus". Protestor argued that awardee's past performance — including the Air Force's "party bus contract" — wasn't at sufficient "scale." The agency argued that scale did not require a dollar‑value analysis and GAO agreed that the nature of the work (not prior contract value) was sufficient. Also, watch this space! "[W]hile not presented as a distinct protest ground, underlying the protester's numerous arguments taking issue with Salient's evaluation are allegations that DCSA improperly relied upon artificial intelligence (AI), rather than agency evaluators, to conduct the evaluation. In its report responding to the protest, the agency addressed these allegations. (attesting that “human evaluators” assessed quotations).
    GAO: Salient CRGT, Inc., B-423640.2,B-423640.4 (Jan 05, 2026)
  • Guidehouse gambled, and lost. Guidehouse received a "no-confidence" rating on its staffing plan after it deviated from the solicitation's "staffing matrix" to offer a lower price. On protest, the agency argued that the staffing plan "relied on unsupported and inadequately explained assumption" and didn't articulate benefits to the agency. GAO sided with the agency. Protest denied.
    GAO: Guidehouse Digital, LLC, B-423833,B-423833.2 (Jan 05, 2026)
  • Gotta meet the requirements. Protestor was assigned a significant weakness because the solicitation required "80dB RF attenuation" for the facility and two doors and the protestor only offered "a minimum of 60dB of attenuation." Despite a sizable cost difference, agency determined that the failure to meet 80dB RF attenuation was enough to go a different direction. GAO denies protest. GAO: Assisted Building Solutions, LLC, B-423895,B-423895.2 (Jan 08, 2026)
  • Scope drift. Protestor's claim that a Navy IDIQ didn't cover AI/ML was tossed because the contract covered "technical tasks, including those that involve the optimal utilization of IT tools and software development." Why wasn't AI/ML included explicitly five years ago? "At the time the [IDIQ] was issued nearly five years ago, utilization of AI/ML was not sufficiently widespread to be included in the performance work statement." But a broad scope covered the new tech and the $35 million threshold applied, so the protest was dismissed.
    GAO: JDSAT, Inc., B-423868 (Jan 12, 2026)
  • Minimum experience was not optional. Solicitation required four key personnel that each had "a minimum two years' experience with five years preferred in supervising warehouse logistical operations." But 2 of the protestor's key personnel did not meet the 2-year minimum. Agency considered that a material deficiency and GAO upheld the agency's decision. Protest denied. GAO: Hurricane Consulting, Inc., B-423839,B-423839.3,B-423839.4,B-423839.5 (Jan 02, 2026)
  • Preference Pecking Order. The VA noticed intent to sole source "switchboard services" under the AbilityOne program to the Central Association for the Blind under the Javits-Wagner-O'Day (JWOD) Act. Protestor claimed that this violated the Veterans First Contracting Program's Rule of Two for SDVOSBs or VOSBs. GAO explained that the Department of Veterans Affairs Contracting Preference Consistency Act addresses the conflict and JWOD has priority. Protest denied. GAO: Magellan Solutions USA, Inc., B-423857 (Jan 12, 2026)
  • One minute late. Protest window closed at 5:30 pm. Protest came in at 5:31 pm. Dismissed. GAO: Mission Analytics, LLC, B-423980 (Jan 14, 2026)

Contract Vehicle Updates / Snippets:

Subscribe to GovContrActually

Don’t miss out on the latest issues. Sign up now to get access to the library of members-only issues.
jamie@example.com
Subscribe