How would codifying the 'rule of two' in House proposals change small business set-aside opportunities and what should small firms do now? 2026

According to GSA guidelines, contractors must expect a stronger presumption in favor of small-business set-asides if the House proposals codify the 'rule of two.' The change directly affects contracting officers, large prime contractors competing for subcontracts, and certified small businesses (8(a), HUBZone, WOSB, VOSB, SDVOSB). Per FAR 19.502, contracting officers already must perform market research and document determinations when setting aside requirements; codification makes the paperwork and set-aside decision the default rather than an exception. The SBA reports that 78% of agency small-business goaling relies on timely documentation and accurate classification of firms; codification would therefore increase SBA monitoring and reporting activity. Under OMB M-25-21, agencies will be expected to justify cloud and AI acquisitions that affect small business access to procurements, and those justifications will now need to align with a statutory 'rule of two' presumption. DoD's CMMC framework requires cybersecurity vetting for many defense procurements, and small firms should budget the time and dollars to meet CMMC or FedRAMP requirements before they bid. This paragraph explains who must act and why: contracting officers will have less discretion, SBA goaling will tighten, and small firms must improve readiness to capture set-aside awards.

Per FAR 19.502, small businesses can become the default awardees when two or more qualified small firms are reasonably expected to bid; that FAR provision currently guides contracting officers but leaves meaningful discretion. The House proposal in H.R.2804—the Protecting Small Business Competitions Act of 2025—seeks to shift that discretion by codifying the 'rule of two' into statute so the default becomes a mandatory presumption unless a written, documented exception is justified. According to GSA guidelines, contractors must expect more frequent documentation requests, including contemporaneous market research and written determinations of availability. The SBA reports that 78% of past small-business goaling success was tied to agencies following a strong set-aside presumption; codification would likely raise that percentage by reducing instances where contracting officers opt for full-and-open competition. Under OMB M-25-21, agencies will also have to align AI and cloud sourcing decisions with small-business access goals, meaning acquisitions that rely on centralized platforms could be scrutinized if they reduce small-firm participation. For DoD buyers, DoD's CMMC framework requires cybersecurity hygiene that small firms must budget for; that requirement can become a gating factor for set-aside eligibility in defense acquisitions. This background explains why codification shifts both administrative burden and opportunity toward small firms.

The legislative push is grounded in data and policy. The SBA reports that 78% of agency small-business performance gains were tied to strong set-aside application and enforcement; codifying the rule aims to lock those gains into law and reduce agency-side waiver rates. According to GSA guidelines, contractors must also expect updated procurement forecasts and clearer statements of work where agencies will identify small-business-eligible NAICS codes up front. Per FAR 19.502, agencies must preserve competitive integrity—codification does not eliminate competition but channels it among eligible small firms (8(a), HUBZone, WOSB, VOSB, SDVOSB). Under OMB M-25-21, agencies will align digital procurement and security policies with small-business access, meaning FedRAMP or CMMC constraints must be planned in advance rather than applied reactively. DoD's CMMC framework requires certification timelines that can stretch 6–12 months; small firms that are not prepared will lose DoD set-aside opportunities even if the rule of two favors small-business awards. In short, codification raises both the floor for small-business access and the bar for readiness.

Under OMB M-25-21, agencies will be expected to integrate small-business considerations into digital and AI procurements; this affects how market research is scoped and how requirements are written. According to GSA guidelines, contractors must provide clear evidence of capability, past performance, and cost reasonableness in responses so contracting officers can justify set-aside awards under a codified standard. Per FAR 19.502, contracting officers must show that two qualified small businesses exist or explain why a set-aside is not appropriate; codification tightens that default. The SBA reports that 78% of successful goaling outcomes depended on upfront NAICS alignment and timely SAM registration—small firms must therefore verify NAICS, PSC codes, and size standards prior to solicitation release. DoD's CMMC framework requires specific cybersecurity controls for many defense awards, and agencies implementing a codified rule will likely include CMMC readiness as an evaluative factor. For firms pursuing FedRAMP-authorized cloud services, the timeline for authorization can be 6–18 months; plan accordingly so security requirements do not become a disqualifier after the rule shifts set-asides toward small vendors.

Implementing a codified rule of two also changes source selection records and audit exposure. According to GSA guidelines, contractors must expect contracting officers to require more granular market research reports and contemporaneous documentation of small-business outreach. Per FAR 19.502, if two or more small businesses can perform, the officer should set aside unless a written determination justifies otherwise; codification will likely standardize those determinations across agencies. The SBA reports that 78% of agency compliance issues arose from inconsistent documentation; codification and tighter OMB oversight will reduce variance and increase protest filings until practice stabilizes. Under OMB M-25-21, agencies will tie procurement transparency measures to small-business goaling metrics, and DoD's CMMC framework will be monitored to ensure cybersecurity prerequisites do not inadvertently exclude qualified small firms. In practice, agencies will need updated templates, and contractors should expect advance notices and explicit small-business advisory notices in procurement forecasts.

According to GSA guidelines, contractors must prioritize administrative readiness: keep SAM.gov active, NAICS up to date, and capability statements tailored to the agency forecast. Per FAR 19.502, maintain contemporaneous market-research logs and outreach records showing you were contacted or competed in a prior similar requirement; these records are often decisive in protests and in SBA goaling reviews. The SBA reports that 78% of high-performing small firms proactively engaged with agency small-business specialists before solicitation release; build those relationships and respond to forecasts with capability packages. Under OMB M-25-21, expect agencies to scrutinize supplier diversity outcomes and procurement transparency—ask for written justifications when a contracting officer opts against a set-aside. For DoD solicitations, DoD's CMMC framework requires verifiable cybersecurity posture; either partner with an approved subcontractor with CMMC certification or initiate your own readiness program immediately. Practical best practices: budget $25K–$150K for certification and readiness, submit capability statements within 30 days of forecast publication, and set calendar reminders for SAM renewals every 12 months.