User Guide

How to run a federal vendor audit, end to end.

Operational guidance for procurement officers, primes vetting subs, and compliance teams using DiligenceDesk to screen federal contractors and grant recipients.

Operational philosophy

DiligenceDesk runs on a strict verification model. The tool aggregates public federal data and surfaces evidence, not opinion. Unlike compliance suites that rely on opaque scoring models, every verdict here cites the federal source it came from, with the timestamp of the fetch.

Local-first by design

Search history is stored locally in your browser. The server caches upstream API responses for up to 24 hours to reduce quota burn, but does not retain a per-user search log.

Audit verification protocol

1. Identity resolution

Enter an entity name, UEI, or CAGE code. The orchestrator first resolves the target against SAM.gov to establish the canonical legal entity. Every downstream lookup uses that anchored identity, which prevents a fuzzy match like "Uber Te" from sweeping up unrelated federal contracts.

2. Cross-domain data gathering

With the entity anchored, eight federal data sources are queried in parallel:

  • SAM.gov: registration status, exclusions, NAICS, PSC.
  • DOL Wage and Hour: enforcement history, willful and repeat flags.
  • ITA Consolidated Screening List: sanctions, denied parties, entity list.
  • USAspending.gov: federal contract and grant award history.
  • SEC EDGAR: 10-K and 10-Q filings for public companies.
  • GLEIF: Legal Entity Identifier and parent / subsidiary chains.
  • NIST NVD: CVE / CVSS exposure for matched products.
  • Section 889 registry: prohibited-manufacturer MAC and OUI ranges.

3. Verdict synthesis

Evidence is weighed against a deterministic ladder. FAIL on prohibited hardware, active SAM exclusion, severe labor violations, or a high-severity Consolidated Screening List hit. WARNING on expired SAM, moderate CSL hit, or sensitive-sector involvement (weapons, nuclear ordnance, defense aerospace) even with an otherwise clean record. PASS on active SAM with no negative hits. NEUTRAL when no records exist anywhere and the identity needs manual verification.
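The ladder above, worked through as an added Python example (not DiligenceDesk's own code): the finding keys, the Evidence record, the record helper and the DEMO_NOW clock are assumptions, and every verdict carries the source and fetch timestamp it rests on, flagged stale when the fetch is older than the 24-hour cache window.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Hypothetical evidence record: one finding from one federal source, with its fetch time.
@dataclass(frozen=True)
class Evidence:
    source: str          # e.g. "SAM.gov", "DOL WHD", "ITA CSL", "Section 889 registry"
    finding: str         # normalised key; must appear in the ladder sets below
    fetched_at: datetime
    detail: str = ""

# The ladder from the guide, highest severity first (assumed key names).
FAIL_FINDINGS = {"prohibited_hardware", "sam_exclusion_active", "labor_severe", "csl_hit_high"}
WARNING_FINDINGS = {"sam_expired", "csl_hit_moderate", "sensitive_sector"}
PASS_FINDING = "sam_active"
KNOWN = FAIL_FINDINGS | WARNING_FINDINGS | {PASS_FINDING}
CACHE_TTL = timedelta(hours=24)                                   # server cache window
DEMO_NOW = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)        # constructed clock

def record(source, finding, hours_ago, detail=""):
    """Build a constructed Evidence record fetched `hours_ago` hours before DEMO_NOW."""
    return Evidence(source, finding, DEMO_NOW - timedelta(hours=hours_ago), detail)

def cite(records, now):
    """A citation is the source plus the fetch timestamp; old fetches are marked stale."""
    return [{"source": r.source, "finding": r.finding, "fetched_at": r.fetched_at.isoformat(),
             "stale": now - r.fetched_at > CACHE_TTL} for r in records]

def synthesize(evidence, now=DEMO_NOW):
    """Apply the ladder: any FAIL finding wins, then WARNING, then PASS; NEUTRAL otherwise."""
    unknown = sorted({e.finding for e in evidence if e.finding not in KNOWN})
    if unknown:                      # fail closed: an unmapped key must never become a PASS
        raise ValueError(f"unmapped finding keys: {unknown}")
    if not evidence:
        return {"verdict": "NEUTRAL", "citations": [],
                "note": "no records anywhere; verify the legal-entity name manually"}
    fails = [e for e in evidence if e.finding in FAIL_FINDINGS]
    if fails:
        return {"verdict": "FAIL", "citations": cite(fails, now)}
    warns = [e for e in evidence if e.finding in WARNING_FINDINGS]
    if warns:
        return {"verdict": "WARNING", "citations": cite(warns, now)}
    passes = [e for e in evidence if e.finding == PASS_FINDING]
    if passes:
        return {"verdict": "PASS", "citations": cite(passes, now)}
    # Assumption: records exist but none shows an active SAM registration -> manual check.
    return {"verdict": "NEUTRAL", "citations": cite(evidence, now),
            "note": "records found but no active SAM registration; verify manually"}

if __name__ == "__main__":   # constructed sample run, not real data
    print(synthesize([record("SAM.gov", "sam_active", 2),
                      record("ITA CSL", "csl_hit_moderate", 30, "fuzzy name match")]))
```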

Interpreting verdicts

FAIL

Critical risk. Verified exclusion (debarment), active sanctions hit, or severe labor violations. Stop the workflow until reviewed.

WARNING

Moderate or sector risk. Expired SAM, moderate sanctions hit, or sensitive-sector involvement. Requires human review.

PASS

Low risk. Active SAM, no exclusions, clean enforcement and screening. Continue with standard procurement review.

NEUTRAL

No records found. The target may not be a federal contractor. Verify the legal-entity name manually.

Integrity pillar

Sourced from the U.S. Department of Labor enforcement database. The tool monitors the Wage and Hour Division and OSHA datasets specifically.

Key indicators

  • Willful violator: employer knowingly violated the law.
  • Repeat violator: employer has a history of similar violations.
  • Back wages: unpaid wages recovered for employees.

Performance pillar

Sourced from USAspending.gov. The pillar reads an entity's track record on large federal contracts: whether it is a first-time federal vendor, whether it has managed obligations above $1M, and which agencies have awarded it work.

Financial pillar

Sourced from SEC EDGAR. For public companies the tool parses 10-K and 10-Q filings for SIC code, revenue trend, and net income trajectory. Private vendors return no data here, which is expected.

Cyber risk pillar

Sourced from the NIST National Vulnerability Database. The tool cross-references hardware and software products against Common Platform Enumeration (CPE) identifiers, maps matches to Common Vulnerabilities and Exposures (CVE) records, and flags items on the Known Exploited Vulnerabilities (KEV) list.

Visual ecosystem intelligence

The risk graph maps verified relationships between the entity and its operational ecosystem. Funding agencies, beneficial owners, points of contact, and active risk events all appear as typed nodes with cited edges.

Hardware compliance auditor

The Section 889 hardware tool checks MAC address prefixes (OUI) against the prohibited-manufacturer list (Huawei, ZTE, Hytera, Hikvision, Dahua). Open the Hardware tab on the home page, paste any valid MAC, and the system returns the manufacturer plus a risk level.

Batch screening

The batch tab accepts a CSV upload and processes up to 100 vendors in one pass. Required column: a header that contains Vendor Name, Entity Name, Company, Name, or Entity. Other columns are ignored. CSVs missing a recognized header are rejected upfront so the run never silently passes garbage rows.
