Government Contracts: “Required Insurance Limits for DoD/Federal Subcontractors.”

I won a subcontract for a non-classified DoD software project and believed my standard $1M insurance policy was sufficient. However, the prime contractor’s compliance officer rejected my Certificate of Insurance and required a $5M aggregate policy, cyber liability coverage including incident response, and a DD254 clearance verification. As a result, I was unable to begin billing until these issues were resolved.

Key Takeaways

  • Higher Limits: Gov contracts often require $2M, $5M, or even $10M limits. Standard online policies cap at $1M or $2M. You need an “Excess Liability” or “Umbrella” policy.
  • Cyber is Mandatory: In 2026, CMMC (Cybersecurity Maturity Model Certification) requires specific insurance backing.
  • Notification Costs: The government requires strict breach reporting timelines (often 72 hours). Your insurance must support this speed.
  • The “Rated” Carrier: The government usually requires carriers rated “A-” or better by AM Best. No cheap, unrated startups.

The “Why”: FAR Clauses

The Trap: The Federal Acquisition Regulation (FAR) dictates insurance.
The Prime Contractor flows these requirements down to you.
Common requirement: “Cyber Liability covering CUI (Controlled Unclassified Information).”
If your standard policy excludes “Government Acts” or “Fines/Penalties,” it’s useless.

The Investigation: I Quoted 3 Major Carriers

1. Lloyd’s of London (Syndicates)

  • My Analysis: For high limits ($5M+), Lloyd’s is the go-to. They can stack coverage layers. They understand the DoD requirements. You need a broker to access them.

2. AIG

  • My Analysis: AIG has a specific “GovCon” practice. They know what a DD254 is. They can issue the specialized certificates needed for federal work.

3. CNA

  • My Analysis: Good for mid-sized contractors. They can easily bump a $1M policy to $5M with an Umbrella for a reasonable cost.

[IMAGE: Screenshot of a sample COI with $5M limits and “Umbrella” section filled]

Comparison Table: GovCon Insurance

Carrier | Max Limits | CMMC Compliant? | Cost | Best For…
Lloyd’s | $10M+      | Yes             |      | Classified/High-Risk
AIG     | $10M       | Yes             | $    | Prime Contractors
CNA     | $5M        | Yes             |      | Subcontractors

Step-by-Step Action Plan

  1. Read the RFP/Contract: Look for “Insurance Requirements.”
  2. Call a Broker: Do not use an online app. You need a human to build a “Tower” of coverage (Primary + Excess).
  3. Ask for “Umbrella”: It’s cheaper to buy $1M Primary + $4M Umbrella than $5M Primary.
  4. Verify Rating: Ask the broker “Is this carrier AM Best Rated A or better?”

FAQ

Can I bill the insurance cost to the government?
Usually yes, it’s an “Allowable Cost” in your overhead rate.

What is CMMC?
Cybersecurity standards. Your insurance application will ask if you meet them.

Do I need Workers Comp?
Yes, statutory limits are mandatory for all gov contracts.
