Vardr Partners
Procurement · Compliance · Government Delivery · 8 min read

The compliance map state procurement officers actually carry — and what vendors miss

A state procurement officer signing a benefits-modernization contract is signing against three different compliance regimes that don't fully align: state procurement law, federal grant flow-down requirements, and OIG audit posture. The vendors that win these contracts are the ones who produce the compliance map up front.

By Lewis Gossett and Gunnar Link · June 13, 2026

A state procurement officer signing a benefits-modernization contract is signing against three different compliance regimes simultaneously. Each has its own audit cadence, its own evidentiary requirements, its own penalty structure. The three regimes overlap at the edges and conflict in the middle, and the procurement officer is the person responsible for harmonizing them in a document that protects the state against all three.

The vendors that win these contracts — and stay won, through delivery and audit — are the ones that hand the procurement officer the compliance map at the proposal stage. The vendors that hand-wave on it, or treat one regime as the whole picture, produce the modernization deployments that show up in OIG findings two years later. This piece is about what the compliance map actually contains, what falls through the cracks between the three regimes, and what a vendor should bring to the table to make the procurement officer's job tractable.

The three regimes

State procurement law. Every state has a procurement code — usually based on either the Model Procurement Code or the ABA Model State Procurement Code, with state-specific modifications. The code defines competition requirements, small-business set-asides, protest rights, contract administration, and dispute resolution. South Carolina's Consolidated Procurement Code (Title 11, Chapter 35), Georgia's State Purchasing Act, North Carolina's State Procurement Manual — each looks superficially similar and differs in load-bearing ways. The procurement officer is enforcing the state code, and a vendor that does not understand the specific state code is not a vendor that closes.

Federal grant flow-down. Most benefits-modernization money is federal, flowing through CMS, FNS, DOL, or HHS to the state as a grant. The grant carries flow-down compliance requirements: 2 CFR Part 200 (the Uniform Guidance) plus program-specific OMB Circulars and the relevant agency-specific addenda. The state's flexibility on procurement is constrained by these flow-down requirements — for example, a state's small-business preference that conflicts with federal full-and-open-competition requirements has to yield. The procurement officer has to reconcile state law and federal flow-down in the contract.

OIG audit posture. The OIG of the federal funding agency (e.g., HHS OIG for CMS-funded work, USDA OIG for FNS-funded work) audits state grantees on a routine cadence. The audit examines whether the state met both the state procurement requirements and the federal flow-down requirements, and whether the deployed system actually does what the agency said it would do. OIG findings can trigger disallowed costs, which means the state has to repay the federal share — a budget event no agency director wants to explain to the legislature.

These three regimes are not adversarial — they share many goals — but they are not perfectly aligned, and the procurement officer is sitting at the seam where the misalignments matter.

Where the regimes conflict

Three conflicts are recurrent enough that we map them explicitly on every engagement.

Small-business preference vs. federal full-and-open-competition. State procurement codes often include preferences for in-state small businesses, minority-owned businesses, or veteran-owned businesses. These preferences are politically important and legally codified at the state level. Federal flow-down rules typically require full and open competition for federal funds above certain thresholds, with limited and specific exceptions for set-asides. In the contract, the procurement officer has to either justify the state preference under a federally recognized exception or scope the federal portion of the contract so the state preference applies only to the non-federal share. A vendor that does not understand this structure cannot help the procurement officer write the contract that protects both flexibilities.

State data-rights vs. federal data-rights. State procurement codes typically include some form of government-data-rights provision, often modeled on FAR 52.227-14 or a state equivalent. Federal grant flow-down has its own data-rights expectations — particularly for evaluations, holdout datasets, and model artifacts in AI deployments — that are often broader than the state code's defaults. The OIG, when it audits, expects the contract to give the state the data rights necessary to reproduce determinations, run independent evaluations, and respond to records requests. A contract that limits data rights to the state code's defaults will not survive OIG review. The vendor's data-rights clauses have to be drafted to the OIG's expected bar, not just the state code's floor.

State retention requirements vs. federal retention requirements. State retention schedules for benefits-program records typically run 3-7 years depending on program. Federal retention schedules under 2 CFR Part 200.334 require records of grant transactions for at least 3 years after the grantee's annual report is submitted (longer if litigation or audit is pending). For an AI-deployment artifact — the evidence pack, the model version pins, the holdout dataset — the retention period needs to be the longer of the two, indexed to the appeals and OIG-audit cycles, and the contract has to obligate the vendor to maintain those records (or transition them to the state) over that period. Most vendor proposals default to a 3-year retention that is too short for an AI-decisioning system whose decisions may be appealed years out.

The compliance map names these conflicts and resolves each one in the contract. The procurement officer's job is much harder when the map is not on the table.

The compliance artifact set

A vendor that has done this work brings a specific artifact set to the proposal:

The compliance crosswalk. A document — typically a table — that maps every contract clause to the relevant state procurement code section, federal grant flow-down requirement, and OIG audit expectation. The crosswalk makes visible where each clause is grounded, where conflicts have been resolved, and where the procurement officer has discretion to adjust. Procurement officers we have worked with treat the crosswalk as the most useful single document a vendor can provide.

The cost-and-allocability schedule. Under 2 CFR Part 200.404-405, costs charged to a federal grant must be allowable, allocable, reasonable, and adequately documented. The cost schedule shows how each line item is charged (direct vs. indirect), how indirect costs are allocated (with the relevant indirect-cost-rate agreement cited), and how the documentation will be produced for audit. Gunnar's CPA-grade work products fit naturally here; we have seen otherwise-competent vendors lose competitive proposals on a poorly constructed cost schedule.

The audit-readiness plan. A document describing how the vendor will support OIG audit and federal-partner review, what records will be maintained, where they will live, how they will be retrieved, and what cooperation the vendor commits to (and at what cost). A vendor that has not written this plan will produce it under stress, in front of an auditor, badly. A vendor that writes it at the proposal stage gives the procurement officer something to attach to the contract.

The subcontractor flow-down attestation. Federal flow-down requirements apply not just to the prime contractor but to subcontractors. The vendor's proposal should attest, in writing, that the same compliance regime will flow down to subcontractors and that the prime is responsible for subcontractor compliance under the contract. We treat this elsewhere in Subcontractor compliance for multi-vendor AI deployments; the attestation belongs in the proposal package.

The retention and transition schedule. A schedule that names, by record category, how long records will be maintained, by whom, with what access rights, and what happens at the end of the retention period (deletion, transfer to the state, transfer to a successor contractor). This is the document that prevents the all-too-common end-of-contract situation where the state realizes a year too late that records it needed for an OIG audit have already been disposed of.

These five artifacts are the compliance map. They are not exotic. They are the documents a competent procurement-and-finance team produces in the ordinary course of running a multi-jurisdiction practice. Their absence is what distinguishes a vendor that has done this work before from a vendor that is figuring it out on the procurement officer's time.

What happens at the OIG

The OIG audit, when it arrives, is structured. The audit team works through the federal flow-down compliance requirements against the contract and the deployment. They ask for the cost schedule, they sample transactions, they trace the audit trail of decisions back to the contract clauses that authorized them, they verify retention, and they assess whether the deployed system actually does what the procurement documented.

The single biggest predictor of an OIG audit going well is whether the contract and the deployment can produce, on demand, the records that demonstrate compliance. Not whether the vendor or the state thinks they have been compliant — whether the records prove it. This is why the compliance artifact set we described above is structured around producible documentation: the crosswalk shows where each clause is grounded, the cost schedule shows what each dollar was for, the audit-readiness plan shows where the records live.

The agency director's posture in front of the OIG team is dramatically different when the records are organized, indexed, and retrievable. The audit takes weeks rather than months. The findings, if any, are narrow rather than systemic. The disallowed costs, if any, are scoped rather than program-wide.

What to do Monday

If you are a state procurement officer in a benefits agency: ask your next vendor proposal package to include the compliance crosswalk explicitly. Make it a required element of the technical evaluation. Score it.

If you are a state agency director with an AI deployment in flight: ask your finance and procurement teams to assemble the artifact set above for the existing contract. If they cannot produce all five, the gaps are your engineering and contracting backlog. The OIG audit window for the 2024-2025 cohort of state AI deployments has begun; the time to assemble the records is now.

If you are a vendor preparing a state-AI proposal: build the five artifacts before you walk into the procurement officer's office. The proposal that includes them is the proposal that survives.

Where Vardr fits

Lewis has worked the state-procurement-and-regulatory side from inside a governor's cabinet and from the industry-association seat negotiating with state agencies — a vantage point that covers state procurement codes across the Southeast in their actual practiced form, not just their statutory text. Gunnar brings the CPA-grade financial controls and federal-grant-compliance discipline — the documentation, allocability, and audit-readiness work that turns the contract into something the OIG will actually accept. Together they produce the compliance crosswalk and the artifact set above for a state agency before procurement, or assemble the records retroactively for a deployment already in flight that needs to be audit-defensible.

If this resonates with a program you're working on, we'd be glad to talk.