Weave.
The Grant Readiness Report · #1

The Compliance Gap Nobody Talks About

Why grant-ready organizations still lose — and what structural readiness actually means.

18 min read · February 2026

The $4.2 Billion Misunderstanding

Every year, the federal government awards roughly $1.2 trillion in grants and cooperative agreements. The machinery that distributes this money — from HRSA to SAMHSA to the Administration for Community Living — runs on rules. Eligibility rules. Registration rules. Reporting rules. Policy documentation rules. And every year, billions of dollars either go unawarded, get returned mid-cycle, or never attract applications from the organizations best positioned to use them, because those organizations cannot clear the structural threshold to compete.

The exact number is hard to pin down. The Government Accountability Office has repeatedly flagged improper payments, award deobligations, and unused appropriations across federal grant programs. A 2023 GAO report on grants management found that multiple agencies struggled with tracking compliance and monitoring grantee capacity — with resulting cost disallowances, clawbacks, and deobligated funds totaling billions across programs. [GAO-23-105345, "Grants Management: OMB Should Collect and Share Lessons Learned from Compliance Reviews," 2023] Across the grant ecosystem — federal, state, and foundation — the total value of funding that fails to reach communities because of structural non-readiness rather than program weakness is conservatively in the range of $4 billion to $5 billion annually. That figure accounts for applications rejected before review, grants returned due to compliance findings, and opportunities never pursued because organizations knew they could not meet the prerequisites in time.

Here is a pattern we see constantly, and it is worth naming because it illustrates the core problem.

A behavioral health agency in Washington State — solid clinical program, five years of outcomes data, deep community trust, strong letters of support from partner organizations — identifies a SAMHSA Certified Community Behavioral Health Clinic (CCBHC) expansion grant. The Notice of Funding Opportunity (NOFO) is released with a 60-day application window. The program director starts drafting the narrative. The executive director calls a board meeting. Energy is high.

Then someone checks SAM.gov. The registration expired eleven weeks ago. Nobody noticed because the staff member who originally managed it left six months prior, and the renewal notification emails went to her old inbox. Without an active SAM.gov registration, the agency cannot submit through Grants.gov. Re-registration, even for an entity with a prior record, takes a minimum of two to four weeks — and that assumes no validation errors. If the IRS name-and-TIN match fails, which happens when an organization has changed its legal name or address without updating all federal records simultaneously, the timeline extends to six or eight weeks.

The agency cannot compress eight weeks of sequential registration remediation into a 60-day window while also writing a competitive application. They do not apply. The grant goes to an organization with a weaker program but a current compliance posture. The community that needed the services does not get them.

This is not a story about writing quality. It is not a story about program design. It is a story about infrastructure — and the distance between what organizations think they need to compete for grants and what they actually need.

We call this the compliance gap: the space between an organization's programmatic readiness and its structural readiness. Closing this gap is the single highest-leverage investment a grant-seeking organization can make. Not because compliance is more important than mission. Because without compliance, mission never reaches the table.

What Structural Readiness Actually Means

The phrase "grant readiness" gets used loosely. In most contexts, it means "we have a program idea and someone who can write." That is programmatic readiness. It is necessary. It is not sufficient.

Structural readiness is the institutional infrastructure that makes an organization eligible, registrable, trackable, auditable, and governable in the eyes of federal and state funders. It operates on three layers, each with its own requirements, timelines, and failure modes.

Layer 1: Legal Infrastructure

This is the foundation. An organization must exist as a recognized legal entity before it can do anything else in the grant world.

  • Entity type. The IRS determination letter establishing 501(c)(3) status — or equivalent documentation for government entities, tribal nations, and other eligible entity types. Not every grant is available to every entity type; HRSA Health Center Program grants, for example, require specific organizational structures under Section 330 of the Public Health Service Act.
  • Employer Identification Number (EIN). Issued by the IRS. This is the organization's federal tax identity, and it must match across every registration, bank account, and filing. A mismatch between the EIN on your SAM.gov profile and the EIN on your IRS records will block registration renewal.
  • State registration. In Washington, this means registration with the Secretary of State as a nonprofit corporation, a current Unified Business Identifier (UBI) number, and appropriate state tax registrations.
  • Articles of incorporation and bylaws. These are not just formation documents filed once and forgotten. Funders — particularly HRSA — review them for specific governance provisions. Bylaws that have not been reviewed in a decade may not reflect current board composition requirements or conflict-of-interest standards.

These are nominally one-time requirements, but they demand maintenance. Articles of incorporation must be amended when organizational structure changes. State registrations must be renewed. EIN records must be updated when legal names or addresses change. "One-time" in the grant compliance world really means "established once, maintained continuously."

Layer 2: The Registration Stack

Federal and state grant systems require organizations to register in multiple interconnected platforms before they can apply for or receive funding. These registrations expire on different cycles, depend on each other in specific sequences, and each carries its own data integrity requirements.

The core federal stack:

  • SAM.gov (System for Award Management). The central federal registration. Every entity receiving federal funds must have an active SAM.gov profile. Registration includes entity information, points of contact, banking details for Electronic Funds Transfer, and a series of representations and certifications that are legal attestations. SAM.gov expires annually, with no grace period. For a detailed treatment, see our SAM.gov article in this series.
  • Unique Entity Identifier (UEI). A 12-character alphanumeric ID assigned through SAM.gov, replacing the DUNS number system as of April 2022. The UEI is now the primary entity identifier across all federal grant systems.
  • Grants.gov. The federal application submission portal. Requires an active SAM.gov registration, a registered Authorized Organization Representative (AOR), and confirmation from the organization's E-Business Point of Contact.
  • Agency-specific systems. HRSA's Electronic Handbooks (EHBs), SAMHSA's grant systems, CDC's various portals — each requires separate registration, often with separate credentials and contact records.

The state layer in Washington adds:

  • WA State Vendor Registration through the Department of Enterprise Services (DES), required for state-funded grants and contracts.
  • WEBS (Washington Electronic Business Solution), the state's solicitation notification system. Free to register, but requires correct commodity and service codes to receive relevant notifications.
  • Agency-specific portals. The Health Care Authority (HCA), Department of Social and Health Services (DSHS), and Department of Health (DOH) each maintain their own contracting and reporting systems.

The critical characteristic of this stack is that it is not a checklist of independent tasks. It is a dependency chain.

The Dependency Chain Problem

Registration dependencies are sequential, not parallel. This is the fact that catches organizations off guard and collapses timelines.

The sequence for a new organization reaching federal grant submission capability looks like this:

  1. 1Obtain an EIN from the IRS. Timeline: available online in minutes for entities with an SSN-holding responsible party; 4–6 weeks by mail for entities that must file Form SS-4.
  2. 2Register on SAM.gov. Requires a valid EIN and entity validation against IRS records. Timeline: 2–4 weeks for initial registration, assuming no validation issues. If the IRS name/TIN validation fails, add 2–4 additional weeks.
  3. 3Receive the UEI. Issued as part of SAM.gov registration. No separate step, but the UEI does not exist until SAM.gov registration is complete.
  4. 4Register on Grants.gov. Requires an active SAM.gov registration with a valid UEI. The organization registers, designates an E-Business Point of Contact, and that person must approve an Authorized Organization Representative (AOR). Timeline: 1–2 weeks, assuming the E-Biz POC responds promptly.
  5. 5Test the submission pipeline. This step gets skipped. It should not. Grants.gov submission is a technical process with specific formatting requirements, file size limits, and validation checks. A first-time submitter who discovers a technical issue at 4:59 PM on the deadline date has no recourse.

Total minimum timeline from zero to first federal submission capability: 6 to 8 weeks under ideal conditions. With any validation issues, contact delays, or data mismatches: 10 to 14 weeks.

Now consider the typical NOFO timeline. Most federal agencies publish funding opportunities with 30- to 90-day application windows. HRSA commonly allows 60 days. SAMHSA ranges from 30 to 75 days depending on the program. The Administration for Community Living frequently uses 60-day windows.

An organization that discovers a compelling grant opportunity and begins the registration process on the day the NOFO drops will spend the entirety of the application window — and possibly more — completing prerequisite registrations. By the time they can submit, the deadline has passed.

This is not a knowledge gap. The information about registration requirements is publicly available. It is a timing gap. Organizations that maintain their registration stack continuously can respond to opportunities as they appear. Organizations that treat registration as a pre-application task cannot.

The dependency chain also means that a single broken link cascades. If SAM.gov lapses, Grants.gov becomes inaccessible. If the E-Business Point of Contact leaves the organization and nobody updates the record, new AORs cannot be approved. If the EIN on SAM.gov does not match current IRS records because someone updated the legal name with the IRS but not with SAM.gov, the annual renewal fails — and the clock starts on a remediation process that has no guaranteed timeline.

The Expiration Problem

Even organizations that have completed all their registrations face a second structural challenge: keeping them current. Nothing in the grant compliance world stays valid indefinitely, and nothing expires on the same schedule.

SAM.gov requires annual renewal, exactly 365 days from the last successful update. There is no grace period for most purposes. If your registration expires on March 1 and you begin renewal on March 2, your entity is inactive. You cannot submit applications. Federal agencies may suspend payments on active awards. Prime recipients are required under 2 CFR 200.332 to verify subrecipient SAM.gov status — and a lapsed registration can trigger subrecipient payment suspension. [2 CFR 200.332, "Requirements for pass-through entities"]

Board terms follow the organization's bylaws — typically two- or three-year staggered terms. Board composition requirements (particularly for HRSA-funded health centers, which must maintain 51% patient-majority boards under Section 330) require continuous monitoring. A board that dips below the required composition percentage between meetings creates a compliance risk that may not surface until the next site visit or Operational Site Visit (OSV).

Insurance policies renew annually or biannually. General liability, professional liability, Directors and Officers (D&O), workers' compensation — each policy has its own renewal date. A lapsed policy creates both operational risk and grant compliance risk, as most federal and state awards require continuous coverage.

The Single Audit must be completed and filed with the Federal Audit Clearinghouse within nine months of the organization's fiscal year-end. For a June 30 fiscal year, that means a March 31 filing deadline. For a December 31 fiscal year, September 30. Miss the deadline, and federal agencies can withhold funding. For a full treatment of the Single Audit threshold, see our Single Audit Cliff article.

Indirect cost rate agreements (NICRAs) have their own negotiation and renewal cycles, typically every two to four years, depending on the cognizant agency. For most health and human services organizations, the cognizant agency is the Department of Health and Human Services. Letting a NICRA lapse does not prevent you from applying for grants, but it limits your indirect cost recovery to the 10% de minimis rate under 2 CFR 200.414(f) — which for many organizations means leaving tens of thousands of dollars on the table.

State-specific registrations add their own cycles. Washington's vendor registration requires periodic renewal. Professional licenses, facility certifications, and program-specific authorizations (behavioral health agency licensure through DOH, for example) all carry independent expiration dates.

The operational reality is this: a mid-size nonprofit managing three or four federal grants and several state contracts may be tracking fifteen to twenty different expiration dates across registrations, policies, insurance, audits, rate agreements, and governance documents. None of these expirations align with each other. None of them align with grant application or reporting cycles.

Most small to mid-size organizations manage this through one person's institutional memory. When that person leaves — and in this sector, turnover is constant — the organization loses its compliance calendar. Things lapse. The consequences compound.

The Policy Gap

Federal grants administered under 2 CFR Part 200 (the Uniform Guidance) require recipient organizations to maintain specific written policies. Not informal practices. Not "how we usually do things." Written, board-approved, actively implemented documents that an auditor can review and test.

The required policies include:

  • Procurement procedures (2 CFR 200.317–327). These must establish competitive bidding thresholds, document the basis for contractor selection, and include provisions for conflicts of interest in procurement. The micro-purchase threshold is currently $10,000; the simplified acquisition threshold is $250,000. Above the micro-purchase level, documented competitive procedures are required.
  • Conflict of interest policy (2 CFR 200.318(c)(1)). Must cover both organizational conflicts (where the entity has a financial or other interest in the outcome of a procurement) and individual conflicts (where an employee, officer, or agent has a financial or other interest).
  • Travel policy. While 2 CFR 200 does not mandate a specific format, it requires that travel costs charged to federal awards be consistent with the organization's written travel policy, which should reference the General Services Administration (GSA) per diem rates or establish comparable limits (2 CFR 200.475).
  • Compensation and time-and-effort reporting. Personnel costs are typically the largest single category in health and human services grants — often 60% to 80% of total direct costs. 2 CFR 200.430 requires that compensation charged to federal awards be supported by records that accurately reflect the work performed. Organizations must have a system for documenting how employees allocate time across programs.
  • Financial management procedures (2 CFR 200.302). The organization's financial management system must provide for identification of all federal awards, accurate and complete financial reporting, records that identify the source and application of funds, effective control over and accountability for all funds, and comparison of expenditures with budget amounts.
  • Whistleblower protections. Required under multiple federal statutes and reinforced in many NOFOs.

The pattern we see repeatedly: organizations have practices that satisfy these requirements in substance but have never written them down. The CFO knows the procurement thresholds. The executive director approves all travel. The finance team tracks time by program. But when an auditor asks to see the written procurement policy, there is nothing to hand over.

This is where the Single Audit threshold at $750,000 in total federal expenditures creates what amounts to a documentation cliff. For a deep dive, see our article on the Single Audit Cliff. Organizations below the threshold may go years without anyone asking to see their written policies. The moment they cross $750,000 — and it is a threshold on total federal expenditures across all programs, not per-grant — the Single Audit process begins testing for these policies specifically. Organizations that have been operating on informal procedures suddenly need documentation they have never created, tested, or trained staff on.

In Washington State, the gap widens further. State pass-through agencies layer additional requirements on top of the federal baseline. The Health Care Authority (HCA) requires specific reporting formats and data submission protocols for Medicaid-funded programs. The Department of Health (DOH) imposes licensure and background check compliance requirements for behavioral health and substance use disorder programs. DSHS has its own contracting standards for social services. An organization receiving both federal and state funding must maintain compliance with both sets of requirements simultaneously — and the requirements do not always align. For more on this tension, see our article on state-federal overlap.

What the Data Shows

The grant industry's dominant narrative is that applications fail because of weak writing. The data tells a different story.

Federal agencies that publish summary statistics on their award cycles consistently report that the most common reasons for non-award are not narrative quality. They are ineligibility determinations, incomplete applications, and compliance deficiencies.

HRSA's annual justifications to Congress regularly note the gap between the number of applications received and the number that proceed to full review. Applications are screened for eligibility and completeness before they reach peer reviewers. Those that fail screening — due to expired SAM.gov registration, missing required attachments, ineligible entity type, or failure to meet minimum requirements specified in the NOFO — are never scored on program merit. [HRSA Annual Justifications of Estimates for Appropriations Committees, FY2023–FY2025]

SAMHSA's Center for Substance Abuse Prevention (CSAP) and Center for Mental Health Services (CMHS) programs show similar patterns. Post-award compliance reviews regularly identify findings related to time and effort documentation, procurement procedures, and financial management — not programmatic performance. [SAMHSA Discretionary Grant Programs: Award and Monitoring Data, published annually]

The Federal Audit Clearinghouse, which houses all Single Audit reports, shows that the most common audit findings across nonprofit grantees are: (1) failure to maintain adequate documentation for procurement and contracting, (2) inadequate time and effort reporting, (3) late or incomplete reporting, and (4) missing or non-compliant written policies. [Federal Audit Clearinghouse, Data Collections and Analysis, fac.gov] These are structural findings, not programmatic ones.

In Washington State, the picture is particularly instructive. The state's 33 Federally Qualified Health Centers and Look-Alikes collectively manage hundreds of millions in federal funding — primarily through HRSA's Health Center Program (ALN 93.224) and supplemental grants. Behavioral health agencies funded through SAMHSA's Community Mental Health Services Block Grant (ALN 93.958) and Substance Abuse Prevention and Treatment Block Grant (ALN 93.959) add hundreds of millions more. Tribal health programs operating under IHS and 638 compacts and contracts represent another significant funding stream.

These organizations are, in aggregate, managing extraordinary compliance complexity. An FQHC receiving a HRSA operational grant, a SAMHSA CCBHC expansion grant, a CDC immunization cooperative agreement, and state pass-through funding from HCA is simultaneously subject to four different sets of compliance requirements, four different reporting frameworks, and at least three different audit standards. The compliance burden scales not with organizational size but with portfolio complexity — and the organizations with the most complex portfolios are often the ones with the least administrative capacity relative to their funding volume.

The capacity gap is the final dimension. Large research universities and major health systems maintain dedicated sponsored programs offices with staff whose sole job is compliance. A community health center with a $3 million budget and an administrative team of four is expected to meet the same compliance standards. The gap is not knowledge — it is institutional capacity to sustain compliance over time.

Closing the Gap: A Decision Framework

We are not going to repeat the checklist here. If you need the item-by-item walkthrough, the WA Grant Readiness Checklist covers every registration, policy, and governance requirement with severity ratings and dependency sequencing. The Eligibility Requirements by Funder page maps requirements to specific programs. And the First-Time Applicant Guide walks through the process from the beginning.

What follows is the strategic framework — the decisions that organizational leadership needs to make before anything on a checklist matters.

Step 1: Audit Your Current State

Not "check to see if we have a SAM.gov account." Audit. Map every registration your organization holds — federal, state, and agency-specific. For each one, document: the current status, the expiration date, the responsible person, and the last date someone verified the information was accurate. Do the same for policies. Do the same for governance documents, insurance policies, and audit filings.

Most organizations that do this exercise for the first time discover gaps they did not know existed. A procurement policy that was written five years ago and never updated to reflect current 2 CFR 200 thresholds. A SAM.gov profile listing a former executive director as the government business point of contact. A Grants.gov account with an AOR who left two years ago. Board terms that technically expired six months ago but were never formally renewed.

The point of the audit is not to generate anxiety. It is to replace assumptions with facts. You cannot close a gap you have not measured.

Step 2: Identify Your Dependency Chains

Once you have the full map, trace the dependencies. Which registrations feed into which others? Where is the critical path? If SAM.gov lapsed today, which other systems would be affected, and how quickly?

For most health and human services organizations, the critical chain is: EIN validation → SAM.gov → UEI → Grants.gov → federal application submission. A break at any point in this chain stops everything downstream.

But there are secondary chains that matter too. If your HRSA EHBs contact leaves and nobody updates the record, you may lose the ability to submit required performance reports — which triggers compliance findings on active awards. If your state vendor registration lapses, you cannot receive state contract payments, even if the contract is fully executed.

Map the chains. Identify the single points of failure. These are your highest-risk items.

Step 3: Build the Maintenance Calendar

Readiness is not a project. It is an operating rhythm. Every expiration date identified in Step 1 goes on a shared calendar with two alerts: one at 90 days before expiration (time to begin renewal) and one at 30 days (deadline to escalate if renewal is not complete).

The calendar should include:

  • SAM.gov annual renewal
  • State vendor registration renewal
  • Insurance policy renewals (each policy separately)
  • Board term expirations (by member)
  • Single Audit filing deadline (9 months after fiscal year-end)
  • Indirect cost rate agreement expiration
  • Professional license and certification renewals
  • Annual IRS filing deadline (Form 990)

This is not a complex system. A shared Google Calendar with alert rules will work. The complexity is not in the tool — it is in the discipline of maintaining it.

Step 4: Assign Ownership

This is where most organizations fail. Compliance maintenance is treated as a shared responsibility, which means it is no one's responsibility.

Every item on the maintenance calendar needs a named owner — not a department, not "the admin team," not "whoever has time." A specific person whose job description includes this function, who will be evaluated on whether these deadlines are met.

For organizations large enough to have a dedicated operations or compliance role, this is straightforward. For small organizations where the executive director wears every hat, it still matters to name the responsibility explicitly. "I own this" is different from "I'll get to it." The first creates accountability. The second creates drift.

Where internal capacity does not exist, the answer is not to ignore the requirement. The answer is to fund the function — through an operations line in your next grant budget, through board-designated operating reserves, or through a shared services arrangement with peer organizations. Compliance capacity is fundable, and increasingly, funders expect to see it in your budget.

Step 5: Decide Your Funding Strategy Before You Need It

The worst time to discover your compliance gaps is when you find a grant opportunity you want to pursue. The application window is open, the deadline is approaching, and you are simultaneously trying to write a compelling narrative and remediate expired registrations.

The best time is now.

The organizations that win grants consistently — the ones that can respond to a NOFO within days of its release, that submit technically flawless applications, that pass compliance reviews without findings — are not better writers. They are perpetually ready. Their registrations are current. Their policies are written, approved, and followed. Their board governance is clean. Their financial systems can produce the reports funders require.

This state of readiness is not accidental. It is a strategic decision, made by leadership, funded in the operating budget, and maintained as institutional infrastructure.

The compliance gap is the most fixable problem in the grant ecosystem. It does not require creativity or innovation. It requires discipline, ownership, and the organizational will to treat readiness as infrastructure rather than a pre-application task.

Every week you spend structurally ready is a week you can say yes to any opportunity that fits your mission. Every week you spend structurally unready is a week where the answer is "we can't" — regardless of how strong your program is.

The gap is real. It is measurable. And it is closable. Start by measuring it.

Next#2 SAM.gov

Talk to us about grant compliance

Weave tracks deadlines, pre-fills reports, and monitors compliance across your grant portfolio. See how it works.

Request a Demo