

MODULE 3
Compliance & Administrative Infrastructure
Put the operational and regulatory infrastructure in place so the company can function legitimately
Introduction
This module puts the basic operational infrastructure in place so the company can function legitimately: financial accounts, tax registrations, insurance, recordkeeping systems, and the government registrations necessary for federal R&D funding. These tasks are less complex than IP negotiation or equity structure, but they are no less important for setting up operations. Early administrative shortcuts create legal exposure and tax risk.
Task Guidance, Core Compliance Track
The following tasks apply to all companies regardless of funding strategy. They establish the minimum operational infrastructure required to function as a legitimate business entity.
| Task | “Done” Looks Like | Key Risk / Timing |
|---|---|---|
| Obtain EIN | Employer Identification Number is obtained from the IRS. EIN confirmation letter is saved. EIN is used on all tax registrations and banking applications. | EIN is required before opening a bank account or registering for state taxes. It can be obtained online from the IRS in minutes. This should be the first task completed after entity formation. |
| Register state tax accounts | Company is registered for applicable state taxes in its state of primary operations: sales tax (if applicable), business privilege tax, franchise tax, or other state-specific requirements. Registration confirmations are saved. | State tax requirements vary significantly. Tennessee has specific franchise and excise tax obligations for LLCs and corporations. An accountant familiar with Tennessee business taxes should confirm which registrations apply. |
| Open business bank account | A dedicated business checking account is open in the company's name using the company EIN. No personal funds are commingled. Account information is documented. | Some banks require a copy of the Articles of Incorporation and an EIN letter. The account should be opened before any company funds are received or expenses paid. Separation of personal and company finances should be non-negotiable. |
| Confirm business license requirements | Any required local or state business licenses are identified and obtained. Requirements are documented for annual renewal. | Requirements vary by municipality and business type. Some activities (e.g., professional services, certain manufacturing) require specific licenses. A local business attorney or accountant can confirm requirements. |
| Schedule annual report filing | Annual report filing deadlines for the state of incorporation and state of operations are calendared. A responsible party is assigned. | Failure to file annual reports can result in the company losing good standing, which may block certain legal transactions. This is easy to miss and easy to automate. |
| Implement accounting software | An accounting platform is active and configured for the company: chart of accounts established, bank account linked, and opening entries recorded. QuickBooks, Wave, or equivalent. | Founders who delay this until things get busier end up reconstructing months of transactions during due diligence. Setup takes a few hours; reconstruction can take weeks. |
| Assign bookkeeping responsibility | A named individual (founder, part-time bookkeeper, or accountant) is responsible for maintaining financial records. Frequency of reconciliation is defined. | This task is not complete if the answer is “we'll figure it out.” Someone must own this. For very early companies, a monthly reconciliation cadence with a part-time bookkeeper is usually sufficient. |
| Secure general liability insurance | A general liability policy is in force. Certificate of insurance is available. Coverage limits are appropriate for the company's activities. | Coverage needs vary by activity type. A $1M/$2M general liability policy is typical for early-stage companies. An independent insurance broker familiar with startups can find appropriate coverage efficiently. |
| Evaluate directors and officers (D&O) insurance | The company has assessed whether D&O coverage is needed given its current board and advisor composition. If outside directors or advisors serve, a policy is in place or is being obtained. | D&O coverage is not always needed at formation but should be evaluated before recruiting outside board members or advisors. The absence of D&O can make it difficult to attract qualified outside directors. |
| Register payroll accounts (if hiring) | If the company is compensating employees (including founders on salary), payroll accounts are registered with the IRS and state. A payroll service or platform is in place. | Payroll tax obligations are not optional and attach immediately. Using a payroll platform (Gusto, Rippling, or equivalent) from the first paycheck eliminates most compliance risk and cost. |
| Establish document storage system | A defined system exists for storing and organizing company documents: formation documents, contracts, financial records, and correspondence. Access controls are in place. | “It's in my email” is not document storage. A shared drive with folder structure and named ownership is the minimum. For companies handling sensitive technical data, additional security may be required. |
| Secure email domain and implement password manager | The company has a professional email domain (not @gmail or @yahoo). A password manager is in use for all company accounts and credentials. | A professional email domain is inexpensive and signals legitimacy to partners, investors, and customers. Password manager adoption prevents credential loss when team members change. |
Federal R&D Track
Apply these tasks when the company anticipates SBIR/STTR funding, government contracts, or DOD work. If the Federal R&D flag was set in the General Introduction, all items below are required. It is also useful to discuss the use of foreign-born, non-US citizens in the context of government contracts; establishing protocols when foreign nationals are in the company is important. These tasks are not optional for companies on this track, and several have significant lead-time requirements.
| Task | “Done” Looks Like | Key Risk / Timing |
|---|---|---|
| Register in SAM.gov | System for Award Management (SAM.gov) registration is initiated and, ideally, completed. Active registration status is confirmed. Registration renewal date is calendared (annual renewal required). | CRITICAL TIMING: SAM.gov registration must be active before any federal proposal can be submitted. Processing takes 2–6 weeks. Initiate immediately upon entity formation, BEFORE a specific opportunity is identified. Annual renewal is required and lapses are common. |
| Obtain CAGE code | Commercial and Government Entity (CAGE) code is assigned. CAGE code is documented and available for use in proposals and contracts. | CAGE codes are issued through SAM.gov registration automatically for new domestic entities. Confirm the code is active and matches the registered entity name and address exactly. |
| Confirm UEI number | Unique Entity Identifier (UEI) from SAM.gov is confirmed and recorded. This replaces the legacy DUNS number for all federal submissions. | UEI is assigned during SAM.gov registration. Confirm it is the number used on all federal submissions (not the retired DUNS). |
| Register for SBIR/STTR programs | Company is registered in the Small Business Innovation Research (SBIR) and Small Business Technology Transfer (STTR) program portals relevant to target agencies (SBIR.gov, agency-specific portals). | Registration requirements vary by agency. NSF, NIH, DOD, NASA, and DOE each have distinct submission portals. Confirm which agencies are relevant to the company's technology and register accordingly. |
| Assess CMMC level requirements (DOD) | If DOD contracts or subcontracts are anticipated, the required CMMC level has been assessed. A compliance pathway and estimated timeline are documented. | CMMC Level 1 (basic cyber hygiene) is self-attestable. Level 2 may require a third-party assessment (C3PAO) and can take 6–18 months to achieve. Do not assume compliance is achievable quickly and self-certified. |
| Evaluate NIST 800-171 compliance needs | If the company will handle Controlled Unclassified Information (CUI), NIST 800-171 compliance requirements have been assessed. A System Security Plan (SSP) is initiated. | NIST 800-171 underpins CMMC Level 2. Begin assessment early; full implementation can take months and may require outside consultants. |
| Assess export control (ITAR/EAR) exposure | The company has determined whether its technology, products, or services are subject to the International Traffic in Arms Regulations (ITAR) or Export Administration Regulations (EAR). If subject to either, an export control compliance policy is in place and a responsible individual is designated. Foreign national participation (employees, advisors, collaborators) has been reviewed against deemed export requirements. | ITAR violations carry severe civil and criminal penalties and are strictly enforced. “We didn't know” is not a defense. The deemed export rule means sharing controlled technical data with a foreign national inside the US requires the same authorization as exporting it abroad. Academic spinouts with foreign-national co-founders, graduate-student employees, or international research collaborators are particularly exposed. Engage export control counsel before hiring or sharing technical data broadly. |
Completion Gate
This module is the one founders are most tempted to treat as low-stakes administrative work, yet failure to properly address these considerations is most likely to directly block revenue. A founder who misses the SAM.gov registration window loses a grant opportunity. A founder who hasn't opened a business bank account can't receive a payment cleanly. A founder without a certificate of insurance can't execute a partnership agreement. The tasks here are individually simple; the goal is to make sure none of them get deferred until they become urgent.
- EIN is obtained and saved.
- A dedicated business bank account is open, no personal funds commingled.
- Accounting software is active and configured.
- General liability insurance is in force.
- A document storage system and professional email domain are in place.
- [Federal R&D Track] SAM.gov registration is active and CAGE code is confirmed.
- [Federal R&D Track] SBIR/STTR program registrations are complete for target agencies.
- [Federal R&D Track] CMMC and ITAR compliance pathway is assessed if DOD contracts are anticipated.