Three federal contractors sharing one address and one expiration date isn't proof of anything. It's a flag.
The flag matters because most compliance officers, when they search SAM.gov for a specific UEI, see one entity at a time. They learn a vendor's status — active or expired, suspended in rare cases — but never see the address-level neighborhood that vendor sits in. Concentration patterns surface that neighborhood. The pattern shows you geography plus timing: at this address, three or more SAM-registered federal contractors share both a physical location and a registration renewal date.
The pattern can emerge for a handful of reasons, several of them mundane. Skipping past it without inspection is one mistake. Treating it as conclusive evidence of anything specific is the opposite mistake.
This article walks through what the pattern actually is, why it emerges, what it can tell a compliance team or a PTAC counselor, and — equally important — what it cannot.
What the pattern actually is
Convergence Data Analytics processes 2,684,826 SAM.gov entity registrations and groups them by normalized physical address. Address normalization means stripping suite numbers, expanding abbreviations (RD becomes ROAD, ST becomes STREET), and matching entities that sit at the same physical building even when they list different suite or unit designators.
When three or more uniquely named federal contractor entities share the same normalized address, that becomes a cluster. The current data identifies 69,336 such clusters — meaning roughly 14% of all SAM-registered entity addresses sit in a building that contains at least two other federally registered contractors. The remaining 86% are at addresses unique to a single entity.
Most clusters are small. Of the 69,336 clusters, 33,669 contain exactly 3 entities. Another 13,171 contain 4. Together, those two buckets account for 68% of all clusters. Median cluster size is 4 entities. The 95th percentile sits at 13. The 99th percentile sits at 27. There are 26 clusters that hold 100 or more co-located entities, and a single largest cluster of 325 entities at one normalized address.
Concentration adds a temporal layer. Within a cluster, you can ask a sharper question: of these co-located entities, do any three or more share an identical SAM expiration date? When the answer is yes, that's a concentration finding. There are 4,015 such findings across the database — about 6% of clusters have at least one. The rest of the clusters have entities at the same address but with renewal dates spread across the calendar year.
The methodology is mechanical. It doesn't read intent. It identifies pattern.
That distinction matters more than it sounds. A clustering algorithm running on public records can tell you with high confidence that 8 contractors share an address and 4 of them renew on the same day. It cannot tell you whether those 4 share a registered agent, are subsidiaries of a common parent, or simply submitted their initial SAM registrations in the same week three years ago and have been on synchronized renewal cycles ever since. The pattern shape is identical. The underlying business reality varies.
Why patterns emerge
A few mundane explanations cover most concentration findings.
The most common is registered agent or virtual office services. Many small federal contractors register their SAM addresses at corporate-services providers — companies that exist specifically to host registered addresses for businesses operating from anywhere geographically. A single such address can legitimately host hundreds of unrelated small businesses, each filing taxes and renewing SAM from elsewhere. When several happen to renew SAM in the same week, the cluster lights up with a concentration finding. Nothing untoward is happening — the address is a service provider's headquarters.
This pattern is genuinely common. All 26 of the clusters in the database with 100 or more co-located entities share this profile. Most are corporate-services addresses or virtual offices. Two are lobby addresses of major business-park buildings with hundreds of suite numbers that get stripped during normalization.
The second pattern is parent-subsidiary registration. A holding company registers all its subsidiary LLCs at the parent's headquarters. Each subsidiary gets its own SAM registration with its own UEI and legal name. The parent's compliance team handles all renewals on a single cycle, so the subsidiaries expire on the same day. This is correct and expected — not a flag of anything except the parent's organizational structure.
A third explanation is coordinated submissions through a shared compliance vendor. Small contractors often use the same SAM-registration consultancies — there are perhaps a dozen prominent firms specializing in this. If one consultancy onboards 5 clients in a given week, those 5 SAM registrations may complete on the same day, share a renewal cycle, and three years later renew together. The clients have no business relationship with each other. They share a vendor.
The fourth, and most analytically interesting, is pure coincidence at scale. With 2.68 million entities and roughly 365 possible expiration dates, statistical clustering is mathematically inevitable. A typical large-cluster address with 30 entities will produce some shared expiration dates by chance alone. The expected number of coincidences increases with cluster size in a predictable way, and most concentration findings inside clusters with 30+ entities have a meaningful coincidence component.
These reasons can coexist. A virtual-office address might have 40 unrelated entities (corporate-services pattern), 3 of which are subsidiaries of a shared parent (parent-subsidiary), 2 of which used the same compliance vendor. The data layer cannot tease these apart. Human investigation can.
What this means for due diligence
Concentration patterns are best treated as one input to investigation, not a conclusion.
For a compliance officer reviewing a subcontractor proposal, the workflow looks something like this. Receive proposal. Check the proposed subcontractor's SAM status directly at SAM.gov, which is still the authoritative source for real-time registration state. If the work is meaningful enough to warrant deeper review, check whether the subcontractor's address sits in a cluster with concentration findings. If yes, that's a prompt to investigate the cluster — not a verdict.
What does investigation look like? Reading the entity roster at the cluster, noting whether the names suggest related parties (similar legal-name keywords, common officer surnames if available through other sources), checking exclusion records for any of the co-located entities, and forming a judgment about whether the cluster's pattern is innocuous (virtual office) or warrants further questions (apparent shell-company patterns, identical contact information across supposedly unrelated entities, set-aside thresholds being approached suspiciously closely).
Most clusters investigate cleanly. Compliance teams that adopt cluster-aware workflows — anecdotally, this isn't a controlled study — report that the largest gain isn't catching wrongdoing. It's faster confidence on subcontractors whose addresses look unusual at first glance but whose cluster context explains the pattern. A small contractor at "1234 Main Street, Suite 200" looks suspicious when you see they're 1 of 47 entities at that address. Five seconds of cluster context tells you 1234 Main Street is a corporate-services provider you've encountered before in vendor screening — the contractor is fine.
The genuine flags are rare. A cluster where the entity roster looks designed to fragment a single underlying business across multiple SAM registrations — to qualify for set-aside award limits, for instance — is the kind of pattern the methodology can identify the geography of, even if it can't prove the intent. The methodology surfaces the addresses worth a second look.
PTAC and APEX Accelerator counselors tend to use concentration patterns differently. Their question is rarely "is this contractor suspicious." It's "are my clients on synchronized renewal cycles in ways that affect coordination outreach." A counselor with 30 small business clients in a state who realizes 6 of them sit in the same cluster with the same renewal date can plan a single coordinated check-in 60 days before that date. Different question, same data.
The pattern also surfaces something more subtle. With 51 jurisdictions in the database, the top 10 states by cluster count account for 57% of all clusters. The federal contractor base is structurally clustered in some states and distributed in others. Compliance teams in concentrated states see more clusters in their workflows. Compliance teams in distributed states see fewer. The methodology surfaces this as a side effect of where contractors actually concentrate.
Methodology limitations
Some things the analysis genuinely cannot tell you.
The methodology cannot determine whether two co-located entities are related parties. The data layer sees legal names and UEIs. Common ownership requires Secretary of State filings, IRS records, or other sources outside SAM.gov. CDA's reports flag the pattern; they don't claim relationship.
Intent is also outside the data's reach. A cluster with 4 contractors sharing a renewal date might be 4 subsidiaries of a parent (legitimate), 4 unrelated entities sharing a registered agent (also legitimate), or 4 fragments of a single business gaming set-aside thresholds (a problem). The methodology produces the same flag in all three cases. Which one applies is a question for a qualified investigator with access to non-public information.
Frequency of misuse is similarly outside scope. The 4,015 concentration findings in the database almost certainly represent overwhelmingly mundane patterns. Some small fraction may warrant deeper investigation. The methodology doesn't claim to estimate that fraction. Compliance teams that use the data treat it as a screening filter, not a prevalence estimate.
For authoritative status, SAM.gov remains the source of record. CDA's data refreshes on a schedule. SAM.gov is real-time. A vendor flagged as concentration-relevant in CDA's analysis might have updated their address yesterday. Authoritative point-in-time verification belongs at SAM.gov, always.
These limitations aren't disclaimers in the legal sense. They're the analytical shape of the methodology. A pattern-detection layer running on bulk public records produces fast, repeatable, and auditable signals. It doesn't produce conclusions. Treating its outputs as conclusions inverts what the methodology is good at.
The honest version of "what does this report tell you" is: where to look more carefully. Not what you'll find when you do.
Where this leaves a compliance team
The pattern is most useful for teams whose workflow already involves vendor screening at scale. For a team checking 5 subcontractors a year, the marginal cost of cluster-aware due diligence may exceed the value. For a team checking 50, the math reverses.
Concentration findings aren't claims about specific contractors. They're geography that compresses investigation time when investigation is warranted, and surfaces calendar coordination opportunities when it isn't. The same data point answers compliance and operational questions, depending on the team's role.
The full per-state breakdown of address clusters and concentration findings lives in CDA's State Risk Landscape Reports. The Missouri report is available free as a sample — a way to see the methodology applied to real data before deciding whether the analysis fits a workflow.