A fight between Amazon Web Services and IBM U.S. Federal over a $600 million contract to provide cloud computing services to the Central Intelligence Agency gives a rare glimpse into the role of government contractors in supporting national security agencies.
In a decision made public today, the U.S. Government Accountability Office ruled that the contract was wrongly awarded to Amazon and instructed the CIA to re-open the bidding. The government was also asked to pay the attorney fees of IBM's lawyers at McKenna Long & Aldridge.
The dispute concerned a contract to provide “commercially-managed cloud computing services for the Intelligence Community,” according to the GAO decision by General Counsel Susan Poling. The ruling was issued June 6 and released today in a redacted form. Cloud computing delivers computing services via networks, with the potential to provide IT services more quickly and at a lower cost.
Under the CIA’s request for proposal, the contractor would provide a copy of its existing public cloud (modified where necessary) to be installed on government premises and operated by the contractor. The contractor would be responsible for networking, storage, servers and virtualization, according to the GAO, and the government would handle the operating system, middleware, runtime, data, applications, and other items.
The CIA also required that the cloud would provide “auto scaling”—that is, it would automatically scale computer resources up or down based on needs at a specific time. In addition, the CIA stipulated the cloud had to permit intelligence agencies to run their own applications.
Along with Amazon and IBM, AT&T Corp. and Microsoft Corp. also submitted proposals, which were due July 13, 2012. Soon after, AT&T and Microsoft filed bid protests, objecting to some of the qualification requirements, which the government subsequently changed.
The proposals were evaluated on four factors: (1) technical/management, (2) past performance, (3) security, and (4) price.
Security was graded on a pass/fail basis, but companies were evaluated on other criteria in a more nuanced way, earning scores ranging from marginal to exceptional.
In its protest, IBM complained that after picking Amazon, the CIA relaxed a material requirement of the solicitation—one that could lead to a breach of security.
Under the original request for proposal, the CIA said the contractor must certify “that it will undertake to ensure that any software to be provided . . . under this contract will be provided . . . free from computer virus, which could damage, destroy, or maliciously alter software, firmware, or hardware, or which could reveal to unauthorized persons any data or other information accessed through or processed by the software.”
But in post-selection negotiations, “Amazon proposed, and the agency accepted, modifying the above solicitation clause as follows: ‘The Sponsor agrees that ‘only software developed and provided by [Amazon] would be subject to this requirement.’”
The GAO continued, “This is significant because Amazon’s proposal contemplated the provision of third party and open-source software that is not developed by Amazon and thus would not fall within its modified certification.”
During the hearing, according to the GAO, the CIA admitted “it did not consider the impact of the modified language; it understood that Amazon was certifying all software and did not realize that the change might be a restriction on the certification.”
The GAO concluded that the CIA wrongly relaxed the requirement “without affording the other offerors an opportunity to propose to the modified requirements.”
IBM also successfully challenged the agency’s price evaluation under one of the solicitation’s price scenarios.
The CIA’s request for proposal stated, “This scenario centers around providing a hosting environment for applications which process vast amounts of information in [parallel] on large clusters (1000s of nodes) …. Assume a cluster large enough to process 100TB [terabytes] of raw input data.” IBM complained that aspects of the scenario were ambiguous and asked for clarification, but said it still didn’t get a clear answer, and that its pricing was wrongly adjusted.
“The record indicates that the agency lacked sufficient information to ensure that proposals were evaluated on a common basis,” the GAO found. “We find the price evaluation to be unreasonable.”
The GAO said the CIA should revise its proposal and reopen competition for the contract. “We further recommend that the agency conduct discussions with offerors, obtain and evaluate revised proposals, and make a new source selection decision,” the decision stated. “Finally, we recommend that the protester be reimbursed its costs of filing and pursuing the protest, including reasonable attorneys’ fees.”
Jason Carey, Luke Meier, Katherine John, Kevin Barnett, and John Sorrenti of McKenna represented IBM.
Amazon turned to Craig Holman, Kara Daniels, Lauren Schlanger, and Steffen G. Jacobsen of Arnold & Porter, while Edwin Doster, Avi Baldinger and Arthur Passar represented the CIA.
And I thought I was leery of committing my clients' information to the Cloud! Putting the CIA's information up there sounds to me like a hell of a lot of risk.
And $600 million for doing it, without even requiring that all the software be virus-free, sounds to me like a hell of a lot of money.
Am I just old, or is the CIA losing touch with reality?
Posted by: Avon | June 14, 2013 at 08:38 PM