10/19/2011
03:46 PM

GSA Loses $2.5 Billion Cloud Contract Fight

The end result may let the feds require U.S.-only, government-only clouds.

The General Services Administration lost a dispute Monday over a $2.5 billion cloud email contract and, as a result, may have to go back to the drawing board for part of its proposal. However, in the process, the Government Accountability Office, which decided the dispute, may have given federal agencies leeway to require U.S.-only, government-only clouds in order to meet agency needs.

The dispute arises out of a $2.5 billion May request for quotations (RFQ) for a government-wide contract vehicle for cloud email that had been championed by former federal CIO Vivek Kundra, among others, with the aim of consolidating federal government email systems and driving cloud adoption. The Obama administration has been a strong supporter of government agencies' move toward cloud computing as a way to increase efficiency and cut costs.

The May RFQ limited the location of data center facilities hosting the services to the United States and a list of other countries, limited certain offerings to clouds that had only government tenants, and required that the services meet other security requirements.

On the eve of the closure of the request for quotations, two small Microsoft resellers, Technosource and True Tandem, filed protests over several contract terms. Onix Networking and Unisys, both of whom are associated with Google, later intervened in the case.

Technosource and True Tandem made three arguments: first, that the data center location restriction was "unnecessarily restrictive of competition;" second, that the requirement that the cloud be limited to government clients was also unnecessarily restrictive and "exceed[ed] the government's needs;" and third, that a requirement that government-only email not be routed through external networks was ambiguous (the GAO sustained this last aspect of the protest).

It appears from the decision that GSA had wanted to require hosting of the email data in a U.S. data center, but the U.S. Trade Representative's office advised the GSA that limiting the hosting to U.S.-only data centers was too restrictive of free trade. While GSA felt that requiring data centers be located in the United States didn't run afoul of trade agreements, it decided to go along nonetheless.

According to the GAO decision, GSA decided that it would permit the data to be hosted in one of a list of countries, but not America's political enemies and rivals such as China, Iran, North Korea, and Cuba. GSA's justifications for this action included security concerns and an argument that the government needs to know the location of providers' data centers. "To state that data centers can be located anywhere in the world would be irresponsible," GSA said in a response to the GAO, according to the decision.

The GSA's need to know data center location could be fulfilled by requiring a contractual obligation that vendors identify their data center locations, the GAO said, not by limiting data centers to certain countries. It also determined that the GSA had appeared to draw limits arbitrarily, allowing data to be hosted in countries like Yemen where security concerns would be high while disallowing it in lower-risk countries like India.

Thus, the GAO found that the GSA's location-based restrictions were unreasonable and failed "to withstand logical scrutiny." However, while GAO decided that the GSA acted arbitrarily, the decision in no way forecloses the possibility of U.S. hosting-only requirements in cloud contracts, as the GAO even explicitly suggested there might be justification for requiring data to be hosted only in the United States.

The GAO upheld the government's restrictions of possible co-tenants to other government agencies. The auditor agreed that multi-tenant cloud environments carry unique risks and a government-only cloud model "can present a meaningful security distinction" and is thus a justifiable option for agencies looking for increased security in their cloud offerings.

"An examination [of risk] may lead to the consideration of risks presented by co-tenancy of agency data with the data of, for example, potentially hostile foreign entities," the GAO wrote. "Limiting a cloud to U.S. government entities insulate[s] government entities from being unnecessarily exposed to threats by co-tenancy with actors which may join a public cloud specifically to exploit their co-tenancy status in order to obtain or corrupt government data."

While GAO decisions are not technically binding on federal agencies, GAO recommendations are almost universally implemented, according to data from the GAO and Congressional Research Service. GAO is the auditing arm of Congress, and agencies are cognizant of the fact that if they do not follow GAO recommendations, they could see budgets slashed and money for projects cut off.

The GAO decision follows closely on the heels of another fight between Microsoft and Google over cloud contracts. Google recently dropped a case against the Department of the Interior after the federal agency said it would withdraw a contract that Google had alleged unfairly favored Microsoft cloud services.

Comments
magicjack,
User Rank: Apprentice
10/20/2011 | 8:17:04 PM
re: GSA Loses $2.5 Billion Cloud Contract Fight
It's not just about creating jobs in some congressmen's states (though we all expect there is a bit of that). Dedicated facilities, private networks and even general location restrictions do not limit competition. Companies are free to build data centers in the US or other designated countries if they wish.

The US has the 2nd highest average corporate tax rate, so even if labor costs were the same, it can be cheaper to send work offshore. Which seems to be the issue here - offshore companies knowing they can compete strongly on price if not in technical expertise or industrial knowledge. (In case you're wondering, Saudi Arabia has the highest corporate tax rate but it only applies to *foreign* companies, not their own companies). The high tax rate coupled with China being allowed to join WTO (in spite of human rights issues still continuing today) opened the floodgates of US job loss. Mind you, many of those jobs were/are low margin, and you see large IT companies shifting focus to the more highly skilled higher profit jobs/contracts - we've got to get our higher education system geared up to fill those needs.

Back closer to the original topic, we the people, should be requiring our data (not just the government's) to be secure in general. Data traversing public internet, whether your email, your medical records, your purchasing records, etc., even if encrypted, is exposed. With the kind of computer power available (remember the stories about cloud based hacking and how quickly and relatively cheaply things have been cracked?) encryption is no longer enough.
Hopefully intelligent informed consumers will start questioning their vendors and service providers if their information is truly protected, and if other parties have access to it. Maybe you trust the company you do business with, but they outsource to another company for some of their IT, which outsources and offshores your data amongst other companies. Any security lapse anywhere in the chain puts you at risk. Even data traversing "private" networks connected up multiple companies and shared infrastructure is at risk if someone infiltrates any of the organizations involved.
tzimmerman191,
User Rank: Apprentice
10/20/2011 | 7:30:25 PM
re: GSA Loses $2.5 Billion Cloud Contract Fight
Well, it makes sense to protect Government Data - when is everyone going to realize that there are Terrorist Governments - that are Hacking the U.S. govt to death...before we lose any more valuable U.S. government data all things "CLOUD" should undergo rigorous security testing and YES it does need to be in a secure data center that is "government only" - that is not anti competitive - that is PRO U.S. Policy -- the contractors who protested need to get it -- governments and hackers around the world are not our friends and no one cares about U.S. secrets or security. If a contractor doesn't want to play by the security rules--then we don't want them working for the U.S. Government - it isn't about fairness - it's about protecting our government data!