GSA Loses $2.5 Billion Cloud Contract Fight - InformationWeek

GSA Loses $2.5 Billion Cloud Contract Fight

The end result may let the feds require U.S.-only, government-only clouds.

The General Services Administration lost a dispute Monday over a $2.5 billion cloud email contract and, as a result, may have to go back to the drawing board for part of its proposal. However, in the process, the Government Accountability Office, which decided the dispute, may have given federal agencies leeway to require U.S.-only, government-only clouds in order to meet agency needs.

The dispute arises out of a $2.5 billion May request for quotations (RFQ) for a government-wide contract vehicle for cloud email that had been championed by former federal CIO Vivek Kundra, among others, with the aim of consolidating federal government email systems and driving cloud adoption. The Obama administration has been a strong supporter of government agencies' move toward cloud computing as a way to increase efficiency and cut costs.

The May RFQ limited the location of data center facilities hosting the services to the United States and a list of other countries, limited certain offerings to clouds that had only government tenants, and required that the services meet other security requirements.

On the eve of the closure of the request for quotations, two small Microsoft resellers, Technosource and True Tandem, filed protests over several contract terms. Onix Networking and Unisys, both of whom are associated with Google, later intervened in the case.

Technosource and True Tandem made three arguments: first, that the data center location restriction was "unnecessarily restrictive of competition;" second, that the requirement that the cloud be limited to government clients was also unnecessarily restrictive and "exceed[ed] the government's needs;" and third, that a requirement that government-only email not be routed through external networks was ambiguous (the GAO sustained this last aspect of the protest).

It appears from the decision that GSA had wanted to require hosting of the email data in a U.S. data center, but the U.S. Trade Representative's office advised the GSA that limiting the hosting to U.S.-only data centers was too restrictive of free trade. While GSA felt that requiring data centers be located in the United States didn't run afoul of trade agreements, it decided to go along nonetheless.

According to the GAO decision, GSA decided that it would permit the data to be hosted in one of a list of countries, but not America's political enemies and rivals such as China, Iran, North Korea, and Cuba. GSA's justifications for this action included security concerns and an argument that the government needs to know the location of providers' data centers. "To state that data centers can be located anywhere in the world would be irresponsible," GSA said in a response to the GAO, according to the decision.

The GSA's need to know data center location could be fulfilled by requiring a contractual obligation that vendors identify their data center locations, the GAO said, not by limiting data centers to certain countries. It also determined that the GSA had appeared to arbitrarily draw limits, allowing data to be hosted in countries like Yemen where security concerns would be high while disallowing it in lower-risk countries like India.

Thus, the GAO found that the GSA's location-based restrictions were unreasonable and failed "to withstand logical scrutiny." However, while GAO decided that the GSA acted arbitrarily, the decision in no way forecloses the possibility of U.S. hosting-only requirements in cloud contracts, as the GAO even explicitly suggested there might be justification for requiring data to be hosted only in the United States.

The GAO upheld the government's restrictions of possible co-tenants to other government agencies. The auditor agreed that multi-tenant cloud environments carry unique risks and a government-only cloud model "can present a meaningful security distinction" and is thus a justifiable option for agencies looking for increased security in their cloud offerings.

"An examination [of risk] may lead to the consideration of risks presented by co-tenancy of agency data with the data of, for example, potentially hostile foreign entities," the GAO wrote. "Limiting a cloud to U.S. government entities insulate[s] government entities from being unnecessarily exposed to threats by co-tenancy with actors which may join a public cloud specifically to exploit their co-tenancy status in order to obtain or corrupt government data."

While GAO decisions are not technically binding on federal agencies, GAO recommendations are almost universally implemented, according to data from the GAO and Congressional Research Service. GAO is the auditing arm of Congress, and agencies are cognizant of the fact that if they do not follow GAO recommendations, they could see budgets slashed and money for projects cut off.

The GAO decision follows closely on the heels of another fight between Microsoft and Google over cloud contracts. Google recently dropped a case against the Department of the Interior after the federal agency said it would withdraw a contract that Google had alleged unfairly favored Microsoft cloud services.

User Rank: Apprentice
10/20/2011 | 8:17:04 PM
re: GSA Loses $2.5 Billion Cloud Contract Fight
It's not just about creating jobs in some congressmen's states (though we all expect there is a bit of that). Dedicated facilities, private networks and even general location restrictions do not limit competition. Companies are free to build data centers in the US or other designated countries if they wish.

The US has the 2nd highest average corporate tax rate, so even if labor costs were the same, it can be cheaper to send work offshore. Which seems to be the issue here - offshore companies knowing they can compete strongly on price if not in technical expertise or industrial knowledge. (In case you're wondering, Saudi Arabia has the highest corporate tax rate but it only applies to *foreign* companies not their own companies). The high tax rate coupled with China being allowed to join WTO (in spite of human rights issues still continuing today) opened the floodgates of US job loss. Mind you, many of those jobs were/are low margin, and you see large IT companies shifting focus to the more highly skilled higher profit jobs/contracts - we've got to get our higher education system geared up to fill those needs.

Back closer to the original topic, we the people, should be requiring our data (not just the government's) to be secure in general. Data traversing public internet, whether your email, your medical records, your purchasing records, etc., even if encrypted is exposed. With the kind of computer power available (remember the stories about cloud based hacking and how quickly and relatively cheaply things have been cracked?) encryption is no longer enough.
Hopefully intelligent informed consumers will start questioning their vendors and service providers if their information is truly protected, and if other parties have access to it. Maybe you trust the company you do business with, but they outsource to another company for some of their IT, which outsources and offshores your data amongst other companies. Any security lapse anywhere in the chain puts you at risk. Even data traversing "private" networks connecting up multiple companies and shared infrastructure is at risk if someone infiltrates any of the organizations involved.
User Rank: Apprentice
10/20/2011 | 7:30:25 PM
re: GSA Loses $2.5 Billion Cloud Contract Fight
Well it makes sense to protect Government Data - when is everyone going to realize that there are Terrorist Governments - that are Hacking the U.S. govt to death...before we lose any more valuable U.S. government data all things "CLOUD" should undergo rigorous security testing and YES it does need to be in a secure data center that is "government only" - that is not anti competitive - that is PRO U.S. Policy -- the contractors who protested need to get it -- governments and hackers around the world are not our friends and no one cares about U.S. secrets or security. If a contractor doesn't want to play by the security rules--then we don't want them working for the U.S. Government - it isn't about fairness - it's about protecting our government data!