GSA Loses $2.5 Billion Cloud Contract Fight

The end result may let the feds require U.S.-only, government-only clouds.
Top 20 Government Cloud Service Providers
(click image for larger view)
Slideshow: Top 20 Government Cloud Service Providers
The General Services Administration lost a dispute Monday over a $2.5 billion cloud email contract and, as a result, may have to go back to the drawing board for part of its proposal. However, in the process, the Government Accountability Office, which decided the dispute, may have given federal agencies leeway to require U.S.-only, government-only clouds in order to meet agency needs.

The dispute arises out of a $2.5 billion May request for quotations (RFQ) for a government-wide contract vehicle for cloud email that had been championed by former federal CIO Vivek Kundra, among others, with the aim of consolidating federal government email systems and driving cloud adoption. The Obama administration has been a strong supporter of government agencies' move toward cloud computing as a way to increase efficiency and cut costs.

The May RFQ limited the location of data center facilities hosting the services to the United States and a list of other countries, limited certain offerings to clouds that had only government tenants, and required that the services meet other security requirements.

[ Clouds are suppose to save money. That's important because Federal IT Budgets Flat Through 2017. ]

On the eve of the closure of the request for quotations, two small Microsoft resellers, Technosource and True Tandem, filed protests over several contract terms. Onix Networking and Unisys, both of whom are associated with Google, later intervened in the case.

Technosource and True Tandem made three arguments: first, that the data center location restriction was "unnecessarily restrictive of competition;" second, that the requirement that the cloud be limited to government clients was also unnecessarily restrictive and "exceed[ed] the government's needs;" and third, that a requirement that government-only email not be routed through external networks was ambiguous (the GAO sustained this last aspect of the protest).

It appears from the decision that GSA had wanted to require hosting of the email data in a U.S. data center, but the U.S. Trade Representative's office advised the GSA that limiting the hosting to U.S.-only data centers was too restrictive of free trade. While GSA felt that requiring data centers be located in the United States didn't run afoul of trade agreements, it decided to go along nonetheless.

According to the GAO decision, GSA decided that it would permit the data to be hosted in one of a list of countries, but not America's political enemies and rivals such as China, Iran, North Korea, and Cuba. GSA's justifications for this action included security concerns and an argument that the government needs to know the location of providers' data centers. "To state that data centers can be located anywhere in the world would be irresponsible," GSA said in a response to the GAO, according to the decision.

The GSA's need to know data center location could be fulfilled by requiring a contractual obligation that vendors identify their data center locations, The GAO said, not by limiting data centers to certain countries. It also determined that the GSA had appeared to arbitrarily draw limits, allowing data to be hosted in countries like Yemen where security concerns would be high while disallowing it in lower-risk countries like India.

Thus, the GAO found that the GSA's location-based restrictions were unreasonable and failed "to withstand logical scrutiny." However, while GAO decided that the GSA acted arbitrarily, the decision in no way forecloses the possibility of U.S. hosting-only requirements in cloud contracts, as the GAO even explicitly suggested there might be justification for requiring data to be hosted only in the United States.

The GAO upheld the government's restrictions of possible co-tenants to other government agencies. The auditor agreed that multi-tenant cloud environments carry unique risks and a government-only cloud model "can present a meaningful security distinction" and is thus a justifiable option for agencies looking for increased security in their cloud offerings.

"An examination [of risk] may lead to the consideration of risks presented by co-tenancy of agency data with the data of, for example, potentially hostile foreign entities," the GAO wrote. "Limiting a cloud to U.S. government entities insulate[s] government entities from being unnecessarily exposed to threats by co-tenancy with actors which may join a public cloud specifically to exploit their co-tenancy status in order to obtain or corrupt government data."

While GAO decisions are not technically binding on federal agencies, GAO recommendations are almost universally implemented, according to data from the GAO and Congressional Research Service. GAO is the auditing arm of Congress, and agencies are cognizant of the fact that if they do not follow GAO recommendations, they could see budgets slashed and money for projects cut off.

The GAO decision follows closely on the heels of another fight between Microsoft and Google over cloud contracts. Google recently dropped a case against the Department of the Interior after the federal agency said it would withdraw a contract that Google had alleged unfairly favored Microsoft cloud services.