Photographer: David Paul Morris/Bloomberg

Five Takeaways from GAO’s JEDI Decision Denying Oracle

November 30, 2018 Chris Cornillie

Security risks and concerns about excessive complexity were among the factors leading the Pentagon to choose a single-award contract for its Joint Enterprise Defense Infrastructure (JEDI) cloud contract, a Government Accountability Office ruling reveals.

The GAO on Nov. 19 published a 19-page decision ruling against Oracle Corp.’s JEDI bid protest, five days after issuing a news release explaining its decision.

GAO said that none of the three legal challenges raised by the Redwood Shores, Calif.-based database giant were supported. The government’s top watchdog ruled that the Defense Department’s decision to seek a single vendor for JEDI was consistent with federal acquisition regulations, that the department has provided reasonable support for certain JEDI requirements, and that there is no basis for claims of conflict of interest between the Pentagon and Oracle competitor Amazon Web Services LLC.

Bloomberg Government has analyzed the key issues raised by GAO’s decision to assess how they may affect the future of the JEDI acquisition and its upcoming legal challenges.

1. The Pentagon’s single-award approach was driven by concerns about limiting IT complexity.

In testimony before the GAO, Tim Van Name, deputy director of the Defense Digital Service (DDS), explained that the Pentagon’s departmentwide adoption of cloud computing would be “pretty technically complex,” citing the need to integrate a variety of legacy systems and bring the federal IT workforce up to speed on cloud computing.

“Doing that for a single solution provided to the Department by either a vendor or a team of vendors is a big lift already. Trying to do that for multiple solutions, with the Department operating as the integrator, would be exceedingly complex. And I don’t think we would be successful,” Van Name said.

The contracting officer overseeing JEDI, Chanda R. Brooks, determined that issuing multiple awards wouldn’t offer the Pentagon more favorable terms and pricing or provide benefits that would outweigh the costs of administering multiple contracts. According to Brooks, issuing multiple awards would “introduce technical complexity in a way that jeopardizes successful implementation and increases costs.”

2. The Pentagon determined that a single cloud would be more secure than a multi-cloud environment.

As experts have observed, when evaluating a single cloud against a multi-cloud environment, it’s necessary to weigh the risks of creating a single point of failure against that of multiplying the number of seams and access points, where cloud environments are most vulnerable.

The Pentagon determined that the multi-cloud approach posed the greater risk: “While security of data within a single cloud is largely standard and automatic, managing security and data accessibility between clouds creates seams that increase security risk,” Brooks wrote in her decision.

She said that moving data across clouds “requires complex manual configuration that is prone to human error and introduces security vulnerabilities” and that “systems in different clouds, even when designed to work together, require complex integration.”

3. The Pentagon plans to run 80 percent of its applications in JEDI.

The Pentagon’s goal “is for the JEDI Cloud to host 80 percent of current DoD applications,” according to a Sept. 24 memorandum. For months, defense officials have insisted that JEDI will be only one of several programs in its cloud ecosystem, albeit the biggest one. Though that may be the case, this is a clear signal of just how central JEDI is to the Defense Department’s IT strategy over the next decade.

What isn’t clear at this stage is which applications will be migrated to JEDI entirely, which ones will operate out of DOD-managed data centers or other cloud programs, and which ones will resemble a hybrid of the two – with government data residing on-premises and JEDI responsible for performing functions such as data analysis or backup. The Pentagon estimates that JEDI will represent about 20 percent of its IT infrastructure budget, according to a statement from spokeswoman Heather Babb.

4. GAO upheld the Pentagon’s ability to contract for services that haven’t been invented yet.

Oracle asserted that the Pentagon failed to comply with federal acquisition requirements requiring all single-award contracts worth more than $112 million to specify all services being delivered and offering them at firm fixed prices. The company stated that “because the RFP does not identify all of the specific tasks that may be performed,” it is impossible to offer a firm fixed price on them. This renders JEDI invalid, Oracle argued.

This raises an important question about the government’s acquisition of emerging technologies. With cloud computing a rapidly evolving field, it’s possible that by the end of JEDI’s 10-year lifespan, the winning vendor will deploy services that haven’t yet been invented. How can the Pentagon request firm fixed prices on services that don’t yet exist?

The Defense Department addressed the question by requiring bidders to submit a catalog of cloud services at firm fixed prices, while specifying that any new service added to that catalog would also need to be set at a firm fixed price equivalent to what it charges its commercial customers. GAO upheld the Pentagon’s approach, concluding that Oracle’s argument “would effectively preclude the award of a significant portion of IDIQ contracts.”

5. The Pentagon investigated at least two individuals for conflicts of interest based on past interactions with Amazon Web Services.

The GAO report notes that the Pentagon identified two employees – referred to only as the ‘“Chief of Staff” and the “Digital Service Expert” – with potential conflicts of interest stemming from previous interactions with Amazon Web Services LLC, a company seen as a front-runner for JEDI. After investigating, however, contracting officials determined that neither one unduly influenced the JEDI procurement.

The Chief of Staff had been previously employed by Washington consulting firm SBD Advisors, which counted AWS among its top clients. Several reports suggested that former SBD employees, including the Chief of Staff, may have influenced the acquisition in AWS’s favor. However, defense officials concluded his role was “ministerial and perfunctory in nature” and that he did not participate in the decision-making process.

The Digital Service Expert had been employed by AWS prior to his role with DDS, where he performed market research on potential JEDI competitors. He recused himself from JEDI activities in October 2017 and was subsequently rehired by AWS. Oracle argued that he might have provided AWS with nonpublic information that could give it a competitive edge.

GAO affirmed the Pentagon’s conclusion that there was no evidence of bias. However, GAO asserted that Oracle had the right to revisit the matter in a post-award challenge to JEDI, “[i]n the event the agency’s subsequent actions provide a basis for protest.”

Chris Cornillie is a federal market analyst with Bloomberg Government.

To contact the analyst on this story: Chris Cornillie in Washington at ccornillie@bgov.com

To contact the editors responsible for this story: Daniel Snyder at dsnyder@bgov.com; Jodie Morris at jmorris@bgov.com

I am text block. Click edit button to change this text. Lorem ipsum dolor sit amet, consectetur adipiscing elit. Ut elit tellus, luctus nec ullamcorper mattis, pulvinar dapibus leo.

×
NEXT
FAA Competes $500 Million Flight Scheduling Technology Contract