GSA Loses $2.5 Billion Cloud Contract Fight - InformationWeek

GSA Loses $2.5 Billion Cloud Contract Fight

The end result may let the feds require U.S.-only, government-only clouds.

The General Services Administration lost a dispute Monday over a $2.5 billion cloud email contract and, as a result, may have to go back to the drawing board for part of its proposal. However, in the process, the Government Accountability Office, which decided the dispute, may have given federal agencies leeway to require U.S.-only, government-only clouds in order to meet agency needs.

The dispute arises out of a $2.5 billion May request for quotations (RFQ) for a government-wide contract vehicle for cloud email that had been championed by former federal CIO Vivek Kundra, among others, with the aim of consolidating federal government email systems and driving cloud adoption. The Obama administration has been a strong supporter of government agencies' move toward cloud computing as a way to increase efficiency and cut costs.

The May RFQ limited the location of data center facilities hosting the services to the United States and a list of other countries, limited certain offerings to clouds that had only government tenants, and required that the services meet other security requirements.

On the eve of the closure of the request for quotations, two small Microsoft resellers, Technosource and True Tandem, filed protests over several contract terms. Onix Networking and Unisys, both of which are associated with Google, later intervened in the case.

Technosource and True Tandem made three arguments: first, that the data center location restriction was "unnecessarily restrictive of competition;" second, that the requirement that the cloud be limited to government clients was also unnecessarily restrictive and "exceed[ed] the government's needs;" and third, that a requirement that government-only email not be routed through external networks was ambiguous (the GAO sustained this last aspect of the protest).

It appears from the decision that GSA had wanted to require hosting of the email data in a U.S. data center, but the U.S. Trade Representative's office advised the GSA that limiting the hosting to U.S.-only data centers was too restrictive of free trade. While GSA felt that requiring data centers be located in the United States didn't run afoul of trade agreements, it decided to go along nonetheless.

According to the GAO decision, GSA decided that it would permit the data to be hosted in one of a list of countries, but not America's political enemies and rivals such as China, Iran, North Korea, and Cuba. GSA's justifications for this action included security concerns and an argument that the government needs to know the location of providers' data centers. "To state that data centers can be located anywhere in the world would be irresponsible," GSA said in a response to the GAO, according to the decision.

The GSA's need to know data center location could be fulfilled by requiring a contractual obligation that vendors identify their data center locations, the GAO said, not by limiting data centers to certain countries. It also determined that the GSA had appeared to arbitrarily draw limits, allowing data to be hosted in countries like Yemen where security concerns would be high while disallowing it in lower-risk countries like India.

Thus, the GAO found that the GSA's location-based restrictions were unreasonable and failed "to withstand logical scrutiny." However, while GAO decided that the GSA acted arbitrarily, the decision in no way forecloses the possibility of U.S. hosting-only requirements in cloud contracts, as the GAO even explicitly suggested there might be justification for requiring data to be hosted only in the United States.

The GAO upheld the government's restrictions of possible co-tenants to other government agencies. The auditor agreed that multi-tenant cloud environments carry unique risks and a government-only cloud model "can present a meaningful security distinction" and is thus a justifiable option for agencies looking for increased security in their cloud offerings.

"An examination [of risk] may lead to the consideration of risks presented by co-tenancy of agency data with the data of, for example, potentially hostile foreign entities," the GAO wrote. "Limiting a cloud to U.S. government entities insulate[s] government entities from being unnecessarily exposed to threats by co-tenancy with actors which may join a public cloud specifically to exploit their co-tenancy status in order to obtain or corrupt government data."

While GAO decisions are not technically binding on federal agencies, GAO recommendations are almost universally implemented, according to data from the GAO and Congressional Research Service. GAO is the auditing arm of Congress, and agencies are cognizant of the fact that if they do not follow GAO recommendations, they could see budgets slashed and money for projects cut off.

The GAO decision follows closely on the heels of another fight between Microsoft and Google over cloud contracts. Google recently dropped a case against the Department of the Interior after the federal agency said it would withdraw a contract that Google had alleged unfairly favored Microsoft cloud services.
