Recent DoD initiatives raise a consequential and far-reaching issue regarding the ability of the government to move from one commercial cloud vendor to another. As the Coalition for Government Procurement has stated in two previous blogs, for true innovation,

“A multiple award IDIQ approach that offers diversified solutions from the commercial market will facilitate a culture of experimentation, adoption, and risk-taking and increase the speed of technology development and procurement, as envisioned by the recent cloud acceleration memorandum by Deputy Secretary of Defense Patrick Shanahan.”

In contrast, a single-award DoD Enterprise Cloud Acquisition contract would risk locking DoD in to a single approach.

In the FAR & Beyond blog from two weeks ago, the Coalition discussed the recent posting of an Air Force Justification and Approval (J&A) for Other than Full and Open Competition to acquire web services in support of Air Force development and test initiatives.  We noted that the J&A, if not internally inconsistent, (i) lacked detail; (ii) did not conform to statutory requirements; (iii) was akin to pre-selecting the awardee before competing the requirement; and, (iv) by its own terms, provided an example of cloud vendor lock-in. Vendor lock-in is a risk for potential cloud customers generally, and a significant risk for an entity charged with securing our nation.  We concluded that DoD’s actions are raising more questions than they are answering, especially considering a recent DoD Request for Information on enterprise-wide cloud services that telegraphed a preference for a single-source, single cloud.  (Since then, a news report indicated that the J&A was withdrawn.)

Now comes word that DoD’s Defense Innovation Unit Experimental (DIUx) recently issued a Brand Name Justification for a $2,771,600.00 firm fixed-price contract to procure Amazon Web Services (AWS) GovCloud.  You may recall that DIUx’s mission is to engage commercial companies to help DoD address various technological challenges.  Here, DIUx needed “to host data in a cloud. To perform this function, DIUx require[d] a cloud solution provider to solve internal and customer focused problems[.]”

DIUx found that two cloud services providers, AWS GovCloud and Microsoft Azure, had the relevant certifications needed for this effort.  Without much explanation, it stated that “AWS GovCloud’s ability to meet high compute demands for intense algorithm deployment for planned DIUx activities, is the additional feature which separates AWS GovCloud from Microsoft Azure.”  Further,

“Discussions with experts from Google, FFRDC, and DIUx have confirmed that Azure does not have compute power of AWS GovCloud. Additionally, DIUx is already leveraging AWS GovCloud for a series of its activities and to move from AWS GovCloud to another CSP would incur wasted effort and time for those activities. The gained benefit of moving to Microsoft Azure does not exist when one is compared to the other as AWS GovCloud is able to meet DIUx’s requirement.”

The DIUx Justification’s “IDENTIFICATION OF STATUTORY AUTHORITY” cites a regulation, FAR 16.505(a)(4)(i).  The scope of FAR Part 16.5 concerns “policies and procedures for making awards of indefinite-delivery contracts and establishes a preference for making multiple awards of indefinite-quantity contracts.”  See FAR 16.500(a).  It “does not limit the use of other than competitive procedures authorized by [FAR] Part 6.”  See FAR 16.500(b).  As noted above, the DIUx Justification states, “This action will be a firm-fixed-price contract with a total estimated value of $2,771,600.00.”  Thus, it appears, DIUx needed to assess/justify its decision to procure without the use of full and open competition under FAR Part 6.3, which implements 10 USC 2304, and which requires a much more substantial rationale for what is tantamount to a multi-million-dollar sole-source award than that set forth in the DIUx Justification.

In addition, DIUx’s discussions with “experts from Google, FFRDC, and DIUx” to determine the capability of vendors’ products appear to be somewhat attenuated.  Further explanation in the Justification’s section, “ANY OTHER FACTS SUPPORTING THE JUSTIFICATION,” states,

“Market research was conducted via interviews with IaaS/PaaS experts at Open Source Software Companies[,] such as[] Google, Pivotal Labs, Red Hat Openshift, MITRE, and MIT LL Offerings were evaluated based upon their ability to meet the needs of DIUx’s requirement.”

There is no mention of market research interviews with the vendor offering what DIUx identified as the only other product that can meet the certification requirements. It is odd not to include an acknowledgement of such a conversation in a Justification document and even odder, under these circumstances, to exclude a vendor from competing for government business without a conversation. From a contracting process standpoint, more detail around the market research process would help to allay concerns about the DIUx approach here.

Moreover, a comment in the Justification raises a serious and recurring concern about cloud vendor lock-in.  Specifically, DIUx stated,

“Additionally, DIUx is already leveraging AWS GovCloud for a series of its activities and to move from AWS GovCloud to another CSP would incur wasted effort and time for those activities.”

This issue is consequential and far-reaching.  If the ability to move from a commercial cloud vendor is stymied merely by initiating a business relationship for platform and infrastructure, and by poor planning, then a risk assessment is in order, especially when the risk implicates national security.

Multiple awards allow the government to reap the benefits derived from ongoing competitive forces of the market, which include access to continuing innovation. Creating uncertainty around the use of those forces risks signaling to innovators in our economy that their investments are best made in other sectors, putting our nation’s technological superiority in defense at risk.  To avoid the risks and associated unintended consequences of the issues discussed above, the Coalition offers to facilitate a dialogue to address and resolve the confusion in this area and promote DoD-vendor collaboration in maintaining a competitive environment that is open to continuing innovation as the department moves to the cloud.