Federal IT Procurement Gone Awry | Citizens Against Government Waste

The WasteWatcher

The concept that federal information technology (IT) procurement should be technology and vendor neutral is among the best practices for federal government agencies.  However, when a large federal agency issues an exceptionally large cloud contract to a predetermined vendor for a specific technology solution without competitive bidding, such a contract is neither technology nor vendor neutral.  A Department of Defense (DOD) contract to fix its agency-wide cloud problem is such a case.

Following this entire escapade has been somewhat akin to a game of ping-pong.  On February 7, 2018, an announcement was made that REAN, a cloud integration service provider, was awarded a five-year contract with DOD for up to $950 million to streamline DOD’s cloud services.  An Amazon Web Services (AWS) partner, REAN was supposed to move the Pentagon’s computing systems to the cloud to allow the agency to innovate its IT systems more quickly.  However, on March 5, 2018, DOD announced that it would be scaling back the REAN contract following strong criticism over how it was awarded.  The Pentagon limited the scope of the contract and reduced the award to no more than $65 million.

DOD then issued a draft solicitation for the Joint Enterprise Defense Infrastructure (JEDI) Cloud procurement on March 7, 2018.  This solicitation also has inherent problems, since it clearly seeks a single cloud solution from only one vendor.  Given that part of the project has already been awarded to REAN for its AWS cloud solution, that platform will be used as the ultimate solution for all future cloud services without further investigating other possible vendors or solutions. 

Despite the Pentagon’s claim that JEDI is not a sole-source contract, by selecting one specific cloud service, the Pentagon has already decided which company will be provisioning the department’s cloud services for the foreseeable future.  A report in Bloomberg Government News estimates that this contract could be as much as $10 billion over the next 10 years.  That would be the largest IT contract in the history of the Pentagon, and would consolidate the DOD’s cloud business into a single vendor, which is problematic both in terms of good governance and national security. 

It seems highly likely that 18F and U.S. Digital Services had some influence over the Pentagon’s decision to seek a sole-source contract for its cloud services procurement.  These two Obama-era offices, particularly 18F, are not the best sources for such a recommendation.  On October 24, 2016, the General Services Administration’s Office of Inspector General (OIG) issued a report detailing several administrative problems with 18F.  The group has struggled financially since its launch in March 2014, and is operating at an increasing deficit level, with a net loss of $31.66 million from the time of its inception through the third quarter of fiscal year 2016.  

On February 21, 2017, the OIG issued another evaluation of 18F, this time focusing on IT security compliance.  18F failed to obtain proper authorization to operate information systems, which is required to operate in the GSA IT environment.  In one instance, 18F staff had integrated the online messaging and collaboration application “Slack” into their GSA Google Drives, creating a security vulnerability that was not discovered until March 2016.  In addition, while most federal agency cloud services must undergo strict compliance reviews to obtain authorization to operate through GSA’s FedRAMP process, 18F circumvented the GSA IT assessment and authorization process by creating and using its own security assessment and authorization process.

Members of Congress are now questioning the wisdom of DOD’s decision to procure JEDI services from a single vendor, and language in the fiscal year 2018 Omnibus appropriations bill indicates a reluctance to fund a project potentially spanning 10 years that would be operated by a single company.  The Omnibus bill demands answers from the agency within 60 days of passage as to the framework DOD proposes to use to “acquire cloud services, including standards, best practices, contract types, and exit strategies that would ensure government flexibility as requirements evolve.” 

While modernizing government IT systems is long overdue, federal agencies must proceed carefully, and ensure that the services they procure are competitively bid, vendor neutral, and provide the best value for the taxpayer.