The JEDI Contract: A Layered Story

For the DOD, getting the right work on contract is a difficult task. Acquisition chief Ellen Lord wanted to get time from Request for Proposal to Contract Award down from 2½ years to one. The JEDI cloud computing contract, worth up to $10 billion over ten years, wanted to do that in four months.

Naturally, the JEDI contract is delayed. But the story has several interesting components, so let’s go through them.

First, the relations between Google and the DOD are “fraught,” as former DepSecDef Bob Work said. Google pulled out of the competition. In their official statement, they wrote:

“… we are not bidding on the JEDI contract because first, we couldn’t be assured that it would align with our AI Principles and second, we determined that there were portions of the contract that were out of scope with our current government certifications.”

Bob Work pointed out that the JEDI contract is for cloud infrastructure; its primary purpose is not to hurt people. But at industry day in March 2018, there was a lot of talk about the cloud’s purpose of increasing “lethality”.

While the original tenets of JEDI appeared to be mostly about a consolidated cloud infrastructure, the DOD rejected a lot of bidders’ proposals to that effect. The DOD wants a “large data lake to provide for machine learning and artificial intelligence.”

Nevertheless, Bob Work called Google’s actions the “height of hypocrisy” because they continue to build a search engine for China that meets its standards for surveillance.

Another subplot of the story is the allegations of misconduct by SecDef Mattis’ former aide, Sally Donnelly.

“All of the reports highlight Sally Donnelly, whose consulting firm worked for Amazon Web Services before she served as senior advisor to the secretary of defense, essentially Mattis’ right hand, during his first year on the job. They raise questions about whether she received payments from AWS for steering the Defense Department to custom-tailor the JEDI requirements.” 

Pentagon spokespeople fired back that neither Donnelly nor Mattis had any part in shaping the contract requirements. This is likely true, but surely the CIA’s cloud experience with AWS served some role in framing the objectives and thus implying solutions, if only unconsciously.

A related thread is the rise of contract protests in the DOD.

Lawyers are brought in earlier and earlier. If even one piece of the source selection process isn’t met, the whole thing can be protested and re-competed. In August, Microsoft successfully protested a Navy cloud contract awarded to AWS.

In this case, Oracle and IBM have filed pre-award protests on the JEDI contract. They found that a sole-source provider for cloud computing is not the way to go, limiting competition for the various missions and locking in a single solution.

Earlier on, the understanding was that JEDI would be a consolidated solution. Ellen Lord said that “We are, no kidding, right now writing the contract to get everything moved to one cloud to begin with and then go from there.” 

But since industry day, DepSecDef Patrick Shanahan has said that JEDI will only comprise 10-20% of DOD’s total cloud computing. So that’s definitely not a closed market. Further, there would be competition on the software applications on the cloud platform.

But how this squares with the idea of an “enterprise” solution isn’t clear. Eric Schmidt said: “Any military that fails to pursue enterprise wide cloud computing isn’t serious about winning future conflicts.” Will JEDI be scaled up to the entire DOD at some point?

(Real quick, let’s say that JEDI is $1 billion a year for 10% of the DOD’s cloud computing. That makes a $10 billion a year market in the defense cloud, about 1.6% of the DOD’s topline budget. Cross-check. There are over 500 cloud initiatives today. If we assume $10 billion spent annually, that makes $20 million per contract. Sounds reasonable.)

Another angle of this story is that JEDI reflects on the progress of acquisition reform.

JEDI was intended to engage non-traditional defense contractors from Silicon Valley like Google, Microsoft, and Amazon. Its contract attempted to move at the “speed of relevancy.” Its objectives were announced in September 2017. In March 2018 there was industry day, with Request for Proposals going out in May and Contract Award scheduled for September 2018.

The speed of the contract actually spooked bidders. Congress withheld half of JEDI funding in the FY 2019 NDAA unless the DOD promptly answers all its inquiries. As Daniel Goure pointed out:

“For the past five or six years, Congress has led the fight to reform the Pentagon’s slow, risk averse and costly acquisition system… So it is puzzling, at the very least, that on one of the most important technology issues confronting the DoD today – the migration to the cloud – Congress seems to be reverting to its old meddlesome ways.”

Yes, but the DOD is claiming that it needs an integrated enterprise solution. To get the benefits of consolidation, it needs to lock in an architecture. Because of the scale of the project chosen, the contract mechanism forces the DOD to specify its requirements exactly. A staid procurement man would say, “It fundamentally gets down to the requirements, requirements, requirements.” Otherwise, when problems occur the supplier can merely point to requirements change from the customer and shirk responsibility.

Perhaps the business efficiency of a single platform is not scalable to something like the DOD. Enterprise cloud computing, just like enterprise accounting, sounds only sensible. But we’ve been working toward an auditable DOD since 1955 without success!

Finally, we come to the most underreported aspect of this story, the regulations.

Google’s less-discussed reason for dropping out of JEDI is the lack of certifications. Bob Work shrugged that off, saying they simply had to get one security certificate: FedRAMP.

Now, I’m no expert, but it doesn’t sound so simple. FedRAMP’s website has forty documents on policies and procedures. These don’t seem so bad individually; each is only a handful of pages.

But FedRAMP is just GSA’s certification process implementing the NIST requirements, whose website has 20 references, each of which is often hundreds of pages long. Some take you to other websites with various supplemental material. We are really talking about thousands of pages of specific security regulations, which imply technical solutions or processes.

Figure: FedRAMP certification implements NIST requirements; the whole set of regulations contains thousands of pages.

This is my experience with DOD regulations. The primary regulation is relatively short. It then references other regulations, which reference forms, implementation guides, milspecs or specific IT instructions, and so forth. It becomes a spiderweb of information that sounded so plain and simple at first.

Perhaps it was this experience with byzantine processes that made Google think that the DOD’s business is not worth a fight with outspoken employees. After all, roughly $1 billion a year (and follow-on goodies) isn’t so strategically important to a firm the size of Google.

Maybe the size of the Chinese market makes it harder to put aside. I wonder whether Google will get caught in a Chinese spiderweb that lowers their expectations and causes them to pull out.
