Award Remains Cloudy: IBM Victorious in Protest Over CIA Computing Contract
July 12, 2013
By: Eric Whytsell
In a recent bid protest decision, IBM-U.S. Federal, B-407073.3 (Comp. Gen. June 6, 2013) (published June 14, 2013), GAO found that a four-year, $600 million CIA cloud computing contract was wrongly awarded to Amazon over IBM and other bidders. The decision was based on the agency’s relaxation of security terms during post-solicitation negotiations with Amazon and its failure to evaluate price on a comparable basis. GAO recommended that competition be reopened and that the agency can amend the RFP consistent with its decision.
Cloud computing provides access to a shared pool of computing resources with less need for oversight because of its capability to increase or decrease IT capacity to match the demands of its users. The CIA sought this capability in order to increase the potential for the sharing and coordinated analysis of intelligence between the CIA, NSA, and other members of the intelligence community.
Bids were to be evaluated based on four factors: (1) technical/management; (2) past performance; (3) security, evaluated on a pass/fail basis; and (4) price. Notably, Amazon’s proposed price was $13.5 million per year higher than that of IBM. However, the CIA’s source selection authority found that Amazon’s superior technical approach outweighed IBM’s price advantage.
IBM’s first protest ground related to a provision regarding software certification that read in part:
The Contractor certifies that it will… ensure that any software to be provided… will be provided… free from computer virus, which could damage, destroy, or maliciously alter software, firmware, or hardware.
During post-award negotiations, Amazon offered a modification to that language saying that only software “developed and provided” by Amazon would be subject to this certification. The agency agreed to this modification. This modification is significant because Amazon’s bid contains provisions for using third-party and open-source software created by other developers. The CIA admitted that it did not consider what impact the change in language might have; instead, CIA claimed that it still believed Amazon was certifying all software and didn’t realize what might result from the alteration. GAO found that this change altered a material requirement of the solicitation and had been allowed for Amazon without the same opportunity being given to the other bidders.
IBM’s second protest ground involved the CIA’s price evaluation of one of the RFP’s price scenarios. IBM complained that the scenario as presented was ambiguous and that the agency had not provided an adequate response when IBM asked for clarification. GAO found that the agency lacked sufficient information to evaluate the bids on a common basis with respect to the contested scenario.
Amazon Web Services, Amazon’s cloud computing service, is the largest provider of cloud services in the world, with an estimated $1.5 billion in revenue during 2012. It was authorized through the Federal Risk Authorization Management Program (FedRAMP) on May 20 of this year, becoming only the third cloud provider to receive this difficult-to-achieve security certification. Although Amazon Web Services already counts hundreds of federal, state, and local government agencies as customers, the magnitude of this potential deal with the CIA would be, by far, its largest and most prestigious government contracting project. Further, receiving such a large-scale contract in the intelligence community would provide better advertising for Amazon’s cloud security capabilities than any actual advertising could afford.
The CIA has yet to announce what corrective action it will take, if any, but competition is likely to be reopened given the issues raised by the GAO’s recommendation.
This article was drafted by Summer Associate Michael Samuels with assistance from attorneys Eric Whytsell and Katie Calogero.
© Jackson Kelly 2013