In a decision [PDF] issued yesterday, a US public watchdog said the Library of Congress needs to stop asking contractors to supply brand-name-only commercial stuff for a five-year $150m cloud hosting contract.
Congress's library, which is a federal agency, had required that suppliers must offer Amazon, Google and Microsoft products - crucially, without providing any justification - to qualify for the $150m job lot, an indefinite-delivery, indefinite-quantity (IDIQ) contract.
The Library's IDIQ was published on 1 May, 2020 and Oracle and Big Red systems integrator Mythics filed their protests against it on June 1. The request for proposal (original here), according to the Government Accountability Office (GAO) decision, identified:
"[T]he name-brand products of three cloud services providers, Amazon Web Services, Google Cloud Platform and Microsoft Azure, and requires offerors to provide pricing for an enumerated list of 13 products or services available from these three firms."
The research library where Congresscritters and the American public alike can pore over bill texts - and whose librarian also selects first editions of important American cultural artefacts like The Godfather and seminal NWA album Straight Outta Compton - was said to have breached the Federal Acquisition Regulation (FAR - PDF) by insisting on brand name cloud.
The GAO found the library's emphasis on contractors' ability to provide specific commercial tech products was "unduly restrictive of competition", with the FAR regulations being meant to promote it.
The decision said "the FAR mandates that agencies include restrictive provisions only to the extent necessary to satisfy actual requirements".
We're 'soliciting cloud services through resellers' - are you a reseller?
The GAO was not persuaded by the LoC's earlier proposed amendments to its RFP, nor was it minded to accept the agency's attempt to get the Oracle protest (but not the Mythics one) dismissed because it was soliciting cloud services "through resellers (such as Mythics) as opposed to the actual cloud service providers (such as Oracle)".
It also failed to get the protests dismissed due to "corrective action" the Library proposed to make, with the GAO saying its proposals were "vague". Among other changes, the agency had offered to "modify the RFP to remove all references to brand names in connection with its requirement for IaaS" but said it would "continue to solicit its requirement for SaaS on a brand-name basis from Microsoft", which the GAO didn't think was adequate.
In its decision, the GAO noted:
These contracts, as modified, required the prime vendor contractors--private concerns rather than government agencies--to populate the master list with supplies that were selected by them, rather than with supplies that had been selected by the VA through, for example, the conduct of a competition to provide particular supplies...
The Library was told it could either rejig the RFP so it met FAR requirements - and give offerors the chance to respond to the revised document - or it could use the RFP "as issued", but then generate a few more reams of documentation from the Library "to support such a decision".
The GAO also recommended the LoC cough for Oracle's and Mythics' legal costs. Their lawyers will have 60 days to detail what those are - though you don't need verified name-brand software to figure out they totted up the sum ages ago. ®