US Government Accountability Office explains why it sustained Microsoft's protests over $10bn NSA contract
Not so much JEDI lightsabers, more magic WANDS
The US Government Accountability Office (GAO) has revealed why it upheld Microsoft's challenge over the award of a $10bn National Security Agency (NSA) cloud contract to arch-rival AWS.
Microsoft's protest concerned a procurement named WILDANDSTORMY (WANDS), won by AWS in August. On 29 October the GAO sustained the protest, but declined to explain what bits of the NSA's evaluation it had deemed unreasonable, citing worries about classified information. Instead, it recommended the NSA think again as well as review the decision for sensitive information.
This week, the GAO published the reasoning [PDF] for its decision. Though it dismissed objections from Microsoft about the evaluation of prices and management by the NSA, the GAO did have sympathy with a protest suggesting the NSA "unreasonably evaluated [the] offerors' technical proposals."
Thus Microsoft's accusation "that the agency's evaluation of proposals and resulting award decision were improper" was supported.
While complaints from Microsoft were batted away regarding what it contended was "an 'unannounced preference' for dedicated, as compared to multi-tenant, cloud services", the GAO agreed that "the significant weakness assigned to its [the NSA's] technical proposal regarding the security authorization process for new service offerings was unreasonable."
Microsoft had explained its approach for maintaining parity between WANDS services and commercial services, and how it would introduce new services, a classic process described as "onboarding."
However, the NSA's evaluators took exception to this and stated: "The Offeror identifies that DISA [Defense Information Systems Agency] is the authorizing agent for the Azure Government Unclassified region under a contract unrelated to WANDS, and establishes a process that would require all services that are deployed to the Azure Top Secret cloud to first be deployed to the Azure Government Unclassified cloud."
In a nutshell, the evaluators were concerned that this would place DISA in the driving seat, and the NSA's own priorities might not be met. Using services designed to fulfil the needs of another government agency could end up not meeting the standards demanded by WANDS.
The GAO raised an eyebrow at this, first noting "the record reflects that there is no contract between Microsoft and DISA which requires DISA to approve Microsoft's new offerings."
Worse, the GAO went on, "the agency, in response to the Microsoft protest, now contends that it 'assumed,' or 'guessed,' that there was a contract between Microsoft and DISA because of the manner in which Microsoft proposed."
The NSA had failed to admit that there was guesswork at play in its evaluation, instead reporting "in no uncertain terms" the existence of such a contract.
The GAO also agreed with Microsoft's protest that network latency was not evaluated on a common basis.
And so the merry-go-round spins again. The proposals must be re-evaluated and a new source selection decision made.
Microsoft is also to be reimbursed for the costs incurred in making its protest and, should it win on the value stakes this time, the AWS contract is to be terminated. ®