NSA cloud contract in trouble after Microsoft’s successful protest



A National Security Agency cloud computing acquisition is in limbo after losing bidder Microsoft successfully challenged one of the source selection criteria. The case shows how agencies need to be careful, especially when price is not the main criterion. Smith Pachter McWhorter’s procurement attorney, Joe Petrillo, reviewed the case on Federal Drive with Tom Temin.

Tom Temin: And Joe, what happened here? It was another fierce competition between two companies that are always in fierce competition, namely Microsoft and Amazon.

Joseph Petrillo: Yes, absolutely. To set the stage, this is a National Security Agency contract for cloud computing services, both classified and unclassified. It’s a big contract. It’s a five-year contract with an option for five more years, worth hundreds of millions, if not billions, of dollars. And it was a best value buy with a non-price factor, as you mentioned, more important than price. And among non-pricing factors, technical and managerial factors were significantly more important than other non-pricing factors. After the evaluation was completed, Amazon Web Services dismissed Microsoft; they were rated superior in both technical and management factors. But Microsoft had a better price. The assessed price was 422 million for Microsoft and 482 million for Amazon Web Services. Supply, by the way, the program was called Wild and Stormy by the National Security Agency. So they kind of have a lively way of naming these things.

Tom Temin: Sounds like windy had stormy eyes or stormy had windy eyes. I forget that old song, but it reminds me of that old song from the 60s.

Joseph Petrillo: Well, maybe that’s what they thought. But regardless, it became a wild and stormy supply. During the protests, Microsoft raised a number of issues. One of them didn’t work. There was a difference between the two in which Amazon Web Services had offered a dedicated approach to meet the needs of the NSA. Microsoft, however, met the computing needs of the NSA with a system that worked for multiple users. So it was essentially a multi-tenant system.

Tom Temin: Multi-federal tenant or just multi-tenant?

Joseph Petrillo: It’s not clear in the decision.

Tom Temin: I get it.

Joseph Petrillo: But the question is whether Amazon’s approach of dedicating it was seen as an important discriminating factor between the proposals. And Microsoft said, but there was nothing in the evaluation criteria that said we were going to value that. The GAO decided that it was not a good matter of protest. And it said the distinction or difference between multi-tenant and dedicated services falls within the planning, execution and maintenance of all cloud service offerings. Thus, this type of fairly general umbrella, according to the GAO, is broad enough to allow specific discernment between a dedicated system and one that serves many users.

Tom Temin: We speak with Smith Pachter McWhorter’s procurement attorney, Joseph Petrillo. And it’s kind of surprising that Microsoft even offers a multi-tenant solution to something like the NSA, knowing what the toughest agency I can think of is even in the intelligence community when it comes to security. And so multi-tenancy has always been a problem for every federal agency. Microsoft was therefore not supported on this ground. What about the other field?

Joseph Petrillo: They were more successful in attacking a significant weakness that the NSA attributed to its proposal. One of the issues with the procurement was that the NSA wanted to try to achieve technical parity with commercial offerings. It was therefore concerned that when a new offering became available, it would be certified for classified and unclassified use by its users as quickly as possible so that they could take advantage of the enhancements available in the commercial market. Now, as you know, there are several different ways to certify cloud computing services. There’s the FedRAMP system, which is run jointly by Homeland Security and GSA. DISA does the same for most DoD agencies, and the NSA has its own process. And all of these processes distinguish between different levels of security, and some of them get quite granular by doing this. The way the NSA had read Microsoft’s proposal, they considered that DISA should approve new classified and unclassified service offerings before those offerings were sent to the NSA for approval. And it upset them. They wanted it in the queue sooner than that. Microsoft said, no, that’s not what we said at all. And the GAO read the proposal and agreed with Microsoft; they felt that the NSA had simply misread the proposal and made assumptions about the existence of a contract between Microsoft and DISA that could stand in the way of the approval.

Tom Temin: Alright, so Microsoft was rejected on one protest ground, supported on the other. So what did the GAO decide?

Joseph Petrillo: Well, there was another protest ground on which Microsoft won. And it was a latency issue. It seemed in the rating that Amazon Web Services had a faster system for communicating with the cloud service. This is called latency. And it depends on two factors. One is the physical distance between the data center and the NSA. And since everyone uses fiber optics, this factor relies solely on distance and physical distance, as signals travel the same distance through fiber optic cable.

Tom Temin: That’s right. In some cases, even the speed of light is too slow in these computer applications.

Joseph Petrillo: Exactly. And the other issue is how much extra time is added by the network equipment of the contractors, because there is some delay there. Amazon had apparently made its latency estimate using only physical distance. Microsoft, on the other hand, used physical distance, and included the lag caused by its network equipment. The NSA apparently didn’t discern this difference in the estimate and unfairly decided that Amazon had a faster system. GAO said, no, it’s not; it’s not an apples-to-apples comparison. And so you’ve based an important factor here on the misinterpretation of the proposition. Again, there were a bunch of other issues, but Microsoft didn’t prevail on any of them. The result of all this is that the protest was sustained on these two issues; they are important enough to require a re-evaluation of the proposals and a new award decision.

Tom Temin: And when this happens, are bidders allowed to revise their bids? So that, for example, the latency of all components between the data center and the agency is taken into account, etc.

Joseph Petrillo: Well, the GAO was not requiring a reopening of talks, which would include revising the offers. So maybe that’s not what’s happening. It’s up to the NSA to decide how to implement this. They may have valid reasons for wanting to reopen and re-evaluate the proposals. One of the issues, quite interestingly, that didn’t pass, although the GAO noted, the NSA should consider was that there was a question about how the assessed prices were developed and how they were assessed. They consisted of three sample job orders and then prices for five different SKUs. These were all totaled up, even though it looked like the reference prices, which were very low compared to the task order prices, in terms of actual performance, these reference prices would constitute much more of the total price. Somehow the rating system didn’t take that into account. And the NSA might want to fix that, but that would probably require a new round of proposals.

Tom Temin: Okay, so at this point the NSA is, as far as what happens next.

Joseph Petrillo: That’s right.

Tom Temin: Joe Petrillo is a procurement attorney at Smith Pachter McWhorter. Thank you very much for this analysis.

Joseph Petrillo: It’s my pleasure.

