The Government Accountability Office earlier this month found two key deficiencies in a cloud contract that the Central Intelligence Agency intended to award to Amazon Web Services. The GAO decision was prompted by a protest against the contract filed by IBM. GAO is the designated federal agency for handling challenges to federal contracts.
The proposed contract provides for commercially managed cloud computing services for the federal intelligence community with a maximum value of US$600 million over four years. However, the CIA failed to evaluate prices comparably under one of the contract’s pricing scenarios, GAO said.
The CIA also “waived only for Amazon” a portion of the security requirements dealing with software certification, according to a memo issued by Ralph White, managing associate general counsel for procurement law at GAO. However, the GAO rejected other IBM assertions, including the company’s claim that the CIA failed to properly evaluate Amazon’s past performance given certain outages that occurred with Amazon’s cloud service during 2012.
CIA Should Start Over
The CIA should reopen negotiations with the cloud providers, GAO recommended, amending the solicitation if necessary to ensure that proposals would be prepared and evaluated on a common basis.
At the conclusion of the re-evaluation, the CIA should make a new selection decision, GAO also recommended. The GAO sticks strictly to contract regulations in handling such cases.
“GAO’s decision expresses no view as to the merits of these firms’ respective proposals to provide commercial cloud computing services,” White said. Generally, agencies abide by GAO recommendations in resolving contract challenges.
As a result of the process, IBM appears to have gotten a second shot at the contract.
“We now anticipate the re-opening of the contract proposal process and look forward to competing for the opportunity to serve this important federal agency on this vital program,” the company said in a statement provided to the E-Commerce Times by IBM spokesperson Clint Roswell.
Amazon’s capabilities were the principal factors behind its selection by the CIA, the company said.
“Providing true cloud computing services to the intelligence community requires a transformative approach with superior technology. The CIA selected AWS based on its superior technological platform, which will allow the agency to rapidly innovate while delivering the confidence and security assurance needed for mission-critical systems,” AWS said in a statement provided to the E-Commerce Times by spokesperson Rena Lunak.
“The agency conducted a very detailed, thorough procurement that took many months to award. We look forward to a fast resolution of the two issues raised by the GAO so the agency can move forward with this important contract,” AWS said.
The CIA did acknowledge the contract challenge.
“At this time, the agency is reviewing details of the GAO decision,” CIA spokesperson Todd Ebitz told the E-Commerce Times.
Vendors and Cloud Security Issues
While the CIA contract review was disappointing for AWS, the company received some good news regarding its federal cloud marketing. The company was among three major IT players that recently qualified for acceptance in a cloud security initiative known as the Federal Risk and Authorization Management Program, or FedRAMP. The two others were Lockheed Martin and HP Enterprise Services.
FedRAMP is a standardized approach to cloud security authorization and monitoring that is designed to save the government money, time and staff by eliminating redundant agency security assessments. Once a cloud provider gets FedRAMP approval, it can use that certification to meet the basic security requirements for all federal agencies. Thus the agency and the provider do not have to go through separate and repetitive security procedures in the award of individual cloud contracts.
In mid-May, AWS obtained a FedRAMP “authority to operate” listing from the General Services Administration, which runs the program. AWS worked through the Department of Health and Human Services to obtain the authority. To qualify for FedRAMP status, cloud providers can either use the security procedures of a sponsoring federal agency or go through a clearance procedure operated by a GSA-sanctioned Joint Authorization Board.
“HHS’s authorization of Amazon’s cloud services using FedRAMP requirements ensures the security of government data and paves the way for other agencies in using secure cloud services,” said Matthew Goodrich, FedRAMP program manager.
GSA added Lockheed Martin and HP Enterprise Services to the FedRAMP roster in early June. It has taken GSA nearly two years to implement the process, and to date only five providers have gained FedRAMP status. This first group of approved providers comprises the pioneers in running the gauntlet of security examinations from a contingent of third-party assessment organizations and the Joint Authorization Board.
“Achieving FedRAMP certification was a six-month process for AWS, but this is a brand new program and the government is conducting new processes. GSA is being thorough, and AWS’ certification is testament to continued progress,” AWS’ Lunak told the E-Commerce Times.
“We are proud to have received the highest level FedRAMP authorization from the GSA Joint Authorization Board, and we’re one of the first companies to receive this level of authorization. We had a positive and highly professional experience with the board,” Jason Ni, program information security manager at Lockheed Martin, told the E-Commerce Times.
“As one of the first companies to go through the complete audit and JAB review, we were happy to work with the JAB to ensure they had everything they needed to do a thorough review,” he said.
Security Is an Evolving Process
While the FedRAMP process facilitates meeting the basic-level security requirements common to all federal agencies, each agency may have supplemental requirements as well. Thus another challenge for vendors is to be aware of security requirements beyond the FedRAMP program.
For example, the National Institute of Standards and Technology has been involved in preparing cloud security criteria, as well as issuing various guidance to assist federal agencies. In early June, NIST issued a draft “Cloud Computing Security Reference Architecture” guidance document for government IT managers.
When agencies first design cloud configurations, each agency “remains responsible for performing a risk assessment analysis, identifying all the security requirements for its cloud-based service, and for selecting the appropriate security controls before it consults FedRAMP’s secure repository of authorized cloud suppliers,” Michaela Iorga, chair of the NIST Cloud Computing Security Working Group, told the E-Commerce Times.
The objective of NIST’s document “is to demystify the process of selecting cloud-based services that best address an agency’s requirements in the most secure and efficient manner,” she said.
NIST is seeking comment on the draft from commercial cloud providers, federal agencies, and other interested parties by July 12.