The Pentagon released its long-awaited final solicitation for the Joint Enterprise Defense Infrastructure (JEDI) contract on Thursday, opting to stick with an approach that will award the massive cloud computing deal to a single vendor despite widespread concern among contractors and members of Congress.
The single-award indefinite-delivery/indefinite quantity contract is worth up to $10 billion over up to 10 years. Bids are due on Sept. 17; before that, DoD is offering vendors until Aug. 16 to schedule in-person sessions with procurement officials to answer questions about the RFP.
Insight by the Anomali: Justice Department, DODIN, DHS and IT-ISAC explore cyber threat intelligence in this free webinar.
“I am confident the JEDI Cloud RFP reflects the department’s unique and critical needs and employs the best standards of competitive pricing, innovation, and security,” Dana Deasy, the department’s chief information officer wrote in a letter to industry. “I am excited to be part of an initiative that will revolutionize how we fight and win wars.”
DoD had previously planned to issue the RFP in May, but delayed the solicitation after Deasy was appointed as the new CIO and given control over the department’s cloud projects, including JEDI. That delay had prompted some observers to speculate that the department was changing its strategy to accommodate a multiple-vendor approach to the ID/IQ contract.
Instead, the department issued a legal certification that allows it to bypass the government’s usual requirement to award task order ID/IQs to multiple companies.
The approach is justified by the fact that DoD will only be issuing firm, fixed-price task orders at rates that are established up front in the contract, Ellen Lord, the department’s undersecretary for acquisition and sustainment wrote in the document.
“To reflect the consistent downward trends in public cloud catalog pricing based on commercial competition, the contract automatically lower DoD’s prices when the contractor’s public commercial prices are lowered,” she wrote. “Moreover, to achieve commercial parity over time, the contract contemplates adding new or improved cloud services to the contract. The new services clause requires contracting officer approval for the addition of new services and includes mechanisms to ensure that the fixed unit price for the new service cannot be higher than the price that is publicly-available in the commercial marketplace in the continental United States.”
The contract also includes a list of “gate criteria” that vendors will have to satisfy before DoD will consider their proposals.
Among them, companies will need to show that their existing commercial cloud business is already so large that the work they would perform for DoD under the JEDI contract would not make up more than 50 percent of their cloud revenue.
Also, companies will have to earn security certifications under DoD’s cloud security requirements guide to show that they’re capable of safely storing and processing sensitive Defense data. They would be able to wait until after the contract award to satisfy some of those criteria. But prior to the award, they would, at a minimum, have to show that they already have at least three data centers in the U.S. that the government has certified with its “FedRAMP Moderate” criteria.
Congress has expressed repeated concerns with DoD’s acquisition strategy for JEDI during the Defense appropriations and authorization process this year, including in the 2019 Defense authorization bill the House passed on Thursday morning.
The bill withholds a portion of DoD’s funding for JEDI until the department submits a report on its overall strategy for cloud computing. Among the concerns lawmakers raised: that the department still does not have an adequate understanding of the types of computing services it can readily move to cloud environments.
“The conferees believe that workload analysis is critical to understanding migration feasibility and costs,” lawmakers wrote in a report accompanying the House-Senate agreement on the NDAA. “Especially where barriers stem from technical, intellectual property, and data rights issues that are poorly understood, such barriers may fundamentally limit the potential utility of commercial cloud services to the department.”
But in his Thursday letter, Deasy characterized the JEDI contract as only a “pathfinder” for the department’s broader cloud transition.
“We will take every advantage of learning from this effort to drive how DoD enables modern security practices and effective governance that still allows the flexibility to be innovative and keep pace with evolving technology,” he wrote. “We also expect to learn a lot about the best ways to do enterprise architecture in a modem, relevant manner. With the diversity of DoD’s mission, DoD will always have a multiple cloud environment, but we need to do better in applying an enterprise approach to that environment.”
Although the contract allows for a duration of up to 10 years, it’s far from certain that JEDI will actually last that long. The solicitation includes a base period of just two years, followed by several option periods that DoD may or may not exercise, and the contract only guarantees the winning vendor a minimum of $1 million in task orders.
It also requires the winning vendor to provide a “transition out” plan within 60 days after DoD requests it, if the department decides it needs to move its applications to another cloud vendor without a disruption in service.
“The Transition Out Plan shall provide recommendations on how account holders may efficiently extract their applications and user data in a manner that is consistent with the Portability Plan,” according to the contract. “The Transition Out Plan shall address the unclassified environment, classified environment, and tactical edge offerings separately. Further, the contractor shall explain the process to provide knowledge transfer to the cloud computing program office and include job shadowing for 109 up to 30 days, training, and other activities in order to successfully transition the environment to the new hosting environment.”
Defense officials said they had considered more than 1800 comments and questions from industry as they drew up the final solicitation, including more than 400 that vendors registered over the last three months.
But at least some vendors indicated befuddlement at how little the RFP had been changed compared to the most recent draft, despite months of feedback from companies and Congressional committees.
“Everyone who cares about this is digesting it right now, trying to reconcile how so little could have changed when multiple indicators said change was afoot,” said one industry source who asked not to be identified because he was not authorized to speak on his company’s behalf. “It’s hard to get around the fact that after the NDAA and appropriations bills expressed unambiguous concern, JEDI remains fundamentally unchanged…For anyone who does procurement politics, it doesn’t compute. Assuming everyone is a rational actor, how is this in DoD’s self-interest? It makes the already unhappy appropriators, who are still working on their bill, look ineffectual and disrespected. That doesn’t accelerate DoD’s move to the cloud. It’s a political escalation.”
Some large vendors, including IBM and Oracle, have publicly urged DoD to reconsider its single-award strategy, arguing that no large private-sector firm would consider such an approach in its own IT environment.
But that argument appears to be over.
“Throughout the JEDI cloud procurement process, we have attempted to share best practices based on IBM’s extensive cloud engagements with clients worldwide. The time for debate has now passed, and we look forward to submitting a competitive bid,” Sam Gordy, the general manager for IBM’s federal business said in a statement. “We appreciate the Pentagon’s need to move forward in the way it feels is in the best interests of the U.S. military.”