CIA cloud program awarded; CISA cyber program under protest

Editor’s Note: The CIA confirmed it made awards under C2E on Nov. 20.  A CIA spokeswoman said, “We are excited to work with the multiple industry partners awarded the Intelligence Community Commercial Cloud Enterprise (C2E) cloud service provider contract and look forward to utilizing, alongside our IC colleagues, the expanded cloud capabilities resulting from this diversified partnership.”

The CIA’s next-generation cloud contract seems ready for primetime. The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency’s governmentwide shared service faces its first big challenge.

These are two of the major story lines you should be following in the federal acquisition community.

Let’s start with the “breaking news”— multiple sources say the CIA awarded its C2E cloud computing contract to five vendors: Amazon Web Services, Google, IBM, Microsoft and Oracle.

The CIA, AWS, Microsoft and IBM declined to comment. A Google federal spokesperson said they would look into it and never got back to me.

If you want to read the tea leaves a little with me, generally speaking agencies and companies don’t decline to comment if a rumor isn’t true. They will just tell you it’s not true.

Second, it’s very likely the CIA told the companies not to talk about C2E until all the pieces are in place to announce the awards.

And third, given the Defense Department’s experience with the JEDI cloud contract, it would make sense for the CIA to be extra careful in how they roll out C2E.

As a reminder, the Commercial Cloud Enterprise’s (C2E) program objective is to “acquire cloud computing services directly from commercial cloud service providers …” at all three security impact levels. The spy agency is looking for vendors to provide infrastructure-as-a-service capabilities as well as support services. Bloomberg Government estimates the C2E contract could be worth $10 billion over 10 years.

The CIA released the draft solicitation in February and made the awards in October. As compared to DoD’s JEDI, which is now pushing three years since the Pentagon released the first draft request for proposals, it seems the CIA ran the acquisition with the speed and certainty needed to meet their goals.

The CIA cloud contract builds on its success of the C2S program, which was a single award to AWS back in 2013, which was worth a reported $600 million over 10 years.

With C2E, the CIA recognized the benefits of a multi-cloud environment, which continues to baffle many in industry why DoD continues to pursue JEDI’s single award approach.

But JEDI aside, the CIA still could face a protest as sources say one bidder didn’t make the cut. And yes, that protest could hang up C2E for years. Let’s just hope for all our sakes, the CIA procurement experts did their jobs well and they don’t face the craziness of JEDI. At least the CIA seemed to be smart enough to understand the optics of a single award.

CISA faces protest

Meanwhile, over at CISA, the first shared service under the Quality Service Management Office (QSMO), a vulnerability disclosure platform (VDP), is facing its first real challenge.

HackerOne filed a protest with the Government Accountability Office over CISA, and the General Services Administration’s, which is acting as the procurement arm, award to EnDyna to create VDP service offering.

GSA awarded the women-owned small business a five-year, $13 million contract in early October. Under the contract, EnDyna will create a centralized database that agencies can use to report, discover and take actions against cyber threat information. The QSMO will offer the platform as a shared service so agencies can meet the September Binding Operational Directive (BOD) calling for the use of a VDP platform.

“We believe the security of our national cyber infrastructure depends significantly on the efforts of security researchers. CISA’s requirements are clear on what they need in a vendor to support this bold initiative,” a HackerOne spokesperson said in an email to Federal News Network. “We can confirm that we have filed a protest challenging the award to EnDyna to ensure eligibility requirements to carry out this vital task are fully met, and that the vendor selected can support the work CISA is entrusting them to do.”

HackerOne filed the protest on Oct. 9 and is challenging the evaluation and arguing that the awardee should have been rejected.

Details are sparse about the protest. GSA said it couldn’t comment on the protest due to ongoing litigation.

In many ways, EnDyna winning this award was a bit of an upset. HackerOne has run several bug bounty programs across the Defense Department and GSA’s Technology Transformation Service (TTS) since at least 2016.

Cloud solicitation delayed

Keeping with the theme of this roundup, industry will have to wait a bit longer for another cloud contract.

DoD announced on Oct. 22 that it will release the final solicitation for the cloud contract for the Fourth Estate agencies, called the Defense Enclave Services (DES), later than it initially wanted.

In a notice on beta.sam.gov, DoD says the final RFP has been pushed to mid-late first quarter of fiscal 2021, meaning sometime in late November or December — happy holidays, industry!

The Defense Information Systems Agency released the draft solicitation in August for what it estimates will be an $11.7 billion contract over the next 10 years. DISA plans to use a single-vendor indefinite delivery, indefinite quantity (IDIQ) approach to, over the next decade, bring together the networks and commodity IT of the 14 defense agencies, including the Defense Logistics Agency, the Defense Finance and Accounting Service and the Defense Health Agency. DoD expects to save about $170 million from the Fourth Estate consolidation initiative.

DHS, meanwhile, issued a draft RFP for data center and cloud optimization support services.

Comments on the draft solicitation are due by Nov. 5, and DHS said a final RFP is expected in early December. The agency then would make awards by mid-March.

Another reason for industry not to take vacation in December.

“The purpose of this requirement is to acquire contractor support for the operation, maintenance, automation, optimization and modernization of the DHS hybrid cloud environment (HCE) and to offer an efficient, responsive information technology (IT) hosting environment that serves as the foundation for continued computing operations in support of the DHS mission,” the draft RFP states. “The HCE shall include unclassified and classified IT infrastructure, applications and data. The contractor shall provide data center-based hosting and IaaS obtained from both commercial and government cloud service provider (CSP) service offerings. The contractor shall provide professional services to support application operation, migration, and operations and maintenance (O&M) orders. The contractor shall provide customer service including an introduction to HCE environments and services for DHS customers.”

Karen Evans, the DHS chief information officer, said in late September at an event sponsored by ACT-IAC, that she met with the agencywide CIO council about what the priorities are over the next year.

“We are really looking at different business processes as possible use cases that allows for us to be able to really focus on the data center consolidation and cloud migration,” she said. “We are really more focused on specific business processes. What we are attempting to do, and what I’ve talked to the team about, is get technology agnostic. Some of the innovation comes around our ability to use data. It really doesn’t matter what platforms or technology you are using, it’s really the business process that we are supporting and the data we would collect as a result of that.”

She said the end goal is to get data to decision-makers regardless of the technology that underpins it.

Happy holidays industry

Along with the DHS and DISA cloud-related RFPs, two other large multiple-award solicitations are expected to come out in December.

Kathleen Sievers, a senior research manager for federal information solutions at Deltek, said on Friday at an event sponsored by Washington Technology, that the final RFPs for DHS’ FirstSource III and the National Institutes of Health’s CIO-SP4 are due out before the end of the calendar year.

Sievers said it could take up to a year for NIH to make awards under its $40 billion IT contract, while DHS could make awards under FirstSource III by March.

No surprise it’s going to be a busy next few months of contractors so sit back and enjoy the ride.

Related Stories

Comments

Sign up for breaking news alerts