On October 25, 2019, the Department of Defense (“DoD”) issued an award of its $10 billion Joint Enterprise Defense Infrastructure (“JEDI”) cloud computing contract to Microsoft, beating out Amazon Web Services (“AWS”), the long-time favorite to receive the award. DoD’s decision has come as a shock to most federal procurement experts and cloud service providers (“CSPs”), as many believed JEDI was tailor-made for AWS based on the contract’s advanced technical standards, as well as its stringent security certification requirements. The contract’s rigorous security criteria, an ongoing issue of contention between government contractors bidding on the contract, ultimately removed many offerors early on from the competition (including Oracle), which left Microsoft and Amazon in a winner-take-all battle to control the Pentagon’s cloud computing for years to come. For more on the JEDI contract, please also see Lauren Brier’s recent interview on Government Matters.
Although Amazon may hold the DoD’s highest data management certification, Microsoft recently became authorized to perform services at the Federal Risk and Authorization Management Program (“FedRAMP”) high-impact level, which significantly improved their standing at the time of source selection. FedRAMP is a federal program established back in 2011 that provides a uniform approach to security assessment, authorization, and continuous monitoring of cloud products and services used by the federal government. CSPs interested in selling their cloud services to the federal government should obtain a FedRAMP authorization, where FedRAMP will authorize a CSP’s cloud service offerings (“CSOs”) on a level of low-, moderate-, or high-impact level, with high being used for the Government’s most sensitive, unclassified data in cloud environments.
Despite Microsoft’s completion of this more stringent federal certification process, those who have been watching this procurement closely since its inception have now shifted their focus to the President. It is no secret that President Trump dislikes AWS, and its Chief Executive Officer, Jeff Bezos. However, more recently, it has been alleged that the President attempted to interfere in the JEDI source selection process, asking former Defense Secretary Mattis to “screw” AWS out of the contract (SOURCE: October 23, 2019, Washington Post). This allegation of improper influence provides AWS with enough ammunition to file a likely protest of the DoD’s decision to award JEDI to Microsoft and stay contract performance, especially as an election year approaches. Additionally, since AWS likely has information demonstrating its advanced technical offerings surpassing Microsoft’s capabilities, AWS is primed to challenge the source selection committee’s decision to go with Microsoft.
AWS will have 5 days from the receipt of its debriefing from DoD to file a protest with the Government Accountability Office (“GAO”) if it wants an automatic stay in Microsoft’s performance. Once the protest is filed with GAO, GAO will then have 100 days to issue a final decision on the protest. The other option is for AWS to file its protest in the Court of Federal Claims (“COFC”). Although protests at the Court are not subject to the same expedited timeline as before the GAO and therefore do not automatically receive stays of contract performance, AWS can file a motion for temporary restraining order and preliminary injunction to stay Microsoft’s performance while the Court presides over the protest.
Understanding that AWS has been the more dominant cloud provider, controlling around 45% of the cloud computing industry, it will not come as a surprise if AWS decides to protest the DoD’s decision in the next few days. Unfortunately for all parties, the controversy surrounding this procurement is ongoing, and will likely not abate until AWS has explored every legal avenue challenging the DoD’s unexpected decision.