Slashdot Mirror
Is Amazon Rigging the Bidding For Massive Government Contracts? (vanityfair.com)
SpzToid quotes Vanity Fair:
The controversy involves a plan to move all of the Defense Department's data -- classified and unclassified -- on to the cloud. The information is currently strewn across some 400 centers, and the Pentagon's top brass believes that consolidating it into one cloud-based system, the way the CIA did in 2013, will make it more secure and accessible. That's why, on July 26, the Defense Department issued a request for proposals called JEDI, short for Joint Enterprise Defense Infrastructure. Whoever winds up landing the winner-take-all contract will be awarded $10 billion -- instantly becoming one of America's biggest federal contractors.
But when JEDI was issued, on the day Congress recessed for the summer, the deal appeared to be rigged in favor of a single provider: Amazon. According to insiders familiar with the 1,375-page request for proposal, the language contains a host of technical stipulations that only Amazon can meet, making it hard for other leading cloud-services providers to win -- or even apply for -- the contract. One provision, for instance, stipulates that bidders must already generate more than $2 billion a year in commercial cloud revenues -- a "bigger is better" requirement that rules out all but a few of Amazon's rivals... Much of the language of JEDI, in fact, seems specifically tailored for Jeff Bezos. "Everybody immediately knew that it was for Amazon," says a rival bidder who asked not to be named. To even make a bid, a provider must maintain a distance of at least 150 miles between its data centers and provide "32 GB of RAM" -- specifications that few providers other than Amazon can meet.
The article also cites last year's "so-called Amazon amendment, a provision buried in a defense authorization bill that will establish Amazon as the go-to portal for every online purchase the government makes -- some $53 billion every year." And it also notes that Amazon employs more than 100 lobbyists in Washington, and "has spent $67 million on lobbying since 2000 -- including more this year than Citigroup, JP Morgan Chase, and Wells Fargo combined."
The article says this controversy may be "a sign of how tech giants and Silicon Valley tycoons will dominate Washington for generations to come."
But when JEDI was issued, on the day Congress recessed for the summer, the deal appeared to be rigged in favor of a single provider: Amazon. According to insiders familiar with the 1,375-page request for proposal, the language contains a host of technical stipulations that only Amazon can meet, making it hard for other leading cloud-services providers to win -- or even apply for -- the contract. One provision, for instance, stipulates that bidders must already generate more than $2 billion a year in commercial cloud revenues -- a "bigger is better" requirement that rules out all but a few of Amazon's rivals... Much of the language of JEDI, in fact, seems specifically tailored for Jeff Bezos. "Everybody immediately knew that it was for Amazon," says a rival bidder who asked not to be named. To even make a bid, a provider must maintain a distance of at least 150 miles between its data centers and provide "32 GB of RAM" -- specifications that few providers other than Amazon can meet.
The article also cites last year's "so-called Amazon amendment, a provision buried in a defense authorization bill that will establish Amazon as the go-to portal for every online purchase the government makes -- some $53 billion every year." And it also notes that Amazon employs more than 100 lobbyists in Washington, and "has spent $67 million on lobbying since 2000 -- including more this year than Citigroup, JP Morgan Chase, and Wells Fargo combined."
The article says this controversy may be "a sign of how tech giants and Silicon Valley tycoons will dominate Washington for generations to come."
The existing defense-oriented government data centres can easily support a really large open stack instance, which provides a more secure option that trusting a single vendor.
(In previous lives, I've worked with both Open Stack and with the Solaris side of the U.S. Defense Department's server farms: what I propose is child's play for them. Other departments? Maybe so, maybe not.)
davecb@spamcop.net
Just fill it to over-flowing and "we'll see what happens".
Here's a different view:
In the past several months, a private investigative firm has been shopping around to Washington reporters a 100-plus-page dossier raising the specter of corruption on the part of senior Defense Department and private company officials in the competition for the JEDI cloud contract. But at least some of the dossier's conclusions do not stand up to close scrutiny.
https://www.defenseone.com/tec...
There are already 200+ providers that are 800-37 compliant, or are in the process of getting products authorized. The DoD has 47 vendors on there. AWS has 184 authorizations, MS has 86; they are the top 2.
I suspect once Trump groks this, he will FREAK out. He seems to have a huge amount of hatred for Amazon, so I would expect him just ordering the DoD to not do this if AWS is going to be the provider...not sure if he will have any other solutions.
Personally, I think anything that falls under 800-53 should NOT be outsourced in any way; you can't properly lock down the underlying AWS; you don't have access to their actual infrastructure. How would you audit that all the switches that your data travels across have the proper DoD login banners, or restricting SNMP by IP address? Maybe they already do all this; but a "small breach" could become "keys to the kingdom" to a huge amount of information.
Amazon was the *first* to pass the FedRAMP High test, and first to get approved on all 5 non-classified DISA Impact Levels back in 2014, but is by no means still the only.
Amazon, Microsoft, Oracle, and CSRA are all approved at FedRAMP High levels. For DISA Impact Level 5, the above list is also joined by IBM and possibly others.
Learning HOW to think is more important than learning WHAT to think.
This does not apply here. DoD requires an air-gapped cloud that has no connectivity with the public Internet. Amazon already operates such a "region" for the CIA.
The "must already have $2B in revenues" is a little sketchy.
These two don't seem particularly discriminatory: Data centers 150 miles or more apart is something every cloud provider of any significance already has. Maybe not every data center is 150 miles from every other, but Amazon doesn't have that either. 32gb ram virtual servers is trivially added for anyone who didn't have it -- the physical servers backing the VMs often have 1TB ram or more.
Here's what really cuts out almost everybody: Amazon has a virtual networking system (VPCs) with their cloud product that allows for complex security infrastructures with VMs behind multiple layers of protection devices. Most cloud providers offer VMs plugged directly in to the Internet. Period.
Moderating "-1, Disagree" is simple censorship. Have the guts to post your opinion.
Speaking as a federal employee - it’s incredibly difficult to just buy what you need. In business you find a provider and initiate a contract. In government, there are a ridiculous number of steps that make this impossible, all in the name of ensuring we cannot send a sweetheart deal to a relative or etc. This means it is not possible to just buy, say, a Dell computer, we have to propose a computer buy and specify what we need and let a reseller bid. We “save money” by buying the exact same Dell from a reseller who bought it from Dell to sell it to us. I am still 100% unclear how that can possibly be cheaper, but the reseller meets the requirement to be minority owned or Veteran owned or what have you, so hooray.
What happens in many cases when you have a very specific need is that multiple resellers will jump in and insist that they can provide what you want, when in fact they cannot. We spent about a year researching software for a very specific need and settled on one service that did what we wanted; during the bidding, several other providers (which we had specifically rejected during our fact-finding) popped up and insisted they could do things that their software clearly was not capable of doing. The contracting agents don’t have the background to know this. They just see a vendor saying “we can do this for way cheaper” without realizing that “way cheaper” is only possible because the service lacks 50% of what we need it to do.
Writing an “open bid” contract in such a way that only one vendor really can match the need is the simplest, fastest way around this mess, and unless/until the federal contracting and acquisition system is fixed, this will continue to happen. Everyone on the inside knows it happens, and honestly every once in a while some other vendor actually CAN meet the requirements, so it is as fair as we can make it without wasting everyone’s time and your tax dollars.
Tl;dr: if it looks suspiciously specific it’s intentional, and likely so for a damn good reason. We’d save a lot more cash if we just accepted some level of graft once in a while.
(Don’t get me started on the “approved” vendor site we have to use for most smaller buys; imagine Amazon if coded by Microsoft in 1996, where everything you buy that claims to be “new” is actually remanufactured, “name brand genuine” shows up as a knock-off, and once we actually got a device show up with European voltage requirements even though it stated repeatedly that it took 115v. Damn thing wouldn’t turn on with our puny American voltage and we had to fight to return it.)