D&A: 06062013 Amazon & GAO Cloud Services For The CIA
D&A: 06062013 Amazon & GAO Cloud Services For The CIA
Decision
Matter of: IBM-U.S. Federal
Jason A. Carey, Esq., Luke W. Meier, Esq., Katherine M. John, Esq., Kevin T.
Barnett, Esq., and John W. Sorrenti, Esq., McKenna Long & Aldridge LLP, for the
protester.
Craig A. Holman, Esq., Kara L. Daniels, Esq., Lauren J. Schlanger, Esq., and
Steffen G. Jacobsen, Esq., Arnold & Porter LLP, for Amazon Web Services, Inc., an
intervenor.
Edwin G. Doster, Esq., Avi M. Baldinger, Esq., and Arthur Passar, Esq., Central
Intelligence Agency, for the agency.
Paul E. Jordan, Esq., and David A. Ashen, Esq., Office of the General Counsel,
GAO, participated in the preparation of the decision.
DIGEST
IBM U.S. Federal (IBM), of Bethesda, Maryland, protests the Central Intelligence
Agency’s (CIA) award of a contract to Amazon Web Services, Inc., of Seattle,
Washington, under request for proposals (RFP) No. 2012-12041000001, for
commercial cloud services (C2S). IBM challenges the evaluation of proposals and
the selection decision.
BACKGROUND
The RFP contemplated the award, on a “best value” basis, of a single fixed-price
indefinite-delivery/indefinite-quantity (ID/IQ) contract for commercially-managed
cloud computing services for the Intelligence Community to be provided through
task orders. The contemplated ID/IQ contract was to include a 270-day period to
achieve initial operating capability, a 4-year base ordering period, a 3-year option,
and a 2-year option, with a maximum value of $600 million over the base period.
Here, the contractor generally was to provide a copy of its existing public cloud
(modified where necessary) to be installed on government premises and operated
by the provider. Performance is to include both: (1) infrastructure as a service, in
which the provider (contractor) is responsible for networking, storage, servers and
virtualization, and the consumers (government agencies) are responsible for the
operating system, middleware, runtime, data, and applications, System
Requirements Document (SRD) Fig. 2-2; and (2) platform as a service, which
encompasses the same components as infrastructure as a service, but only
applications and data are the responsibility of the consumer.1 Id.
1
The concepts of infrastructure as a service, and platform as a service are also
referenced in GAO’s audit work on cloud computing. Information Technology
Reform: Progress Made but Future Cloud Computing Efforts Should be Better
Planned, supra, at 4.
Five offerors, including IBM and Amazon, submitted proposals by the July 13, 2012,
closing time. Shortly thereafter, two offerors (AT&T Corporation and Microsoft
Corporation) filed protests with our Office challenging various aspects of the
mandatory qualification requirements, and a third offeror withdrew its proposal.
When the agency elected to take corrective action by amending the RFP to remove
the qualification language challenged in the protests, we dismissed both protests as
academic (B-407073, B-473073.2, Aug. 17, 2012).
The final consensus evaluation for IBM and Amazon was as follows:
Amazon IBM
Technical /Management
-- Technical Approach (Demo) Very Good Marginal
-- Technical Approach (Written) Exceptional Very Good
-- Service Level Agreements Very Good Satisfactory
-- Management Approach Satisfactory Very Good
Past Performance (confidence) High Moderate
Security Pass Pass
Proposed Price [deleted] [deleted]
Evaluated Price $148.06 million $93.9 million
Guaranteed Minimum [deleted] [deleted]
Overall Proposal Risk Low High
Based upon the above evaluation results, the source selection authority (SSA)
concluded that Amazon’s proposal represented the best value. In this regard, while
IBM’s proposal offered an evaluated [deleted] price advantage over 5 years, the
SSA concluded that this advantage was offset by Amazon’s superior technical
solution. SSD at 8.
DISCUSSION
IBM raises numerous challenges to the evaluation of its technical and price
proposals, the conduct of discussions (including the post-selection negotiations with
Amazon), and the evaluation of Amazon’s past performance. Based upon our
review of the record, we find for IBM on its challenges to the agency’s price
evaluation under one of the solicitation’s price scenarios, and the conduct of post-
selection negotiations. For these reasons we sustain the protest. We deny IBM’s
challenges to the agency’s evaluation of Amazon under the past performance
evaluation factor. We have considered all of IBM’s arguments and discuss the most
significant below.
As set forth above, offerors were required to address six notional scenarios.
Scenario 5, for data analytics, was identified as platform as a service (everything
but applications and data are the responsibility of the contractor), and included the
following description:
2
Duty cycle refers to the percentage of time a computer spends in an active state
as a fraction of the total duration. IBM First Supplemental Protest at 40. If the
duration is 1 year, a 100% duty cycle would cover 8,760 hours of time. COS at 33.
Pointing to the solicitation reference to a “100% duty cycle” and the pricing
instruction’s request for yearly prices, the agency explains, in its report and at the
hearing our Office conducted in this matter, that it was requesting under scenario 5
the prices for simultaneously running a large number of orders, each consisting of
100 TB of data, repeatedly throughout the year. COS at 28-29; Hearing Transcript
(Tr.) 269-71. Because IBM’s FPR price was based on a single run processing
100 TB of data, multiplied by the specified number of orders for the period (30 for
the first year), the agency used IBM’s proposed catalog pricing and the services
identified in its FPR for this scenario, to adjust the firm’s price to represent 1 year of
continual processing for each order.
IBM asserts that the agency’s adjustment of its scenario 5 price was unreasonable.
In this regard, IBM maintains that the agency imposed an unstated requirement that
each 100 TB data analytics unit provided under this scenario was to be continually
repeated throughout the entire year. In contrast, under the protester’s interpretation
(as reflected in its FPR), it was only required to propose a solution capable of
processing a single 100 TB data run with no specified duration. IBM First
Supplemental Protest at 40. IBM explains that it therefore proposed an “optimal”
price for a level of services (e.g., computer capacity) with a processing time of
approximately [deleted], which represented a single run of 100 TB of data.
Tr. at 410.
Are orders the number of new images of that scenario type that are
loaded to the image store/catalog in the year or are they the number
of instantiations/runs of that scenario type in a year?
Question/Answer No. 49. The agency responded that “[a]s outlined in the scenario,
the servers should be treated as operating on 100% duty cycle and should be
priced out as simultaneous orders.” Id.
Id.
Under our Bid Protest Regulations, a solicitation defect apparent on the face of the
solicitation must be protested prior to the time set for receipt of initial proposals or
quotations, when it is most practicable to take effective action against such defects.
4 C.F.R. § 21.2(a)(1) (2013). Furthermore, an offeror who chooses to compete
under a patently ambiguous solicitation does so at its own peril, and cannot later
complain when the agency proceeds in a way inconsistent with one of the possible
interpretations. Wackenhut Servs., Inc., B-276012.2, Sept. 1, 1998, 98-2 CPD ¶ 75
at 5; CardioMetrix, B-274585, Nov. 18, 1996, 96-2 CPD ¶ 190 at 3; Watchdog, Inc.,
B-258671, Feb. 13, 1995, 95-1 CPD ¶ 69 at 5.
Here, by its own actions, IBM evidenced its recognition that the scenario 5
instructions were ambiguous as to the frequency of the expected 100 TB data runs.
IBM requested clarification of the requirements in this regard and then, not having
received meaningful clarification, first adopted one interpretation (that is, continual
runs) in its initial proposal and then a different interpretation (a single run per order)
in its FPR. Having chosen to compete despite its recognition of the patently
ambiguous nature of the solicitation in this area, IBM cannot now complain when
the agency proceeds in a manner inconsistent with one of the possible
interpretations and adjusts IBM’s price to match the government’s (and Amazon’s
apparent) interpretation of the requirement. See, e.g., Wackenhut Servs., Inc.,
supra.
That said, while we view as untimely IBM’s challenge to the agency’s interpretation
that continual runs (100% duty cycle for 1 year) were required under scenario 5, its
challenge to the agency’s calculation of an evaluated price for scenario 5 is not
untimely.
Here, the record indicates that the agency lacked sufficient information to ensure
that proposals were evaluated on a common basis with respect to scenario 5. In
this regard, the agency attempted to ensure that offerors were evaluated on a
common basis with regard to scenario 5 by scaling IBM’s single-run price upwards
to equal one year of continual processing for each order. Generally, this resulted in
assuming that each IBM 100 TB data run, indicated by IBM to take [deleted], would
be repeated approximately [deleted] times in a year. Tr. at 361, 375.
However, while Amazon’s scenario 5 price indicated that it, like every other offeror
besides IBM, assumed repeated 100 TB data runs throughout the year, an agency
adviser to the price evaluation team (and author of scenario 5) testified that based
on the information in the proposal, the agency did not know how long a single
100 TB data run would take using Amazon’s proposed solution. Tr. at 314, 378.
Specifically, Amazon’s proposal made various assumptions about running 100 TB
data sets at “100% duty cycle” and “leveraging [its] [deleted],” and “priced [its]
[deleted]” instance type for 100% of the time, but it did not propose a specific time
for a single 100 TB data run. Amazon Proposal at VI-32-33. Thus, there was no
way from the information available concerning Amazon’s solution to ascertain how
many 100 TB data runs were included in Amazon’s scenario 5 pricing.
Further, the agency recognized that solutions (and prices) could vary based on the
makeup of virtual machines--the amount of locally available storage, the amount of
memory, the amount of virtual compute cores proposed--and how fast a unit
processes 100 TB of data, all of which would have an effect on performance,
including how many times a solution could process that amount of information in a
given period. Tr. at 344, 347. In this regard, while Amazon’s proposed scenario 5
solution included [deleted] compute units or [deleted] virtual cores (i.e., divisions
within the virtual computer available for separately processing information without
interfering with one another), IBM’s solution included [deleted] virtual cores;
[deleted]. Tr. at 386-88.
Post-Selection Negotiations
IBM asserts that in agreeing to this modification, the agency relaxed a material
requirement of the solicitation. The agency responds that post-selection
negotiations were contemplated by the RFP, RFP at 47 (“The Government intends
to select for final negotiations a contractor(s) resulting from this solicitation whose
proposal represents the best value . . . .”), and that this modification does not
represent a material change to the RFP’s requirements or Amazon’s obligations.
We disagree.
Here, the record indicates that the modification of the RFP clause to the negotiated
language materially reduced Amazon’s obligations from those imposed in the RFP.
In this regard, the RFP clause required the offeror to certify its undertaking to
ensure that “any software” provided will be virus free, while the modified language
covered “only software developed and provided” by Amazon. This is significant
because Amazon’s proposal contemplated the provision of third party and open-
source software that is not developed by Amazon and thus would not fall within its
modified certification. See, e.g., Amazon Proposal at 1-4,1-9 (“rich ecosystem of
. . . third-party security tools”), and at 1-13, 1-23, 1-26, 2-38 (proposed use of
“MySQL” and “Red Hat Enterprise Linux,” an open-source database and software
product, respectively).
During the hearing before our Office, the agency admitted that, at the time of the
post-selection negotiations, it did not consider the impact of the modified language;
it understood that Amazon was certifying all software and did not realize that the
change might be a restriction on the certification. Tr. at 486-88. Indeed, the
contracting officer testified that had the agency focused more closely on the
modification, it would have taken exception to the revision. Tr. at 502-03. Thus, the
hearing testimony suggested that the new language represented a material change
to the terms of the underlying competition.
Both at the hearing and in briefs filed after the hearing, however, the agency asserts
that this change was not significant because Amazon is still required to comply with
other provisions of its contract. For example, the agency points out that SRD
§ 3.13.2 required C2S infrastructure and services to be “assessed and authorized in
accordance with Intelligence Community Directive (ICD) 503 (reference 3),” which
provides for the agency to incorporate standards, policies, and guidelines issued by
the National Institute of Standards and Technology and the Committee on National
Security Systems (CNSS). Agency Post Hearing Comments at 20. One aspect of
these standards includes “malicious code protection,” and Amazon’s detailed
proposal to meet these requirements was incorporated into the contract.
Tr. at 470-72; Amazon System Security Plan, Appendix B-91--B-93.
In any case, the agency’s current position does not show that the modification was
not material. In this regard, the agency now contends that the only aspects not
covered by Amazon’s agreement to the certification requirements were (1) the
certification itself, which the agency believes would be satisfied by Amazon signing
its contract; and (2) the requirement to immediately notify the contracting officer of
an issue with malicious code. Agency Post Hearing Comments at 20. However,
regardless of the agency’s position with respect to the certification, it is unclear why
elimination of Amazon’s obligation to immediately notify the contracting officer about
malicious code would not represent a change in a material requirement.4
3
The agency also generally claims that the SSA was briefed on the final negotiation
items and felt this was a minor issue. Tr. at 469; SSD at 9. The contracting officer
was unaware of the impact of this particular provision and there is nothing in the
record to indicate that he provided a relevant assessment of that impact in the
briefing to the SSA or that the SSA exercised otherwise considered judgment in this
regard.
4
Our conclusion is not changed by Amazon’s assertions that IBM also sought
numerous proposed changes to provisions in the RFP, including a proposal that it
would not provide [deleted] with respect to [deleted]. IBM FPR at 5-8; see
Intelligent Env’ts, B-256170.2, Nov. 28, 1994, 94-2 CPD ¶ 210 at 4 (protest denied
where neither protester nor awardee complied with specific requirement). While
offerors were free to ask for changes, waiving a material term of the solicitation for
only one of them, after the selection decision was made, was improper. We also
disagree with Amazon that IBM cannot claim to be prejudiced by this change. IBM
argues that this modification materially reduces the risk to the contractor. IBM
Supplemental Comments, May 6, 22013, at 8. In our view, IBM’s assertion that the
level of risk to the contractor was reduced by this modification is sufficient to
establish prejudice.
Auto-Scaling Evaluation
During the agency’s final evaluation, the evaluators assigned IBM’s proposal a
deficiency under the demonstration factor because they found that IBM’s FPR
introduced new language that cast doubt on whether the firm’s existing public cloud
provided auto-scaling for all applications, both IBM-supplied and agency consumer-
supplied. COS at 9. While the evaluators found that IBM’s proposed C2S cloud for
the intelligence community included auto-scaling capability for all applications, they
also assigned a significant weakness because there was a lack of detail on how this
additional capability (relative to the existing public cloud) would be accomplished.
Id. at 13. IBM asserts that the agency’s evaluation was irrational and that its
proposal made clear that its public cloud provided auto-scaling capability for all
applications whether supplied by IBM or agency consumers.
Here, the proposal instructions required each offeror to “clearly demonstrate its
understanding of the technical requirements and suitability of the proposed
technical approaches that will be employed.” Evaluation Criteria at 2. Moreover, it
is an offeror’s obligation to submit an adequately written proposal for the agency to
evaluate. See Independence Constr., Inc., B-292052, May 19, 2003, 2003 CPD
¶ 105 at 5.
Our review of the record shows that the RFP clearly required offerors to
demonstrate the ability to auto-scale computer resources both in their existing
public cloud and in the C2S cloud solution. Specifically, the cloud was to provide
“dynamic workload management . . . across the cloud infrastructure,” SRD § 3.4.11,
and “shall provide application services with . . . automated scaling.” SRD § 3.9.1.
While IBM’s initial presentation demonstrated its auto-scale capability for
applications from its existing public cloud structure, in its FPR, IBM revised its
written proposal in support of the demonstration so as to indicate that its ability to
auto-scale in its existing public cloud structure was limited to applications provided
by IBM. In this regard, in referring to its capability to auto-scale, IBM’s FPR drew a
Our review of the record indicates that these various references suggest that IBM
may in fact have auto-scaling capability for consumer applications. However, while
the cited passages in IBM’s FPR established, e.g., that consumer applications can
be added to the “library,” and that “applications” can be auto-scaled in IBM’s
5
In providing both platform and infrastructure as services, an “instance” refers to
the supply of a virtual machine or server for use by the consumer. Tr. at 45-46.
6
Load balancing refers to the distribution of computer workload across multiple
servers, while auto-scaling refers to changing the capacity of a particular server.
We recognize that IBM’s proposed cloud for the intelligence community--i.e., the
contract at issue here--promised the capability to auto-scale all applications.
However, the above deficiency was assigned for failure to demonstrate the
existence of this capability in IBM’s existing public cloud, a different element of the
evaluation. Further, since we find the agency reasonably determined that IBM
failed to clearly establish the capability of its existing public cloud to auto-scale all
applications, there is no basis to find unreasonable the agency’s assignment of a
significant weakness, under a different evaluation element (the written element), as
a result of IBM’s failure to explain how it would add the capability to auto-scale all
applications in the cloud it proposes to provide for the intelligence community.
IBM also argues that the past performance evaluation of Amazon’s proposal was
flawed because the agency failed to take into account news reports about
five service outages experienced by some of Amazon’s public cloud clients between
April and December 2012, while the agency was conducting this procurement.7
IBM First Supplemental Protest at 57. IBM contends that this information was
relevant to the past performance evaluation, noting that the second most important
element under the past performance factor was whether an offeror’s “performance
history demonstrates success in meeting management, delivery, and performance
requirements within the terms of a Service Level Agreement [SLA].” Evaluation
Criteria at 3-4. IBM argues that had the agency considered this information,
Amazon’s past performance rating would have been lower than high confidence.
7
These outages were reported in various media outlets, including, for example,
The Washington Post, The New York Times, The Wall Street Journal, and Cable
News Network. IBM First Supplemental Protest, Exhs. D through P.
The record here shows that the contracting officer, the SSA, and other members of
the evaluation team, were aware of the news reports regarding the service outages,
Addendum to Supplemental Agency Report at 1, but concluded that the reports and
their knowledge of the circumstances surrounding the outages were not sufficiently
detailed to take the outages into account in the past performance evaluation. Id.;
Contracting Officer’s Declaration, Apr. 25, 2013; SSA Declaration, Apr. 26, 2013.
For example, as noted by the SSA, none of the cited news reports addressed
Amazon’s success in meeting the terms of its SLAs with the affected customers.
SSA Declaration, Apr. 26, 2013.
In addition, the record shows that one of Amazon’s past performance references
acknowledged outages in Amazon’s system. Specifically, the National Aeronautics
and Space Administration, Jet Propulsion Laboratory (JPL), rated Amazon as very
good for meeting SLAs, despite reported outages, commenting:
IBM asserts that the agency improperly considered the effect of its guaranteed
minimum price on its total evaluated price. In this regard, IBM relies on the RFP
The guaranteed minimum price feature of this solicitation was intended to allow the
offerors to recover a portion of the upfront infrastructure expenditures and to reduce
their cost risk. Source Selection Evaluation Board (SSEB) Recommendation at 19.
The RFP specifically provided that the guaranteed minimum proposed by each
offeror would be evaluated for completeness and reasonableness and would “be
used within the Government’s overall risk rating involved with this acquisition.”
Evaluation Criteria at 5. The SSEB, in its discussion of the offerors’ guaranteed
minimum prices, addressed the risk involved with IBM’s minimum by noting that
[deleted]. SSEB Report at 20. The SSEB also found “serious cost risk” associated
with IBM’s proposed contract clause which indicated that the contractor would
[deleted]. Id. The SSEB observed that if the guaranteed minimum was “considered
as part of the likely cost,” it would reduce the price difference between IBM and
Amazon. Id. The SSA made similar observations in her source selection decision.
SSD at 9.
In our view, the evaluation in this regard was not inconsistent with the RFP’s
evaluation criteria. The record shows that IBM’s evaluated price was not increased
by the amount of its guaranteed minimum. See, e.g., SSD at 8. Rather, the
SSEB’s evaluation and the SSA’s tradeoff analysis simply considered the risk
involved in IBM’s guaranteed minimum and future position on negotiations. While
IBM objects to consideration of the magnitude of its guaranteed minimum, clearly
the magnitude of the guarantee was a factor in the extent of the resulting risk, which
under the RFP was to be evaluated.
RECOMMENDATION
We sustain the protest because the agency’s adjustment of scenario prices was
unreasonable in that it did not result in evaluation on a common basis, and because
the agency materially relaxed a solicitation term for the awardee during post-
selection negotiations. We recommend that the agency reopen the competition and
amend the RFP as necessary to ensure that proposals are prepared and evaluated
on a common basis, consistent with the issues discussed in this decision. We
further recommend that the agency conduct discussions with offerors, obtain and
evaluate revised proposals, and make a new source selection decision. Finally, we
recommend that the protester be reimbursed its costs of filing and pursuing the
protest, including reasonable attorneys’ fees. 4 C.F.R. § 21.8(d)(1).
Susan A. Poling
General Counsel