Oracle America, Inc.

B-416657,B-416657.2,B-416657.3,B-416657.4: Nov 14, 2018

Additional Materials:

Contact:

Ralph O. White
(202) 512-8278
WhiteRO@gao.gov

Kenneth E. Patton
(202) 512-8205
PattonK@gao.gov

 

Office of Public Affairs
(202) 512-4800
youngc1@gao.gov

Oracle America, Inc., of Reston, Virginia, protests various aspects of request for proposals (RFP) No. HQ0034-18-R-0077, issued by the Department of Defense (DoD) to obtain comprehensive cloud services; the procurement is generally referred to as the Joint Enterprise Defense Infrastructure (JEDI) Cloud procurement. Oracle protests that: the RFP provisions leading to a single-award indefinite-delivery, indefinite-quantity (IDIQ) contract are contrary to statute and regulation; the terms of the solicitation exceed the agency's needs; and the agency failed to properly consider potential conflicts of interest.

We deny the protest.

DOCUMENT FOR PUBLIC RELEASE
The decision issued on the date below was subject to a GAO Protective Order. The entire decision has been approved for public release.

Decision

Matter of:  Oracle America, Inc.

File:  B-416657; B-416657.2; B-416657.3; B-416657.4

Date:  November 14, 2018

Craig A. Holman, Esq., Kara L. Daniels, Esq., Dana E. Koffman, Esq., Amanda J. Sherwood, Esq., and Nathaniel E. Castellano, Esq.,  Arnold & Porter Kaye Scholer LLP, for the protester.
Christina M. Austin, Esq., and Andrew Bramnick, Esq., Department of Defense, for the agency.
Glenn G. Wolcott, Esq., and Peter H. Tran, Esq., Office of the General Counsel, GAO, participated in the preparation of the decision.

DIGEST

1.  Agency's determination to pursue a single-award approach to obtain cloud services under an indefinite-delivery, indefinite-quantity contract is consistent with statute and regulation where agency reasonably determines that a single-award approach is in the government's best interests for various reasons, including national security concerns. 

2.  Agency has provided reasonable support for all of the solicitation provisions that protester asserts exceed the agency's needs.

3.  Protester's allegations regarding conflicts of interest do not provide a basis for sustaining the protest.

DECISION

Oracle America, Inc., of Reston, Virginia, protests various aspects of request for proposals (RFP) No. HQ0034-18-R-0077, issued by the Department of Defense (DoD) to obtain comprehensive cloud services; the procurement is generally referred to as the Joint Enterprise Defense Infrastructure (JEDI) Cloud procurement.  Oracle protests that:  the RFP provisions leading to a single-award indefinite-delivery, indefinite-quantity (IDIQ) contract are contrary to statute and regulation; the terms of the solicitation exceed the agency's needs; and the agency failed to properly consider potential conflicts of interest.   

We deny the protest.

BACKGROUND

The Decision to Buy Comprehensive Cloud Services

On September 13, 2017, the Deputy Secretary of Defense issued a memorandum titled "Accelerating Enterprise Cloud Adoption."  Revised/Consolidated Protest, Sept. 6, 2018, exh. 2.  That memorandum referenced the Secretary of Defense's then-recent trip to Seattle, Washington and Palo Alto, California, characterizing those areas as "two epicenters of innovation in our country," and noting that the trip "reflected several realities:  (1) technologies in areas like data infrastructure and management, cybersecurity, and machine learning are changing the character of war; (2) commercial companies are pioneering technologies in these areas; and (3) the pace of innovation is extremely rapid."  Id. at 1.  The memorandum further stated that "[t]he Secretary is determined to prevent any potential adversary of the United States from surprising us or overtaking our military advantage" and, in that context, provided:  "I am directing aggressive steps to establish a culture of experimentation, adaptation, and risk-taking; to ensure we are employing emerging technologies to meet warfighter needs; and to increase speed and agility in technology development and procurement."  Id.

Accordingly, the memorandum directed the establishment of a Cloud Executive Steering Group (CESG) to "devise and oversee the execution of a strategy to accelerate the adoption of cloud architectures and cloud services, focusing on commercial solutions." [1]  Id.  The memorandum elaborated that the "cloud adoption initiative will occur in two phases," explaining that in phase one, DoD will "use a tailored acquisition process to acquire a modern enterprise cloud services solution that can support unclassified, secret, and top secret information" and, in phase two, "the CESG will rapidly transition select DoD Components or agencies to the acquired cloud solution, and, to the maximum extent possible, operationalize its mission."  Id. at 2.   

Thereafter, the Defense Digital Service (DDS) undertook market research activities on behalf of the CESG.  Agency Report (AR), Tab 20, Market Research Report, at 362.[2]  As part of the market research, a request for information (RFI) was posted on the Federal Business Opportunities (FBO) internet website seeking industry input regarding how to approach and structure the planned JEDI Cloud acquisition. [3]  The RFI sought responses by November 17; a total of 64 responses were submitted.  Id. at 4; see AR, Tabs 41, 44, RFI Responses. 

In December 2017, the Joint Requirements Oversight Council (JROC) issued a memorandum that identified "cloud characteristics and elements of particular importance to warfighting missions" in order to guide DoD's efforts in the JEDI Cloud acquisition.   AR, Tab 17, JROC Memorandum, Dec. 22, 2017, at 317-20.  Among other things, this memorandum referred to the need for "cloud resiliency," "cyber defenses," and the need for "enabl[ing] Cyber Defenders to detect, deny, and defeat cyber malicious activity."  Id. at 319.  

The Decision to Use a Single-Award Approach

In March 2018, the agency issued a report summarizing its market research.  Although the report concluded that "multiple sources are capable of satisfying DoD's requirements for JEDI Cloud," it also stated that "[o]nly a few companies have the existing infrastructure . . . to support DoD mission requirements, worldwide."  AR, Tab 20, Market Research Report, at 362, 365.  The report further acknowledged that "the majority of industry recommends multiple awards."  Id. at 382.

Notwithstanding industry's preference for multiple awards, the agency subsequently concluded that a single-award approach was appropriate.  At the GAO hearing conducted in connection with Oracle's protest,[4] the DDS deputy director discussed some of the bases for the single-award decision, testifying as follows:

The Department [of Defense] has adopted cloud technology in a variety of different ways, but they are very disparate, and in very particular fashions.  We have not yet been able to adopt a commercial cloud solution at enterprise scale.  And this particular RFP is about trying to do that. 

It's also important to understand that doing so is pretty technically complex.  The Department today operates a wide variety of different systems that we'll need to integrate.  We have a bunch of particular requirements about the way that we deploy and operate systems that we need to account for.  And as I mentioned earlier, we have a broad technical base that will have to be brought up to speed on how this technology works.

Doing that for a single solution provided to the Department by either a vendor or a team of vendors is a big lift already.  Trying to do that for multiple solutions, with the Department operating as the integrator, would be exceedingly complex.  And I don't think we would be successful. . . . [A]lso worth highlighting is that, we and the Department . . . need to get our minds around how to make sure that our data and applications are secure in the cloud environment provided to us, as part of the JEDI Cloud contract.  You know, we have got a really complex process today for how we think about managing risk. . . .  [W]e've got to focus on the infrastructure and the platform that we're using.  We have to focus on the software, the way it's been configured, the way it's deployed. . . .

And so part of this effort is to work with the winner of the JEDI Cloud contract, so that we can help the Department better understand the risk [it is] accepting, better manage that risk, but also do so in a more timely manner, so that our war fighters get access to applications and services much faster.

And again, trying to do that . . . with [one] vendor is a thing, I think, the Department knows how to do.  It's going to take a considerable amount of our technical experts.  Trying to do that with multiple vendors simultaneously, I just don't think we have the technical expertise to do that well.

Hearing Transcript (Tr.) at 57-60.

In April 2018, the agency prepared a business case analysis (BCA) that, along with a subsequently-executed acquisition strategy, cybersecurity plan, and statement of objectives, serves as the "foundation for acquisition of the . . . JEDI Cloud."  AR, Tab 21, BCA at 395.  Among other things, the BCA states that:  "[c]yber warfare and disruptive cyber activities from an ever-increasing host of adversaries is widespread and pernicious, and continues to pose a clear and present danger to military capabilities."  Id. at 397.  The BCA further notes that DoD "is dependent on outdated computing and storage infrastructure" and that its current information technology environment, comprised of "aging hardware, fragmented data-centers and antiquated software," is "unable to fully operationalize data for real-time situational awareness and decisionmaking."  Id. at 398. 

On July 17, 2018, the contracting officer executed a memorandum for the record (MFR) documenting the single-award determination, as required by section 16.504(c)(1)(ii)(C) of the Federal Acquisition Regulation (FAR).[5]  AR, Tab 24, Contracting Officer's Single-Award MFR.  That MFR noted that, although "10 U.S.C. 2304a(d) establishes a preference for multiple award IDIQ contracts," the regulations implementing the statutory preference also provide that "[t]he contracting officer must not use the multiple award approach if [one of six listed conditions is met]."[6]  Id. at 451.  The contracting officer concluded that the following three conditions were applicable to the JEDI Cloud procurement:

(2)  Based on the contracting officer's knowledge of the market, more favorable terms and conditions, including pricing, will be provided if a single award is made;

(3)  The expected cost of administration of multiple contracts outweighs the expected benefits of making multiple awards;

*  *  *  *  *

(6) Multiple awards would not be in the best interests of the Government.   

Id. at 453-60; FAR § 16.504(c)(1)(ii)(B).

For each of the conditions, the contracting officer provided a narrative explaining the basis for her determination of applicability.  For example, with regard to "best interests of the Government," the contracting officer stated: 

Technologies such as artificial intelligence, machine learning, and software orchestration are fundamentally changing the character of war.  Battlefield advantage is driven by who has access to the best information that can be analyzed to inform decision-making at the point and time of need.  Providing the DoD access to foundational commercial cloud infrastructure and platform technologies on a global scale is critical to national defense and preparing the DoD to fight and win wars.  Based on the current state of technology, multiple awards are not in the best interest of the Government because they: i)  increase security risks;[[7]] ii) create impediments to operationalizing data through data analytics, machine learning (ML), and artificial intelligence (AI); and iii) introduce technical complexity in a way that jeopardizes successful implementation and increases costs.

AR, Tab 24, Contracting Officer's Single-Award MFR, at 457-58.   

Similarly, on July 19, 2018, the Under Secretary of Defense for Acquisition and Sustainment executed a Determination and Findings (D&F) that justified a single-award IDIQ contract pursuant to the provisions of 10 U.S.C. § 2304a(d)(3).  That statute states that "[n]o task or delivery order contract in an amount estimated to exceed $100,000,000[8] (including all options), may be awarded to a single source unless the head of the agency determines in writing that [one of four conditions has been met]."[9]  The Under Secretary's D&F included the determination that "the ID/IQ contract for JEDI Cloud will provide only for FFP [firm fixed-price] task orders for services for which prices are established in the contract for the specific tasks to be performed," and identified various factual findings to support that determination.  AR, Tab 16, Under Secretary's Single-Source D&F, at 315-17.

The Decision on Conflicts of Interest

On July 23, in the context of considering potential conflicts of interest, the contracting officer signed an MFR titled "Contracting Officer's Assessment of No Impact Under [FAR §] 3.104-7."  AR, Tab 33, Contracting Officer's Integrity MFR.  In the assessment, the contracting officer noted that, pursuant to FAR § 3.104-7, a contracting officer who receives information regarding a violation or potential violation of specified statutory prohibitions, restrictions, or requirements (including those regarding conflicts of interest), must determine if the violation or potential violation has any impact on the pending award or selection of a contractor.  Id. at 679.  The MFR identified five individuals for whom the contracting officer had received information regarding such potential violations, but concluded there was no negative impact on the procurement created by each of the individuals' activities.  Of relevance to this protest, the MFR discussed two specific individuals who were identified as:  (1) "(former) Deputy Chief of Staff, Office of the Secretary of Defense & Chief of Staff, Deputy Secretary of Defense" (hereinafter, "Chief of Staff"); and (2) "Digital Service Expert (Former), Defense Digital Service" (hereinafter, "Digital Service Expert").  Id. at 681-82.

With regard to the Chief of Staff, the MFR noted that he had "previously provided consulting services to AWS [Amazon Web Services] while employed with SDB Advisors," but had "ended his SDB Advisors employment in January 2017."[10]  Id. at 681.  The MFR further stated that although he scheduled and attended meetings relative to the JEDI Cloud procurement  "which did include access to pre-decisional documents concerning JEDI Cloud procurement acquisition strategy and other matters during the Fall and Winter of 2017," he "had no input or involvement in the reviewing or drafting of the draft solicitation package, the Acquisition Strategy, Business Case Analysis, or other pre-decisional sensitive documents relative to the JEDI Cloud acquisition" and described his involvement in the meetings as "record[ing] meeting minutes."  Id.  Accordingly, the contracting officer concluded that the Chief of Staff's involvement in the procurement "was ministerial and perfunctory in nature"; he "provided no input into the JEDI Cloud acquisition documents"; he "did not participate personally and substantially in the procurement"; and his involvement "did not negatively impact the integrity of the JEDI Cloud acquisition."  Id.   

With regard to the Digital Service Expert, the MFR stated he "was previously employed with AWS, which ended in January 2016," and that he was "involved with JEDI Cloud market research activities between September 13, 2017 and October 31, 2017."  Id. at 682.  The MFR further stated:

In late October 2017, AWS expressed an interest in purchasing a start-up owned by [the Digital Service Expert].  On October 31, 2017, [the Digital Service Expert] recused himself from any participation in JEDI Cloud.  His access to any JEDI Cloud material was immediately revoked, and he was no longer included in any JEDI Cloud related meetings or discussions.

Conclusion:  [The Digital Service Expert's] regulatory impartiality restriction [flowing from his previous employment with AWS, which ended in January 2016] had expired long before the JEDI Cloud procurement was initiated and his participation was limited to market research activities.  [The Digital Service Expert] promptly recused himself from participating in JEDI Cloud once AWS expressed interest in doing business with him.  Therefore, [the Digital Service Expert's] connections to AWS did not negatively impact the integrity of the JEDI Cloud acquisition.

Id. at 682-83.

Issuance of the Solicitation  

On July 26, 2018, the agency issued RFP No. HQ0034-18-R-0077 pursuant to FAR subpart 12.6, streamlined procedures for evaluation and solicitation for commercial items, seeking proposals for a single-award IDIQ contract to provide various commercial cloud services, including infrastructure as a service (IaaS)[11] and platform as a service (PaaS)[12] in both classified and unclassified environments.[13]  AR, Tab 35, RFP at 714-810.  The solicitation anticipates the award of a contract with a maximum value of $10 billion, over a potential 10-year performance period, if all options are exercised.[14]  Id. at 726.  The RFP includes a statement of objectives (SOO)[15] identifying various requirements and desired capabilities, and directs each offeror to provide a performance work statement (PWS) that describes the offeror's particular approach to achieving the RFP's stated objectives.[16]  Id. at 790. 

The solicitation further stated that source selection will be made on a best-value tradeoff basis, and established nine evaluation factors.  Factor 1 contains the following  subfactors against which proposals will first be evaluated on an acceptable/ unacceptable basis:[17]  elastic usage; high availability/failover; commerciality; automation; commercial cloud offering marketplace; and data.  Id. at 802-03.  Proposals that are rated unacceptable with regard to any of the factor 1 subfactors will be eliminated from further consideration.  Proposals that are rated acceptable for the factor 1 gate criteria will then be evaluated against factors 2 through 6,[18] and factor 9 (price).[19]  Thereafter, a competitive range will be established, and the competitive range offerors will be invited to submit proposals for evaluation under factors 7 and 8 (small business participation and demonstration, respectively).  Proposals that receive a "marginal" or "unacceptable" rating under factor 8 (demonstration) will be eliminated from further consideration.  Following evaluation of factors 7 and 8, discussions may be conducted and final proposal revisions submitted, and a best-value determination will be made.  RFP at 801-02. 

DISCUSSION

On August 8, Oracle filed its initial protest challenging various aspects of the solicitation.[20] Thereafter, the solicitation was amended.[21]  On September 6, Oracle filed a "Revised and Consolidated Protest,"[22] asserting that:  a single-award IDIQ for the JEDI Cloud procurement is contrary to statute and regulation; the terms of the solicitation exceed the agency's needs; and the agency failed to properly consider  potential conflicts of interest.

Compliance with Statute and Regulation

First, Oracle challenges the agency's decision to make a single award, asserting that various statutes and regulations "require DoD to use a multiple award contract approach for the JEDI Cloud RFP." Revised/Consolidated Protest at 33.  In this context, Oracle complains that the agency failed to comply with the fixed-price requirements of 10 U.S.C. § 2304a(d)(3)(B), as implemented by FAR § 6.504(c)(1)(ii)(D)[23]--despite the Under Secretary's D&F that specifically stated that the JEDI Cloud contract "will provide only for FFP [firm fixed price] task orders for services for which prices are established in the contract for the specific tasks to be performed."  See AR, Tab 16, D&F at 317. Oracle maintains that, because the RFP does not identify all of the specific tasks that may be performed, the RFP does not meet the statutory and regulatory requirements regarding established prices for such tasks, and asserts that this renders the D&F invalid.  Revised/Consolidated Protest at 33-44.

The agency responds that the RFP clearly provides that "pricing for all services is offered at a firm-fixed price," and specifically provides that only fixed-price task orders, based on established prices in the contract for the specific tasks to be performed, will be issued under the contract.  MOL at 22; RFP at 726 ("All TOs [task orders] will be firm-fixed price.").  More specifically, the agency references the RFP provisions requiring offerors to submit fixed-price catalogs for CLINs 1 through 4,[24] noting that each catalog may include thousands of services.  RFP at 715-25, 796-97.  The agency notes that, likewise, the RFP requires submission of fixed prices for CLIN 5 (portability plan), CLIN 6 (portability test), and CLIN 7 (program management support). The agency further notes that the solicitation provides that any new services that are added to the contract must be priced on a fixed-price basis.  Id. at 736-37; AR, Tab 16, Under Secretary's D&F, at 317.  Finally, the agency notes that Oracle's purported interpretation of the statutory and regulatory requirements--in essence, that all subsequent tasks must be definitively identified in the RFP--would effectively preclude the award of any single-award IDIQ contract pursuant to an RFP with a statement of objectives and, similarly, would preclude any modification of such contracts.  Since this interpretation would render meaningless the various statutes and regulations that authorize such awards and modifications, the agency maintains that Oracle's protest challenging the Under Secretary's D&F is without merit. 

In considering whether an agency has violated procurement laws or regulations, we will not construe the meaning of statutory or regulatory provisions in a manner that renders other provisions superfluous, void, or meaningless.  See, e.g., Oracle America, Inc., B-416061, May 31, 2018, 2018 CPD ¶ 180 at 16.

Based on our review of the record here, we reject Oracle's assertion that the Under Secretary's D&F failed to comply with the provisions of 10 U.S.C. § 2304a(d)(3)(B) and FAR § 16.504(c)(1)(ii)(D).  As the agency points out, the RFP requires that offerors submit fixed prices for each of the solicitation's CLINs, and states that all subsequent task orders will be issued on a fixed-price basis.  To the extent Oracle is suggesting that 10 U.S.C. § 2304a(d)(3)(B) and FAR § 16.504(c)(1)(ii)(D) contemplate only the issuance of fixed-price task orders for services that are currently identified with specificity in the RFP, such assertion is without merit.  Section 16.504(a)(4)(ii) of the FAR only requires the government to "[s]pecify the total minimum and maximum quantity of supplies or services the Government will require under the contract."  In addition, FAR § 16.504(b) provides that "[c]ontracting officers may use an indefinite-quantity contract when the Government cannot predetermine, above a specified minimum, the precise quantities of supplies or services that the Government will require during the contract period. . . ."  Oracle's argument would effectively preclude the award of a significant portion of IDIQ contracts--particularly those that employ a statement of objectives, and similarly preclude any modifications to single-award IDIQ contracts.[25]  On this record, we decline to find the Under Secretary's D&F inconsistent with the requirements of 10 U.S.C. § 2304a(d)(3)(B) or FAR § 16.504(c)(1)(ii)(D). 

Next, Oracle asserts that the contracting officer's single-award MFR failed to give adequate consideration to the established preference for multiple awards, as enunciated in 10 U.S.C. § 2304a(d)(4)and FAR § 16.504(c)(1)(i).  Oracle notes that these authorities establish a preference for multiple-award IDIQ contracts "to the maximum extent practicable," and asserts that "none of the [three] conditions cited by the contracting officer [in her single-award MFR] apply to this procurement."  Revised/Consolidated Protest at 44-45.

The agency responds by first referencing the specific language of the FAR, on which the contracting officer's MFR was based, which states: "The contracting officer must not use the multiple award approach if [any one of six conditions is met.]."  FAR §16.504(c)(1)(ii)(B) (emphasis added.)  In this context, the agency maintains that the contracting officer's determination not to use a multiple-award approach was not only permissible, it was mandated.  The agency further notes that, as discussed above, one of the three bases for declining to use a multiple-award approach incorporated the agency's concerns with regard to security.  The contracting officer's documentation supporting her determination addressed the significantly greater security risks that would be created if the agency were required, through conducting task order competitions, to integrate various portions of the JEDI Cloud--provided by multiple, competing vendors--rather than implement a single vendor's solution.[26]  The agency acknowledges that it will still operate in a multiple-cloud environment (the goal for the JEDI Cloud is to encompass 80 percent of current DoD applications, see Contracting Officer's Statement, Sept. 24, 2018, at 2), but maintains that the security risks associated with a single-award approach to the JEDI Cloud are considerably diminished because of "significantly fewer seams and connection points."  MOL at 40.

The determination of a contracting agency's needs and the best method of accommodating them are matters primarily within the agency's discretion.  Crewzers Fire Crew Trans., Inc., B-402530, B-402530.2, May 17, 2010, 2010 CPD ¶ 117 at 3; G. Koprowski, B-400215, Aug. 12, 2008, 2008 CPD ¶ 159 at 3.  A protester's disagreement with the agency's judgment concerning the agency's needs and how to accommodate them does not show that the agency's judgment is unreasonable.  Cryo Techs., B-406003, Jan. 18, 2012, 2012 CPD ¶ 29 at 2; G. Koprowski, supra.

Here, we reject Oracle's protest challenging the contracting officer's bases for making a single-award determination.  First, as previously discussed, FAR § 16.504(c)(1)(ii)(B) provides that a multiple-award approach is precluded where any one of the six listed conditions is met, and we view the contracting officer's determinations regarding each of the three applicable conditions to be reasonable.  For example, the contemporaneous agency record contains significant documentation supporting the agency's national security concerns associated with a multiple-award solution for the JEDI Cloud procurement.  In our view, such concerns reasonably support the contracting officer's "best interest of the government" determination.  Since the agency reasonably determined that three of the conditions identified in FAR § 16.504(c)(1)(ii)(B) are applicable to the JEDI Cloud procurement, Oracle's protest challenging the contracting officer's single-award determination is denied.

Finally, Oracle protests that the agency's single-award approach is precluded by the recently-enacted Department of Defense and Labor, Health and Human Services, and Education Appropriations Act, Public Law No. 115-245 (Appropriations Act).[27]  Supp. Protest, Oct. 1, 2018, at 24-25.

The agency responds that, while the Appropriations Act prohibits the obligation of funds to perform the JEDI Cloud contract until 90 days after DoD has submitted a required report, the Act does not require DoD to abandon the JEDI Cloud contract.  The agency further notes that, absent further Congressional action, the obligation of funds is authorized following the 90-day waiting period.  Agency's Post Hearing Comments, Oct. 18, 2018, at 18-24.

Here, we do not view the plain language of the Appropriations Act as a basis to sustain Oracle's protest.  Rather, that Act requires DoD to subsequently submit a report to Congress regarding various matters related to its cloud acquisition activities.  While Oracle's protest is based on the assertion that DoD will be unable to comply with the reporting requirement and also continue with its single-award approach in the JEDI Cloud procurement, we see nothing in the Act's reporting requirement as providing a basis to conclude that the agency's single-award procurement approach violates statute or regulation.  Accordingly, we decline to sustain Oracle's protest based on the provisions of the Appropriations Act.

Restrictive Specifications

Next, Oracle asserts that various solicitation requirements exceed the agency's needs and/or are "designed around a particular cloud service."  Revised/Consolidated Protest at 56-72.  In challenging the allegedly restrictive requirements, Oracle focuses primarily on the RFP's factor 1 gate criteria, which are evaluated on an acceptable/unacceptable basis.  Id.  For example, Oracle complains that subfactor 1.2, high availability and failover, reflects requirements that exceed the agency's needs.  Oracle notes that, pursuant to this subfactor, proposals must demonstrate that the offeror has three existing data centers, 150 miles apart,[28] that each support at least one IaaS offering and one PaaS offering that are "FedRAMP  Moderate 'Authorized' by the Joint Authorization Board (JAB) or a Federal agency."[29]  Id. at 62-66; see RFP at 788.  Oracle complains that the requirements for FedRAMP authorization, as well as application of that requirement at the time proposals are submitted, is improper and exceeds the agency's needs.  In this regard, Oracle asserts that DoD "has no legitimate need" for FedRAMP authorized offerings and, even if it does, that DoD "can evaluate proposed approaches to meet [this requirement] after contract award."  Id. at 64.   

The agency first responds, generally, that its mission mandates rapid acquisition of cloud technologies in order to maintain the military's technological advantage, and the agency "vehemently denies" Oracle's assertion that the RFP's requirements are "designed around a particular cloud service."  MOL at 43, 45. 

More specifically, with regard to subfactor 1.2, high availability and failover, the agency states that the actual cyber security performance requirements the successful offeror will be required to meet in performing the JEDI Cloud contract are "much greater" than the FedRAMP Moderate requirement.[30]   Id. at 58.  The agency elaborates that: 

FedRAMP Moderate represents a lower, baseline set of requirements but demonstrates that the Offeror has successfully met foundational security requirements. . . .  [The requirement for FedRAMP Moderate at each data center is] a mechanism to validate that the core architecture is extensible and likely to be able to meet the JEDI Cloud requirements across all service offerings. . . .  JEDI Cloud must be capable of hosting the Department's most sensitive information.  FedRAMP Moderate is the standard for cloud computing security of controlled unclassified information across the Federal government.  Without this requirement at time of proposal, the Department would be taking on an unacceptable level of risk that an Offeror will be unable to achieve the more stringent security requirements of JEDI Cloud. 

AR, Tab 43, MFR Justification for RFP Amendments, at 951.

Accordingly, the agency concludes that requiring offerors to have the FedRAMP Moderate authorization upon proposal submission significantly mitigates the risk of unsuccessful performance with regard to the more stringent security requirements with which the contractor will have to subsequently comply.  MOL at 58. 

Although an agency's otherwise legitimate requirements regarding an offeror's demonstrated ability to meet contract requirements may not generally be applied at a point in time prior to when such qualifications become relevant, see USA Jet Airlines, Inc.; Active Aero Group, Inc., B-404666, Apr. 1, 2011, 2011 CPD ¶ 91 at 5, an agency may properly require an offeror to submit evidence of its ability to meet contract requirements at the time of proposal submission where the agency has articulated a reasonable basis for requiring the evidence at that time.  See, e.g., Contract Servs., Inc., B-411153, May 22, 2015, 2015 CPD ¶ 161 at 3-4.; Air USA, Inc., B-409236, Feb. 14, 2014, 2014 CPD ¶ 68 at 5.  Further, where the challenged requirements relate to national defense, an agency has the discretion to define solicitation requirements to achieve the highest level of reliability and effectiveness.  Womack Mach. Supply Co., B-407990, May 3, 2013, 2013 CPD ¶ 117 at 3.

Here, the agency has clearly articulated a reasonable basis for the subfactor 1.2 gate criteria prior to award, noting that this less stringent requirement will establish a basis for the agency to assess the offeror's subsequent capability to comply with the solicitation's more stringent requirements.  Further, it is clear that the agency's basis for the subfactor 1.2 gate criteria relate to national security and, in that context, is subject to even greater agency discretion in establishing the requirements.  Womack Mach. Supply Co., supra.  On this record, Oracle's complaints regarding the subfactor 1.2 gate criteria are without merit. 

By way of another example, Oracle complains that subfactor 1.6, commercial cloud offering marketplace, exceeds the agency's needs.  Revised/Consolidated Protest at 67-68.  This subfactor requires an offeror to demonstrate that its proposal includes an online marketplace for third-party platform and software offerings.  RFP at 789-90.  Oracle complains that an online marketplace for third-party offerings "is not a typical cloud computing offering for most vendors" and that this requirement "will unduly restrict the competition to those few offerors which currently have an online store for users to purchase third-party software."  Revised/Consolidated Protest at 67.

The agency responds that its market research established that most global cloud services providers offer an online marketplace offering third-party software.  The agency further notes that Oracle's own response to the agency's RFI stated:

Oracle has an Oracle Partner Cloud Marketplace.  More than 4000 Oracle Partner apps and services are offered on the marketplace - and more partners are adding their apps every day.  Oracle Cloud Marketplace continues our commitment to offer the broadest and most advanced cloud portfolio in the industry. The pricing for each cloud app/service is provided by the 3rd party provider.

AR, Tab 41, Oracle RFI Response, at 903 (bold in original).   

In any event, the agency further responds that this requirement is necessary to enable DoD and its JEDI Cloud contractor to easily "spin up" new systems using a combination of IaaS and PaaS offerings as well as offerings available through the vendor's online marketplace.  MOL at 60; AR, Tab 42, Justification for Gate Criteria, at 946-47.

As noted above, the determination of a contracting agency's needs and the best method of accommodating them are matters primarily within the agency's discretion.  Crewzers Fire Crew Trans., Inc., B-402530, B-402530.2, May 17, 2010, 2010 CPD ¶ 117 at 3; G. Koprowski, B-400215, Aug. 12, 2008, 2008 CPD ¶ 159 at 3.  A protester's disagreement with the agency's judgment concerning the agency's needs and how to accommodate them does not show that the agency's judgment is unreasonable.  Cryo Techs., B-406003, Jan. 18, 2012, 2012 CPD ¶ 29 at 2; G. Koprowski, supra.

Based on Oracle's own response to the agency's RFI, it appears that Oracle's protest is challenging a solicitation requirement that is not prejudicial to Oracle.  Regardless, we find nothing unreasonable in the agency's explanation for this requirement, and Oracle's protest challenging the requirements of subfactor 1.6 is denied. 

Oracle's protest has also challenged various other aspects of the solicitation requirements, including another gate criterion (elastic usage), the pricing scenarios, and the price evaluation provisions.  Oracle further asserts that the solicitation is ambiguous as to whether two or more companies are permitted to propose a multi-cloud solution.  We have considered all of Oracle's various challenges to the terms of the solicitation, along with the agency's detailed responses to these challenges, and find no merit in any of Oracle's allegations.   

Conflicts of Interest

Finally, Oracle protests that the contracting officer failed to adequately consider potential conflicts of interest created by the Chief of Staff's and the Digital Service Expert's relationships with AWS.  Revised/Consolidated Protest at 79-87.  In this regard, Oracle asserts that the contracting officer's assessments of those issues in her July 23, 2018 MFR were inadequate. 

Oracle first asserts the existence of conflicts on the basis that the Chief of Staff, the Digital Service Expert, or both, were allegedly involved in "shap[ing] the JEDI Cloud requirements"--including the single-award provision and the other RFP requirements that Oracle asserts are unduly restrictive.  In this context, Oracle maintains that the contracting officer should have concluded, pursuant to FAR § 3.101 and FAR subpart 9.5, that there was an actual or apparent "biased ground rules" conflict with regard to one or both individuals.[31]  See Revised/Consolidated Protest at 8-10, 79-87; Supp. Protest, Oct. 1, 2018, 67-90. 

The agency responds that the Chief of Staff was not personally and substantially involved in the procurement in that his activities were primarily limited to administrative actions such as scheduling and attending meetings and recording meeting notes, and that he did not provide any substantive input to any of the solicitation requirements.  With regard to the Digital Service Expert, the agency maintains that his involvement in this procurement was limited to market research activities; he was involved for less than 7 weeks; and his involvement was terminated in October 2017--nearly 9 months before the RFP was issued.  In any event, the agency maintains that all of the solicitation requirements, including the single-award determination, were driven by the agency's substantive needs, including its national security concerns. 

It is true that, in post-award protests involving award to a contractor that has hired a former government employee who possesses competitively useful non-public information, our Office will presume prejudice "without the need for an inquiry as to whether that information was actually utilized by the awardee."  See, e.g., International Resources Group, B-409346.2 et al., Dec. 11, 2014, 2014 CPD ¶ 369 at 9-10.  Nonetheless, as a general rule, prejudice is still a necessary element with regard to any protest.  See, e.g., Crane & Co., B-297398, Jan. 18, 2006, 2006 CPD ¶ 22 at 9.   

Here, we decline to sustain Oracle's protest on the basis of its assertion that the Chief of Staff and/or the Digital Service Expert were responsible for "shap[ing]" the solicitation requirements.  First, as discussed above, we have reviewed the agency's explanations for all of the challenged RFP requirements, including the single-award determination, and have concluded that the agency has presented multiple bases--including, but not limited to, the agency's concerns regarding national security--that reasonably support all of the challenged requirements.  Accordingly, even if we were to conclude that either the Chief of Staff or the Digital Service Expert meaningfully participated in the agency's determinations regarding the RFP requirements, it would be improper for our Office to recommend that the agency proceed with the JEDI Cloud procurement in a manner that is inconsistent with meeting its actual needs.  Accordingly, on the record here, we reject Oracle's protest that there were biased ground rules conflicts for either the Chief of Staff or the Digital Service Expert.

Next, Oracle asserts that, following the Digital Service Expert's participation in the JEDI Cloud procurement from September 13 through October 31, 2017, he was re-hired by AWS in a "leadership position."  Revised/Consolidated Protest at 82-83.   Accordingly, Oracle suggests that this creates an unequal access to information conflict of interest that could provide an unfair competitive advantage to AWS.  

The agency responds that its contracting officer "will continue to comply with her conflict of interest duties concerning this acquisition" and, if appropriate, will perform an investigation of any potential conflicts prior to award.  Agency Post-Hearing Brief, Oct. 18, 2018, at 14.  In this context, the agency maintains that any such investigation "was not ripe for investigation prior to receipt of proposals."[32]  Id.

As noted above, we have recognized that, in post-award protests involving the award to a contractor that has hired a former government employee who possesses competitively useful non-public information, our Office will presume prejudice "without the need for an inquiry as to whether that information was actually utilized by the awardee."  See, e.g., International Resources Group, supra.  We also note that the FAR provides that a contracting officer should identify and evaluate potential conflicts as early in the acquisition process as possible in order to avoid, neutralize, or mitigate significant conflicts before contract award.  FAR § 9.504(a).

On the record here, we decline to consider Oracle's assertion that the contracting officer's consideration of conflicts--before proposals were submitted--was flawed for failing to consider the actions of AWS and the Digital Service Expert after he left government service.  In the event the agency's subsequent actions provide a basis for protest, Oracle may raise this matter consistent with our Bid Protest Regulations.   

The protest is denied.

Thomas H. Armstrong
General Counsel



[1] The memorandum provided that the CESG would be chaired by a DoD Under Secretary, and would be comprised of members from DoD's Strategic Capabilities Office (SCO); Defense Innovation Unit Experimental (DIUx); Defense Digital Service (DDS); and Defense Innovation Board (DIB). 

[2] The agency assigned sequential Bates numbers to the documents submitted with its report.  All citations to AR documents refer to the applicable Bates page numbers.

[3] The agency also engaged in other outreach efforts, including one-on-one meetings with vendors, focus sessions with DoD offices and industry thought leaders (i.e. Federally Funded Research & Development Centers and public/private partnerships), and meetings with the intelligence community.  AR, Tab 20, Market Research Report, at 363. 

[4] In considering Oracle's protest, GAO conducted a hearing, on the record, at which testimony was obtained from the agency's contracting officer and the deputy director of DDS. 

[5] Section 16.504 of the FAR establishes requirements applicable to IDIQ contracts and states:  "The contracting officer must document the decision whether or not to use multiple awards in the acquisition plan or contract file."  FAR §16.504(c)(1)(ii)(C).

[6] The six conditions are: 

(1)  Only one contractor is capable of providing performance at the level of quality required because the supplies or services are unique or highly specialized;

(2)  Based on the contracting officer's knowledge of the market, more favorable terms and conditions, including pricing, will be provided if a single award is made;

(3)  The expected cost of administration of multiple contracts outweighs the expected benefits of making multiple awards;

(4)  The projected orders are so integrally related that only a single contractor can reasonably perform the work;

(5)  The total estimated value of the contract is less than the simplified acquisition threshold; or

(6)  Multiple awards would not be in the best interests of the Government.

FAR §16.504(c)(1)(ii)(B).

[7] With regard to security risks, the contracting officer elaborated that:

A single cloud environment does not mean that all data and applications are hosted in a single physical environment where everything is vulnerable to a single attack.  Rather, a single cloud environment is subdivided into many virtual private enclaves, like a honeycomb, where applications and data are logically isolated from other users. . . .

While security of data within a single cloud is largely standard and automatic, managing security and data accessibility between clouds creates seams that increase security risk for multiple reasons.  Crossing clouds requires complex manual configuration that is prone to human error and introduces security vulnerabilities. . . .  Systems in different clouds, even when designed to work together, require complex integration. . . .  Connections that are not correctly configured and managed at both endpoints introduce new attack vectors. . . . I find that multiple awards increase security risks.

AR, Tab 24, Contracting Officer's Singe-Award MFR, at 458. 

[8] This amount has been increased to $112,000,000, pursuant to 41 U.S.C. § 1908.  See FAR §16.504(c)(1)(ii)(D).

[9] Of relevance here, the four conditions include the following:  "the contract provides only for firm, fixed price task orders or delivery orders for . . . services for which prices are established in the contract for the specific tasks to be performed."  10 U.S.C. § 2304a(d)(3)(B). 

[10] We understand that the contracting officer's reference to "SDB Advisors" should have been a reference to "SBD Advisors." 

[11] IaaS is defined as:  "Hardware or virtualized hardware provisioning.  Including but not limited to compute servers, networking and storage."  AR, Tab 20 Market Research Report, at 368.

[12] PaaS is defined as: "Mechanisms to run applications on an IaaS platform, often used to aid in the development or execution of software applications.  Including but not limited to databases, containers, serverless compute, web-servers, analytics, and developer operations tools."  Id.

[13] The agency has advised Congress that this procurement "is the initial step toward enterprise-wide adoption of foundational infrastructure and platform technologies available from commercial solutions."  Initial Protest, exh. I, Combined Congressional Report, at 3.  Although the agency states that "the JEDI Cloud . . . is intended to be a solution for the entire DoD," and will extend "across the homefront to the tactical edge," the agency also notes that the JEDI Cloud is "not meant to be the only DoD Cloud."  Memorandum of Law (MOL), Sept. 24, 2018, at 2; Contracting Officer's Statement, Sept. 24, 2018, at 2.  The stated goal is for the JEDI Cloud to host 80 percent of current DoD applications.  Id.

[14] The RFP provides for a 2-year base period, two 3-year option periods, and one 2-year option period.  RFP at 730. 

[15] The FAR defines an SOO as "a Government-prepared document incorporated into a solicitation that states the overall performance of objectives.  It is used in solicitations when the Government intends to provide the maximum flexibility to each offeror to propose an innovative approach."  FAR § 2.101.

[16] The agency states that the SOO was written to "maximize Offeror flexibility in proposing and delivering solutions" and that the JEDI Cloud contract will "serve as a pathfinder for DoD to understand how to deploy enterprise cloud at scale while effectively accounting for security, governance, and modern architectures."  AR, Tab 27, Amended SOO, at 603.

[17] The factor 1 subfactors are referred to as "gate evaluation criteria."  RFP at 801. 

[18] Factors 2 through 6 are:  logical isolation/secure data transfer; tactical edge; information security/access controls; application and data hosting/portability; and management/task order 001.  Id. at 803-06.

[19] With regard to price, the RFP established the following seven contract line item numbers (CLINs) for each performance period:  (1) unclassified IaaS and PaaS; (2) classified IaaS and PaaS; (3) unclassified cloud support package; (4) classified support package; (5) portability plan; (6) portability test; and (7) program management.  RFP at 714-25.  The solicitation also established six "pricing scenarios," and required offerors to respond to each of these for purposes of price evaluation.  RFP attach. L-2, at 811-30.

[20] On August 14, the agency submitted various documents into the protest record.  On August 23, Oracle filed its first supplemental protest.

[21] The solicitation was amended on August 23 and August 31.

[22] Oracle's September 6 revised/consolidated protest subsumed and superseded Oracle's prior protest submissions.

[23] As discussed above, 10 U.S.C. § 2304a(d)(3)(B), as implemented by FAR § 6.504(c)(1)(ii)(D), provides that no IDIQ contract with an estimated value in excess of $112 million may be awarded to a single source unless the designated agency official "determines in writing that . . . the contract provides only for firm, fixed price task order or delivery orders for . . . services for which prices are established in the contract for the specific tasks to be performed."

[24] As noted above, CLINs 1 through 4 required fixed-price submissions for classified and unclassified IaaS and PaaS offerings, and classified and unclassified cloud support package offerings. 

[25] To the extent Oracle believes that a subsequent modification is beyond the scope of the awarded contract, it may subsequently file a protest challenging that modification. 

[26] As noted above, the contracting officer stated, among other things, that:

[M]anaging security and data accessibility between clouds creates seams that increase security risk for multiple reasons.  Crossing clouds requires complex manual configuration that is prone to human error and introduces security vulnerabilities. . . .  [S]ystems in different clouds, even when designed to work together, require complex integration. . . .  Connections that are not correctly configured and managed at both endpoints introduce new attack vectors. . . . I find that multiple awards increase security risks.

AR, Tab 24, Contracting Officer's Singe-Award MFR, at 458.

[27] The Appropriations Act provides that:

None of the funds appropriated or otherwise made available by this or any other Act may be obligated or expended by the Department of Defense to migrate data and applications to the proposed Joint Enterprise Defense Infrastructure or the Defense Enterprise Office Solutions cloud computing services until a period of 90 days has elapsed following the date on which the Secretary of Defense submits to the congressional defense committees-

(1)a proposed plan to establish a budget accounting system that provides transparency across the Department, including all military Services and Defense Agencies, for funds requested and expended for all cloud computing services procured by the Department and funds requested and expended to migrate to a cloud computing environment; and

(2)a detailed description of the Department's strategy to implement enterprise-wide cloud computing, including the goals and acquisition strategies for all proposed enterprise-wide cloud computing service procurements; the strategy to sustain competition and innovation throughout the period of performance of each contract, including defining opportunities for multiple cloud service providers and

insertion of new technologies; and an assessment of potential threats and security vulnerabilities of the proposed cloud computing strategy, and plans to mitigate such risks.

Public Law No. 115-245, § 8137 (2018).

[28] The RFP explains that each data center "must be capable of automated failover of all computing, network, and storage services to one another," noting that this requirement protects against data loss "in case of catastrophic data center failure."  RFP at 788.

[29] FedRAMP (Federal Risk and Authorization Management Program) is a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services.  See www.fedramp.gov (last visited Nov. 8, 2018).

[30] FedRAMP Moderate represents DoD's "minimum security requirements for processing or storing DoD's least sensitive information."  AR, Tab 42, Justification for Gate Criteria, at 943.

[31]  The FAR provides that:

Government business shall be conducted in a manner above reproach and, except as authorized by statute or regulation, with complete impartiality and with preferential treatment for none.  Transactions relating to the expenditure of public funds require the highest degree of public trust and an impeccable standard of conduct.  The general rule is to avoid strictly any conflict of interest or even the appearance of a conflict of interest in Government-contractor relationships.

FAR § 3.101.

We have noted that the conflict of interest provisions of FAR subpart 9.5 "serve as useful guidance in determining whether the type of conflicts prohibited by FAR § 3.101 exists."  See, e.g., Department of the Navy--Recon., B-286194.7, May 29, 2002, 2002 CPD ¶ 76 at 4.  Conflicts of interest, as described in FAR subpart 9.5, can be broadly categorized into three groups:  (1) unequal access to information; (2) impaired objectivity; and (3) biased ground rules.  As relevant to this protest, a biased ground rules conflict exists where a firm or individual has set the ground rules for the competition in an improper manner.  See FAR §§ 9.505-1, 9.505-2.  An unequal access to information conflict exists based on access to nonpublic information that may provide one offeror an unfair competitive advantage.  See FAR §§ 9.505(b), 9.505-4.

[32] The closing date for submission of proposals was October 12, 2018. 

Dec 14, 2018

Dec 13, 2018

Dec 12, 2018

Looking for more? Browse all our products here