Oracle takes its gripes about Pentagon's JEDI contract to federal court

Great way to make friends during procurement for a $10bn contract, eh Larry?

Fresh from defeat at the hands of the US Government Accountability Office, Oracle has taken its battle against the single-vendor Pentagon cloud contract to court.

The legacy database biz filed a suit against the Department of Defense in the US Court of Federal Claims last week, and the redacted complaint was published yesterday.


Under the $10bn contract, known as JEDI (Joint Enterprise Defense Infrastructure), almost 80 per cent of the Department of Defense's IT systems will be migrated to the cloud. It could last 10 years and will be awarded to just one vendor: AWS is thought to be in pole position.

Oracle has claimed since the start of the process that this approach would lock the government into legacy tech and could damage innovation, competition and security – and that it goes against various rules on government procurement for high-value awards.

The lawsuit repeats these assertions, but also alleges conflicts of interest within the DoD and that the Pentagon "crafted" the request for proposals criteria to limit the number of vendors that could compete.

It also claims the government has introduced "unduly restrictive requirements" into the criteria required for vendors to bid, which will "cause Oracle significant competitive prejudice".

Is this the contract they're looking for?

The Joint Enterprise Defense Infrastructure programme will cover all branches of the military and run for a maximum of 10 years. It will be awarded to just one vendor.

Oracle and others claim this lock-in would be bad for security and stifle innovation, especially with the pace of change in cloud technology. They have said it makes it almost impossible for anyone but a huge vendor to win – splitting it up would give smaller firms the chance to pick up some scraps.

The DoD has countered that multiple awards will slow down the process and hamper its ability to use tech to boost defences, and that the extra investment most vendors would need to reach the military bar would raise costs. And maintaining non-standardised infrastructure and platform environments would complicate development and use of software applications.

It has also emphasised the exit points in the contract: the minimum base period is two years, with a subsequent three-year option ordering period, followed by another three-year option ordering period and a final two-year period.

Oracle filed two protests with the Government Accountability Office (GAO) in August, but both were denied last month and the GAO permitted the Pentagon to go ahead with its single-award approach. The GAO has said it will issue a decision on a similar appeal filed by IBM by 18 January.

Arguing that the government has drafted the request for proposal (RFP) in a way that favours Amazon Web Services, Oracle checks off Gartner's six biggest IaaS providers, pointing out that Google has quit the race, Alibaba was ineligible and that both it and IBM had filed protests against the award.

"Microsoft has severely criticised the JEDI cloud procurement, questioning its structure and fairness," it said. The only firm left is Amazon.

This brings Big Red nicely to its other point in the lawsuit: that two members of DoD staff who it claims were involved in shaping the contract had ties to AWS.

Oracle alleged that Deap Ubhi – whose 18 months at the US Digital Service (USDS), from summer 2016, was sandwiched between positions at AWS – had engaged in "highly technical" discussions with potential JEDI competitors and had access to a drive with information on the procurement.

The second person Oracle claims to have been conflicted is Anthony DeMartino, the chief of staff for the deputy secretary of defense whose previous job at a consultancy saw him work with AWS. According to Oracle, he didn't seek approval from the DoD Standard of Conduct Office until April 2018 – by which time the "damage" had been done.

However, accusations that the DoD had failed to consider or protect against such conflicts have already been dismissed by the GAO; it said the allegations "do not provide a basis for sustaining Oracle's protest".

In response to the claims made at that time, the DoD said that the chief of staff "did not participate personally and substantially" in the procurement – his activities were limited to admin.

Meanwhile, the USDS employee's involvement was limited to market research activities and lasted for less than seven weeks, ending nine months before the RFP was issued.

Elsewhere, the lawsuit went into the specifics of the criteria Oracle believes to be unduly restrictive and how they force Oracle out.

For instance, the requirements on FedRAMP compliance were added too late for vendors to seek and obtain this authorisation, Oracle said. It went on to list the various benefits the government would be offered by its self-branded next-generation cloud – much of the detail here is redacted.

A key component of this "second generation cloud", released at OpenWorld this year, is the bare-metal server, which CTO Larry Ellison claimed would tackle the "incredible vulnerability" of running sensitive cloud-control software and customer-provided code on the same computers – a vuln he said Amazon does not address.

It isn't clear how the lawsuit (PDF) will affect the award of the contract – the Pentagon is expected to make a decision on the vendor in early 2019, but if Oracle's case is successful the department could face a long delay in implementation or be forced to revise JEDI.

Earlier this year, the GAO ruled that the DoD should scrap another cloud deal, originally valued at about $1bn, as a result of successful protests from Oracle and others. ®
