Protest challenging the agency’s determination to pursue a single-award IDIQ for cloud services is denied, where the agency’s decision was supported by several reasonable bases, including national security and cybersecurity concerns, and where the decision violated no regulation or policy. GAO also denied protest grounds arguing the solicitation requirements exceeded the agency’s needs, finding the agency provided reasonable explanations for its requirements for a FedRAMP Moderate certification and an online marketplace. Finally, GAO denied allegations of conflicts of interest, finding that two former employees of a competing vendor were not meaningfully involved in the development of the procurement and that, in any event, the agency had well-reasoned support for its requirements.
Oracle America Inc. protested various aspects of the Department of Defense’s request for proposals for cloud services, the Joint Enterprise Defense Infrastructure Cloud procurement. The protester argued that the RFP provisions leading to a single-award IDIQ contract are contrary to statute and regulation; the terms of the solicitation exceed the agency’s needs; and the agency failed to properly consider potential conflicts of interest.
First, Oracle challenged the agency’s decision to make a single award, asserting that various statutes and regulations require DoD to use a multiple award contract approach. Oracle also noted the agency failed to comply with regulatory fixed price requirements, despite statements from defense officials asserting that the JEDI Cloud contract would provide only for firm fixed-price task orders for services for which prices are established in the contract. According to Oracle, because the RFP does not identify all of the specific tasks that may be performed, it does not meet the statutory and regulatory requirements regarding established prices for such tasks, and asserts that this renders the agency’s determination and findings invalid.
In response, the agency argued the RFP clearly provides that pricing for all services is offered at a firm-fixed price, and specifically provides that only fixed-price task orders, based on established prices in the contract for the specific tasks to be performed, will be issued under the contract. Specifically, the agency noted the RFP required offerors to submit fixed-price catalogs for CLINs 1 through 4, which may contain thousands of services. The solicitation also states that any new services that are added to the contract must be priced on a fixed-price basis. Finally, the agency notes that Oracle’s arguments would effectively preclude the award of any single-award IDIQ contract pursuant to an RFP with a statement of objectives or any modification of such contracts.
GAO agreed, citing language in the RFP supporting the agency’s assertions. To the extent Oracle suggested that federal regulations contemplate only the issuance of fixed-price task orders for services that are currently identified with specificity in the RFP, GAO found this argument meritless. The FAR requires an agency to specify only the total minimum and maximum quantity of supplies or services the government will require under the contract, and provides that an agency may use an IDIQ when it cannot predetermine the precise quantities of required supplies or services above the established minimum. GAO agreed that Oracle’s interpretation would prevent an agency from awarding or modifying a single-award IDIQ.
Next, Oracle argued the agency failed to give adequate consideration to the preference for multiple awards, as stated in 10 U.S.C. § 2304a(d)(4) and FAR § 16.504(c)(1)(i). Oracle asserted that these authorities establish a preference for multiple-award IDIQ contracts to the maximum extent practicable, and argued that none of the three conditions cited by the contracting officer in her single-award memorandum for the record apply to this procurement.
In response, the agency noted the FAR states the CO must not use a multiple-award approach if any one of six conditions are met, and therefore the contracting officer’s determination not to use a multiple-award approach was not only permissible, it was mandated. Further, one of the three bases for declining to use a multiple-award approach was the agency’s concerns about security. The CO’s determination addressed the significantly greater security risks that would be created if the agency were required, through conducting task order competitions, to integrate various portions of the JEDI Cloud—provided by multiple, competing vendors—rather than implement a single vendor’s solution.
GAO rejected Oracle’s challenge to the CO’s bases for making a single-award determination. GAO agreed that the FAR provides that a multiple-award approach is precluded where any one of the six listed conditions is met, and GAO found CO’s determinations regarding each of the three applicable conditions to be reasonable. For example, GAO found the agency’s concerns about security reasonably supported the CO’s “best interest of the government” determination. Because the single-award determination was adequately justified, GAO denied the protest on these grounds as well.
Next, Oracle argued that the agency’s single-award approach is precluded by the Department of Defense and Labor, Health and Human Services, and Education Appropriations Act. In response, the agency noted that while the act prohibits the obligation of funds to perform the JEDI Cloud contract until 90 days after DoD has submitted a required report, the Act does not require DoD to abandon the JEDI Cloud contract. The agency further noted that, absent further Congressional action, the obligation of funds is authorized following the 90-day waiting period. GAO agreed. According to GAO, while Oracle’s asserted that DoD will be unable to comply with the reporting requirement and also continue with its single-award approach for the procurement, GAO found nothing in the act’s reporting requirement precluding a single-award procurement approach for JEDI.
Next, Oracle alleged that various solicitation requirements exceeded the agency’s needs or were designed around a particular cloud service. For example, under the high availability and failover subfactor, Oracle noted that proposals must demonstrate that the offeror has three existing data centers, 150 miles apart, that each support at least one IaaS offering and one PaaS offering that are FedRAMP Moderate authorized. Oracle argued that this exceeded the agency’s requirements, as DoD had “no legitimate need” for FedRAMP authorized offerings. According to Oracle, even if DoD does require this, it could evaluate proposed approaches to meet this requirement after contract award.
In response, the agency explained that its mission mandates rapid acquisition of cloud technologies in order to maintain the military’s technological advantage. The agency also denied Oracle’s assertion that the RFP’s requirements were designed around a particular cloud service. More specifically, the agency stated that the actual cyber security performance requirements the successful offeror will be required to meet in performing the JEDI Cloud contract are much greater than the FedRAMP Moderate requirement. While FedRAMP Moderate shows that an offeror has successfully met foundational security requirements, the JEDI Cloud must be able to host the department’s most sensitive information. Without this requirement, DoD would have to accept the risk that an offeror would be unable to achieve a higher security standard than Moderate. According to the agency, requiring offerors to have a FedRAMP moderate certification created an acceptable minimum threshold for security. GAO found this reasonable.
Oracle also complained that the agency did not require an online marketplace for third-party platform and software products, arguing that few offerors have such a store. In response, the agency noted that its market research suggested that most global cloud services providers have such a marketplace and that Oracle’s own proposal stated that the protester itself had one. The agency also argued the requirement is necessary to enable DoD and the contractor to “spin up” new systems using a combination of IaaS and PaaS offerings as well as offerings available through the marketplace. GAO found the requirement reasonable and within the agency’s discretion. GAO also noted that Oracle appeared to challenge a requirement that was not prejudicial to Oracle.
Finally, Oracle argued the CO failed to adequately consider potential conflicts of interest created by the Chief of Staff’s and the Digital Service Expert’s former employment and consulting relationships with Amazon Web Services. First, Oracle asserted that the Chief of Staff, the Digital Service Expert, or both, were involved in shaping the JEDI Cloud requirements—including the single-award provision and the other RFP requirements Oracle asserts are unduly restrictive. Oracle agued this created a biased ground rules OCI with regard to both individuals.
In response, the agency explained that the Chief of Staff was not personally and substantially involved in the procurement, but was limited to administrative actions such as scheduling and attending meetings. The Digital Service Experts involvement was limited to market research activities. Further, he was involved for less than 7 weeks and his involvement was terminated nearly 9 months before the RFP was issued.
GAO denied these protest grounds, first noting that the agency’s bases for its single-award determination were all reasonable and well-supported. Accordingly, even if the two individuals participated in shaping the procurement despite an apparent COI, GAO would not recommend that the agency proceed with the JEDI Cloud procurement in a manner that is inconsistent with meeting its actual needs.
Oracle also noted that the Digital Service Expert was re-hired by AWS in a leadership position after his participation in the JEDI Cloud procurement. Accordingly, Oracle suggested that this created an unequal access to information conflict of interest that could provide an unfair competitive advantage to AWS. In response, the agency noted the CO would perform an investigation of any potential conflicts prior to award, and argued that this allegation was not ripe for investigation prior to receipt of proposals. GAO agreed and declined to find the CO’s consideration of conflicts to be flawed for failing to consider this situation prior to the submission of proposals. In the event the agency’s subsequent actions provide a basis for protest, Oracle may raise this matter in a new protest.
Oracle America Inc. is represented by Craig A. Holman, Kara L. Daniels, Dana E. Koffman, Amanda J. Sherwood, and Nathaniel E. Castellano of Arnold & Porter Kaye Scholer LLP. The government is represented by Christina M. Austin and Andrew Bramnick, Department of Defense. GAO attorneys Glenn G. Wolcott and Peter H. Tran participated in the preparation of the decision.
