What the CIA Cloud Does and Doesn’t Tell Us
Much has been written about the US Government Central Intelligence Agency's award of its private cloud business to Amazon Web Services and the subsequent protest and government ruling on this award, but much of the coverage leaves out a few pertinent and key facts. Let's look at the key questions being debated about this proposed contract:
Q: Is this a private cloud? AWS said it doesn't believe in private clouds.
A: Yes, despite AWS' protests to the contrary, this is a private cloud. According to the documents that have thus far been made public from this proposal, the CIA is looking for a cloud service (an Infrastructure as a Service) offered on a dedicated set of resources isolated to a specific customer and deployed on CIA-owned resources from within a government owned and operated facility.
Q: Would this be AWS' first private cloud?
A: Yes and no. Yes, it would be the first implementation of the AWS services atop a customer-owned infrastructure and facility asset base. But no, it would not be the first time AWS has delivered an isolated environment offering its services. AWS's GovCloud is also a private cloud for the greater US Government. FedCloud is operated from an AWS-owned facility on AWS owned assets.
Q: Is this a community cloud? What's the difference between that and a private cloud?
A: This is primarily a private cloud dedicated to the CIA as its only customer. The public documents suggest (although they do not explicitly state this) that the CIA could offer access to this environment to other members of the intelligence community. That would make it a community cloud. The terms private cloud and community cloud are tangential to each other. A community cloud is a cloud service that is accessible only to a community of related entities. Community clouds can be either public or private in their deployment – with security setting the boundaries of access, not physical infrastructure isolation. If the CIA were to invite the greater intelligence community into its private cloud it would become a private community cloud with the CIA taking responsibility for the shared access.
AWS already hosts a public community cloud, the NASDAQ's FinQloud service. This service resides on the public AWS cloud with access to the service isolated through virtual security parameters rather than physical isolation. NASDAQ controls access to this environment, not AWS. Other public community clouds on AWS include the Adobe Creative Cloud and Autodesk 360.
Q: Is this just IaaS? The CIA's Request for Proposal (RFP) also ask for Platform as a Service (PaaS)?
A: While the term PaaS is used in the RFP, what is specifically asked for is a managed MapReduce application service. AWS has an existing cloud service for this request – its Elastic MapReduce service — which would be part of the offering. A broader PaaS solution, which tends to include a full runtime environment for a given programming language or set of languages, is not specifically requested. The CIA said it would need clusters of MapReduce able to process 100TBs of data. This requirement was part of what was protested (more on this below).
Q: Was this contract really worth $600 million?
A: Yes, if all phases of the proposal were fulfilled to maximum value. Public documents break the contract into phases covering 10 years starting with a 270-day period to achieve initial operating capability. If successful this would be followed by a 4-year base ordering period, a 3-year extension option, and a 2-year further extension option. It isn't clear in any of the documentation how much each phase would be worth and nothing was a hard commitment past the initial operating phase. But that isn't the total cost to the CIA. They would also have to burden the facility costs and potentially the infrastructure as well (assuming AWS isn't also selling them hardware). It should also be noted that the CIA won't get any of the benefits of pay per use in this deal. They will be paying for the service and all the resources it runs on, perpetually, whether they use it or not.
Q: Much of the media coverage said that IBM protested because they lost the bid despite having the lowest price. Is this correct?
A: No. IBM protested that the parameters of the bidding process were not equal for all participating parties and on two counts this protest was sustained. The first protest that was sustained was in regards to some language pertaining to efforts the vendor would make to ensure all software provided to the agency would be free of computer viruses. AWS requested (and was granted) an amendment to this language that would limit their liability to only AWS developed software. All other competitors had to take liability for all software provided – including third party and open source software.
The second protest sustained was around the MapReduce service and how to cost out this offering. Some ambiguous language in the RFP may have led AWS and IBM to different conclusions about how resources would be required to meet the CIA's MapReduce needs and thus widely differing cost proposals. The Goverment Accountability Office has recommended that the CIA clarify the requirements here and accept new bids from all remaining candidate parties.
Q: The media coverage also suggests that IBM lost the bid because they do not have autoscaling capabilities. True?
A: Not true. Again, according to the public documents, IBM did provide auto-scaling capabilities as part of its proposal. However, it limited its ability to provide this capability to applications in its existing service catalog and that customer-created workloads would not automatically auto-scale. However, in IBM's protest, the company stated that customer-created workloads simply needed to be added to the IBM service catalog to then be available for autoscaling. While not explicitly stated in the public documents it can be inferred that a service desk request would have to be filed with IBM to get a new workload added to the service catalog. The public documents state that the CIA rated IBM's response to autoscaling as a fail. The GAO, in its ruling clarified the situation but said it would not sustain IBM's protest on this ground.
By the way, it should be noted that in the GAO recommendation's endnotes there is an effort to define autoscaling where it states that this capability refers to "changing the capacity of a particular server." This is inaccurate or at least misleading. Autoscaling typically adds new servers to a pool to achieve higher capacity and performance rather than changing the capacity of a given, deployed server.
Q: Is it true that the CIA overlooked AWS' past service outages in its evaluation of this vendor?
A: No. The CIA, according to the public documents was in fact aware of the AWS outages but did not deem them detrimental to its evaluation of AWS' past performance. Why? Because the outage of one service in one availability zone or region does not equate to a full service outage. In fact the National Aeronautics and Space Agency (NASA) Jet Propulsion Laboratory (JPL) came to the defense of AWS stating that it has had "100% uptime in AWS despite the outages." The CIA further defended AWS on the grounds of its transparency about outages. At least they are upfront about it.
Q: Will IBM get to rebid for the business or is this all just rhetoric and politics?
A: Yes, if the CIA takes the GAO's recommendation, all past participating vendors will get the chance to rebid for this contract under new, modified specifications. The GAO made specific recommendations about changes in RFP language to ensure a level bidding playing field. While it is not uncommon for government contractors (especially long-standing contractors like IBM) to protest when they lose a large bid like this, the GAO committee who evaluated this protest felt there were sufficient grounds to support this protest and in reading their explanation there are certainly enough uncertainties here to warrant the second go-round. And IBM got its protest filing costs and attorney fees paid in the ruling.
Q: Does this open the door for other government agencies or enterprises to request AWS private clouds?
A: Yes, but don't expect to get one. Few entities, government or commercial, have the specific security requirements of the CIA or its clout. But once this door has been opened it certainly makes fulfillment of such a request not only reasonable (at the right price) but technically proven. While AWS is very likely to frown upon further private deployments of its software, it certainly must be prepared for a flood of such requests. But while such a prospect might sound appealing to you, Forrester clients should recognize that a private AWS (or any other private cloud) will cost significantly more than using the public service and arguably will not be more secure, available or performant.
But if you do insist on a private AWS don't expect to get the full value of this service. You will likely get only a subset of all the services AWS provides on its public cloud (which you might have to specify in your request) and you will miss out on nearly every bit of its ecosystem of PaaS and web services software partners, licensed software offerings, geographic regions and multiple availability zones and all the other enterprises running on AWS that you might want to be partners.
Q: Doesn't this harm AWS' position on the benefits of the public cloud?
A: No. If anything it will increase the appeal and use of the public cloud. First off, it's a ringing endorsement of their services and capabilities. As stated above, the CIA will only get a subset of the AWS value so when and if they want to tap into the rest of that value they will likely set up a hybrid architecture leveraging the public service. And most likely if you want to do business with the CIA but aren't an invited member of the intelligence community, you will likely be encouraged to connect to them through AWS as both services will share the same APIs.