[HN Gopher] Google Cloud earns defense contract win for Anthos m...
       ___________________________________________________________________
        
       Google Cloud earns defense contract win for Anthos multi-cloud
       management tool
        
       Author : MLEnthusiast
       Score  : 34 points
       Date   : 2020-05-20 21:00 UTC (1 hours ago)
        
 (HTM) web link (techcrunch.com)
 (TXT) w3m dump (techcrunch.com)
        
       | justicezyx wrote:
       | It was well known that at the JEDI bidding, GCP's offering is
       | vastly behind MSFT and AWS.
       | 
       | Note that that does not necessarily contradict the original
       | decision to withdraw based on conflicting AI principle.
        
         | boulos wrote:
         | Disclosure: I work on Google Cloud (but I wasn't involved at
         | all with anything regarding JEDI).
         | 
         | I think it's more accurate to say that we did not have (and do
         | not have) the Impact Level 6 (IL-6) authorization that JEDI
         | _strongly suggested_. As a commenter below says, that doesn't
         | actually mean "vastly behind" any more than "Oh, you don't have
         | < French Law thing >" would mean vastly behind.
         | 
         | The Defense Department now has a writeup actually [1] about
         | some of this (search for "Impact Level"):
         | 
         | > In an October 22, 2018 letter to the OIG, Representatives
         | Womack and Cole raised concerns about the RFP's "gating or
         | restricting provisions" that seemed to be tailored to one
         | specific contractor that the Representatives did not identify.
         | On September 6, 2018, Oracle made a similar allegation in its
         | supplemental complaint to the GAO. For example, the
         | Representatives referred to "the requirement that the Cloud
         | Service Provider meets the Defense Information Systems Agency
         | Impact Level 6. Currently, this unnecessary requirement, along
         | with many others, can only be met by one specific contractor."
         | 
         | > [...] As of December 2018, Amazon Web Services was the only
         | contractor granted an IL-6 authorization."
         | 
         | > [...] We reviewed the JEDI Cloud RFP and found that it did
         | not include a gate criteria that required a contractor to meet
         | the IL-6 security requirements; rather, the RFP Statement of
         | Objectives required a contractor to have infrastructure capable
         | of meeting security requirements associated with hosting
         | information classified at the Secret level within 180 days of
         | contract award. The contractor's infrastructure also had to
         | meet security requirements associated with hosting information
         | classified at the Top Secret level, within 270 days of contract
         | award. Additionally, on December 12, 2019, DISA granted
         | Microsoft IL-6 authorizations, demonstrating that more than one
         | contractor was capable of meeting the security requirements.
         | 
         | [1]
         | https://media.defense.gov/2020/Apr/15/2002281438/-1/-1/1/REP...
        
         | DevKoala wrote:
         | Can you provide some specifics? I am not refuting your claim.
         | 
         | GCP is my favorite cloud platform to develop on, but obviously
         | the needs of the US government are different from the needs of
         | an individual software consultant.
        
           | tw04 wrote:
           | I would imagine it's more a matter of contracts and
           | relationships than strictly features. Doing business with the
           | government generally requires a dedicated business unit - not
           | because their requirements are markedly different (although
           | they can definitely be more strict on security requirements)
           | but more because there's just a mountain of paperwork to be a
           | qualified vendor. Google or not.
        
           | moandcompany wrote:
           | Google/Alphabet employee here, but not affiliated with GCP.
           | 
           | One quick way to get a grasp of this is to take a look at the
           | FedRAMP page for various Cloud services providers with IaaS
           | and other offerings to see how many authorizations exist, and
           | at what level:
           | 
           | https://marketplace.fedramp.gov/#/products?sort=productName&...
           | 
           | What is FedRAMP?
           | 
           | "The Federal Risk and Authorization Management Program
           | (FedRAMP) is a government-wide program that provides a
           | standardized approach to security assessment, authorization,
           | and continuous monitoring for cloud products and services.
           | This approach uses a "do once, use many times" framework that
           | saves cost, time, and staff required to conduct redundant
           | Agency security assessments."
           | 
           | Not all DoD work is classified, but classified data storage,
           | transmission, and processing has strict standards defined by
           | the National Security Agency. There are many levels of
           | information classification, and generally these information
           | levels are not allowed to comingle or information systems are
           | run at a system-high level (i.e. everything in and about a
           | system is handled at the highest level of classification for
           | information the system may contain).
           | 
           | Generally, information systems used by the Department of
           | Defense must be certified and accredited for use by the
           | information owner / equivalent of a CIO-level role
           | (G6/A6/N6/etc).
           | 
           | Not all cloud service providers have facilities and systems
           | designed and certified for classified information storage and
           | processing.
           | 
           | https://fcw.com/articles/2017/11/20/aws-secret-region.aspx
           | 
           | https://www.nextgov.com/it-modernization/2018/03/defense-age...
           | 
           | https://www.nextgov.com/it-modernization/2020/03/microsoft-u...
        
         | tootie wrote:
         | AWS and Azure have a ton of services up and down the value
         | chain but I kinda doubt the DoD is interested in more than
         | compute and storage. Everything past that is security and
         | price.
        
       | samfisher83 wrote:
       | Given the dod budget is bigger than the revenue of google, amzn,
       | and msft combined and with a million employees why can't they
       | just build their own data centers?
        
         | jdpedrie wrote:
         | Probably the same reason they don't build factories and bring
         | airplane and tank production in house.
        
         | codemac wrote:
         | This was surprising to me, but in retrospect not that
         | surprising
         | 
         |   - AMZN 2019: 280.5B
         |   - GOOG 2019: 160.7B
         |   - MSFT 2019: 125.8B
         |     total:     567.0B
         | 
         |   - DoD  2019: 686.1B
        
         | throwawaysea wrote:
         | If I had to guess, it is because the working culture of public
         | organizations (often a lack of motivation/incentive due to lack
         | of competition), combined with tenure-based job security, and
         | artificial constraints (pay structures/levels that don't align
         | with the competitive market) mean that someone like the DoD
         | can't really get something like this done. They wouldn't be
         | able to hire the right talent. If they did hire talent, that
         | talent would need to work in the shadow of existing
         | hierarchies/authorities that aren't suited for the role. Not to
         | mention that bidding processes like LPTA (Lowest Price
         | Technically Acceptable) would hinder procurement with a lot of
         | red tape and poor decision making.
         | 
         | TLDR, because they aren't set up for success like private
         | organizations.
        
           | jbay808 wrote:
           | I would guess it's less likely to be this, and more likely to
           | be purchasing rules in place that ask them to by default
           | place bids for private organizations to carry out work to
           | meet specifications, and only bring it in-house under
           | exceptional cases or where the bids are very uncompetitive.
           | 
           | These rules often exist as a means of ensuring fairness, as
           | an anti-corruption measure, or to provide enough business to
           | maintain a robust network of private contractors.
        
       ___________________________________________________________________
       (page generated 2020-05-20 23:00 UTC)