[HN Gopher] Google Cloud earns defense contract win for Anthos m...
___________________________________________________________________
Google Cloud earns defense contract win for Anthos multi-cloud management tool

Author : MLEnthusiast
Score  : 34 points
Date   : 2020-05-20 21:00 UTC (1 hours ago)

(HTM) web link (techcrunch.com)
(TXT) w3m dump (techcrunch.com)

| justicezyx wrote:
| It was well known that at the JEDI bidding, GCP's offering is vastly behind MSFT and AWS.
|
| Note that that does not necessarily contradict the original decision to withdraw based on conflicting AI principle.

| boulos wrote:
| Disclosure: I work on Google Cloud (but I wasn't involved at all with anything regarding JEDI).
|
| I think it's more accurate to say that we did not have (and do not have) the Impact Level 6 (IL-6) authorization that JEDI _strongly suggested_. As a commenter below says, that doesn't actually mean "vastly behind" any more than "Oh, you don't have < French Law thing >" would mean vastly behind.
|
| The Defense Department now has a writeup actually [1] about some of this (search for "Impact Level"):
|
| > In an October 22, 2018 letter to the OIG, Representatives Womack and Cole raised concerns about the RFP's "gating or restricting provisions" that seemed to be tailored to one specific contractor that the Representatives did not identify. On September 6, 2018, Oracle made a similar allegation in its supplemental complaint to the GAO. For example, the Representatives referred to "the requirement that the Cloud Service Provider meets the Defense Information Systems Agency Impact Level 6. Currently, this unnecessary requirement, along with many others, can only be met by one specific contractor."
|
| > [...] As of December 2018, Amazon Web Services was the only contractor granted an IL-6 authorization."
|
| > [...] We reviewed the JEDI Cloud RFP and found that it did not include a gate criteria that required a contractor to meet the IL-6 security requirements; rather, the RFP Statement of Objectives required a contractor to have infrastructure capable of meeting security requirements associated with hosting information classified at the Secret level within 180 days of contract award. The contractor's infrastructure also had to meet security requirements associated with hosting information classified at the Top Secret level, within 270 days of contract award. Additionally, on December 12, 2019, DISA granted Microsoft IL-6 authorizations, demonstrating that more than one contractor was capable of meeting the security requirements.
|
| [1] https://media.defense.gov/2020/Apr/15/2002281438/-1/-1/1/REP...

| DevKoala wrote:
| Can you provide some specifics? I am not refuting your claim.
|
| GCP is my favorite cloud platform to develop on, but obviously the needs of the US government are different from the needs of an individual software consultant.

| tw04 wrote:
| I would imagine it's more a matter of contracts and relationships than strictly features. Doing business with the government generally requires a dedicated business unit - not because their requirements are markedly different (although they can definitely be more strict on security requirements) but more because there's just a mountain of paperwork to be a qualified vendor. Google or not.

| moandcompany wrote:
| Google/Alphabet employee here, but not affiliated with GCP.
|
| One quick way to get a grasp of this is to take a look at the FedRAMP page for various Cloud services providers with IaaS and other offerings to see how many authorizations exist, and at what level:
|
| https://marketplace.fedramp.gov/#/products?sort=productName&...
|
| What is FedRAMP?
|
| "The Federal Risk and Authorization Management Program (FedRAMP) is a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. This approach uses a "do once, use many times" framework that saves cost, time, and staff required to conduct redundant Agency security assessments."
|
| Not all DoD work is classified, but classified data storage, transmission, and processing has strict standards defined by the National Security Agency. There are many levels of information classification, and generally these information levels are not allowed to comingle or information systems are run at a system-high level (i.e. everything in and about a system is handled at the highest level of classification for information the system may contain).
|
| Generally, information systems used by the Department of Defense must be certified and accredited for use by the information owner / equivalent of a CIO-level role (G6/A6/N6/etc).
|
| Not all cloud service providers have facilities and systems designed and certified for classified information storage and processing.
|
| https://fcw.com/articles/2017/11/20/aws-secret-region.aspx
|
| https://www.nextgov.com/it-modernization/2018/03/defense-age...
|
| https://www.nextgov.com/it-modernization/2020/03/microsoft-u...

| tootie wrote:
| AWS and Azure have a ton of services up and down the value chain but I kinda doubt the DoD is interested in more than compute and storage. Everything past that is security and price.

| samfisher83 wrote:
| Given the dod budget is bigger than the revenue of google, amzn, and msft combined and with a million employees why can't they just build their own data centers?

| jdpedrie wrote:
| Probably the same reason they don't build factories and bring airplane and tank production in house.

| codemac wrote:
| This was surprising to me, but in retrospect not that surprising
|
| - AMZN 2019: 280.5B
| - GOOG 2019: 160.7B
| - MSFT 2019: 125.8B
|
| total: 567.0B
|
| - DoD 2019: 686.1B

| throwawaysea wrote:
| If I had to guess, it is because the working culture of public organizations (often a lack of motivation/incentive due to lack of competition), combined with tenure-based job security, and artificial constraints (pay structures/levels that don't align with the competitive market) mean that someone like the DoD can't really get something like this done. They wouldn't be able to hire the right talent. If they did hire talent, that talent would need to work in the shadow of existing hierarchies/authorities that aren't suited for the role. Not to mention that bidding processes like LPTA (Lowest Price Technically Acceptable) would hinder procurement with a lot of red tape and poor decision making.
|
| TLDR, because they aren't set up for success like private organizations.

| jbay808 wrote:
| I would guess it's less likely to be this, and more likely to be purchasing rules in place that ask them to by default place bids for private organizations to carry out work to meet specifications, and only bring it in-house under exceptional cases or where the bids are very uncompetitive.
|
| These rules often exist as a means of ensuring fairness, as an anti-corruption measure, or to provide enough business to maintain a robust network of private contractors.
___________________________________________________________________
(page generated 2020-05-20 23:00 UTC)