Microsoft is catching up to Amazon in obtaining federal security approvals, giving it an edge over other potential bidders in the Pentagon’s winner-take-all competition for a multibillion-dollar cloud-computing contract.
The company best-known for its office software is advancing toward the certification needed to host the government’s most sensitive, classified information — a status held currently only by Amazon Web Services — as it expands cloud-computing storage centers through its Azure Government Secret unit.
“Based on the security-accreditation process alone there are really only two competitors,” Amazon and Microsoft, said Christopher Cornillie, a federal market analyst for Bloomberg Government.
The Defense Department is moving, slowly, toward issuing a final request for proposals for the project it calls the Joint Enterprise Defense Infrastructure, or JEDI, which it has said it plans to award by September. Other potential bidders have complained that plans for a winner-take-all contract favor Amazon, the dominant provider of cloud services, and have called for splitting the award among multiple contenders.
A provision in the annual military-spending bill passed Thursday by the House would hold up funding for the cloud project until the Pentagon submits a strategy to sustain competition and multiple cloud-service providers.
Less public attention has been given to the clearances the Pentagon has indicated any winning contractor must obtain. The draft request for proposals indicated the winner will need to qualify to host unclassified information within 30 days, classified information within six months and top-secret information within nine months.
The long and costly process to gain security authorization to provide cloud services to the federal government is also one reason other major technology companies such as Google, Oracle and IBM are lagging behind Amazon.
“If you haven’t gone through that already it’s hard to state confidently that you are able to provide services at that level,” said Rick Holgate, a research director with technology advisory firm Gartner.
A Microsoft spokeswoman said the company would soon be able “to support agencies and partners with their U.S. secret classified data and Impact Level 6 workloads,” referring to the highest clearance needed to handle the government’s top-secret information, the same level that Amazon has. “We’re making progress but have no further updates on timing to share.”
Amazon, Oracle and Google declined to comment. An IBM spokeswoman said the company is confident it will meet the necessary requirements for the contract.
Commercial cloud providers for the federal government must seek certification from the Federal Risk and Authorization Management Program (FedRAMP), which awards approval based on the sensitivity of data the service is hosting. A low-level certification might be sufficient for cloud-based services used with public websites, while a high level would be needed to host secret government information.
Those working for the Defense Department typically need additional clearance from the Defense Information Systems Agency (DISA). It issues security authorizations from IL-2, for hosting unclassified material, to IL-6, for classified data such as national security information.
“The analogy you hear in the industry all the time is it’s like hiring a baby-sitter,” Cornillie said. “If that baby-sitter is by all means extremely competent, at the end of the day you’re still taking the risk of leaving your child with somebody else. And to ensure the baby-sitter keeps doing a good job, you do things like having a neighbor check up on them, or set up a home video camera.”
The average commercial cloud provider spends $2.25 million to achieve authorization through FedRAMP and $1 million a year to maintain it, according to estimates from the U.S. General Services Administration. FedRAMP recently made changes to its program to reduce the time it takes to become authorized.
Microsoft is working to make the case that it, too, can be a safe and competent option for the Defense Department.
The Redmond company has already obtained FedRAMP’s high rating for its Azure Government business and IL-5 through DISA. In October, the company announced it was developing Microsoft Azure Government Secret to shepherd the company through the highest authorization, IL-6, which Amazon already holds.
The company also recently secured a lucrative cloud deal that allows 17 intelligence agencies and offices to use Microsoft’s Azure Government in addition to other products the company offers. Microsoft, which is making headway in the cloud market, also boasts the ability to support hybrid technology, mixing legacy on-premise computing with cloud systems.
Security and procurement experts caution that a company isn’t a sure bet to win the Pentagon’s cloud contract just because it already holds approval to handle high-security data. Major technology companies with expertise in federal security standards could move through the authorization process easily if given a green light by the Pentagon.
“It’s not crawl, walk, run,” said Katie Lewin, who helped design the FedRAMP program and is the current federal director of industry group Cloud Security Alliance. “You can start at run.”
The Pentagon also has said it’s open to accepting a bid from a team of companies, offering potential candidates the opportunity to make up for any disadvantages they face by partnering with another tech firm. Companies have already started having conversations about jointly bidding for the contract, Bloomberg News has reported.
It’s not easy to be cleared to serve the government. Companies have to hire independent third-party assessors to scan their systems for vulnerabilities, hack their own products and assess how well they are maintaining security standards. They also have to submit answers to as many as hundreds of questions about their security systems and even invest in innovations to get approval.
“We have seen it done in a couple of months. We have seen it done in a couple years,” said Michael Carter, vice president of FedRAMP and Assurance Services at Coalfire, an independent security assessor.
Amazon Web Services got its head start in security accreditation when it won a $600 million contract from the Central Intelligence Agency in 2013.