Auditors say the General Services Administration's 2010 blanket purchase agreements for cloud infrastructure as a service ignored sound contracting practices in the agency's rush to provide a contracting vehicle for cloud solutions.
In a report (.pdf) dated June 4, the GSA office of inspector general says a contracting officer gave a BPA to one offeror despite knowing that the offeror fell short on the technical requirements. Specifically, the unidentified offeror was unable to affirm that a specific requirement necessary to obtain a security authorization would be available at the time of award, auditors say. The contracting officer gave the company a BPA anyway, on the premise that any federal agency attempting to execute a contract against the BPA would have to ensure that the offeror met all technical requirements.
Auditors describe the contracting officer's reasoning as "not a sound decision."
In addition, auditors say wide cost variances among the selected IaaS vendors point to the lack of a reliable price analysis. For example, two offerors acting as resellers for the same third-party cloud provider service quoted prices 55 percent apart.
"As a result, customer agencies may pay different prices for identical items depending on which BPA they use in placing their order," auditors note.
Auditors also fault GSA for generally lacking a strategy to determine the number of BPAs it would agree to, deciding instead simply to award one to any offeror able to meet the solicitation requirements.
GSA's official response says the agency agrees that the process under which the IaaS BPA awards were made was inconsistent and lacked clarity. In February 2011, GSA says, the agency completely revised its contract review board process.
- download the report, A110172/Q/A/P12008 (.pdf)