An amendment to the annual defense authorization bill that would have forced the Department of Defense Inspector General to turn over documents related to DoD’s failed JEDI cloud computing contract was shot down after the committee’s Democratic chair argued that it would only serve to reopen an old political fight and imperil the Pentagon’s new replacement contract.
The $10 billion JEDI contract — ultimately awarded to Microsoft before being canceled earlier this year — was beset from start to finish by accusations of bias from industry that the bidding process was set up to cater to the strengths of Amazon Web Services. There were multiple bid protests, lawsuits and even public attacks from then-President Donald Trump, who encouraged the Pentagon to investigate the contract for signs of corruption and Amazon bias. Those comments would later form the basis of a lawsuit against the government by Amazon claiming political interference.
The contract and procurement wound up going through a lengthy review by the department’s inspector general, which cleared the Pentagon and multiple defense officials of charges that the process was tainted by bias or corruption. It was later revealed that the inspector general’s office withheld multiple emails from Congress and the public, some of which indicate deeper discussion with Amazon officials ahead of the bidding process, though none appear to cross any clear ethical lines or indicate officials were overtly rigging or massaging the process.
The amendment, defeated 28-30 along party lines, would have required DoD’s inspector general to turn over to Congress all documentation and other materials used in their review of the JEDI contract, documents the secretary of defense provided to the IG and all documents received in response to requests by the inspector general. Rep. Jim Banks, R-Ind., the amendment’s sponsor, characterized it as a “simple amendment” that was in line with Congress’ core oversight and transparency responsibilities.
“This is a gigantic contract and the way this was handled from the beginning was riddled with all kinds of issues, and if we dare not repeat this disaster with JEDI in the future, this committee deserves to know what happened along the way,” said Banks.
Chair Adam Smith, D-Wash., who opposed the amendment, acknowledged that there were “a wide range of allegations against a wide range of actors” during the procurement. He said that the $10 billion price tag attached to the contract, a long-running feud between Trump and Amazon owner Jeff Bezos, and self-interested behind-the-scenes maneuvering by competing cloud companies like Oracle, Amazon and Microsoft all combined to turn the contract into a political football.
However, Smith said that JEDI has already been investigated and that there “isn’t any particular mystery what happened,” and said relitigating the issue would only serve to breathe new life into it and slow down work on JEDI’s replacement, which he said was “so desperately needed to move the Pentagon forward on key technology issues.”
“What I think this committee should do is not get in the way of moving forward with the cloud contract,” said Smith. “It was bad enough that everything happened that did that slowed down the awarding of it and then stopped the contract and has put us behind. This will put us further behind unnecessarily.”
Asked to explain how further review of documents related to a dead contract might impact an entirely separate procurement process, Smith said that JEDI was “infused with politics” on all sides from the very beginning by industry, Congress and the White House.
Another review focused on Amazon’s role, particularly after previous investigations and after DoD awarded JEDI to Microsoft before canceling it entirely, would only serve to reopen old wounds and feed further political grandstanding around the department’s cloud needs.
“We turn these documents over and everybody does their little examination of every email and … how it slows it down is that with politics you just throw gasoline on the fire again,” Smith said.
Rep. Matt Gaetz, R-Fla., then thanked Smith for his “pro-Amazon” position, prompting Smith, whose state is home to both Amazon and Microsoft headquarters, to respond that those are exactly the kind of politically charged comments he was seeking to discourage by opposing the amendment.
The security impact of further delays
While it’s not clear whether or how further review of JEDI might delay or impede its replacement, the Pentagon has made it clear in the past that moving to an enterprise cloud environment went hand-in-hand with a number of initiatives to modernize cybersecurity operations.
The Pentagon’s 2019 cloud strategy, which at the time still envisioned a single-vendor enterprise cloud procurement like JEDI, was crafted to align with the military’s broader cybersecurity strategy. Specifically, it referenced the need to leverage the elasticity of a commercial cloud architecture to increase the efficacy of cyber operations and shift away from on-premises, network boundary security practices that are out of step with today’s cloud-conscious best practices around digital security.
“DoD must embrace modern security mechanisms built into modern commercial cloud providers' platforms to ensure the security of these large amounts of data and to safeguard the information,” the strategy noted. “This requires shifting the focus of security from the perimeter edge of the network to actively controlling use of the data itself.”
Greg Touhill, a retired brigadier general who spent decades protecting the .mil domain and former U.S. chief information security officer under the Obama administration, told SC Media that while JEDI and its successor are important components of DoD’s future plans, the department is already operating in a hybrid cloud environment.
Whether it’s JEDI or its replacement, Amazon or Microsoft (or a completely different vendor), much of the work developing the security processes that will govern that new environment will be the same. That means there is plenty the Pentagon can do to prepare on the defensive side while it waits for the new contract process to play out.
“From a security standpoint, it’s important that your cloud security rule sets, policies, procedures and technologies are largely congruent, regardless of which architectural construct you have,” said Touhill, now director of the Software Engineering Institute’s CERT at Carnegie Mellon University. “Some of those policies will be regarding things like access, identity and ultimately concepts like zero trust so that you only see the information you’re authorized to see and nothing else.”