Microsoft Catching Up to Amazon in Security Clearances for Cloud

Microsoft Corp. is catching up to Amazon.com in obtaining federal security approvals, giving it an edge over other potential bidders in the Pentagon's winner-take-all competition for a multibillion-dollar cloud computing contract.

The company best-known for its office software is advancing toward the certification needed to host the government's most sensitive, classified information - a status held currently only by Amazon Web Services - as it expands cloud-computing storage centres through its Azure Government Secret unit.

"Based on the security accreditation process alone there are really only two competitors," Amazon and Microsoft, said Christopher Cornillie, a federal market analyst for Bloomberg Government.

The Defense Department is moving, slowly, toward issuing a final request for proposals for the project it calls the Joint Enterprise Defense Infrastructure, or JEDI, which it has said it plans to award by September. Other potential bidders have complained that plans for a winner-take-all contract favour Amazon, the dominant provider of cloud services, and have called for splitting the award among multiple contenders.

A provision in the annual defence spending bill passed Thursday by the House would hold up funding for the cloud project until the Pentagon submits a strategy to sustain competition and multiple cloud-service providers.

Less public attention has been given to the clearances the Pentagon has indicated any winning contractor must obtain. The draft request for proposals indicated the winner will need to qualify to host unclassified information within 30 days, classified information within six months and top-secret information within nine months.

The long and costly process to gain security authorisation to provide cloud services to the federal government is also one reason other major technology companies such as Alphabet's Google, Oracle Corp. and International Business Machines Corp. are lagging behind Amazon.

"If you haven't gone through that already it's hard to state confidently that you are able to provide services at that level," said Rick Holgate, a research director with technology advisory firm Gartner.

A Microsoft spokeswoman said the company would soon be able "to support agencies and partners with their US secret classified data and Impact Level 6 workloads," referring to the highest clearance needed to handle the government's top-secret information, the same level that Amazon has. "We're making progress but have no further updates on timing to share."

Amazon, Oracle and Google declined to comment. An IBM spokeswoman said the company is confident it will meet the necessary requirements for the contract.

Commercial cloud providers for the federal government must seek certification from the Federal Risk and Authorization Management Program (FedRAMP), which awards approval based on the sensitivity of data the service is hosting. A low-level certification might be sufficient for cloud-based services used with public websites, while a high level would be needed to host secret government information.

Those working for the Defense Department typically need additional clearance from the Defense Information Systems Agency (DISA.) It issues security authorisations from IL-2, for hosting unclassified material, to IL-6, for classified data such as national security information.

"The analogy you hear in the industry all the time is it's like hiring a babysitter," Cornillie said. "If that babysitter is by all means extremely competent, at the end of the day you're still taking the risk of leaving your child with somebody else. And to ensure the babysitter keeps doing a good job, you do things like having a neighbour check up on them, or set up a home video camera."

The average commercial cloud provider spends $2.25 million (roughly Rs. 15.5 crores) to achieve authorization through FedRAMP and $1 million a year to maintain it, according to estimates from the US General Services Administration. FedRAMP recently made changes to its program to reduce the time it takes to become authorised.

Microsoft is working to make the case that it, too, can be a safe and competent option for the Defense Department.

The Redmond, Washington-based company has already obtained FedRAMP's high rating for its Azure Government business and IL-5 through DISA. In October, the company announced it was developing Microsoft Azure Government Secret to shepherd the company through the highest authorisation, IL-6, which Amazon already holds.

The company also recently secured a lucrative cloud deal that allows 17 intelligence agencies and offices to use Microsoft's Azure Government in addition to other products the company offers. Microsoft, which is making headway in the cloud market, also boasts the ability to support hybrid technology, mixing legacy on-premise computing with cloud systems.

Security and procurement experts caution that a company isn't a sure bet to win the Pentagon's cloud contract just because it already holds approval to handle high-security data. Major technology companies with expertise in federal security standards could move through the authorisation process easily if given a green light by the Pentagon.

"It's not crawl, walk, run," said Katie Lewin, who helped designed the FedRAMP program and is the current federal director of industry group Cloud Security Alliance. "You can start at run."

The Pentagon also has said it's open to accepting a bid from a team of companies, offering potential candidates the opportunity to make up for any disadvantages they face by partnering with another tech firm. Companies have already started having conversations about jointly bidding for the contract, Bloomberg News has reported.

For instance, General Dynamics Corp., which recently acquired CSRA, faces challenges in securing the Pentagon's cloud contract on its own because the draft requirements favour companies that generate less than half of their business from the federal government. General Dynamics generated 61 percent of its revenue from the federal government in 2017, according to data compiled by Bloomberg.

Damon Bramble, General Dynamics Information Technology's vice president for DISA and defence enterprise services, said his company is still weighing its options on how it will approach JEDI but the company could leverage its experience with the Defense Department in partnership with other tech giants. General Dynamics Information Technology is already supporting an on-premise cloud environment for the military through milCloud 2.0, which is ranked at an IL-5 for infrastructure.

"We have a unique understanding of the challenges" facing the Defense Department, Bramble said. "That makes us in many ways an ideal partner."

It's not easy to be cleared to serve the government. Companies have to hire independent third-party assessors to scan their systems for vulnerabilities, hack their own products and assess how well they are maintaining security standards. They also have to submit answers to as many as hundreds of questions about their security systems and even invest in innovations to get approval.

"We have seen it done in a couple of months. We have seen it done in a couple years," said Michael Carter, vice president of FedRAMP and Assurance Services at Coalfire, an independent security assessor.

Amazon Web Services got its head start in security accreditation when it won a $600 million contract from the Central Intelligence Agency in 2013.

Google has obtained only a "moderate" authorisation level through FedRamp and the low-level authorisation - IL-2 - through DISA. Also, its relations with the Defense Department have been strained by its decision not to renew a contract with Project Maven, a program that uses artificial intelligence to analyse drone footage, after employees led an internal revolt at taking part in war-making.

IBM has obtained FedRAMP's "moderate" impact level and IL-5 accreditation through DISA for its cloud infrastructure but hasn't been evaluated by either program for cloud platform services. The company has a deal with the Army to manage an on-premise cloud environment for the Army's Redstone Arsenal, near Huntsville, Alabama, that will eventually give IBM an IL-6 authorisation, the company has said.

Oracle has been authorised at a FedRAMP "high" level but only at IL-2 through DISA for its cloud infrastructure offering and IL-5 for its platform services, according to federal databases. Still, the company has an extensive relationship with the Defense Department, which currently uses many of the company's databases.

© 2018 Bloomberg LP