Microsoft wins $927M Pentagon contract (defense.gov)
143 points by richardboegli on Dec 21, 2016 | 66 comments

This is an ID/IQ, which means that DISA has set aside $927M over five years for optional services and support. ID/IQs are a cool contract vehicle because it gives the government a cost-effective way to buy just what they need as they go along.

Even if they leveraged the hell out of this contract, they're basically buying the full power of MS for $185M per year. That's a hell of a good deal for the government.

±1.5M DISA email users (Navy/MC unclass contracted separately) at $185M a year is quite a bargain.

Not to mention desktop/laptop OS, collaboration tools, web servers, forest/domain management at 800 sites in 70 countries.

Oh dang. I estimated tens of thousands. I was off by an order of magnitude and I was the one trying to defend this contract to HackerNews. Lol. Yeah, DISA is freaking huge. We're doing some work for them right now and the scope is massive.

Speaking of which... if any of you have a Secret clearance and want a job... :)

Out of curiosity, if you have a Secret clearance and it expires after 10 years, where does that place you on the scale from never having had a clearance (0) to having an active clearance (10)?

Your Secret clearance now expires sometimes within a matter of months of being off a contract or out of a job that requires it. OPM is cleaning up the clearances, and revoking millions of them. I've had employees go from active TS to "eligible" status (which means no clearance) in a matter of a few weeks after their contract ended. That whole "10 year active period" is not true, at least anymore, unless you are in a position that requires the clearance for that whole period of time.

You're considered lucky to retain a clearance more than a month out of the service now, too. OPM is taking a tough stance on unused clearances and it has negatively impacted the job market for recently separated Veterans because the contracts that come out all require a pre-cleared workforce, which is a rapidly diminishing pool of people to pull from given that clearances are now being revoked as soon as someone gets out of the service or leaves their last position.

I don't recall what the actual text says, but when I became a security manager we were always told it was 10/5 years eligible.

But I've never even attempted to get a job that required a clearance after my ETS...

But I think the question being asked is not what you answered. I think he's wondering if his clearance eligibility expired last year, where does he stand in line for getting a job that requires a clearance?

Yeah, and having already had a clearance in the past definitely helps speed up the process to "reactivate" it. The big bummer for companies like mine is that our contract says that we have to have employees with an active clearance. So to activate the clearance, we have to hire them, keep them on overhead for several months and they can't start working until their clearance is approved.

It's a painful $20-$40k hit to the budget. :/

Do you not have a Prime? They should be supporting these kinds of issues with supplemental contract workers.

Being eligible for a clearance is binary on the current investigation.

Holding an active clearance is dependent on being read in, which is dependent on being eligible and having a need to know.

Also, having an expired investigation is synonymous with having no investigation. If you miss the window to re-investigate you start from 0.

Interesting, thanks for the update.

I always figured that for Secret level, at least, it seemed like a not-too-detailed investigation. No interviews, anyways.

frankydp is likely referring to the DISA Enterprise Email (DEE) service. It's, in my opinion, DISA's largest and most mature "cloud" service. And it serves all of DoD.


I have a Secret and am mid job-hunt. Working anywhere warm? :V Clearance has been verified as active as of last month. I suppose they are keeping it due to my IRR status.

Jesus, I want to read the RFP for that.

No, it simply means that DISA has chained itself to Microsoft in the past and is now paying for that mistake. It's most certainly not a good deal considering all the options. $927M buys a whole lot of OpenStack or even AWS, with no "leverage a variety of proprietary resources and source code", i.e. gratuitous rent-seeking.

What is their option? 1.5 million Macs? 1.5 million RedHat installs? They've tried going that route in the past and then paid through the nose just to get basic desktop applications available to their workforce.

I'd expect a lot of that would go not towards desktop licensing but Professional Services and the like. Services such as SQL Server, Sharepoint, IIS, Lync, and Active Directory are critical to DoD, and they rely on Microsoft a lot for continued engagement.

Unless things have changed, DoD is Microsoft's biggest customer. It's not that they're stuck. Between the combination of sheer scale (not thousands, millions), security requirements, and desire for a stable ecosystem, there are few, if any, that can match what they provide. This isn't a dig at others' products, let alone "open" solutions. They've been serving DoD for decades, and you can count on a Microsoft product to come with solid security documentation (often with NIST 800-53 references), FIPS 140-2 compliance, PKI support (an absolute must in the DoD Common Access Card environment), and (relatively) solid vulnerability management. DoD requires ALL of those things.

I wouldn't argue that they don't have room to improve. But that doesn't discount what Microsoft has accomplished.

Yup, seems like their only option is to pay the ransom.

Let's do some math.

So, this is a $927,000,000 five year contract. Right?

So let's tell the government not to pay talented companies to provide services and instead hire federal employees to build out infrastructure to do the same thing.

Assuming we have kind of a $200,000/year base salary for the types of people we need (so like a GS-15 or so), how much does that cost the government over the same time span?


So you would prefer the government hire 927 people full time for five years to completely replace MS? Do you think they'll do a good job? Is $200,000 salary a good deal, or will you end up hiring bad software developers at that rate? Can you hire better developers for $400,000/year? Can 464 people build a MS replacement in 5 years?

Also, who will support it? Do we need to factor that in as well? Will we have to replace this new OS/tech stack in 5 years? Is that another billion dollars?

I suspect that you're looking at the price and being blown away by the number. The DoD spends $580 billion each year (roughly). Are there any comparable companies with a $580 billion/year run rate? Expand your mind, friend. This is a bargain price for the government.

You should do some digging and try to find out how much DISA is paying for their own version of AWS. I suspect that number will blow your mind as well.

I'd like to think that my government team is trying to approach this the right way.

I work on a small team of about 12 within 18F (part of the General Services Administration). We are creating cloud.gov, a Platform as a Service (think Heroku, Google App Engine, IBM Bluemix) for the Federal Government. The key is to remove the government compliance burden from federal government development teams while also making modern technology accessible and understandable.

We come from private sector for a two year civil service. We are super lean and all of our work is open source (github.com/18F).

Note that cloud.gov is only seeking certification for FISMA Moderate impact level, so a lot of DoD systems (such as anything classified) cannot be hosted on our PaaS.

You give me that money and I can replace MS in 3 years with 50 people.

Shit, I can't even find a SINGLE qualified mid-level software engineer with a clearance for a job that's already started and fully funded. Good luck bringing on 50 people in a short time frame. You might be fully staffed in a year if you have the world's most talented internal recruiting team.

This is a REALLY hard problem to solve and the government does not make this process easy. If we miss milestones, we don't get paid, so that $1,000,000 in salary that your team was paid for the last 90 days of work suddenly doesn't get paid. Your $100,000 in profit you forecasted suddenly turns into a $1,100,000 loss for that quarter.

When I started working in government way back in the early 00s, I too thought "I can just automate all these worthless idiots out of a job." If it was that easy, someone would have figured it out by now.

Most companies have to spend $30k - $50k just writing a proposal in the hopes they'll win some work. The problem at this size and scale is astronomical.

If you can think of a better way, I really would love to talk to you. Email is in my profile. :)

> Shit, I can't even find a SINGLE qualified mid-level software engineer with a clearance for a job that's already started and fully funded.

Two questions (on a tangent):

1. Define "qualified"

My experience, before I gave up on the DOD sector, is that companies that post laundry-list reqs actually mean it. They are even worse than the larger industry at only interviewing candidates who look stellar on paper.

2. How much are you paying?

The few times I did get past the resume filter the salary was slightly below market, and none of these companies have anything resembling non-salary compensation.

50 people likely wouldn't be enough to TYPE the source code of the entirety of Microsoft products in five years. Assuming that you did no design, and simply had them copying source code as fast as they could.

    120 WPM * 60 minutes/hour * 16 hours/day * 5 workdays/week * 52 weeks * 5 years * 50 people / 10 words/line

    = 748.8M lines of code

For comparison, Google is 2B lines of code. https://www.wired.com/2015/09/google-2-billion-lines-codeand...

Good luck!

Or, you know, you take existing open source software and adapt it to your needs?

Might be 2B lines of code now... but that's not including the version history over time. It's going to be many times that.

And, over the 3 day MLK day weekend, you'll implement all of Stack Overflow to boot!


Until you actually try to do it, yeah.

I feel like this is supposed to be a funny reference to something.

Also, DISA not only has AWS instances, they have their own freaking installation of AWS! As in, they literally own a replicated version of AWS that only they can use and control. The government is a bloated, ugly beast, but they know what they're doing and they squeeze the vendors for every drop of value. Margins in this space are tiny.

I thought it was CIA that did that. DISA in on it too or is it a DOD-wide thing?

Yeah, forgive me if I don't shed a tear for a $20B revenue company's "tiny" margins. Revenue, I may add, accrued by underhanded and illegal means. It broke the rules we depend on for society to work, and it got away with that. Leaving its "partners" with no viable options.

It's not just the $20B revenue companies that provide support and services to the government. The big companies make the headlines with their billion dollar contracts, but the bulk of the support, services, and infrastructure is provided by Service-Disabled Veteran Owned Small Businesses, 8(a)s, and a bunch of other tiny business acronyms. We're all trying to kick ass (because we love the country) for pennies on the dollar.

Please post the data if you have any.


No matter what kind of thread we're in, it's not OK to post personal attacks like this.

I like articles that consist of just one sentence.

> Microsoft Corp has been awarded a $927 million contract to provide technical support to the Defense Information Systems Agency, the Pentagon said in a statement on Tuesday.

> (Reporting by Mohammad Zargham)

In all seriousness, this shouldn't be a surprise given the amount of outdated systems and general reliance on Microsoft tech at DISA.

> I like articles that consist of just one sentence.

I like articles like that too...just not when they're packaged in a ~4MiB page sprinkled with ads.

The page works fine as a flat page with JavaScript disabled.

And that was the most concise article I'll read all day.

To be fair, Reuters is not really known for articles. This is not unusual for news agencies, as opposed to newspapers or magazines.

I knew MS shared their code with select customers, but has the DOD always had it?

They were one of the first customers of that shared source review program.

In other news, Microsoft just bought the most lucrative position for corporate espionage available on planet Earth.

How many people are typically involved in this type of decision?

It depends on the type and scope of the contract. Federal Acquisition Regulations do a fair job at keeping oversight and "fairness" (depending on a lot of factors), but at a minimum, you'd have:

* A large body of workers and analysts constructing the requirements
* A few contracts officers working to codify those requirements into a request for proposal
* A handful of technical contracts officers evaluating the mass of responses
* A large pool of technical contracts officers and contracts officers ensuring that the statutory grounds of the proposals are met (verifying that yes, this is a small / veteran owned / minority owned business or yes, this business does have prior qualifications, etc.)

After you've separated the wheat from the chaff, and eliminated the obviously incapable parties, the team contracts down to 1 or 2 contracts officers and their staff. This team evaluates the technical feasibility against the requirements, asks a lot of questions to their own technical teams, and then ultimately, votes on the winner.

How is it deemed "reporting"?

There are three times as many public relations professionals as journalists in America. Media companies are being consolidated into a few owners, many of them with tech leadership. Microsoft, for example, is the MS in MSNBC (although I think they recently sold MSNBC?)

Someone's getting sweet Christmas gifts this year.

Here [1] is the actual statement on defense.gov.

[1] http://www.defense.gov/News/Contracts/Contract-View/Article/...

I'd encourage Mods to swap the link.

Also, here is the Microsoft enterprise agreement for those interested: https://enterprise.microsoft.com/en-us/industries/government...

We should change OP's link and leave the title.

Mr. Zargham certainly is a concise writer.

A bit too long-winded for me.


Please try to make your comments here more civil and substantive so that we can have the kind of discussion that Hacker News is for.

What would you suggest as the alternative? Have DISA write their own tech stack, operating systems, and cloud services? This is a freaking great deal for the government.


I don't have any real numbers to back it up, but I have been told that Red Hat costs the government more money per machine for the licenses. At least within the DoD. Now this could well be attributed to buying fewer licenses, and not getting as much bulk discount. But Red Hat is not necessarily a cheaper option. And even if you got the license costs down you would still have to pay absurd amounts in retraining the entire workforce.

DISA is a big group. They have mountains of RedHat instances already as well. I would bet they've probably got a billion dollars or so invested in the RedHat infrastructure.

If I had to hazard a guess without seeing the SOW/PWS, I would bet that most of this MS contract would cover desktop support services.

DISA supports IT services for a huge portion of the DoD. This is basically a Fortune 100 company in terms of employees and scale.

Probably more like multiple Fortune 100 companies combined.

Are we talking DoD or DISA? DISA is probably close to a Fortune 100 company. DoD's annual spend exceeds Apple's market cap. The annual research budget is $40B+


Holding them ransom? They chose this at the highest levels. I was in DoD for the transition from Sun to MS on the desktop. You're off by orders of magnitude. My one, tiny little facility had an IT department of several hundred to support the crazy infrastructure stuff we had to deal with.

And don't assume that they're not also using other services and providers as well. How would you provide desktop services and solutions to 80,000 people distributed all over the world?

If you have a solution that doesn't cost $1bn, please write the white paper. I'll gladly write the RFP response and we can enjoy our profits. :D

The numbers may seem staggering, but this is how much shit costs in the government. Most of our competitors in my space are offering services with 2%-4% margins because the government is so stingy about how the work is performed. DISA alone is probably at nearly the scale of AWS in terms of compute power and system requirements. And they probably have 5-10x the number of employees. It's not a trivial problem to solve, and I've been working for contractors for 10+ years now.

I'd start with a base image of an enterprise Linux on certified configurations of hardware. This could be a VM, a CD they'd burn, or a Live USB. Specialize it some more for specific roles. Semi-automate that part, esp. for creation, testing (esp. updates), and distribution. Host it on those cheap storage sites with verification & other tools pre-installed on their desktops by local admins.

One UNIX admin at each remote site with standardized tools for the various functions like DNS, email, etc. A centralized solution for communications, workflow, secure sharing, and so on. They just access it over the internet with replication to a few sites (or even all, filtered by who's present there) to get availability or extra performance.

I'm not seeing this cost $1 billion even if I did it with VMS clusters. Even that overpriced system that ran whole enterprises was under $100,000/yr licensing per branch with mega-fee for main offices. I can't guess how much support would take but imagine local admins handling a portion of it. If it's just Linux desktops, extra load might be offloaded to vetted consultants or companies that do it on the cheap with anything they do logged. Admins or local developers come up with design improvements or tools for recurring problems.

>I'd start with a base image of an enterprise Linux on certified configurations of hardware.

And right there you lose, because I all but guarantee there is Microsoft-specific code running at all levels of this organization. Everyone has to be retrained, a lot of infrastructure has to be rebuilt. All of that will chew up your 1bn quickly.

This isn't some SV startup, it's the government. Typical "move fast and break things" mindset doesn't fly here. You don't get any "tear it down and start over" moments, you get to make those hairy migrations to ensure everything stays up with smooth, staged cutovers. And that's not even mentioning the red tape...

I don't do Silicon Valley philosophy. I'm talking the efficient stuff that midsized organizations' overstretched IT teams have been pulling off for years, plus some tooling that comes with DISA's extra money. However, the lock-in effect...

"because I all but guarantee there is Microsoft-specific code running at all levels of this organization. Everyone has to be retrained, a lot of infrastructure has to be rebuilt. All of that will chew up your 1bn quickly."

...is a valid reason to default on using Microsoft. The difference is that moving what I can to alternatives means I can gradually move from lock-in to more flexible IT with open standards & multiple vendors to choose from. Organizations on Microsoft are often stuck, though. This much is undeniable. IBM, Oracle, and SAP are the other huge offenders here.

What makes you think that the Linux or OSS route will be cheaper or better? It's often the opposite.

It was every time I did it. Plus many of the individual tools are free and mature. No licensing fees. There's also the benefit of not having BSA looking into your firm.

The best benefits, though, are in flexibility and security rather than cost. I just have so much more available over the long term to me with open formats, protocols, APIs, and code. Plus, Microsoft has been saying "screw you" to its own customers in product development over the past few years, leveraging its lock-in to keep them. Whereas open stuff gives the opportunity of switching vendors.
