When I saw the IBM blog post titled, "JEDI: Why We're Protesting," I was thinking “Oh cool, light sabers!” But unfortunately, JEDI may have more to do with the dark side of procurement than the dark side of the Force.
JEDI stands for "Joint Enterprise Defense Infrastructure," and it is the federal government project that will put the US’s IT infrastructure for the Department of Defense in a single cloud for 10 years.
In my opinion, this single-vendor approach is ill-conceived. I’m an ex-internal auditor and have participated in government audits. The underlying concept of making sure large, sweeping technology buys are spread across multiple vendors is a major part of best vendor practices. And to me, placing the defense of a nation into a single cloud seems insane. In fact, the government’s own Office of Management and Budget has taken a position on the use of cloud resources and it doesn't appear to be a fan of the single-vendor approach.
I’m not a fan either. Many of the issues I investigated while I was an auditor had to do with vendors or individuals having excessive power and misusing it. This single-vendor approach gives the winning vendor excessive power.
It isn’t an uncommon practice to structure a bid to favor a single vendor, as IBM alleges is happening with JEDI. However, this is far from an acceptable practice from the standpoint of good governance and cost management. It basically assures the win for the selected vendor, thus preventing real competitive bidding to get the best price. It then locks that vendor in so they can, without fear of competitive displacement, face few restrictions over future charges.
Therefore, most mature companies have policies against single sourcing any major project because it effectively locks the firm to the single vendor, putting it at risk. Competitive bidding helps assure not only the lowest cost but also the interest of the vendor, because they know if they take the account for granted and under-resource the effort, the customer can bolt to one of the other choices. But in a single-source effort, the customer is locked in, and the vendor knows it. So the vendor tends to shift resources from the locked-in firm(s) to those that are at competitive risk.
This really isn’t good for the firm or government entity entering into the contract or the vendor because, eventually, this relationship will break. Given the size and profitability of a lock-in approach, the result can be catastrophic to both parties.
Since then, it has flipped to become aggressively open source and advocate for the multi-vendor approach — not just because it is better for its customers, but because it assures its own future as well.
The use of a single-source approach is particularly troubling for national defense, especially if that single source carries a large portion of the nation’s IT workload. It would make for an unbelievably attractive target for infiltration.
Given the China spy reportage, espionage attempts seem highly likely. The huge shortages of critical labor in tech would make it far easier to slip a foreign operative into a large company focused tightly on assuring low cost and process. Such an environment, particularly without a second vendor providing redundancy, is almost certain to be breached. Were that to happen during an attack, the result could be catastrophic at geographic scale.
JEDI Could Cripple US Defense
I’ve never been a fan of the single-source practice, largely because it tends to lead to bad, almost suicidal behavior by the vendor that gets the contract. In this instance, it also would seem to put the US at greater risk of a catastrophic breach or failure during a time of conflict. Collateral damage could spread to the other firms using this service should that service be effectively targeted. And this would be particularly problematic for the vendor who was single-sourced, because it would make it a primary focus for foreign nations wishing to gain a significant military advantage during any conflict.
RFPs, requests for proposals, for large, mission-critical projects should always be vendor independent, and they should require vendor redundancy to assure competitive pricing and reliability in case the primary vendor can’t perform. JEDI doesn’t do this.
In my opinion, JEDI is clearly from the dark side of the Force, by which I mean that JEDI is a really, really bad idea.