AWS has been awarded a £450m contract to provide cloud services to the UK’s Home Office. The contract document provided little clarity about the services provided under the deal or why it is over three times more expensive than the last partnership between Amazon’s cloud platform and the government department.
The wording of the contract, which begins today and runs for three years, implies that AWS staff may be exempt from security clearances when handling sensitive Home Office data.
AWS collects large Home Office cloud contract
The deal was awarded according to the UK government’s G-Cloud 13 cloud buying framework. The call-off contract requires the government to pay AWS some £72m for services rendered by this time next year. The services rendered by AWS will include cloud computing infrastructure, support training and ‘bring your own licence’ services, which means AWS will integrate software licences already procured by the department.
Many details of the contract are redacted, but the deal is likely to be a straight replacement of the Home Office’s previous two-year contract with AWS worth £120m. Precisely why the new partnership is so expensive remains unknown – or why, in a section titled ‘“’Technical Standards’, it is highlighted in yellow that there is “no supplier staff vetting requirement”.
If the vetting requirement has been waived it “beggars belief that AWS staff are exempt from any type of security clearance, given the nature of Home Office data”, says Nicky Stewart, ex-commercial director for UK Cloud and the former head of ICT strategy delivery for the Cabinet Office. It would also, Stewart told Tech Monitor, be “completely unfair on other suppliers who have to shoulder the costly and time-consuming burden of securing and maintaining security clearances for staff”.
Enterprise security architect Owen Sayers, who has himself worked with the Home Office on similar projects, told Tech Monitor that there was a small possibility that the contract’s wording on vetting could be an error from a civil servant who has failed to fill out that part of the document correctly, which, if true, would be “concerning”.
What is more likely, explained Sayers, was that the contract’s wording crudely reflects little-noticed changes in UK government classification requirements made in June, which specified that “national security vetting” is not required to access data classified as “official”. Even so, the guidelines specify that all contractors must undergo Baseline Personnel Security Standard (BPSS) pre-employment checks or appropriate equivalent vetting to do so. Lowering its vetting requirements to this level would also make it impossible for AWS to handle police data under the new £450m contract, which demands higher levels of vetting to handle by law.
Sayers added that if security vetting requirements have been lowered for AWS as part of this latest deal with the Home Office, other suppliers “might feel justified in either asking to be given the same flexibility in their contracts of supply (i.e. have the requirement removed), or to challenge why there appears to be one rule for the… hyperscalers and another for everyone else. That’s a legitimate question for them to ask, and if this is not an error, Home Office should be prepared to answer that question transparently.”
The Home Office declined to comment on details of the contract, instead inviting Tech Monitor to submit a request under the Freedom of Information Act. AWS has been approached for comment.
Hyperscaler government contracts under the microscope
AWS is a major supplier to the UK government, but critics have questioned the extent to which the Amazon platform is used by Whitehall departments. Last year, a report from the Centre for International Corporate Tax Accountability and Research (CICTAR) and think tank TaxWatch revealed the cloud provider had won UK public sector contracts worth over £600m since 2017. During that time, it had avoided paying some £84m in taxes. Amazon said at the time that the UK branch of AWS pays “all applicable taxes”.
The CICTAR report named the Home Office as AWS’s biggest UK public sector customer, having paid the company some £225m between 2017–22.
The new agreement comes against the backdrop of an ongoing investigation by the Competition and Market Authority into alleged anti-competitive market practices by hyperscaler providers in the UK cloud market. Discount structures like the ‘One Government Value Agreement’ (OGVA) between the government and AWS, under which this new £450m agreement has been signed, have been criticised by smaller cloud providers, who claim that they are unable to provide such guarantees and therefore find themselves excluded from participating in large public cloud computing contracts.
Despite this, says Stewart, “it looks as if the Home Office is determined to press ahead, given that it expects its spending to nearly quadruple over the next three years. This supports the argument that terms and volume discounts are a recipe for lock-in. What is the next iteration of this contract going to look like in three years?”