Concerns raised over Home Office's £450m mega cloud deal with AWS

Controversial contract size

Returning to the size of the deal, it is the largest deal to date done between AWS and the Home Office, according to invoice data shared with Computer Weekly by public sector-focused analyst house Tussell.

Its data shows that the amount of money the Home Office has spent with AWS has risen markedly overall from £874,691 in 2016 to £64.4m in 2023 so far, although the department’s full-year spend hit £65.9m in 2022.  

The go-live date for the contract suggests it is effectively a renewal of the long-standing public cloud hosting deal the two parties have had in place now for several years, given their previous cloud hosting contract is set to expire on 11 December 2023.  

That deal was valued at around £120m and the replacement contract is set to be more than quadruple its value at £450m, but it remains unclear why the department’s cloud costs are expected to soar by so much in the coming years.

Computer Weekly understands from a government source that the contract value is for “non-committed spend” and the final costs will be determined by the Home Office’s actual usage of AWS during this period, while the contract itself is essentially an estimated value at this point.

When Computer Weekly asked the Home Office why its cloud costs and usage are expected to rise during the contract period, a department representative did not directly answer the question in its response.

The listing for the deal on the government’s Contract Finder portal also offers little to no insight on this point, as it simply states AWS is being commissioned to provide public cloud hosting services to the department. This is almost identical to what the listing for the previous version of the deal stated.

A redacted copy of the call-off contract does confirm, however, the Home Office is reaping the benefits of the recently renewed preferential pricing deal AWS has in place with the UK government, known as the One Government Value Agreement (OGVA).

The Home Office contract is the first to be signed under the OGVA 2.0 agreement, which is overseen by the government’s procurement arm, the Crown Commercial Service (CCS).

The first iteration of this committed spend discount pricing scheme expired in October 2023, and provided public bodies with baseline level discounts of 18%, with additional discounts of 2% offered to buyers that paid for their services upfront and in full.

At the time of writing, it is not known what level of discount the Home Office will be benefiting from under OGVA 2.0, but a spokesperson for CCS told Computer Weekly that it “anticipates [the] commercial benefits…for public sector customers in OGVA 2.0 [will be] well in excess” of those delivered through the original agreement.

“The new agreement between AWS and CCS includes a new discount structure which makes lower prices available to all public sector bodies directly through AWS’s or via licensed solution providers, regardless of their size or size of order,” a CCS spokesperson added.

Questions raised over framework usage

While the Home Office deal was arranged under the terms of the OGVA 2.0 agreement, questions have been asked about why it was called off under the government’s long-standing, SME-focused G-Cloud framework instead of either version of the more hyperscale-oriented Cloud Compute framework.

As previously reported by Computer Weekly, the Cloud Compute frameworks were created to discourage central government departments from using G-Cloud to directly award large-scale, high-value contracts to hyperscale cloud firms such as AWS because this was considered a misuse of G-Cloud’s original purpose.

For this reason, Nicky Stewart, former head of ICT at the UK government’s Cabinet Office, told Computer Weekly that the Home Office’s decision to use G-Cloud to arrange this high-value contract massively undermines the government’s efforts to put more business through Cloud Compute.

“With high-value contracts intended to go through Cloud Compute 2, it’s surprising that the first contract [under OGVA 2.0] has been transacted under G-Cloud – particularly as this latest version of the Home Office contract has nearly quadrupled in value since its previous £120m iteration,” said Stewart.

For context, the latest Home Office-AWS contract was called off under the 13^th iteration of the public sector G-Cloud framework, and the £450m Home Office deal is nearly 50% of all of the previous spend that AWS has previously accrued through that purchasing agreement since it started in 2012.

AWS is G-Cloud’s top supplier in terms of how much public sector spend goes its way, and the Home Office is the government department that has spent the most through the framework to date, with purchases in excess of £1.8bn.

“It will be very interesting to see if all the OGVA 2.0 contracts are also transacted under G-Cloud 13 and if they will all see similar uplifts in value. If so, this will further undermine Cloud Compute 2,” Stewart added.

Computer Weekly asked the Home Office why it had opted to use G-Cloud over Cloud Compute 2 for this procurement, but the department declined to answer the question in its response to Computer Weekly.  

Secon Solutions’ Sayers, however, believes the answer to why G-Cloud was favoured for this procurement over either version of the Cloud Compute framework relates back to the contract’s “no vetting” clause.

“The Home Office has allowed them to apply no vetting at all – and that’s not permissible under either Cloud Compute 1 or Cloud Compute or under HM government policy,” said Sayers. “The Home Office contract award simply could not have been made under the terms of Cloud Compute 1 or Cloud Compute 2.”

This is because both versions of the Cloud Compute framework insist that government suppliers have Baseline Personnel Security Standard (BPSS) clearance as a minimum, with the policy stating that “all supplier personnel shall be subject to a pre-employment check” before they participate in the provision of a service to a department.

“The requirement for security vetting existed in Cloud Compute, and is repeated in the new Cloud Compute 2 framework. Both of these align to the HM government policy of BPSS as a minimum, and higher vetting when required by the customer,” he said.

“The Home Office, therefore, couldn’t have shown such vetting latitude if they had awarded this contract to AWS under the newly awarded Cloud Compute 2.”

A cursory glance over the G-Cloud 13 listings for some of Amazon’s cloud services on the Digital Marketplace state that its staff already conform to the British Standards that help employers screen security personnel before employing them.

It also states that AWS staff have undergone “developed vetting”, which permits them to have “substantial access” to top secret assets and carry out work for the security and intelligence agencies.

The way the Home Office contract is worded means the department will simply have to take AWS at its word that its staff are up to the job of handling its data and workloads safely and securely.

“It is really not clear how the Home Office will be able to test and assure any services they deploy onto AWS under this contract,” continued Sayers. “They’ll literally need to take everything AWS tell them on trust. I’m not sure that’s a wise approach for any government service provider and I’ve never seen this before.”