Concerns raised over Home Office's £450m mega cloud deal with AWS

The Home Office's latest three-year contract with AWS is valued at nearly half a billion pounds, but questions are emerging about the contents of the contract and how it has been arranged

The Home Office’s mega £450m public cloud hosting contract with Amazon Web Services (AWS) is concerning public sector market watchers as more details emerge about the contract’s content and how it was arranged.

The three-year contract commenced on Friday 1 December 2023, and a redacted copy of the 114-page call-off contract for the deal confirmed it was arranged through the government’s long-running G-Cloud procurement framework, with the Home Office benefiting from preferential pricing from AWS.

Even with those discounts factored in, the fact is this contract – which is the latest in a succession of cloud deals between the Home Office and AWS – represents a sizeable chunk of change.

Owen Sayers, a senior partner at IT security consultancy Secon Solutions with more than 20 years’ experience in delivering national policing systems, described the Home Office contract as “completely without precedent and staggeringly large”.

“Cabinet Office figures show AWS has received £840m of contracts since G-Cloud began, meaning this single Home Office award of £450m is over half that value again in a single three-year contract,” he told Computer Weekly. “It’s very hard to see how that can be justified or how it represents good value for the taxpayer.”

The high value of the contract is far from the only element that has attracted attention, as there is a clause in it that the Home Office has no right to vet the AWS staff who work on the project – nor does it have the right to audit or inspect the AWS datacentre infrastructure used to host its systems.

“[The] buyer can request (where applicable under non-disclosure agreement) an independent audit report in respect of the operations of the supplier’s physical infrastructure,” the call-off document for the contract stated.

According to a source with close working knowledge of cloud contracts, this wording is “standard” in Amazon cloud contracts, but it is a “really unusual” stipulation to see within a public sector contract.

What makes the lack of vetting and infrastructure checks even more eye-opening is that the Home Office, in its role as the ministerial department responsible for immigration, security and policing in England and Wales, will potentially be dealing with very sensitive data and workloads. It is also spending nearly half a billion pounds on a cloud setup over which it essentially has no oversight.

“The Home Office has simply waived all obligations for AWS personnel vetting, and some of [these checks] are required by law, so I don’t believe they can realistically do that – and it’s quite confusing why they might feel the need to do so,” said Sayers.

Computer Weekly asked the Home Office for a response to this point, but the department did not directly address the question in its reply.

Given the sensitivity of the data the Home Office handles, Sayers added that the department should not remain tight-lipped on this topic.

“[The] Home Office should be transparent about why they feel no vetting is required for the AWS staff processing their data, which includes some very sensitive material indeed,” he added.

What makes the situation even more perplexing is the fact that Amazon’s listing on the latest iteration of the G-Cloud framework states the company can meet the BS7858:2019 code of practice, which is a British Standard that allows employers to screen security personnel before they employ them, continued Sayers. But the Home Office contract means it has no way of verifying that. 

It is also worth noting, Sayers said, that the explanatory notes for the National Cyber Security Centre’s Cloud Security Guidance warn that some cloud providers might be unwilling to perform personnel screening checks.

“It’s [also] quite likely that the Home Office waiver of vetting is genuinely reflective of the true status of AWS’ globally distributed administrators and engineers,” he added.

Controversial contract size

Returning to the size of the deal, it is the largest deal to date done between AWS and the Home Office, according to invoice data shared with Computer Weekly by public sector-focused analyst house Tussell.

Its data shows that the amount of money the Home Office has spent with AWS has risen markedly overall from £874,691 in 2016 to £64.4m in 2023 so far, although the department’s full-year spend hit £65.9m in 2022.  

The go-live date for the contract suggests it is effectively a renewal of the long-standing public cloud hosting deal the two parties have had in place now for several years, given their previous cloud hosting contract is set to expire on 11 December 2023.  

That deal was valued at around £120m and the replacement contract is set to be more than quadruple its value at £450m, but it remains unclear why the department’s cloud costs are expected to soar by so much in the coming years.

Computer Weekly understands from a government source that the contract value is for “non-committed spend” and the final costs will be determined by the Home Office’s actual usage of AWS during this period, while the contract itself is essentially an estimated value at this point.

When Computer Weekly asked the Home Office why its cloud costs and usage are expected to rise during the contract period, a department representative did not directly answer the question in its response.

The listing for the deal on the government’s Contract Finder portal also offers little to no insight on this point, as it simply states AWS is being commissioned to provide public cloud hosting services to the department. This is almost identical to what the listing for the previous version of the deal stated.

A redacted copy of the call-off contract does confirm, however, the Home Office is reaping the benefits of the recently renewed preferential pricing deal AWS has in place with the UK government, known as the One Government Value Agreement (OGVA).

The Home Office contract is the first to be signed under the OGVA 2.0 agreement, which is overseen by the government’s procurement arm, the Crown Commercial Service (CCS).

The first iteration of this committed spend discount pricing scheme expired in October 2023, and provided public bodies with baseline level discounts of 18%, with additional discounts of 2% offered to buyers that paid for their services upfront and in full.

At the time of writing, it is not known what level of discount the Home Office will be benefiting from under OGVA 2.0, but a spokesperson for CCS told Computer Weekly that it “anticipates [the] commercial benefits…for public sector customers in OGVA 2.0 [will be] well in excess” of those delivered through the original agreement.

“The new agreement between AWS and CCS includes a new discount structure which makes lower prices available to all public sector bodies directly through AWS’s or via licensed solution providers, regardless of their size or size of order,” a CCS spokesperson added.

Questions raised over framework usage

While the Home Office deal was arranged under the terms of the OGVA 2.0 agreement, questions have been asked about why it was called off under the government’s long-standing, SME-focused G-Cloud framework instead of either version of the more hyperscale-oriented Cloud Compute framework.

As previously reported by Computer Weekly, the Cloud Compute frameworks were created to discourage central government departments from using G-Cloud to directly award large-scale, high-value contracts to hyperscale cloud firms such as AWS because this was considered a misuse of G-Cloud’s original purpose.

For this reason, Nicky Stewart, former head of ICT at the UK government’s Cabinet Office, told Computer Weekly that the Home Office’s decision to use G-Cloud to arrange this high-value contract massively undermines the government’s efforts to put more business through Cloud Compute.

“With high-value contracts intended to go through Cloud Compute 2, it’s surprising that the first contract [under OGVA 2.0] has been transacted under G-Cloud – particularly as this latest version of the Home Office contract has nearly quadrupled in value since its previous £120m iteration,” said Stewart.

For context, the latest Home Office-AWS contract was called off under the 13th iteration of the public sector G-Cloud framework, and the £450m Home Office deal is nearly 50% of all the spend that AWS has previously accrued through that purchasing agreement since it started in 2012.

AWS is G-Cloud’s top supplier in terms of how much public sector spend goes its way, and the Home Office is the government department that has spent the most through the framework to date, with purchases in excess of £1.8bn.

“It will be very interesting to see if all the OGVA 2.0 contracts are also transacted under G-Cloud 13 and if they will all see similar uplifts in value. If so, this will further undermine Cloud Compute 2,” Stewart added.

Computer Weekly asked the Home Office why it had opted to use G-Cloud over Cloud Compute 2 for this procurement, but the department declined to answer the question in its response to Computer Weekly.  

Secon Solutions’ Sayers, however, believes the answer to why G-Cloud was favoured for this procurement over either version of the Cloud Compute framework relates back to the contract’s “no vetting” clause.

“The Home Office has allowed them to apply no vetting at all – and that’s not permissible under either Cloud Compute 1 or Cloud Compute or under HM government policy,” said Sayers. “The Home Office contract award simply could not have been made under the terms of Cloud Compute 1 or Cloud Compute 2.”

This is because both versions of the Cloud Compute framework insist that government suppliers have Baseline Personnel Security Standard (BPSS) clearance as a minimum, with the policy stating that “all supplier personnel shall be subject to a pre-employment check” before they participate in the provision of a service to a department.

“The requirement for security vetting existed in Cloud Compute, and is repeated in the new Cloud Compute 2 framework. Both of these align to the HM government policy of BPSS as a minimum, and higher vetting when required by the customer,” he said.

“The Home Office, therefore, couldn’t have shown such vetting latitude if they had awarded this contract to AWS under the newly awarded Cloud Compute 2.”

A cursory glance over the G-Cloud 13 listings for some of Amazon’s cloud services on the Digital Marketplace shows they state that its staff already conform to the British Standards that help employers screen security personnel before employing them.

The listings also state that AWS staff have undergone “developed vetting”, which permits them to have “substantial access” to top secret assets and carry out work for the security and intelligence agencies.

The way the Home Office contract is worded means the department will simply have to take AWS at its word that its staff are up to the job of handling its data and workloads safely and securely.

“It is really not clear how the Home Office will be able to test and assure any services they deploy onto AWS under this contract,” continued Sayers. “They’ll literally need to take everything AWS tell them on trust. I’m not sure that’s a wise approach for any government service provider and I’ve never seen this before.”
