Alchemy for aliens – 5 solicitation sins wasting our money

To find waste, read the RFPs

Apr 23, 2025

Why doesn’t government work well? Why does it seem like everything the government builds, from websites to railroads, costs more than it should, and takes longer than you expect? Some blame has to go to a workhorse of government documents, the humble Request for Proposals.

In this article, I’ll explore how a dry bureaucratic document, this 8-page Sources Sought Notice, is actually a cookbook for the dark art of alchemy. In five simple steps, this notice fluffs up a simple requirement into a mega-million dollar jackpot for one lucky vendor.

Read on to learn about the magic tricks deployed here, and in solicitations wherever you look, that make contracts unnecessarily complex, limit competition, and guarantee bad results.

Requirements sprawl: long lists of niche, ambiguous, and misguided requirements
Waterfall: QA processes that assess compliance instead of outcomes
Regulations Run Rampant: endless IT regulations cited without context
Only aliens needs apply: only companies with extremely specific experience can compete for this contract
Locked in with the aliens: contracts awarded to a single vendor for 5+ years

Background

If you can suffer the boredom, skim this average Sources Sought Notice, published January 30, which we’ll be diving into. The Defense Media Agency (DMA) has spent at least $46M on contracts for “Web.mil Support Services” since December 2020,1 going to companies with otherworldly names like Zolon Tech, Sky Solutions, and Gryphon Marine – the aliens. This new Notice announces DMA’s interest in hearing from other vendors who can handle up to $30M in additional work on this project.

A charmingly amateur website, web.dma.mil – bringing warmth to my cold soul with its pixelated mouse cursor icon, Exuberant and Arbitrary Capitalization, and especially the dead help desk link – summarizes the mission of Web.mil as Create. Comply. Secure. As best as I can tell, Web.mil is a tool that lets other parts of DOD make websites and write articles. In other words, it’s a content management system (CMS), just like WordPress or Drupal. Besides the $10s of millions in contract spending, there’s also a team of 11 Federal employees overseeing Web.mil.2

So how does this solicitation justify $30 million of new work, maintaining a tool that already works? If the job is so straightforward, what’s stopping a vendor from coming in and offering a lower price?

The answer is via alchemy for aliens. Let’s look behind the curtain.

Requirements sprawl

tl;dr: long lists of niche, ambiguous, and misguided requirements

This solicitation goes downhill quickly. A single sentence in the first paragraph under “Scope” calls for the winning vendor to possess at least 26 distinct capabilities.3

This includes all professional labor services and commodity required to execute this objective, including Cloud, software-as-a-service, Global Content Delivery Network (GCDN) labor and commodity, software subscriptions, collaborative communication platform, Learning Management System (LMS) and training, migration operations, infrastructure operations, provide security, threat log reporting, code scanning, metrics reporting, accessibility reporting, software development and maintenance, customer relations management, program management, project management, security, analysis, continual vulnerability assessments, support to service desk operations, 24/7 technical support, Risk Management Framework compliance and other legal and regulatory compliance as well as transition.

Over the next five pages, these requirements are broken out into 14 little sections that provide more detail on what DMA’s looking for, plus one more labelled “Provide Optional Services” which inexplicably tacks on “news clip services.” These sections match the laundry-list energy from the first paragraph, piling up hundreds of goodies that a decent WEB.mil Support Services vendor simply cannot do without. The “Software and Associated Products” section is on the shorter side, but dense with vague references to tech that someone thought should be in the picture:

The Contractor shall propose and procure Cloud bandwidth, storage, virtual networks, key vaults, Cloud App Services, Advanced Data Security, Advanced Threat Protection Storage, SQL databases, collaborative data archives, security centers, virtual machines, Cloud DNS, VPN Gateways, Log Analytics, Cloud Active Directory, Service Buses, and Business, Office, and Customer Support software/subscriptions, and Functions on Government request (e.g., code review software, active directory license, network monitoring license, DNS security subscription)

The specific items on this list raise red flags. The terms “collaborative data archives” and “security centers” don’t have any discernible meaning, so a diligent contractor or auditor would struggle to prove how these requirements are being met. Jennifer Pahlka traced the cursed history of “Service Buses” in DOD tech projects, a seeming mandate from on high to use a particular IT architecture that was favored 25 years ago. Even the software that you’d expect in a CMS’s tech stack, like SQL databases, are unnecessarily prescriptive – especially at the sources sought stage, before you’ve finalized your requirements. If I have a great platform that only uses NoSQL databases, guess I’m out of luck.

Here’s my suggestion for the RfP writers of the world: wring the laundry lists out of your notices altogether. Leave in the vision and any hard constraints, and cut out the “how.” Every extraneous “how” makes the government’s bill longer, piles on more compliance paperwork, and increases the possibility for messy disagreements between the government and contractors.4 Only a tiny niche of companies that already hold these contracts will be able to 1) decipher what these vague terms mean for DMA or 2) assemble the unusual mix of tech and staff that comply with this muck of requirements – that’s why aliens like Zolon or Gryphon or Sky Solutions have so little competition for such lucrative contracts.5 Contracts are supposed to give the government the best solution to meet a particular need, at a reasonable price. If anyone can argue in good faith that these laundry lists accomplish that for DMA, I’ll delete this post.

At the risk of belaboring the point, I want to call out one especially counterproductive practice: belaboring this solicitation by demanding both labor and software from one vendor. The sources sought notice asks for:

A complex, bespoke piece of software (CMS meeting government security guidelines, plus a learning management solution with materials for the CMS’s end-users), ready to go when the contract starts;
Training in how to use the CMS, including a forum moderator and staff to run in-person and web-based training sessions;
Software developers: “an experienced and fully functioning software management team to provide software development and management support for Web Enterprise Business owned, used, and supported CMS software and products using industry best practices,” including a Section 508 expert to ensure accessibility;
A program manager and project manager; AND
A service desk that shall be staffed “7:00 a.m. to 9:00 p.m. Eastern Time (ET) Monday through Friday and 9:00 a.m.to 5:00 p.m. Eastern Time (ET) Saturday through Sunday”

I don’t see how any vendor could sustain a business that sprawls over so many domains – unless they already have this contract! And if you have expertise in one of these bullets, like maintaining CMS software, would you bid on this contract with the confidence that you’d be able to hire dozens of people within a month or two to do all these other jobs? A competitive solicitation process should encourage vendors to propose different service models, at a range of prices, and empower the government to pick the options that efficiently meet the need. When you solicit offers that break down the costs of each component of this contract, the buyer can decide whether all the add-ons are worth the cost and complexity.

Waterfall

tl;dr: QA processes that assess compliance instead of outcomes

After the sprawl comes the waterfall. The government put a lot of work into writing out dozens of laundry lists, and the quality control processes described in this notice show that it’s serious about sticking to the list.

At the end of all 14 sub-sections within this requirements document, there’s scrupulous detail on exactly how compliance with these requirements will be enforced. And unless you watched Office Space and thought Initech needed more TPS reports, you won’t be happy.

No less than five documents (three updated monthly or weekly) are to be produced to monitor performance of requirements regarding the “Learning Management System (LMS) and Training”:

“The Contractor shall provide the WEB.mil Training Plan, CMS Training Guide, Weekly Training Report, Monthly Status Report, and Weekly Activity Report utilizing Government Task Manager and COR instructions”

The very next section, “Migration Operations”, scoffs at these five measly documents, requiring at least eight distinct types of documentation:

The Contractor shall provide the Website Migration Plan, Website Migration Guide, Migration Quality Control Program, Weekly Website Migration Report, Monthly Status Report, Weekly Activity Report, JIRA project for each migration project, and Website Migration SOP utilizing Government Task Manager instructions and COR guidance as required.

I wanted to stop here, so it doesn’t sound like the part of the Passover Haggadah where great rabbis enumerate the plagues seen during Exodus… but alas, the next two sections, “Infrastructure Operations” and “Software Development”, require 11 and 13 different reports, respectively. Rabbi Akiva would perhaps point out that we’re now past counting on two hands.

Multiple humans are likely employed at the alien companies to produce all of these reports, a great demonstration of the alchemy by which sprawling requirements inflate costs.6 If anyone reviews these reports after they’re produced, that, too, takes away time and energy from productive work.

Yet the added costs are a secondary problem. All these status updates, activity downloads, and training plans plainly demonstrate that a paper trail is prioritized above providing a service that works well. You can kinda, sorta answer the questions you’d ask to assess performance, but not in a satisfying way:

The words “simple”, “easy”, and “understand” don’t appear in the Sources Sought notice at all, in fact. That’s good, actually, because they might provide the false impression that DMA is looking to buy software that’s simple and easy to understand, instead of a complex contraption with dozens of well-documented (if not usable) features. Nothing in the Sources Sought notice requires, or even incentivizes, a publishing service that actually works for people.

Industry best practice and common sense suggest that you should regularly check in on how your customers are going about their jobs (in this case posting blogs and making websites); identify what’s going well and what’s causing problems in these workflows; and make regular updates to meet their needs. These updates should also move you closer to some clear, agreed-upon long-term goals. But miraculously, among the literal hundreds of requirements listed here, “talk to customers” and “achieve our goals” are nowhere to be found.

Part 2, linked here, will cover the last three solicitation sins. If you want to skip to the end, keep reading to cut to the chase here.

Back to earth

So, what to do? Based on the info available, it would be no great loss if Defense Media Agency just stopped this procurement, and declined to exercise the next option in Zolon Tech’s current contract. Yes, instead of slashing cancer research and stranding nuclear waste trucks, this is one contract I’d be happy for DOGE to delete. (DOGE.gov doesn’t list any cancelled contracts from the DMA, yet.) If the software needs to be maintained, the 11 Federal employees on the DOD DMA Web Enterprise Business Team should be able to handle it, or a much leaner replacement contract could be filed.

But the problem is systemic. I truly don’t mean to pick on this agency or this vendor, since the blunders in this solicitation (sprawling requirements, compliance-driven QA processes, endless references to IT regulations, arbitrary restrictions on competition, and long contracts locking in a single vendor) are endemic not just in Federal government contracting, but in state and local contracts, too. Procurement executives and political appointees should be empowered to stop these solicitations early on, and direct the acquisition team to write better RFPs. I proposed building an open database of procurement worst practices, updated in real-time, so that agency heads and the public can spot bad solicitations ASAP.

Are you a contracting or IT executive who wants me to build a review tool for your agency’s solicitations, to save money and avoid embarrassing boondoggle contracts? Or a supporter of effective governance who’d like to fund research into AI applications spotting bad solicitations? If so, contact me and let’s talk!

To support this work, and projects like the Sole Source Spotter, you can subscribe or donate via Buy Me a Coffee, and I’ll keep in touch about new articles and tools I’m working on.

If you’d like to keep learning about how we can make procurement better – from a former public servant who actually believes in government – subscribe to receive future articles in your inbox.

$46 million represents the outlays on the following contracts: The original award to Gryphon Marine, LLC (2020–2022, $14.6M), a sole source extension of Gryphon's contract (2022–2023, $9.7M), the current award to Zolon Tech Inc. (2022–2025 with possible extension to 2027, $17.3M and counting with a maximum award value of $120.4M), plus $4.5M awarded to Sky Solutions LLC for a “WEB NextGen Pilot” (2023–2025). Roughly $40M above this amount has been “obligated” on these contracts. The obligated money has been committed for spending on these contracts, and may or may not have actually been spent.

The current vendor’s account of this work on their company website, and their press release upon award in 2022, confirm for me that no groundbreaking work is going on to justify the $30+ million contract.

If you read this and don’t know what these terms mean, that’s OK – neither do the people writing the solicitation

https://www.crowell.com/en/insights/client-alerts/bid-protest-unreasonable-and-ambiguous-solicitation-terms-sink-procurements, ambiguity over what a “labor harmony agreement” requirement meant led GAO to sustain a protest and require recompetition. https://www.whitcomblawpc.com/articles/common-causes-of-government-contract-disputes, “Ambiguous Contract Terms” is first item listed under “Most Common Causes of Government Contract Disputes”

The current award held by Zolon Tech Inc. saw only two other vendors put in offers. (scroll down to “Competition Details” on the bottom of the USASpending page). The award to Gryphon Marine, LLC in late 2020 records only one offer, and then it was extended via a sole source notice in 2022.

I found a job posting on ZipRecruiter (archived here) from Zolon Tech, the incumbent contractor, for a Schedule Analyst (Level 2 Mid) – a full-time job for a mid-career engineer that’s just… making project schedules. Bleak.