
Cloud Computing: Agencies Need to Address Key OMB Procurement Requirements

GAO-24-106137 Published: Sep 10, 2024. Publicly Released: Sep 20, 2024.

Fast Facts

In 2019, the Office of Management and Budget established 5 key requirements for agencies related to procuring secure, cost-effective cloud services.

As of July 2024, the 24 major agencies set policies and guidance that addressed some of these requirements but not others. For example, all the agencies had established guidance to ensure their chief information officer oversees agency modernization efforts.

But most hadn't established guidance on service level agreements—which define the levels of service and performance the agency expects its cloud providers to meet.

Our 47 recommendations address these and other issues.


Highlights

What GAO Found

Agencies had mixed results in setting policies and guidance that addressed the five key procurement requirements established by the Office of Management and Budget (OMB) in its 2019 Cloud Smart Strategy. Specifically, as of July 2024, all 24 agencies had established guidance to ensure the agency Chief Information Officer (CIO) oversaw modernization and almost all had guidance in place to improve their policies and guidance related to cloud services. However, most agencies did not establish guidance related to service level agreements (SLA), which define the levels of service and performance that the agency expects its cloud providers to meet. In addition, nearly one-third of agencies did not have guidance to ensure continuous visibility in high value assets (systems that process high-value information or serve a critical function in maintaining the security of the civilian enterprise).

Table 1: Extent to Which Federal Agencies' Guidance Has Addressed the Five Procurement-Related Cloud Computing Requirements, as of July 2024

Requirement                                                                    Fully addressed   Partially addressed   Not addressed
Ensure the agency's chief information officer oversees modernization.                24                  0                  0
Iteratively improve agency policies and guidance.                                    23                  0                  1
Have cloud service level agreement in place.                                          6                 10                  8
Standardize cloud contract service level agreements.                                  9                  2                 13
Ensure continuous visibility in high value asset contracts. [a]                      11                  2                  5

Legend: Fully addressed = The agency provided evidence that addressed the requirement. Partially addressed = The agency provided evidence that it had addressed some, but not all, of the requirement. Not addressed = The agency did not provide evidence that it had addressed any of the requirement.

Source: GAO analysis of agency documentation. | GAO-24-106137

[a] The requirement was not applicable for six agencies because high value assets were not stored in the cloud.

Agency officials provided different reasons as to why guidance had not been developed for the requirements. For example, six agencies reported that they had used SLAs provided by the cloud service providers. One agency reported that it had included language in its blanket purchase agreement and two agencies reported they were in the process of finalizing guidance. Regarding high value asset guidance, one agency reported that it had included language in their contracts to meet the requirement but had not developed corresponding guidance. One agency reported that it had relied on standard acquisition practices and had not developed separate processes for these assets.

In addition, agency officials reported that additional guidance, including standardized SLA language and high value asset contract language, would be helpful. The CIO Council, as a forum for improving agency practices, could facilitate the collection of examples of guidance and language from agencies that have met these requirements. By sharing examples of agency guidance and contract language related to the SLA and high value asset requirements, agencies would be able to more readily address OMB's requirements.

Why GAO Did This Study

Cloud computing enables on-demand access to shared computing resources, providing services more quickly and at a lower cost than having agencies maintain these resources themselves. In 2010, OMB began requiring agencies to shift their IT services to cloud services when feasible. In 2019, OMB updated its Federal Cloud Computing Strategy (called Cloud Smart) and established five key cloud procurement requirements.

GAO was asked to examine agencies' efforts to implement OMB's Cloud Smart initiative. This report assesses the extent to which agencies' cloud guidance addresses OMB's five Cloud Smart procurement requirements. For each of the 24 Chief Financial Officers Act agencies, GAO analyzed relevant cloud procurement and security policies, guidance, and SLAs. GAO then assessed the results of the analysis against the five requirements. GAO also interviewed officials in the 24 agencies' Offices of the CIO.

Recommendations

GAO is making one recommendation to the CIO Council to collect and share examples of guidance on cloud SLAs and contract language. GAO is also making 46 recommendations to 18 agencies to develop or update guidance related to OMB's Cloud Smart procurement requirements. Fourteen agencies agreed with all recommendations, one agency did not explicitly agree but provided planned actions, the CIO Council and three agencies neither agreed nor disagreed, and one (Department of Education) disagreed. GAO continues to believe its recommendation to Education is warranted, as discussed in this report.

Recommendations for Executive Action

Agency Affected Recommendation Status
Chief Information Officers Council The CIO Council, working with its chair, the Office of Management and Budget's Deputy Director for Management, should collect and share examples of agency guidance and contract language related to OMB's requirements in the Federal Cloud Computing Strategy on: (1) the four key SLA elements, (2) standardizing SLAs, and (3) ensuring that contracts affecting federal agencies' HVAs, including those managed and operated in the cloud, include requirements that provide agencies with continuous visibility of the asset. (Recommendation 1)
Open
As of September 2025, the CIO Council has not yet taken any actions to implement our recommendation. We will continue to monitor the CIO Council's progress in implementing this recommendation.
Department of Agriculture The Secretary of Agriculture should ensure that the CIO of Agriculture finalizes its guidance on standardizing cloud SLAs. (Recommendation 2)
Closed – Implemented
The Department of Agriculture (Agriculture) has addressed our recommendation to finalize guidance on standardizing cloud service level agreements (SLA). Specifically, in March 2025, an official from Agriculture's Office of the Chief Information Officer provided a copy of the department's new departmental regulation on cloud computing. The department's guidance noted that SLAs should include language related to ensuring federal security laws and guidance are addressed, and security monitoring, performance measurements, and privacy are addressed. By implementing our recommendation, Agriculture is better positioned to ensure that standardized SLAs are in place to provide more effective, efficient, and secure cloud procurement outcomes.
Department of Agriculture The Secretary of Agriculture should ensure that the CIO of Agriculture finalizes its guidance to require that contracts affecting the agency's high value assets that are managed and operated in the cloud include language that provides the agency with continuous visibility of the asset. (Recommendation 3)
Closed – Implemented
The Department of Agriculture (Agriculture) has addressed our recommendation related to finalizing guidance on requiring contracts affecting the agency's high value assets that are managed and operated in the cloud to include language that provides the agency with continuous visibility of the asset. Specifically, in March 2025, an official from Agriculture's Office of the Chief Information Officer provided a copy of the department's new departmental regulation on cloud computing. The department's guidance noted that service level agreements should include language requiring continuous visibility of assets for all cloud systems. By implementing our recommendation, Agriculture has helped to ensure the department can monitor the integrity and security posture of all cloud deployments.
Department of Agriculture The Secretary of Agriculture should ensure that the CIO of Agriculture updates its existing contracts for high value assets that are managed and operated in the cloud to meet OMB's requirement once guidance from the CIO Council is available on language that provides the agency with continuous visibility of the asset. If modifying the existing contract is not practical, the agency should incorporate language into the contract that will meet OMB's requirement upon option exercise or issuance of a new award. (Recommendation 4)
Closed – Implemented
The Department of Agriculture has addressed our recommendation to update its existing contracts for high value assets to ensure language is included in the contract that provide the agency with continuous visibility of the asset. Specifically, in July 2025, an official from Agriculture's Office of the Chief Information Officer provided a copy of a basic ordering agreement for a current department system, which contained the necessary language. In addition, Agriculture developed standardized ordering agreements that will be used for all department systems going forward to ensure the department has continuous visibility of all its assets. By implementing our recommendation, Agriculture has helped to ensure the department's contracts include language ensuring the department can monitor the integrity and security posture of all cloud deployments.
Department of Commerce The Secretary of Commerce should ensure that the CIO of Commerce finalizes guidance to put a cloud SLA in place with every vendor when a cloud solution is deployed. The guidance should include language that addresses OMB's four required elements for SLAs, including: continuous awareness of the confidentiality, integrity, and availability of its assets; a detailed description of roles and responsibilities; clear performance metrics; and remediation plans for non-compliance. (Recommendation 5)
Closed – Implemented
The Department of Commerce (Commerce) agreed with and has addressed our recommendation. In November 2024, an official in Commerce's Office of the Chief Financial Officer provided a copy of the department's finalized guidance on service level agreement (SLA) cloud procurement best practices. The guidance included language regarding the continuous awareness of the confidentiality, integrity, and availability of its assets; a detailed description of roles and responsibilities; clear performance metrics; and remediation plans for non-compliance. For example, the department's guidance noted that minimum service levels for each service, including penalties for not meeting these service levels, should be identified and the cloud provider should regularly report on these metrics. Further, the guidance specified that cloud provider's services should be in alignment with Federal Risk and Authorization Management Program (FedRAMP) and be integrated with the department's security operations center. By implementing our recommendation, Commerce is better positioned to ensure that SLAs are in place to govern the levels of service and performance the department expects when procuring cloud services from a vendor.
Department of Commerce The Secretary of Commerce should ensure that the CIO of Commerce finalizes guidance on standardizing cloud SLAs (Recommendation 6)
Closed – Implemented
The Department of Commerce (Commerce) agreed with and has addressed our recommendation. In November 2024, an official in Commerce's Office of the Chief Financial Officer provided a copy of the department's finalized guidance on service level agreement (SLA) cloud procurement best practices. The department's guidance noted that SLAs should include language related to e-discovery requirements, data retention, privacy, and destruction, incident handling, 3rd party certification of IT security program, and reducing vendor lock-in. By implementing our recommendation, Commerce is better positioned to ensure that standardized SLAs are in place to provide more effective, efficient, and secure cloud procurement outcomes.
Department of Education The Secretary of Education should ensure that the CIO of Education updates guidance to put a cloud SLA in place with every vendor when a cloud solution is deployed. The guidance should include language that addresses OMB's required elements for SLAs, including: remediation plans for non-compliance. (Recommendation 7)
Open
The Department of Education (Education) has not yet taken action to address our recommendation. In March 2025, Education's Chief Information Officer sent a document with excerpts of its existing guidance as additional supporting documentation to address the recommendation. Specifically, Education provided several examples, many of which were the same examples that were provided to us previously. As we noted before, the majority of the sections cited were not relevant to the requirement being assessed. There was only one example related to vulnerability remediation that included some consequences for contractors related to establishing plans of action and milestones and the possibility of revocation of the authority to operate. We will continue to monitor Education's progress in implementing this recommendation.
Department of Energy The Secretary of Energy should ensure that the CIO of Energy develops guidance to put a cloud SLA in place with every vendor when a cloud solution is deployed. The guidance should include language that addresses OMB's four required elements for SLAs, including: continuous awareness of the confidentiality, integrity, and availability of its assets; a detailed description of roles and responsibilities; clear performance metrics; and remediation plans for non-compliance. (Recommendation 8)
Open
The Department of Energy (Energy) concurred with our recommendation and stated that it would form a working group to develop guidance that incorporated OMB's four required elements. We will continue to monitor Energy's progress in implementing this recommendation.
Department of Energy The Secretary of Energy should ensure that the CIO of Energy develops guidance regarding standardizing cloud SLAs. (Recommendation 9)
Open
The Department of Energy (Energy) concurred with our recommendation and stated that the department's Office of the CIO would work with Office of Acquisition Management to develop guidance. We will continue to monitor Energy's progress in implementing this recommendation.
Department of Energy The Secretary of Energy should ensure that the CIO of Energy develops guidance to require that contracts affecting the agency's HVAs that are managed and operated in the cloud include language that provides the agency with continuous visibility of the asset. (Recommendation 10)
Open
The Department of Energy (Energy) concurred with our recommendation and stated that it was still assessing the appropriate mechanism to document the requirement. We will continue to monitor Energy's progress in implementing this recommendation.
Department of Energy The Secretary of Energy should ensure that the CIO of Energy updates its existing contracts for HVAs that are managed and operated in the cloud to meet OMB's requirement once guidance from the CIO Council is available on language that provides the agency with continuous visibility of the asset. If modifying the existing contract is not practical, the agency should incorporate language into the contract that will meet OMB's requirement upon option exercise or issuance of a new award. (Recommendation 11)
Open
The Department of Energy (Energy) concurred with our recommendation and stated that the Office of the CIO and the Office of Acquisition Management would work to modify these contracts once language from the CIO Council was available. We will continue to monitor Energy's progress in implementing this recommendation.
Department of Homeland Security The Secretary of Homeland Security should ensure that the CIO of DHS updates its guidance to put a cloud SLA in place with every vendor when a cloud solution is deployed. The guidance should include language that addresses OMB's required elements for SLAs, including: remediation plans for non-compliance. (Recommendation 12)
Open
The Department of Homeland Security (DHS) concurred with our recommendation and stated that it would review its cloud computing practice requirements and strengthen its guidance by ensuring the guidance addressed OMB requirements. In March 2025, DHS's Assistant Secretary for Legislative Affairs reported that the department intended to finalize its implementation plan and timeline by September 30, 2025. We will continue to monitor DHS's progress in implementing this recommendation.
Department of Homeland Security The Secretary of Homeland Security should ensure that the CIO of DHS develops guidance regarding standardizing cloud SLAs. (Recommendation 13)
Open
The Department of Homeland Security (DHS) concurred with our recommendation and stated that the department would take steps to address it. In March 2025, DHS's Assistant Secretary for Legislative Affairs reported that the department intended to develop and issue enterprise Cloud Smart guidance. The department plans to finalize the guidance by March 31, 2026. We will continue to monitor DHS's progress in implementing this recommendation.
Department of Housing and Urban Development The Secretary of Housing and Urban Development should ensure that the CIO of HUD develops guidance to put a SLA in place with every vendor when a cloud solution is deployed. The guidance should include language that addresses OMB's four required elements for SLAs, including: continuous awareness of the confidentiality, integrity, and availability of its assets; a detailed description of roles and responsibilities; clear performance metrics; and remediation plans for non-compliance. (Recommendation 14)
Open
The Department of Housing and Urban Development (HUD) provided an action plan to address our recommendation which included developing a service level agreement guidance framework for cloud services and training. In November 2024, HUD's Chief Information Officer reported the department had a target completion date of March 31, 2025 for these activities. HUD officials provided an update in September 2025. The officials noted that the department was continuing to develop the guidance but did not have an estimate on when it would be finalized. We will continue to monitor HUD's progress in implementing this recommendation.
Department of Housing and Urban Development The Secretary of Housing and Urban Development should ensure that the CIO of HUD develops guidance regarding standardizing cloud SLAs. (Recommendation 15)
Open
The Department of Housing and Urban Development (HUD) provided an action plan to address our recommendation which included developing a standardized service level agreement framework that incorporated best practices and aligned with Cloud Smart and industry standards. In November 2024, HUD's Chief Information Officer reported the department had a target completion date of June 30, 2025 for these activities. HUD officials provided an update in September 2025. The officials noted that the department was continuing to develop the framework but did not have an estimate on when it would be finalized. We will continue to monitor HUD's progress in implementing this recommendation.
Department of Housing and Urban Development The Secretary of Housing and Urban Development should ensure that the CIO of HUD develops guidance to require that contracts affecting the agency's HVAs that are managed and operated in the cloud include language that provides the agency with continuous visibility of the asset. (Recommendation 16)
Open
The Department of Housing and Urban Development (HUD) provided an action plan to address our recommendation which included collaborating with internal stakeholders to define specific requirements for continuous visibility of HVAs in cloud contracts and incorporating the language intro contract templates. In November 2024, HUD's Chief Information Officer reported the department had a target completion date of September 30, 2025 for these activities. HUD officials provided an update in September 2025. The officials noted that the department was continuing to develop the contract templates but did not have an estimate on when it would be finalized. We will continue to monitor HUD's progress in implementing this recommendation.
Department of Housing and Urban Development The Secretary of Housing and Urban Development should ensure that the CIO of HUD updates its existing contracts for HVAs that are managed and operated in the cloud to meet OMB's requirement once guidance from the CIO Council is available on language that provides the agency with continuous visibility of the asset. If modifying the existing contract is not practical, the agency should incorporate language into the contract that will meet OMB's requirement upon option exercise or issuance of a new award. (Recommendation 17)
Open
The Department of Housing and Urban Development (HUD) provided an action plan to address our recommendation which included monitoring CIO Council updates for guidance regarding contractual language and working with stakeholders to update the contracts with language that meets OMB's requirements upon renewal or amendment. In November 2024, HUD's Chief Information Officer reported the department had a target completion date of September 30, 2025 for these activities. HUD officials provided an update in September 2025. The officials noted that the department was continuing its monitoring efforts and working with stakeholders on updating contracts but did not have an estimate on when these activities would be finalized. We will continue to monitor HUD's progress in implementing this recommendation.
Department of Justice The Attorney General of the United States should ensure that the CIO of Justice updates guidance to put a SLA in place with every vendor when a cloud solution is deployed. The guidance should include language that addresses OMB's required elements for SLAs, including: remediation plans for non-compliance. (Recommendation 18)
Open – Partially Addressed
The Department of Justice (Justice) has partially addressed our recommendation to update service level agreement guidance to include language that addresses remediation plans for non-compliance. In August 2025, an official in Justice's Office of the Chief Information Officer provide a draft copy of the department's revised guidance on the security of department information and systems. The guidance included language related to cloud service provider compliance with performance measures and steps to address non-compliance. Once this guidance is finalized, it should address OMB's requirement and our recommendation. We will continue to monitor Justice's progress in implementing this recommendation.
Department of Labor The Secretary of Labor should ensure that the CIO of Labor develops guidance to put a cloud SLA in place with every vendor when a cloud solution is deployed. The guidance should include language that addresses OMB's four required elements for SLAs, including: continuous awareness of the confidentiality, integrity, and availability of its assets; a detailed description of roles and responsibilities; clear performance metrics; and remediation plans for non-compliance. (Recommendation 19)
Closed – Implemented
The Department of Labor (Labor) agreed with and has addressed our recommendation. In September 2024, a Labor official in the Office of the Assistant Secretary for Policy provided a copy of the department's new service level agreement (SLA) guidance. The guidance included language regarding the continuous awareness of the confidentiality, integrity, and availability of its assets; a detailed description of roles and responsibilities; clear performance metrics; and remediation plans for non-compliance. For example, the department's guidance noted that the SLA should include the performance metrics the vendor shall use to determine the health and security of the services being delivered and a description of the plan and process the vendor will follow to detect, report, and remediate any non-compliance as well as the credits to be offered if non-compliance is identified. By implementing our recommendation, Labor is better positioned to ensure that SLAs are in place to govern the levels of service and performance the department expects when procuring cloud services from a vendor.
Department of Labor The Secretary of Labor should ensure that the CIO of Labor develops guidance regarding standardizing cloud SLAs. (Recommendation 20)
Closed – Implemented
The Department of Labor (Labor) agreed with and has addressed our recommendation. In September 2024, a Labor official in the Office of the Assistant Secretary for Policy provided a copy of the department's new service level agreement (SLA) guidance. The department's guidance noted that SLAs should include language related to ensuring Labor's cybersecurity and encryption requirements are addressed, responding to breaches and unauthorized disclosures of data, monthly reviews of cybersecurity configurations, and other privacy requirements. By implementing our recommendation, Labor is better positioned to ensure that standardized SLAs are in place to provide more effective, efficient, and secure cloud procurement outcomes.
Department of Transportation The Secretary of Transportation should ensure that the CIO of Transportation develops guidance to put a cloud SLA in place with every vendor when a cloud solution is deployed. The guidance should include language that addresses OMB's four required elements for SLAs, including: continuous awareness of the confidentiality, integrity, and availability of its assets; a detailed description of roles and responsibilities; clear performance metrics; and remediation plans for non-compliance. (Recommendation 21)
Open
In April 2025, the Assistant Secretary for Administration from the Department of Transportation (Transportation) reported that the department would publish governance processes, guidance, and documentation as part of its cloud initiative and in accordance with the administration's Executive Order on procurement consolidation. The department expected to complete actions by December 30, 2026. We will continue to monitor Transportation's progress in implementing this recommendation.
Department of Transportation The Secretary of Transportation should ensure that the CIO of Transportation updates its guidance regarding standardizing cloud SLAs. (Recommendation 22)
Open
In April 2025, the Assistant Secretary for Administration from the Department of Transportation (Transportation) reported that the department would publish governance processes, guidance, and documentation as part of its cloud initiative and in accordance with the administration's Executive Order on procurement consolidation. The department expected to complete actions by December 30, 2026. We will continue to monitor Transportation's progress in implementing this recommendation.
Department of Transportation The Secretary of Transportation should ensure that the CIO of Transportation develops guidance to require that contracts affecting the agency's high value assets that are managed and operated in the cloud include language that provides the agency with continuous visibility of the asset. (Recommendation 23)
Open
In April 2025, the Assistant Secretary for Administration from the Department of Transportation (Transportation) reported that the department would publish governance processes, guidance, and documentation as part of its cloud initiative and in accordance with the administration's Executive Order on procurement consolidation. The department expected to complete actions by December 30, 2026. We will continue to monitor Transportation's progress in implementing this recommendation.
Department of Transportation The Secretary of Transportation should ensure that the CIO of Transportation updates its existing contracts for HVAs that are managed and operated in the cloud to meet OMB's requirement once guidance from the CIO Council is available on language that provides the agency with continuous visibility of the asset. If modifying the existing contract is not practical, the agency should incorporate language into the contract that will meet OMB's requirement upon option exercise or issuance of a new award. (Recommendation 24)
Open
In April 2025, the Assistant Secretary for Administration from the Department of Transportation (Transportation) reported that the department would publish governance processes, guidance, and documentation as part of its cloud initiative and in accordance with the administration's Executive Order on procurement consolidation. The department expected to complete actions by December 30, 2026. We will continue to monitor Transportation's progress in implementing this recommendation.
Department of Veterans Affairs The Secretary of Veterans Affairs should ensure that the CIO of VA updates guidance to put a SLA in place with every vendor when a cloud solution is deployed. The guidance should include language that addresses OMB's required elements for SLAs, including: continuous awareness of the confidentiality, integrity, and availability of its assets; a detailed description of roles and responsibilities; and clear performance metrics. (Recommendation 25)
Open
The Department of Veterans Affairs (VA) concurred with our recommendation. In April 2025, the Chief of Staff of VA provided an update and stated that the department was working to provide the documentation to address our recommendation but did not provide a timeframe when the documentation would be provided. We will continue to monitor VA's progress in implementing this recommendation.
Department of Veterans Affairs The Secretary of Veterans Affairs should ensure that the CIO of VA develops guidance regarding standardizing cloud SLAs. (Recommendation 26)
Open
The Department of Veterans Affairs (VA) concurred with our recommendation. In April 2025, the Chief of Staff of VA provided an update and stated that the department was working to provide the documentation to address our recommendation but did not provide a timeframe when the documentation would be provided. We will continue to monitor VA's progress in implementing this recommendation.
Department of Veterans Affairs The Secretary of Veterans Affairs should ensure that the CIO of VA develops guidance to require that contracts affecting the agency's HVAs that are managed and operated in the cloud include language that provides the agency with continuous visibility of the asset. (Recommendation 27)
Open
The Department of Veterans Affairs (VA) concurred with our recommendation. In April 2025, the Chief of Staff of VA provided an update and stated that the department was working to provide the documentation to address our recommendation but did not provide a timeframe when the documentation would be provided. We will continue to monitor VA's progress in implementing this recommendation.
Department of Veterans Affairs The Secretary of Veterans Affairs should ensure that the CIO of VA updates its existing contracts for HVAs that are managed and operated in the cloud to meet OMB's requirement once guidance from the CIO Council is available on language that provides the agency with continuous visibility of the asset. If modifying the existing contract is not practical, the agency should incorporate language into the contract that will meet OMB's requirement upon option exercise or issuance of a new award. (Recommendation 28)
Open
The Department of Veterans Affairs (VA) concurred with our recommendation. In April 2025, the Chief of Staff of VA provided an update and stated that the department was working to provide the documentation to address our recommendation but did not provide a timeframe when the documentation would be provided. We will continue to monitor VA's progress in implementing this recommendation.
Environmental Protection Agency: The Administrator of EPA should ensure that the CIO of EPA updates guidance to put a cloud SLA in place with every vendor when a cloud solution is deployed. The guidance should include language that addresses OMB's required elements for SLAs, including: continuous awareness of the confidentiality, integrity, and availability of its assets; a detailed description of roles and responsibilities; and remediation plans for non-compliance. (Recommendation 29)
Open
The Environmental Protection Agency (EPA) concurred with our recommendation and stated that it would evaluate the agency's current performance metrics and identify any gaps or improvements required to support the agency's mission. In March 2025, the Acting Chief Financial Officer reported that EPA was working to develop new service level metrics. Once the new metrics were finalized, the agency intended to negotiate updates with contractors and incorporate the changes into existing contracts. These metrics will be enforced through the issuance of award fees. The agency anticipated completion of this activity by March 2026. We will continue to monitor EPA's progress in implementing this recommendation.
Environmental Protection Agency: The Administrator of EPA should ensure that the CIO of EPA updates guidance regarding standardizing cloud SLAs. (Recommendation 30)
Open
The Environmental Protection Agency (EPA) concurred with our recommendation and stated that the agency will evaluate existing metrics across existing contracts to identify standard requirements that have evolved organically and incorporate them into guidance related to cloud statements of work, including security requirements already established. In March 2025, the Acting Chief Financial Officer reported that EPA had established language to standardize applicable cybersecurity tasks but needed to further develop guidance related to cloud service statements of works and standardize this across cloud providers. The agency anticipated completion of this activity by March 2026. We will continue to monitor EPA's progress in implementing this recommendation.
General Services Administration: The Administrator of GSA should ensure that the CIO of GSA updates guidance to put a cloud SLA in place with every vendor when a cloud solution is deployed for the agency. The guidance should include language that addresses OMB's required elements for SLAs, including: remediation plans for non-compliance. (Recommendation 31)
Closed – Implemented
The General Services Administration (GSA) agreed with and has addressed our recommendation. In November 2024, a GSA official in the Office of the Chief Financial Officer provided a copy of the agency's updated guidance on security and privacy requirements for IT acquisition efforts, which included language regarding remediation plans for non-compliance. For example, the agency's guidance noted that service level agreements (SLA) would specify the penalties for not meeting service levels stated in the agreements and identify the associated responsibility of all stakeholders for these activities. By implementing our recommendation, GSA is better positioned to ensure that SLAs are in place to govern the levels of service and performance the agency expects when procuring cloud services from a vendor.
General Services Administration: The Administrator of GSA should ensure that the CIO of GSA develops guidance regarding standardizing cloud SLAs. (Recommendation 32)
Closed – Implemented
The General Services Administration (GSA) agreed with and has addressed our recommendation. In November 2024, a GSA official in the Office of the Chief Financial Officer provided a copy of the agency's updated guidance on security and privacy requirements for IT acquisition efforts. The agency's guidance included language related to ensuring service metrics were calculated and communicated in acquisitions more explicitly. In addition, GSA's guidance included clauses related to IT security and privacy requirements, particularly for cloud vendors providing software as a service, and clauses requiring vendors to comply with Federal Risk and Authorization Management Program (FedRAMP) service level agreement (SLA) requirements. By implementing our recommendation, GSA is better positioned to ensure that standardized SLAs are in place to provide more effective, efficient, and secure cloud procurement outcomes.
National Science Foundation: The Director of the NSF should ensure that the CIO of NSF updates guidance to put a cloud SLA in place with every vendor when a cloud solution is deployed. The guidance should include language that addresses OMB's required elements for SLAs, including: clear performance metrics and remediation plans for non-compliance. (Recommendation 33)
Open
The National Science Foundation (NSF) concurred with our recommendation and stated that the agency will update its guidance to require the use of service level agreements when cloud solutions are procured, utilizing language that aligns with OMB requirements. In March 2025, the Director of NSF reported that the agency was working to address the recommendation and would complete activities by September 2025. However, as of September 2025, we have not received any subsequent updates. We will continue to monitor NSF's progress in implementing this recommendation.
National Science Foundation: The Director of the NSF should ensure that the CIO of NSF develops guidance regarding standardizing cloud SLAs. (Recommendation 34)
Open
The National Science Foundation (NSF) concurred with our recommendation and stated that the agency will develop guidance to standardize cloud service level agreements. In March 2025, the Director of NSF reported that the agency was working to address the recommendation and would complete activities by September 2025. However, as of September 2025, we have not received any subsequent updates. We will continue to monitor NSF's progress in implementing this recommendation.
National Science Foundation: The Director of the NSF should ensure that the CIO of NSF updates its guidance to require that contracts affecting the agency's high value assets that are managed and operated in the cloud include language that provides the agency with continuous visibility of the asset. (Recommendation 35)
Open
The National Science Foundation (NSF) concurred with our recommendation and stated that the agency will update agency guidance to require language on continuous asset visibility in cloud contracts. In March 2025, the Director of NSF reported that the agency was working to address the recommendation and would complete activities by September 2025. However, as of September 2025, we have not received any subsequent updates. We will continue to monitor NSF's progress in implementing this recommendation.
National Science Foundation: The Director of the NSF should ensure that the CIO of NSF updates its existing contracts for high value assets that are managed and operated in the cloud to meet OMB's requirement once guidance from the CIO Council is available on language that provides the agency with continuous visibility of the asset. If modifying the existing contract is not practical, the agency should incorporate language into the contract that will meet OMB's requirement upon option exercise or issuance of a new award. (Recommendation 36)
Open
The National Science Foundation (NSF) concurred with our recommendation and stated that the agency will update language in cloud contracts for high value assets to require continuous asset visibility, in accordance with Federal CIO Council guidance. In March 2025, the Director of NSF reported that the agency was working to address the recommendation and would complete activities one year after the Federal CIO Council guidance goes into effect. As of September 2025, we have not received any subsequent updates. We will continue to monitor NSF's progress in implementing this recommendation.
Nuclear Regulatory Commission: The Chairman of NRC should ensure that the CIO of NRC develops guidance to put a cloud SLA in place with every vendor when a cloud solution is deployed. The guidance should include language that addresses OMB's four required elements for SLAs, including: continuous awareness of the confidentiality, integrity, and availability of its assets; a detailed description of roles and responsibilities; clear performance metrics; and remediation plans for non-compliance. (Recommendation 37)
Open
The Nuclear Regulatory Commission (NRC) concurred with our recommendation and stated that it planned to address it. In March 2025, the Chairman of the NRC reported that the agency planned to review its existing service level agreement guidance and ensure that it included all four required elements. The agency noted that this effort was targeted for completion by the end of July 2025. However, as of September 2025, we have not received any subsequent updates. We will continue to monitor NRC's progress in implementing this recommendation.
Nuclear Regulatory Commission: The Chairman of NRC should ensure that the CIO of NRC develops guidance regarding standardizing cloud SLAs. (Recommendation 38)
Open
The Nuclear Regulatory Commission (NRC) concurred with our recommendation and stated that it planned to address it. In March 2025, the Chairman of the NRC reported that the agency planned to review its existing documentation to ensure that service level agreements for all cloud-based assets are standardized. The agency noted that this effort was targeted for completion by the end of July 2025. However, as of September 2025, we have not received any subsequent updates. We will continue to monitor NRC's progress in implementing this recommendation.
Nuclear Regulatory Commission: The Chairman of NRC should ensure that the CIO of NRC develops guidance to require that contracts affecting the agency's HVAs that are managed and operated in the cloud include language that provides the agency with continuous visibility of the asset. (Recommendation 39)
Open
The Nuclear Regulatory Commission (NRC) concurred with our recommendation and stated that it planned to address it. In November 2024, an official in NRC's Office of the Executive Director for Operations reported that the agency planned to establish a working group to address the OMB requirement. In addition, the agency planned to update its statement of work templates to include this requirement and to include language in agency guidance making the agency responsible for monitoring NRC's high value asset systems and for maintaining the continuous visibility needed to perform these activities. We will continue to monitor NRC's progress in implementing this recommendation.
Nuclear Regulatory Commission: The Chairman of NRC should ensure that the CIO of NRC updates its existing contracts for HVAs that are managed and operated in the cloud to meet OMB's requirement once guidance from the CIO Council is available on language that provides the agency with continuous visibility of the asset. If modifying the existing contract is not practical, the agency should incorporate language into the contract that will meet OMB's requirement upon option exercise or issuance of a new award. (Recommendation 40)
Open
The Nuclear Regulatory Commission (NRC) concurred with our recommendation and stated that it planned to address it. In November 2024, an official in NRC's Office of the Executive Director for Operations reported that the agency planned to establish a working group to address the OMB requirement. In addition, the agency planned to update its existing high value asset contracts to provide the agency with continuous visibility of the asset. We will continue to monitor NRC's progress in implementing this recommendation.
Office of Personnel Management: The Director of OPM should ensure that the CIO of OPM updates guidance to put a cloud SLA in place with every vendor when a cloud solution is deployed. The guidance should include language that addresses OMB's required element for SLAs: remediation plans for non-compliance. (Recommendation 41)
Open
As of September 2025, the Office of Personnel Management has not yet taken any actions to implement our recommendation. We will continue to monitor the agency's progress in implementing this recommendation.
Small Business Administration: The Administrator of SBA should ensure that the CIO of SBA develops guidance that requires a periodic review of the agency's policies related to cloud services, including any technical guidance and business requirements, to determine if improvements should be made. (Recommendation 42)
Open
The Small Business Administration (SBA) concurred with our recommendation and stated that the agency would develop guidance to address it. However, as of September 2025, the agency has not yet taken actions to implement our recommendation. We will continue to monitor SBA's progress in implementing this recommendation.
Small Business Administration: The Administrator of SBA should ensure that the CIO of SBA develops guidance to put a cloud SLA in place with every vendor when a cloud solution is deployed. The guidance should include language that addresses OMB's four required elements for SLAs, including: continuous awareness of the confidentiality, integrity, and availability of its assets; a detailed description of roles and responsibilities; clear performance metrics; and remediation plans for non-compliance. (Recommendation 43)
Open
The Small Business Administration (SBA) concurred with our recommendation and stated that the agency would develop guidance to address it. However, as of September 2025, the agency has not yet taken actions to implement our recommendation. We will continue to monitor SBA's progress in implementing this recommendation.
Small Business Administration: The Administrator of SBA should ensure that the CIO of SBA develops guidance regarding standardizing cloud SLAs. (Recommendation 44)
Open
The Small Business Administration (SBA) concurred with our recommendation and stated that the agency would develop guidance to address it. However, as of September 2025, the agency has not yet taken actions to implement our recommendation. We will continue to monitor SBA's progress in implementing this recommendation.
Social Security Administration: The Commissioner of SSA should ensure that the CIO of SSA updates guidance to put a cloud SLA in place with every vendor when a cloud solution is deployed. The guidance should include language that addresses OMB's required elements for SLAs, including: clear performance metrics and remediation plans for non-compliance. (Recommendation 45)
Closed – Implemented
The Social Security Administration (SSA) agreed with, and has addressed, our recommendation. In July 2025, an SSA official from the Office of External Affairs provided a copy of the agency's updated cloud security requirements for cloud service provider service level agreements (SLA), which included language regarding specific performance metrics as well as remediation plans for non-compliance. For example, the agency's requirements specify service commitment percentages and penalties for not meeting the service commitments in the agreements, and identify the associated responsibility of all stakeholders. By implementing our recommendation, SSA is better positioned to ensure that SLAs are in place to govern the levels of service and performance the agency expects when procuring cloud services from a vendor.
U.S. Agency for International Development: The Administrator of USAID should ensure that the CIO of USAID updates guidance to put a cloud SLA in place with every vendor when a cloud solution is deployed. The guidance should include language that addresses OMB's required elements for SLAs, including: remediation plans for non-compliance. (Recommendation 46)
Closed – Implemented
The U.S. Agency for International Development (USAID) agreed with and has addressed our recommendation. In October 2024, a USAID official in the Office of the CIO provided a copy of the agency's updated guidance on information security requirements for acquisition of unclassified information technology, which included language regarding the remediation plans for non-compliance. For example, the agency's guidance noted that service level agreements (SLA) will specify the level of performance, how the performance will be measured, and what enforcement mechanisms will be used to ensure the specified levels are achieved, which would address areas of non-compliance. By implementing our recommendation, USAID is better positioned to ensure that SLAs are in place to govern the levels of service and performance the agency expects when procuring cloud services from a vendor.
U.S. Agency for International Development: The Administrator of USAID should ensure that the CIO of USAID develops guidance regarding standardizing cloud SLAs. (Recommendation 47)
Closed – Implemented
The U.S. Agency for International Development (USAID) agreed with and has addressed our recommendation. In October 2024, a USAID official in the Office of the CIO provided a copy of the agency's updated guidance on information security requirements for acquisition of unclassified information technology. The agency's guidance noted that service level agreements (SLA) should include language related to ensuring that data ownership, licensing, and disposition requirements are met, as well as requirements for inspection and audit activities. Further, the guidance included language for requirements related to third party security assessments in accordance with the Federal Risk and Authorization Management Program (FedRAMP). By implementing our recommendation, USAID is better positioned to ensure that standardized SLAs are in place to provide more effective, efficient, and secure cloud procurement outcomes.

GAO Contacts

Carol C. Harris
Director
Information Technology and Cybersecurity

Media Inquiries

Sarah Kaczmarek
Managing Director
Office of Public Affairs

Topics

Budgets, Business systems modernization, Chief financial officers, Chief information officers, Cloud computing, Federal agencies, Government procurement, IT investments, Information technology, Best practices