Cloud Computing: Selected Agencies Need to Implement Updated Guidance for Managing Restrictive Licenses
Fast Facts
Cloud computing offers on-demand access to shared IT resources like networks and servers.
Federal agencies must move their data and software to the cloud when possible. But software licenses and restrictive vendor practices can limit or prevent such efforts. For example, some vendors charge extra fees to use their software with third-party cloud providers. Five agencies we interviewed said restrictive practices generally affected the cost of cloud services or their choice of cloud providers.
We recommended the agencies assign responsibility and update and implement guidance to lessen the effects of restrictions on moving software to the cloud.
Highlights
What GAO Found
Restrictive software licensing practices include vendor processes that limit, impede, or prevent agencies' efforts to use software in cloud computing. Officials from five of the six selected agencies described multiple impacts that they had experienced from restrictive software licensing practices. The agencies impacted were the Departments of Justice (DOJ), Transportation (DOT), and Veterans Affairs (VA); the National Aeronautics and Space Administration (NASA); and the Social Security Administration (SSA). Officials from the remaining agency, the Office of Personnel Management (OPM), reported that it had not encountered any restrictive licensing practices. The following table summarizes the impacts.
Impacts from the Restrictive Licensing Practices Experienced by Five Selected Agencies
|
Type of impact |
Description of restrictive practice |
Number of agencies experiencing impact |
|---|---|---|
|
Cost increase (4 agencies) |
Vendor required repurchase of same licenses for use in cloud. |
3 |
|
Vendor charged additional fees to use its software on infrastructure from other cloud service providers. |
2 |
|
|
Vendor charged more (e.g., a conversion fee) to migrate its software to the cloud under an agency's existing licenses used in on-premise systems. |
1 |
|
|
Limit on choice of cloud service provider or cloud architecture (3 agencies) |
Vendor required or encouraged agencies to use its software on that vendor's own cloud infrastructure (i.e., encouraged vendor lock-in). |
3 |
|
A contractor that migrated an agency's data into a vendor's cloud infrastructure required the agency to pay to regain ownership of the data at the end of the contract, which encouraged vendor lock-in. |
1 |
|
|
A vendor for an on-premise private cloud did not allow another vendor's software to be used with its hardware, thereby creating vendor lock-in. |
1 |
Source: GAO analysis of information provided by agency officials. | GAO 25 107114
None of the six selected agencies had fully established guidance that specifically addressed the two key industry activities for effectively managing the risk of impacts of restrictive practices. These activities are to (1) identify and analyze potential impacts of such practices, and (2) develop plans for mitigating adverse impacts. Furthermore, of the five agencies that reported encountering restrictive practices, three agencies partially implemented the key activities to manage those restrictive practices and the other two agencies—DOT and VA—did not demonstrate that they had fully implemented either of the activities.
Key causes for the selected agencies' inconsistent implementation of the two activities included that (1) none of the agencies had fully assigned responsibility for identifying and managing restrictive practices, and (2) the agencies did not consider the management of restrictive practices to be a priority. Until the agencies (1) update and implement guidance to fully address identifying, analyzing, and mitigating the impacts of restrictive software licensing practices, and (2) assign responsibility for identifying and managing such practices, they will likely miss opportunities to take action to avoid or minimize the impacts.
Why GAO Did This Study
Cloud computing can often provide access to IT resources through the internet faster and for less money than owning and maintaining such resources. However, as agencies implement IT and migrate systems to the cloud, they may encounter restrictive software licensing practices.
GAO was asked to review the impacts of restrictive software licensing on federal agencies. This report (1) describes how restrictive software licensing practices impacted selected agencies' cloud computing services and (2) evaluates the extent to which selected agencies effectively managed the potential impact of such practices.
To do so, GAO interviewed IT and acquisition officials from six randomly selected agencies and 11 selected cloud investments within those agencies. These investments included a mix of cloud computing types, among other things. GAO also assessed relevant policies and documentation of agency efforts to manage restrictive licensing practices and compared them to key activities for risk and acquisition management identified by industry.
Recommendations
GAO is making 12 recommendations—two to each agency—to (1) fully address identifying, analyzing, and mitigating the impacts of restrictive software licensing practices, and (2) assign responsibility for identifying and managing such practices. Five agencies concurred with the recommendations. One agency—DOJ—did not agree with the recommendations. GAO continues to believe its recommendations to DOJ are warranted, as discussed in this report.
Recommendations for Executive Action
| Agency Affected | Recommendation | Status |
|---|---|---|
| Department of Justice | The Attorney General should update and implement Department of Justice guidance to fully address identifying, analyzing, and mitigating the impacts of restrictive software licensing practices on cloud computing efforts. (Recommendation 1) |
Although the Department of Justice (DOJ) did not concur with this recommendation when we issued the report in November 2024, the department has since initiated action to address it. Specifically, the Deputy Assistant Attorney General reported in May 2025 that the department's Office of the Chief Information Officer (OCIO) planned to update its procurement guidance to include language that addresses identifying, analyzing, and mitigating the impacts of restrictive software licensing practices on cloud computing efforts. As of January 2026, that guidance has not yet been established and implemented. As such, DOJ has not yet identified related cost savings. Until DOJ implements sufficient guidance for managing the impacts of restrictive software licensing practices, DOJ investments will likely continue to take ad hoc, potentially ineffective actions--or no action--for managing restrictive software licensing practices. In addition, the full extent of impacts from restrictive software licenses on the department remains unknown.
|
| Department of Justice | The Attorney General should assign and document responsibility for identifying and managing potential impacts of restrictive software licensing practices across the department. (Recommendation 2) |
Although the Department of Justice (DOJ) did not concur with this recommendation when we issued the report in November 2024, the department has since initiated action to address it. Specifically, in May 2025, the Deputy Assistant Attorney General for Policy, Management, and Procurement stated that the department's Office of the Chief Information Officer had coordinated with the Office of Acquisition Management to begin updating procurement guidance to assign and document responsibility for identifying and managing potential impacts of restrictive software licensing practices across the department. As of January 2026, the department has not yet provided evidence that it has developed and implemented the guidance. We will continue to follow-up with the agency on its efforts to address this recommendation.
|
| Department of Transportation | The Secretary of Transportation should update and implement guidance to fully address identifying, analyzing, and mitigating the impacts of restrictive software licensing practices on cloud computing efforts. (Recommendation 3) |
The Department of Transportation (DOT) agreed with this recommendation when we issued the report in November 2024, but has not yet taken action to fully address it. Specifically, the Assistant Secretary for Administration reported that the department planned to update its acquisition guidance in 2025 regarding procurement and IT to address restrictive licensing practices. However, as of January 2026, DOT's efforts to update its guidance have been paused, pending the results of federal efforts to update the Federal Acquisition Regulation. As such, DOT's guidance has not yet been established and implemented, and it has not yet identified related cost savings. Until DOT implements sufficient guidance for managing the impact of restrictive software licensing practices, DOT investments will likely continue to take ad hoc, potentially ineffective actions-or no action-for managing restrictive software licensing practices. In addition, the full extent of impacts from restrictive software licenses on the department remains unknown.
|
| Department of Transportation | The Secretary of Transportation should assign and document responsibility for identifying and managing potential impacts of restrictive software licensing practices across the department. (Recommendation 4) |
The Department of Transportation (DOT) agreed with this recommendation when we issued the report in November 2024. In April 2025, the Assistant Secretary for Administration reported that DOT planned to update its acquisition guidance regarding procurement and IT to assign responsibility for identifying and managing the potential impacts of restrictive software licensing practices, unless otherwise indicated by applicable federal policies and guidance. DOT also planned to establish a checklist with guidance for effectively identifying and coordinating activities related to restrictive software licensing practices. As of January 2026, the department has not yet provided evidence that it has finalized and implemented the guidance. We will continue to follow-up with the agency on its efforts to address this recommendation.
|
| Department of Veterans Affairs | The Secretary of Veterans Affairs should update and implement guidance to fully address identifying, analyzing, and mitigating the impacts of restrictive software licensing practices on cloud computing efforts. (Recommendation 5) |
The Department of Veterans Affairs (VA) agreed with this recommendation when we issued the report in November 2024, but has not yet taken action to fully address it. Specifically, the Chief of Staff reported that the department planned to stand up a working group to identify, analyze, and mitigate the impacts of restrictive software licensing practices on cloud computing efforts by the end of fiscal year 2026. As of January 2026, VA has not yet established the working group or established and implemented any related guidance. As such, VA has not yet identified related cost savings. Until VA implements sufficient guidance for managing the impact of restrictive software licensing practices, VA investments will likely continue to take ad hoc, potentially ineffective actions-or no action-for managing restrictive software licensing practices. In addition, the full extent of impacts from restrictive software licenses on the department remains unknown.
|
| Department of Veterans Affairs | The Secretary of Veterans Affairs should assign and document responsibility for identifying and managing potential impacts of restrictive software licensing practices across the department. (Recommendation 6) |
The Department of Veterans Affairs (VA) agreed with this recommendation when we issued the report in November 2024. In May 2025, the Chief of Staff stated that VA planned to stand-up a working group composed of IT and acquisition staff to develop a proposal to assign and document responsibility for identifying and managing potential impacts of restrictive software licensing practices across the department. As of January 2026, VA has not yet provided evidence that it has assigned or documented responsibility for restrictive software licensing practices. We will continue to follow-up with the agency on its efforts to address this recommendation.
|
| National Aeronautics and Space Administration | The Administrator of the National Aeronautics and Space Administration should update and implement guidance to fully address identifying, analyzing, and mitigating the impacts of restrictive software licensing practices on cloud computing efforts. (Recommendation 7) |
The National Aeronautics and Space Administration (NASA) agreed with this recommendation when we issued the report in November 2024, but has not yet taken action to fully address it. Specifically, the NASA Administrator reported that the Office of the Chief Information Officer planned to revise and re-issue its Cloud Procurement Best Practices guidance, including updating the guidance to include information such as a clear definition of restrictive software licensing practices in the cloud, example scenarios where such practices may be encountered, and how to report such practices for further analysis and mitigation. As of January 2026, that guidance has not yet been established and implemented, As such, NASA has not yet identified related cost savings. Until NASA implements sufficient guidance for managing the impact of restrictive software licensing practices, NASA investments will likely continue to take ad hoc, potentially ineffective actions-or no action-for managing restrictive software licensing practices. In addition, the full extent of impacts from restrictive software licenses on the department remains unknown.
|
| National Aeronautics and Space Administration | The Administrator of the National Aeronautics and Space Administration should assign and document responsibility for identifying and managing potential impacts of restrictive software licensing practices across the agency. (Recommendation 8) |
NASA concurred with the recommendation. In July 2025, NASA reported that the Office of the Chief Information Officer had updated its Cloud and Computing Services guidance to assign the Services' director responsibility for identifying and managing potential impacts of restrictive software licensing practices across the agency. We reviewed the updated guidance and confirmed that it documented and outlined the director's responsibility for identifying and managing potential impacts of such practices. By establishing this responsibility, NASA should be better prepared to address situations where it encounters restrictive practices in the future.
|
| Office of Personnel Management | The Director of the Office of Personnel Management should update and implement guidance to fully address identifying, analyzing, and mitigating the impacts of restrictive software licensing practices on cloud computing efforts. (Recommendation 9) |
The Office of Personnel Management (OPM) agreed with this recommendation when we issued the report in November 2024, but has not yet taken action to fully address it. Specifically, the Acting Director of OPM reported that the agency planned to transfer procurement functions to the General Services Administration. OPM reported that the agency completed the transfer of most procurement actions and requirements in fiscal year 2025, as planned. However, the agency has not yet developed or identified and implemented guidance addressing restrictive software licensing practices. As such, OPM has not yet identified related cost savings. Until OPM implements sufficient guidance for managing the impact of restrictive software licensing practices, OPM investments will likely continue to take ad hoc, potentially ineffective actions-or no action-for managing restrictive software licensing practices. In addition, the full extent of impacts from restrictive software licenses on the department remains unknown.
|
| Office of Personnel Management | The Director of the Office of Personnel Management should assign and document responsibility for identifying and managing potential impacts of restrictive software licensing practices across the agency. (Recommendation 10) |
The Office of Personnel Management (OPM) agreed with this recommendation when we issued the report in November 2024. Specifically, the Acting Director of OPM reported that the agency planned to transfer procurement functions to the General Services Administration. OPM reported that the agency completed the transfer of most procurement actions and requirements in fiscal year 2025, as planned. However, as of January 2026, the agency has not yet assigned or documented responsibility for identifying and managing potential impacts of restrictive software licensing practices. We will continue to follow-up with the agency on its efforts to address this recommendation.
|
| Social Security Administration | The Commissioner of the Social Security Administration should update and implement guidance to fully address identifying, analyzing, and mitigating the impacts of restrictive software licensing practices on cloud computing efforts. (Recommendation 11) |
The Social Security Administration (SSA) agreed with this recommendation when we issued the report in November 2024, but has not yet taken action to fully address it. Specifically, we reviewed the agency's Cloud Services Guidance, updated in February 2025, and determined that the updates did not fully address identifying, analyzing, and mitigating the impacts of restrictive software licensing practices on cloud computing efforts. As of January 2026, the agency has not yet developed and implemented guidance that specifically addresses such practices, and, as such, has not yet identified related cost savings. Until SSA implements sufficient guidance for managing the impact of restrictive software licensing practices, SSA investments will likely continue to take ad hoc, potentially ineffective actions-or no action-for managing restrictive software licensing practices. In addition, the full extent of impacts from restrictive software licenses on the department remains unknown.
|
| Social Security Administration | The Commissioner of the Social Security Administration should assign and document responsibility for identifying and managing potential impacts of restrictive software licensing practices across the agency. (Recommendation 12) |
The Social Security Administration (SSA) agreed with this recommendation when we issued the report in November 2024, but has not yet taken action to fully address it. Specifically, we reviewed SSA's February 2025 Cloud Services Guidance and determined that the updated guidance did not fully address assigning and documenting responsibility for identifying and managing potential impacts of restrictive software licensing practices across the agency. As of January 2026, the agency has not yet developed and implemented guidance specifically assigning and documenting this responsibility. We will continue to follow-up with the agency on its efforts to address this recommendation.
|