Cloud Computing: Federal Government Needs to Address Procurement Challenges
Fast Facts
Federal agency IT provides essential services affecting the health, economy, and defense of the nation. Cloud computing helps provide these services at potentially lower costs.
But agencies have had trouble acquiring cloud services because:
Cloud-related definitions were outdated in federal acquisition regulations
Tracking cloud costs requires agencies to change their day-to-day IT management
There also wasn't enough guidance on the best ways to implement cloud environments with multiple vendors.
We recommended Congress consider updating these regulations and the General Services Administration and other agencies address these other issues.
A person at a desk wearing a business suit is signing a contract. Above the contract is an image of an electronic cloud.
Highlights
What GAO Found
Senior agency officials from 22 of 24 selected agencies reported primarily relying on historical procurement data to help make cloud decisions. Timely implementation of the many recommendations GAO has made to federal agencies to improve these data could result in high-quality information.
Senior officials in the 24 agencies most frequently reported the following cloud procurement challenges.
Challenges Reported by 24 Selected Federal Agencies on Cloud Procurement
|
Challenge identified |
Number of agencies reporting challenge |
|---|---|
|
Control of cloud costs required changes in IT management approaches. |
17 |
|
Conflicting Office of Management and Budget and National Institute of Standards and Technology-issued software guidance caused confusion. |
17 |
|
Outdated Federal Acquisition Regulations impeded cloud procurements. |
15 |
|
Agencies encountered difficulties in obtaining authorized cloud solutions. |
15 |
|
Multi-vendor cloud adoption faced new technical considerations such as interoperability. |
11 |
|
Resource constraints hindered cloud workforce acquisition. |
10 |
Source: GAO analysis of agency interviews and federal guidance documentation. | GAO-26-107530
Agencies are addressing challenges in controlling cloud costs, obtaining authorized cloud solutions, and issuing guidance and responding to cloud staffing limitations. Agencies’ ongoing and planned actions, if implemented effectively, demonstrate promise for tackling these challenges and could lead to substantial savings.
In contrast, the challenges of conflicting software guidance, outdated Federal Acquisition Regulations (FAR), and multi-vendor cloud solutions remain.
- The Office of Management and Budget (OMB) and National Institute of Standards and Technology issued conflicting guidance to agencies that created unnecessary burdens for collecting and storing key software components. The Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency is well positioned to address this conflict by providing additional guidance on implementation to agencies.
- The FAR remains out of date in areas impacting cloud procurement. Although significant changes were made to the FAR between April 2025 and October 2025, the FAR still does not have a definition of cloud computing, the definition of IT is 20 years old, and the definition of a commercial product or service does not align with cloud computing. Updating the FAR to reflect present day computing is essential to effectively contracting for cloud services.
- Several larger agencies are using multiple cloud vendors to achieve efficiencies but are also experiencing new challenges such as interoperability. Sharing multi-cloud leading practices would enable other agencies to learn from each other and improve implementation efforts.
Why GAO Did This Study
Federal IT acquisitions of cloud services have the potential to reduce costs and improve operational efficiencies. Cloud computing enables on-demand access to shared computing resources. Cloud services use a consumption-based model, and providers generally bill customers based on actual usage of resources (i.e., data storage, computing power, backup, development tools, applications).
GAO was asked to review agencies’ efforts to address cloud procurement. This report assesses, among other things, (1) the cloud procurement data agencies and OMB use and collect to inform acquisition decision making, and (2) agency challenges procuring cloud services and efforts to address the challenges. For each of the 24 Chief Financial Officers Act agencies, GAO analyzed relevant cloud procurement data, policies, and guidance. Further, GAO interviewed senior officials in the 24 agencies’ Offices of the Chief Information Officer (CIO) and Senior Procurement Executive. GAO also interviewed staff in OMB’s Office of the Federal CIO and Office of Federal Procurement Policy and staff in the General Services Administration’s (GSA) Office of Government-wide Policy and Federal Acquisition Service.
Recommendations
Congress should consider requiring changes to the FAR to update cloud-related definitions. GAO is also making three recommendations to GSA, DHS, and the Federal CIO Council to address cloud cost management practices, conflicting cloud guidance, and multi-vendor cloud solutions. DHS concurred with our recommendation, GSA disagreed with our recommendation, and the CIO Council did not provide comments. GAO maintains that its recommendations are warranted.
Matter for Congressional Consideration
| Matter | Status | Comments |
|---|---|---|
| Congress should consider: 1) updating the statutory definitions of commercial products and commercial services, and (2) requiring acquisition regulations be updated to reflect these definitions. (Matter for Consideration 1) | When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information. | |
| Congress should consider requiring acquisition regulations be updated to (1) define information technology to be consistent with the definition in FITARA and (2) define the term cloud computing to be consistent with the National Institute of Standards and Technology's definition. (Matter for Consideration 2) | When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information. |
Recommendations for Executive Action
| Agency Affected | Recommendation | Status |
|---|---|---|
| General Services Administration | The Administrator of General Services, as the Executive Agent in charge of all government-wide IT acquisition contracts, should require agencies to use FinOps practices and report the extent of benefits resulting from the use of the practices. (Recommendation 1) |
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
|
| Department of Homeland Security | The Secretary of Homeland Security should direct the Director of the Cybersecurity and Infrastructure Security Agency to issue additional SBOM implementation guidance to agencies. This should include information on how agencies should integrate SBOM generation, consumption, and analysis into their risk management, purchasing, and software development practices, and how to leverage tools where appropriate. (Recommendation 2) |
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
|
| Chief Information Officers Council | The Federal CIO Council, working with its chair, the Office of Management and Budget's Deputy Director for Management, should collect and share examples of leading practices in the federal government on multi-vendor cloud solutions, including containerization and testing platform interoperability. (Recommendation 3) |
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
|