Outdated, conflicting guidance causes cloud procurement problems, watchdog says
Outdated and conflicting official guidance, coupled with imprecise historical procurement data, has caused challenges at most federal agencies when acquiring cloud computing tools, the Government Accountability Office found in a new report Tuesday.
Across all cabinet and some independent agencies, cost control and conflicting official software guidance from the Office of Management and Budget and the National Institute of Standards and Technology created “unnecessary burdens” in cloud procurement and use, the report said.
The GAO said federal spending on contracts for cloud services has “grown rapidly” over the past decade, from $2.3 billion to over $10 billion each year.
“Federal agency IT provides essential services affecting the health, economy, and defense of the nation, serving as a foundation for the federal government’s ability to deliver on its mission,” the report said. “Accordingly, agencies need to maximize the impact of taxpayer dollars and make procurement decisions that deliver on their missions securely and reliably.”
Other challenges identified by over half of the agencies included difficulties obtaining authorized cloud solutions and the outdated Federal Acquisition Regulation, which still does not include a definition of cloud computing. Proposed rules to overhaul and simplify several sections of the FAR were posted on the Federal Register on Tuesday for public comment.
“Updating the FAR to reflect present-day computing is essential to effectively contracting for cloud services,” the report said.
However, GAO said agencies are addressing cost control and obtaining cloud solutions, as well as issuing guidance and responding to cloud staffing limitations.
“Agencies’ ongoing and planned actions, if implemented effectively, demonstrate promise for tackling these challenges and could lead to substantial savings,” the report said.
Some larger agencies use multiple cloud vendors for efficiency, but often run into interoperability problems. The GAO said sharing leading multi-cloud practices would enable other agencies to learn from one another and improve implementation.
“Federal IT acquisitions of cloud services have the potential to reduce costs and improve operational efficiencies,” the report said.
All but two of the 24 agencies reviewed said they used the now-retired Federal Procurement Data System to make cloud procurement decisions. FPDS functionality is now within SAM.gov, the report said.
“However, the agency-reported obligations on cloud contracts in FPDS were imprecise due to how IT-related product and service codes (PSC) are assigned to contracts in this system,” the report said. “Issues with having reliable data in FPDS are not new and we have made numerous recommendations to address them.”
From the cross-governmental analysis, the GAO issued three recommendations.
First, it said the General Services Administration should require agencies to use FinOps practices and report their benefits, to which the GSA disagreed, saying they should only promote best practices to support FinOps adoption for interested agencies.
“GSA does not have the authority to mandate that agencies use FinOps practices,” Administrator Edward Forst said in response. “However, GSA IT contracts can be used by agencies to procure products, services, and solutions supporting FinOps practices, which can improve agencies’ real-time cloud management.
Also, DHS should direct CISA to issue additional Software Bill of Materials implementation guidance to agencies, and the Federal Chief Information Officers Council should work with OMB to collect and share examples of leading practices in the federal government on multi-vendor cloud solutions.
While the CIO Council did not respond, DHS concurred, saying the final version of a Software Bill of Materials Minimum Elements document will be published by the end of fiscal 2026.
The GAO also offered two congressional matters for consideration, including updating relevant statutory definitions.
