Skip to main content

Cloud Computing: Selected Agencies Need to Implement Updated Guidance for Managing Restrictive Licenses

GAO-25-107114 Published: Nov 13, 2024. Publicly Released: Nov 13, 2024.
Jump To:

Fast Facts

Cloud computing offers on-demand access to shared IT resources like networks and servers.

Federal agencies must move their data and software to the cloud when possible. But software licenses and restrictive vendor practices can limit or prevent such efforts. For example, some vendors charge extra fees to use their software with third-party cloud providers. Five agencies we interviewed said restrictive practices generally affected the cost of cloud services or their choice of cloud providers.

We recommended the agencies assign responsibility and update and implement guidance to lessen the effects of restrictions on moving software to the cloud.

Technology icons superimposed over a laptop

Skip to Highlights

Highlights

What GAO Found

Restrictive software licensing practices include vendor processes that limit, impede, or prevent agencies' efforts to use software in cloud computing. Officials from five of the six selected agencies described multiple impacts that they had experienced from restrictive software licensing practices. The agencies impacted were the Departments of Justice (DOJ), Transportation (DOT), and Veterans Affairs (VA); the National Aeronautics and Space Administration (NASA); and the Social Security Administration (SSA). Officials from the remaining agency, the Office of Personnel Management (OPM), reported that it had not encountered any restrictive licensing practices. The following table summarizes the impacts.

Impacts from the Restrictive Licensing Practices Experienced by Five Selected Agencies

Type of impact

Description of restrictive practice

Number of agencies experiencing impact

Cost increase

(4 agencies)

Vendor required repurchase of same licenses for use in cloud.

3

Vendor charged additional fees to use its software on infrastructure from other cloud service providers.

2

Vendor charged more (e.g., a conversion fee) to migrate its software to the cloud under an agency's existing licenses used in on-premise systems.

1

Limit on choice of cloud service provider or cloud architecture

(3 agencies)

Vendor required or encouraged agencies to use its software on that vendor's own cloud infrastructure (i.e., encouraged vendor lock-in).

3

A contractor that migrated an agency's data into a vendor's cloud infrastructure required the agency to pay to regain ownership of the data at the end of the contract, which encouraged vendor lock-in.

1

A vendor for an on-premise private cloud did not allow another vendor's software to be used with its hardware, thereby creating vendor lock-in.

1

Source: GAO analysis of information provided by agency officials. | GAO 25 107114

None of the six selected agencies had fully established guidance that specifically addressed the two key industry activities for effectively managing the risk of impacts of restrictive practices. These activities are to (1) identify and analyze potential impacts of such practices, and (2) develop plans for mitigating adverse impacts. Furthermore, of the five agencies that reported encountering restrictive practices, three agencies partially implemented the key activities to manage those restrictive practices and the other two agencies—DOT and VA—did not demonstrate that they had fully implemented either of the activities.

Key causes for the selected agencies' inconsistent implementation of the two activities included that (1) none of the agencies had fully assigned responsibility for identifying and managing restrictive practices, and (2) the agencies did not consider the management of restrictive practices to be a priority. Until the agencies (1) update and implement guidance to fully address identifying, analyzing, and mitigating the impacts of restrictive software licensing practices, and (2) assign responsibility for identifying and managing such practices, they will likely miss opportunities to take action to avoid or minimize the impacts.

Why GAO Did This Study

Cloud computing can often provide access to IT resources through the internet faster and for less money than owning and maintaining such resources. However, as agencies implement IT and migrate systems to the cloud, they may encounter restrictive software licensing practices.

GAO was asked to review the impacts of restrictive software licensing on federal agencies. This report (1) describes how restrictive software licensing practices impacted selected agencies' cloud computing services and (2) evaluates the extent to which selected agencies effectively managed the potential impact of such practices.

To do so, GAO interviewed IT and acquisition officials from six randomly selected agencies and 11 selected cloud investments within those agencies. These investments included a mix of cloud computing types, among other things. GAO also assessed relevant policies and documentation of agency efforts to manage restrictive licensing practices and compared them to key activities for risk and acquisition management identified by industry.

Recommendations

GAO is making 12 recommendations—two to each agency—to (1) fully address identifying, analyzing, and mitigating the impacts of restrictive software licensing practices, and (2) assign responsibility for identifying and managing such practices. Five agencies concurred with the recommendations. One agency—DOJ—did not agree with the recommendations. GAO continues to believe its recommendations to DOJ are warranted, as discussed in this report.

Recommendations for Executive Action

Agency Affected Recommendation Status
Department of Justice The Attorney General should update and implement Department of Justice guidance to fully address identifying, analyzing, and mitigating the impacts of restrictive software licensing practices on cloud computing efforts. (Recommendation 1)
Open
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Department of Justice The Attorney General should assign and document responsibility for identifying and managing potential impacts of restrictive software licensing practices across the department. (Recommendation 2)
Open
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Department of Transportation The Secretary of Transportation should update and implement guidance to fully address identifying, analyzing, and mitigating the impacts of restrictive software licensing practices on cloud computing efforts. (Recommendation 3)
Open
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Department of Transportation The Secretary of Transportation should assign and document responsibility for identifying and managing potential impacts of restrictive software licensing practices across the department. (Recommendation 4)
Open
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Department of Veterans Affairs The Secretary of Veterans Affairs should update and implement guidance to fully address identifying, analyzing, and mitigating the impacts of restrictive software licensing practices on cloud computing efforts. (Recommendation 5)
Open
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Department of Veterans Affairs The Secretary of Veterans Affairs should assign and document responsibility for identifying and managing potential impacts of restrictive software licensing practices across the department. (Recommendation 6)
Open
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
National Aeronautics and Space Administration The Administrator of the National Aeronautics and Space Administration should update and implement guidance to fully address identifying, analyzing, and mitigating the impacts of restrictive software licensing practices on cloud computing efforts. (Recommendation 7)
Open
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
National Aeronautics and Space Administration The Administrator of the National Aeronautics and Space Administration should assign and document responsibility for identifying and managing potential impacts of restrictive software licensing practices across the agency. (Recommendation 8)
Open
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Office of Personnel Management The Director of the Office of Personnel Management should update and implement guidance to fully address identifying, analyzing, and mitigating the impacts of restrictive software licensing practices on cloud computing efforts. (Recommendation 9)
Open
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Office of Personnel Management The Director of the Office of Personnel Management should assign and document responsibility for identifying and managing potential impacts of restrictive software licensing practices across the agency. (Recommendation 10)
Open
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Social Security Administration The Commissioner of the Social Security Administration should update and implement guidance to fully address identifying, analyzing, and mitigating the impacts of restrictive software licensing practices on cloud computing efforts. (Recommendation 11)
Open
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Social Security Administration The Commissioner of the Social Security Administration should assign and document responsibility for identifying and managing potential impacts of restrictive software licensing practices across the agency. (Recommendation 12)
Open
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Full Report

GAO Contacts

Carol C. Harris
Director
Information Technology and Cybersecurity

Media Inquiries

Sarah Kaczmarek
Managing Director
Office of Public Affairs

Topics

Acquisition managementAudit objectivesBest practicesChief information officersCloud computingFederal agenciesIT acquisitionsIT investmentsInformation technologyInternal controlsLicense agreementsPersonnel managementRisk managementSoftware