Cloud Computing: Selected Agencies Need to Implement Updated Guidance for Managing Restrictive Licenses

What GAO Found

Restrictive software licensing practices include vendor processes that limit, impede, or prevent agencies' efforts to use software in cloud computing. Officials from five of the six selected agencies described multiple impacts that they had experienced from restrictive software licensing practices. The agencies impacted were the Departments of Justice (DOJ), Transportation (DOT), and Veterans Affairs (VA); the National Aeronautics and Space Administration (NASA); and the Social Security Administration (SSA). Officials from the remaining agency, the Office of Personnel Management (OPM), reported that it had not encountered any restrictive licensing practices. The following table summarizes the impacts.

Impacts from the Restrictive Licensing Practices Experienced by Five Selected Agencies

Source: GAO analysis of information provided by agency officials. | GAO 25 107114

None of the six selected agencies had fully established guidance that specifically addressed the two key industry activities for effectively managing the risk of impacts of restrictive practices. These activities are to (1) identify and analyze potential impacts of such practices, and (2) develop plans for mitigating adverse impacts. Furthermore, of the five agencies that reported encountering restrictive practices, three agencies partially implemented the key activities to manage those restrictive practices and the other two agencies-DOT and VA-did not demonstrate that they had fully implemented either of the activities.

Key causes for the selected agencies' inconsistent implementation of the two activities included that (1) none of the agencies had fully assigned responsibility for identifying and managing restrictive practices, and (2) the agencies did not consider the management of restrictive practices to be a priority. Until the agencies (1) update and implement guidance to fully address identifying, analyzing, and mitigating the impacts of restrictive software licensing practices, and (2) assign responsibility for identifying and managing such practices, they will likely miss opportunities to take action to avoid or minimize the impacts.

Why GAO Did This Study

Cloud computing can often provide access to IT resources through the internet faster and for less money than owning and maintaining such resources. However, as agencies implement IT and migrate systems to the cloud, they may encounter restrictive software licensing practices.

GAO was asked to review the impacts of restrictive software licensing on federal agencies. This report (1) describes how restrictive software licensing practices impacted selected agencies' cloud computing services and (2) evaluates the extent to which selected agencies effectively managed the potential impact of such practices.

To do so, GAO interviewed IT and acquisition officials from six randomly selected agencies and 11 selected cloud investments within those agencies. These investments included a mix of cloud computing types, among other things. GAO also assessed relevant policies and documentation of agency efforts to manage restrictive licensing practices and compared them to key activities for risk and acquisition management identified by industry.