Why It Matters

Federal agencies are struggling to procure and manage cloud services due to a tangle of outdated regulations, conflicting government guidance, and inadequate cost controls. The Government Accountability Office found that about 90% of major federal agencies lack the tools and clarity to make smart cloud purchasing decisions, a problem that ripples across the government's ability to modernize IT systems that underpin everything from tax collection to national defense.

The stakes are direct: agencies cannot move efficiently to cloud computing if the rules of the road are broken. Federal cloud computing procurement has become a bottleneck that affects not just IT budgets but the government's capacity to respond to security threats, manage sensitive data, and deliver services to the public.

The Big Picture

The GAO examined 24 major federal agencies governed by the Chief Financial Officers Act to understand how they acquire and manage cloud services. The findings reveal systemic problems across government.

The most basic issue is that 22 of the 24 agencies examined reported they primarily rely on historical procurement data to guide cloud decisions.

The cost control problem is acute. Seventeen of 24 agencies reported that managing cloud costs requires changes to how they conduct IT management day-to-day. Without these changes in place, agencies overspend.

Guidance from Washington has made the problem worse, not better. Seventeen of 24 agencies reported that conflicting guidance issued by the Office of Management and Budget and the National Institute of Standards and Technology created confusion about how to handle software procurement and security requirements.

Outdated Regulations and Authorization Bottlenecks

The Federal Acquisition Regulations, the rulebook for federal purchasing, have not kept pace with cloud computing. Fifteen of 24 agencies reported that outdated acquisition regulations impeded their cloud procurement efforts.

The Federal Acquisition Regulations contain no definition of cloud computing at all. The regulations' definition of information technology is 20 years old. The definition of "commercial product or service" does not align with how cloud services are actually delivered and priced in the market.

Fifteen of 24 agencies reported encountering difficulties in obtaining authorized cloud solutions.

Between April 2025 and October 2025, significant changes were made to the Federal Acquisition Regulations, suggesting some effort to modernize.

Multi-Vendor Complexity and Workforce Gaps

But eleven of 24 agencies reported that multi-vendor cloud adoption introduced new technical challenges, particularly around interoperability between different platforms.

Ten of 24 agencies reported that resource constraints prevented them from hiring or training staff with the cloud computing expertise needed to manage modern IT infrastructure.

The Bottom Line

The GAO made three recommendations for executive action and two matters for congressional consideration.

For Congress, the GAO recommended updating statutory definitions of commercial products and commercial services to reflect how cloud services are actually bought and sold. The GAO also recommended that Congress require acquisition regulations be updated to define information technology consistent with the Federal IT Acquisition Reform Act and to define cloud computing consistent with NIST's definition.

For the executive branch, the GAO recommended that the General Services Administration require agencies to adopt FinOps practices, a set of financial management techniques designed specifically for cloud environments, and report on the benefits achieved. The GSA disagreed with this recommendation, arguing it should remain voluntary rather than mandatory.

The GAO recommended that the Department of Homeland Security direct the Cybersecurity and Infrastructure Security Agency to issue additional guidance on implementing Software Bill of Materials requirements. DHS concurred with this recommendation. The GAO also recommended that the Federal Chief Information Officers (CIO) Council collect and share examples of leading practices in multi-vendor cloud solutions, though the Council did not provide comments on this recommendation.

Access the Legis1 platform for comprehensive political news, data, and insights.

Spot something wrong? Report an issue with this article