Cloud computing enables on-demand access to shared computing resources. As the Department of Defense (DOD) implements IT projects and migrates systems to the cloud, it may encounter restrictive software license practices. These practices include enterprise agreements or vendor processes that limit, impede, or prevent agencies’ efforts to use software in cloud or multi-cloud computing.
The House report accompanying the James M. Inhofe National Defense Authorization Act for Fiscal Year 2023 includes a provision for the Government Accountability Office (GAO) to review the impact that restrictive software licensing practices could have on DOD cloud computing.
Officials from all three selected DOD components and two of the six selected investments told GAO of restrictive software license practices that impacted their cloud computing efforts. Officials from the selected components and investments stated that restrictive practices generally impacted the cost of cloud computing, choice of cloud service providers, and other related impacts such as interoperability.
GAO found that four of the six selected investments did not identify impacts from restrictive software licensing practices. According to officials, they may not have had impacts because these investments were configured to deploy software within the cloud instead of transferring software to the cloud.
Key industry activities for managing the risk of impacts from restrictive practices include identifying and analyzing impacts and mitigating those impacts. However, the six selected investments GAO reviewed did not consistently address these key activities. Specifically, two investments identified an impact but did not analyze or develop plans for mitigating it, while four other investments did not address identifying, analyzing, or mitigating. GAO said a lack of relevant guidance allowed these shortfalls to occur.
The watchdog is concerned that DOD’s guidance and plans do not fully address identifying and analyzing the impacts of restrictive practices. Moreover, GAO said DOD’s plans and guidance do not address mitigating impacts of restrictive practices. Until DOD updates and implements guidance and plans for managing the impacts of restrictive software licensing practices, GAO believes the department will not be well-positioned to identify and analyze the impact of such practices or to mitigate the risks.
GAO is making one recommendation to DOD to fully address identifying, analyzing, and mitigating the impacts of restrictive software licensing practices. The department concurred with the recommendation and said that it intends to issue guidance to, among other things, close the gaps identified in this report, further streamline and enhance the procurement process, and expand collaboration among stakeholders. In addition, DOD plans to provide a clear definition of restrictive software license practices and their potential risk on cloud computing efforts. The DOD CIO intends to publish this updated guidance by the end of fiscal year 2024.
Alongside these findings, GAO has also issued a separate report, which says DOD could improve its tracking of data user fees in its cloud computing efforts. Federal agencies, including DOD, can deliver better IT services for less money by using the cloud. In fiscal year 2022, the Department of Defense committed about $3 billion for cloud computing contracts.
Cloud service providers charge user fees for transferring data from the cloud. DOD officials have negotiated some discounts for such fees. But GAO has found that DOD does not have a way to track and report on these fees department-wide.
GAO found that GAO has begun to consider data egress fees when procuring and implementing cloud services. The department’s recent contract negotiations with commercial providers resulted in discounts on data fees, including data fees. Vendor lock-in can happen in cloud computing when the cost of moving to a new provider is so high that a user stays with their incumbent provider. However, DOD officials stated that data fees had not been a primary cause for vendor lock-in. These officials added that other factors could cause vendor lock-ins, including a lack of specific skills by government staff, or the reliance on cloud services unique to a specific cloud provider.
DOD has mechanisms that could mitigate the impact data fees could have as it procures and implements cloud services across the department. DOD officials told GAO that data egress fees account for less than one percent of known cloud expenditures. However, the watchdog found the department does not have the capability to track and report on these fees. In addition, GAO said DOD’s contract-specific tools do not track cloud expenditures, including data fees department-wide.
GAO recommends that DOD develop a plan and time frame for adopting a tool to track data fees across the department. DOD concurred with the recommendation and stated that by the third quarter of fiscal year 2025, it will develop a plan to expand the department’s cloud financial operations to include the management of data egress fees.