HomeSubject Matter AreasCybersecurity
CybersecurityFederal GovernmentInformation Technology

GAO: Outdated Procurement Rules Continue to Hinder Federal Cloud Adoption

Homeland Security Today
By Homeland Security Today
June 25, 2026

Key Takeaways

Federal agency IT provides essential services affecting the health, economy, and defense of the nation. Cloud computing helps provide these services at potentially lower costs.

But agencies have had trouble acquiring cloud services because:

  • Cloud-related definitions were outdated in federal acquisition regulations
  • Tracking cloud costs requires agencies to change their day-to-day IT management
  • There also wasn’t enough guidance on the best ways to implement cloud environments with multiple vendors.

The GAO recommends Congress consider updating these regulations and the General Services Administration and other agencies address these other issues.

What GAO Found

Senior agency officials from 22 of 24 selected agencies reported primarily relying on historical procurement data to help make cloud decisions. Timely implementation of the many recommendations GAO has made to federal agencies to improve these data could result in high-quality information.

Senior officials in the 24 agencies most frequently reported the following cloud procurement challenges.

Challenges Reported by 24 Selected Federal Agencies on Cloud Procurement

Source: GAO analysis of agency interviews and federal guidance documentation. | GAO-26-107530

Agencies are addressing challenges in controlling cloud costs, obtaining authorized cloud solutions, and issuing guidance and responding to cloud staffing limitations. Agencies’ ongoing and planned actions, if implemented effectively, demonstrate promise for tackling these challenges and could lead to substantial savings.

In contrast, the challenges of conflicting software guidance, outdated Federal Acquisition Regulations (FAR), and multi-vendor cloud solutions remain.

  • The Office of Management and Budget (OMB) and National Institute of Standards and Technology issued conflicting guidance to agencies that created unnecessary burdens for collecting and storing key software components. The Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency is well positioned to address this conflict by providing additional guidance on implementation to agencies.
  • The FAR remains out of date in areas impacting cloud procurement. Although significant changes were made to the FAR between April 2025 and October 2025, the FAR still does not have a definition of cloud computing, the definition of IT is 20 years old, and the definition of a commercial product or service does not align with cloud computing. Updating the FAR to reflect present day computing is essential to effectively contracting for cloud services.
  • Several larger agencies are using multiple cloud vendors to achieve efficiencies but are also experiencing new challenges such as interoperability. Sharing multi-cloud leading practices would enable other agencies to learn from each other and improve implementation efforts.

Why GAO Did This Study

Federal IT acquisitions of cloud services have the potential to reduce costs and improve operational efficiencies. Cloud computing enables on-demand access to shared computing resources. Cloud services use a consumption-based model, and providers generally bill customers based on actual usage of resources (i.e., data storage, computing power, backup, development tools, applications).

GAO was asked to review agencies’ efforts to address cloud procurement. This report assesses, among other things, (1) the cloud procurement data agencies and OMB use and collect to inform acquisition decision making, and (2) agency challenges procuring cloud services and efforts to address the challenges. For each of the 24 Chief Financial Officers Act agencies, GAO analyzed relevant cloud procurement data, policies, and guidance. Further, GAO interviewed senior officials in the 24 agencies’ Offices of the Chief Information Officer (CIO) and Senior Procurement Executive. GAO also interviewed staff in OMB’s Office of the Federal CIO and Office of Federal Procurement Policy and staff in the General Services Administration’s (GSA) Office of Government-wide Policy and Federal Acquisition Service.

Recommendations

Congress should consider requiring changes to the FAR to update cloud-related definitions. GAO is also making three recommendations to GSA, DHS, and the Federal CIO Council to address cloud cost management practices, conflicting cloud guidance, and multi-vendor cloud solutions. DHS concurred with our recommendation, GSA disagreed with our recommendation, and the CIO Council did not provide comments. GAO maintains that its recommendations are warranted.

Read the full GAO report here.

Previous article
GAO: DHS Still Needs to Improve Border Security Metrics Reporting
Next article
GAO: FEMA Requires Cost-Benefit Analysis for Renewable Energy Hazard Mitigation Projects

The Government Technology & Services Coalition's Homeland Security Today (HSToday) is the premier news and information resource for the homeland security community, dedicated to elevating the discussions and insights that can support a safe and secure nation. A non-profit magazine and media platform, HSToday provides readers with the whole story, placing facts and comments in context to inform debate and drive realistic solutions to some of the nation’s most vexing security challenges.

Related Articles

Latest Articles

Load more