A new report finds agencies still rely on legacy procurement data and face cost-control, regulatory, and workforce challenges as cloud adoption expands.

Federal agencies face persistent challenges in acquiring and managing cloud computing services due to outdated procurement rules, conflicting federal guidance, and workforce constraints, according to a new Government Accountability Office (GAO) report.

Senior officials at 22 of the 24 agencies GAO reviewed said they primarily rely on historical procurement data to inform cloud acquisition decisions, according to the report. The watchdog said implementing prior recommendations to improve federal acquisition data quality could provide agencies with more reliable information for decision-making.

Among the most frequently cited cloud procurement challenges, 17 agencies reported difficulties changing IT management practices to better control cloud costs. Seventeen agencies also cited conflicting guidance from the Office of Management and Budget (OMB) and the National Institute of Standards and Technology (NIST). Fifteen agencies pointed to outdated Federal Acquisition Regulation (FAR) requirements and challenges obtaining authorized cloud solutions, while 11 agencies reported multivendor interoperability issues and 10 cited workforce hiring and resource constraints.

GAO said conflicting guidance from OMB and NIST has created unnecessary burdens for agencies collecting and storing software bills of materials and other key software components. The report said the Cybersecurity and Infrastructure Security Agency is well positioned to help resolve the issue through additional implementation guidance.

The FAR remains outdated for cloud procurement, the report also noted. Although revisions were made between April and October 2025, GAO said the regulation still lacks a definition of cloud computing, relies on a 20-year-old definition of information technology, and uses commercial product and service definitions that do not align with cloud-based offerings.

According to GAO, updating those definitions is critical to improving federal cloud acquisition practices and ensuring agencies can effectively contract for cloud services.

The report also highlighted the growing use of multicloud strategies among larger agencies seeking greater flexibility and efficiency. However, agencies reported continued interoperability challenges when integrating services across multiple cloud providers. GAO said broader sharing of best practices could help agencies improve implementation efforts.

Despite those challenges, agencies are taking steps to improve cloud cost management, expand access to authorized cloud solutions, develop guidance, and address workforce limitations. GAO said those efforts show promise and could generate substantial savings if implemented effectively.

To address the issues identified in the report, GAO recommended that Congress consider requiring updates to the FAR to modernize cloud-related definitions.

The watchdog also recommended that the General Services Administration (GSA) require agencies to implement FinOps practices, that the Department of Homeland Security (DHS) issue additional software bill of materials (SBOM) implementation guidance, and that the Federal CIO Council collect and share examples of leading practices on multivendor cloud solutions.

DHS concurred with GAO’s recommendation. GSA disagreed with the recommendation directed to the agency, while the Federal CIO Council did not provide comments. GAO said it continues to believe its recommendations are warranted.

Lisbeth Perez
Lisbeth Perez is a MeriTalk Senior Technology Reporter covering the intersection of government and technology.