LegiStorm

Summary:
What GAO Found

Agencies had mixed results in setting policies and guidance that addressed the five key procurement requirements established by the Office of Management and Budget (OMB) in its 2019 Cloud Smart Strategy. Specifically, as of July 2024, all 24 agencies had established guidance to ensure the agency Chief Information Officer (CIO) oversaw modernization and almost all had guidance in place to improve their policies and guidance related to cloud services. However, most agencies did not establish guidance related to service level agreements (SLA), which define the levels of service and performance that the agency expects its cloud providers to meet. In addition, nearly one-third of agencies did not have guidance to ensure continuous visibility in high value assets (systems that process high-value information or serve a critical function in maintaining the security of the civilian enterprise).

Table 1: Extent to Which Federal Agencies' Guidance Has Addressed the Five Procurement-Related Cloud Computing Requirements, as of July 2024


Requirement


Fully Addressed


Partially Addressed


Not Addressed


Ensure the agency's chief information officer oversees modernization.


24


0


0


Iteratively improve agency policies and guidance.


23


0


1


Have cloud service level agreement in place.


6


10


8


Standardize cloud contract service level agreements


9


2


13


Ensure continuous visibility in high value asset contracts.a


11


2


5

Legend: Fully addressed = The agency provided evidence that addressed the requirement. Partially addressed = The agency provided evidence that it had addressed some, but not all of the requirement. Not addressed = The agency did not provide evidence that it had addressed any of the requirement.

Source: GAO analysis of agency documentation. | GAO-24-106137

aThe requirement was not applicable for six agencies because high value assets were not stored in the cloud.

Agency officials provided different reasons as to why guidance had not been developed for the requirements. For example, six agencies reported that they had used SLAs provided by the cloud service providers. One agency reported that it had included language in its blanket purchase agreement and two agencies reported they were in the process of finalizing guidance. Regarding high value asset guidance, one agency reported that it had included language in their contracts to meet the requirement but had not developed corresponding guidance. One agency reported that it had relied on standard acquisition practices and had not developed separate processes for these assets.

In addition, agency officials reported that additional guidance, including standardized SLA language and high value asset contract language, would be helpful. The CIO Council, as a forum for improving agency practices, could facilitate the collection of examples of guidance and language from agencies that have met these requirements. By sharing examples of agency guidance and contract language related to the SLA and high value asset requirements, agencies would be able to more readily address OMB's requirements.

Why GAO Did This Study

Cloud computing enables on-demand access to shared computing resources, providing services more quickly and at a lower cost than having agencies maintain these resources themselves. In 2010, OMB began requiring agencies to shift their IT services to cloud services when feasible. In 2019, OMB updated its Federal Cloud Computing Strategy (called Cloud Smart) and established five key cloud procurement requirements.

GAO was asked to examine agencies' efforts to implement OMB's Cloud Smart initiative. This report assesses the extent to which agencies' cloud guidance addresses OMB's five Cloud Smart procurement requirements. For each of the 24 Chief Financial Officers Act agencies, GAO analyzed relevant cloud procurement and security policies, guidance, and SLAs. GAO then assessed the results of the analysis against the five requirements. GAO also interviewed officials in the 24 agencies' Offices of the CIO.