Cloud Computing: Agencies Need to Address Key OMB Procurement Requirements
Fast Facts
In 2019, the Office of Management and Budget established 5 key requirements for agencies related to procuring secure, cost-effective cloud services.
As of July 2024, the 24 major agencies set policies and guidance that addressed some of these requirements but not others. For example, all the agencies had established guidance to ensure their chief information officer oversees agency modernization efforts.
But most hadn't established guidance on service level agreements—which define the levels of service and performance the agency expects its cloud providers to meet.
Our 47 recommendations address these and other issues.
Highlights
What GAO Found
Agencies had mixed results in setting policies and guidance that addressed the five key procurement requirements established by the Office of Management and Budget (OMB) in its 2019 Cloud Smart Strategy. Specifically, as of July 2024, all 24 agencies had established guidance to ensure the agency Chief Information Officer (CIO) oversaw modernization and almost all had guidance in place to improve their policies and guidance related to cloud services. However, most agencies did not establish guidance related to service level agreements (SLA), which define the levels of service and performance that the agency expects its cloud providers to meet. In addition, nearly one-third of agencies did not have guidance to ensure continuous visibility in high value assets (systems that process high-value information or serve a critical function in maintaining the security of the civilian enterprise).
Table 1: Extent to Which Federal Agencies' Guidance Has Addressed the Five Procurement-Related Cloud Computing Requirements, as of July 2024

Requirement | Fully Addressed | Partially Addressed | Not Addressed
---|---|---|---
Ensure the agency's chief information officer oversees modernization. | 24 | 0 | 0
Iteratively improve agency policies and guidance. | 23 | 0 | 1
Have cloud service level agreement in place. | 6 | 10 | 8
Standardize cloud contract service level agreements. | 9 | 2 | 13
Ensure continuous visibility in high value asset contracts.^a | 11 | 2 | 5

Legend: Fully addressed = The agency provided evidence that addressed the requirement. Partially addressed = The agency provided evidence that it had addressed some, but not all, of the requirement. Not addressed = The agency did not provide evidence that it had addressed any of the requirement.
Source: GAO analysis of agency documentation. | GAO-24-106137
^a The requirement was not applicable for six agencies because high value assets were not stored in the cloud.
Agency officials provided different reasons as to why guidance had not been developed for the requirements. For example, six agencies reported that they had used SLAs provided by the cloud service providers. One agency reported that it had included language in its blanket purchase agreement and two agencies reported they were in the process of finalizing guidance. Regarding high value asset guidance, one agency reported that it had included language in their contracts to meet the requirement but had not developed corresponding guidance. One agency reported that it had relied on standard acquisition practices and had not developed separate processes for these assets.
In addition, agency officials reported that additional guidance, including standardized SLA language and high value asset contract language, would be helpful. The CIO Council, as a forum for improving agency practices, could facilitate the collection of examples of guidance and language from agencies that have met these requirements. By sharing examples of agency guidance and contract language related to the SLA and high value asset requirements, agencies would be able to more readily address OMB's requirements.
Why GAO Did This Study
Cloud computing enables on-demand access to shared computing resources, providing services more quickly and at a lower cost than having agencies maintain these resources themselves. In 2010, OMB began requiring agencies to shift their IT services to cloud services when feasible. In 2019, OMB updated its Federal Cloud Computing Strategy (called Cloud Smart) and established five key cloud procurement requirements.
GAO was asked to examine agencies' efforts to implement OMB's Cloud Smart initiative. This report assesses the extent to which agencies' cloud guidance addresses OMB's five Cloud Smart procurement requirements. For each of the 24 Chief Financial Officers Act agencies, GAO analyzed relevant cloud procurement and security policies, guidance, and SLAs. GAO then assessed the results of the analysis against the five requirements. GAO also interviewed officials in the 24 agencies' Offices of the CIO.
Recommendations
GAO is making one recommendation to the CIO Council to collect and share examples of guidance on cloud SLAs and contract language. GAO is also making 46 recommendations to 18 agencies to develop or update guidance related to OMB's Cloud Smart procurement requirements. Fourteen agencies agreed with all recommendations, one agency did not explicitly agree but provided planned actions, the CIO Council and three agencies neither agreed nor disagreed, and one (Department of Education) disagreed. GAO continues to believe its recommendation to Education is warranted, as discussed in this report.
Recommendations for Executive Action
Agency Affected | Recommendation | Status
---|---|---
Chief Information Officers Council | The CIO Council, working with its chair, the Office of Management and Budget's Deputy Director for Management, should collect and share examples of agency guidance and contract language related to OMB's requirements in the Federal Cloud Computing Strategy on: (1) the four key SLA elements, (2) standardizing SLAs, and (3) ensuring that contracts affecting federal agencies' HVAs, including those managed and operated in the cloud, include requirements that provide agencies with continuous visibility of the asset. (Recommendation 1) | When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Department of Agriculture | The Secretary of Agriculture should ensure that the CIO of Agriculture finalizes its guidance on standardizing cloud SLAs. (Recommendation 2) | When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Department of Agriculture | The Secretary of Agriculture should ensure that the CIO of Agriculture finalizes its guidance to require that contracts affecting the agency's high value assets that are managed and operated in the cloud include language that provides the agency with continuous visibility of the asset. (Recommendation 3) | When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Department of Agriculture | The Secretary of Agriculture should ensure that the CIO of Agriculture updates its existing contracts for high value assets that are managed and operated in the cloud to meet OMB's requirement once guidance from the CIO Council is available on language that provides the agency with continuous visibility of the asset. If modifying the existing contract is not practical, the agency should incorporate language into the contract that will meet OMB's requirement upon option exercise or issuance of a new award. (Recommendation 4) | When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Department of Commerce | The Secretary of Commerce should ensure that the CIO of Commerce finalizes guidance to put a cloud SLA in place with every vendor when a cloud solution is deployed. The guidance should include language that addresses OMB's four required elements for SLAs, including: continuous awareness of the confidentiality, integrity, and availability of its assets; a detailed description of roles and responsibilities; clear performance metrics; and remediation plans for non-compliance. (Recommendation 5) | When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Department of Commerce | The Secretary of Commerce should ensure that the CIO of Commerce finalizes guidance on standardizing cloud SLAs. (Recommendation 6) | When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Department of Education | The Secretary of Education should ensure that the CIO of Education updates guidance to put a cloud SLA in place with every vendor when a cloud solution is deployed. The guidance should include language that addresses OMB's required elements for SLAs, including: remediation plans for non-compliance. (Recommendation 7) | When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Department of Energy | The Secretary of Energy should ensure that the CIO of Energy develops guidance to put a cloud SLA in place with every vendor when a cloud solution is deployed. The guidance should include language that addresses OMB's four required elements for SLAs, including: continuous awareness of the confidentiality, integrity, and availability of its assets; a detailed description of roles and responsibilities; clear performance metrics; and remediation plans for non-compliance. (Recommendation 8) | When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Department of Energy | The Secretary of Energy should ensure that the CIO of Energy develops guidance regarding standardizing cloud SLAs. (Recommendation 9) | When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Department of Energy | The Secretary of Energy should ensure that the CIO of Energy develops guidance to require that contracts affecting the agency's HVAs that are managed and operated in the cloud include language that provides the agency with continuous visibility of the asset. (Recommendation 10) | When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Department of Energy | The Secretary of Energy should ensure that the CIO of Energy updates its existing contracts for HVAs that are managed and operated in the cloud to meet OMB's requirement once guidance from the CIO Council is available on language that provides the agency with continuous visibility of the asset. If modifying the existing contract is not practical, the agency should incorporate language into the contract that will meet OMB's requirement upon option exercise or issuance of a new award. (Recommendation 11) | When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Department of Homeland Security | The Secretary of Homeland Security should ensure that the CIO of DHS updates its guidance to put a cloud SLA in place with every vendor when a cloud solution is deployed. The guidance should include language that addresses OMB's required elements for SLAs, including: remediation plans for non-compliance. (Recommendation 12) | When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Department of Homeland Security | The Secretary of Homeland Security should ensure that the CIO of DHS develops guidance regarding standardizing cloud SLAs. (Recommendation 13) | When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Department of Housing and Urban Development | The Secretary of Housing and Urban Development should ensure that the CIO of HUD develops guidance to put an SLA in place with every vendor when a cloud solution is deployed. The guidance should include language that addresses OMB's four required elements for SLAs, including: continuous awareness of the confidentiality, integrity, and availability of its assets; a detailed description of roles and responsibilities; clear performance metrics; and remediation plans for non-compliance. (Recommendation 14) | When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Department of Housing and Urban Development | The Secretary of Housing and Urban Development should ensure that the CIO of HUD develops guidance regarding standardizing cloud SLAs. (Recommendation 15) | When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Department of Housing and Urban Development | The Secretary of Housing and Urban Development should ensure that the CIO of HUD develops guidance to require that contracts affecting the agency's HVAs that are managed and operated in the cloud include language that provides the agency with continuous visibility of the asset. (Recommendation 16) | When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Department of Housing and Urban Development | The Secretary of Housing and Urban Development should ensure that the CIO of HUD updates its existing contracts for HVAs that are managed and operated in the cloud to meet OMB's requirement once guidance from the CIO Council is available on language that provides the agency with continuous visibility of the asset. If modifying the existing contract is not practical, the agency should incorporate language into the contract that will meet OMB's requirement upon option exercise or issuance of a new award. (Recommendation 17) | When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Department of Justice | The Attorney General of the United States should ensure that the CIO of Justice updates guidance to put an SLA in place with every vendor when a cloud solution is deployed. The guidance should include language that addresses OMB's required elements for SLAs, including: remediation plans for non-compliance. (Recommendation 18) | When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Department of Labor | The Secretary of Labor should ensure that the CIO of Labor develops guidance to put a cloud SLA in place with every vendor when a cloud solution is deployed. The guidance should include language that addresses OMB's four required elements for SLAs, including: continuous awareness of the confidentiality, integrity, and availability of its assets; a detailed description of roles and responsibilities; clear performance metrics; and remediation plans for non-compliance. (Recommendation 19) | When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Department of Labor | The Secretary of Labor should ensure that the CIO of Labor develops guidance regarding standardizing cloud SLAs. (Recommendation 20) | When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Department of Transportation | The Secretary of Transportation should ensure that the CIO of Transportation develops guidance to put a cloud SLA in place with every vendor when a cloud solution is deployed. The guidance should include language that addresses OMB's four required elements for SLAs, including: continuous awareness of the confidentiality, integrity, and availability of its assets; a detailed description of roles and responsibilities; clear performance metrics; and remediation plans for non-compliance. (Recommendation 21) | When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Department of Transportation | The Secretary of Transportation should ensure that the CIO of Transportation updates its guidance regarding standardizing cloud SLAs. (Recommendation 22) | When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Department of Transportation | The Secretary of Transportation should ensure that the CIO of Transportation develops guidance to require that contracts affecting the agency's high value assets that are managed and operated in the cloud include language that provides the agency with continuous visibility of the asset. (Recommendation 23) | When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Department of Transportation | The Secretary of Transportation should ensure that the CIO of Transportation updates its existing contracts for HVAs that are managed and operated in the cloud to meet OMB's requirement once guidance from the CIO Council is available on language that provides the agency with continuous visibility of the asset. If modifying the existing contract is not practical, the agency should incorporate language into the contract that will meet OMB's requirement upon option exercise or issuance of a new award. (Recommendation 24) | When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Department of Veterans Affairs | The Secretary of Veterans Affairs should ensure that the CIO of VA updates guidance to put an SLA in place with every vendor when a cloud solution is deployed. The guidance should include language that addresses OMB's required elements for SLAs, including: continuous awareness of the confidentiality, integrity, and availability of its assets; a detailed description of roles and responsibilities; and clear performance metrics. (Recommendation 25) | When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Department of Veterans Affairs | The Secretary of Veterans Affairs should ensure that the CIO of VA develops guidance regarding standardizing cloud SLAs. (Recommendation 26) | When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Department of Veterans Affairs | The Secretary of Veterans Affairs should ensure that the CIO of VA develops guidance to require that contracts affecting the agency's HVAs that are managed and operated in the cloud include language that provides the agency with continuous visibility of the asset. (Recommendation 27) | When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Department of Veterans Affairs | The Secretary of Veterans Affairs should ensure that the CIO of VA updates its existing contracts for HVAs that are managed and operated in the cloud to meet OMB's requirement once guidance from the CIO Council is available on language that provides the agency with continuous visibility of the asset. If modifying the existing contract is not practical, the agency should incorporate language into the contract that will meet OMB's requirement upon option exercise or issuance of a new award. (Recommendation 28) | When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Environmental Protection Agency | The Administrator of EPA should ensure that the CIO of EPA updates guidance to put a cloud SLA in place with every vendor when a cloud solution is deployed. The guidance should include language that addresses OMB's required elements for SLAs, including: continuous awareness of the confidentiality, integrity, and availability of its assets; a detailed description of roles and responsibilities; and remediation plans for non-compliance. (Recommendation 29) | When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Environmental Protection Agency | The Administrator of EPA should ensure that the CIO of EPA updates guidance regarding standardizing cloud SLAs. (Recommendation 30) | When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
General Services Administration | The Administrator of GSA should ensure that the CIO of GSA updates guidance to put a cloud SLA in place with every vendor when a cloud solution is deployed for the agency. The guidance should include language that addresses OMB's required elements for SLAs, including: remediation plans for non-compliance. (Recommendation 31) | When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
General Services Administration | The Administrator of GSA should ensure that the CIO of GSA develops guidance regarding standardizing cloud SLAs. (Recommendation 32) | When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
National Science Foundation | The Director of the NSF should ensure that the CIO of NSF updates guidance to put a cloud SLA in place with every vendor when a cloud solution is deployed. The guidance should include language that addresses OMB's required elements for SLAs, including: clear performance metrics and remediation plans for non-compliance. (Recommendation 33) | When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
National Science Foundation | The Director of the NSF should ensure that the CIO of NSF develops guidance regarding standardizing cloud SLAs. (Recommendation 34) | When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
National Science Foundation | The Director of the NSF should ensure that the CIO of NSF updates its guidance to require that contracts affecting the agency's high value assets that are managed and operated in the cloud include language that provides the agency with continuous visibility of the asset. (Recommendation 35) | When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
National Science Foundation | The Director of the NSF should ensure that the CIO of NSF updates its existing contracts for high value assets that are managed and operated in the cloud to meet OMB's requirement once guidance from the CIO Council is available on language that provides the agency with continuous visibility of the asset. If modifying the existing contract is not practical, the agency should incorporate language into the contract that will meet OMB's requirement upon option exercise or issuance of a new award. (Recommendation 36) | When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Nuclear Regulatory Commission | The Chairman of NRC should ensure that the CIO of NRC develops guidance to put a cloud SLA in place with every vendor when a cloud solution is deployed. The guidance should include language that addresses OMB's four required elements for SLAs, including: continuous awareness of the confidentiality, integrity, and availability of its assets; a detailed description of roles and responsibilities; clear performance metrics; and remediation plans for non-compliance. (Recommendation 37) | When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Nuclear Regulatory Commission | The Chairman of NRC should ensure that the CIO of NRC develops guidance regarding standardizing cloud SLAs. (Recommendation 38) | When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Nuclear Regulatory Commission | The Chairman of NRC should ensure that the CIO of NRC develops guidance to require that contracts affecting the agency's HVAs that are managed and operated in the cloud include language that provides the agency with continuous visibility of the asset. (Recommendation 39) | When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Nuclear Regulatory Commission | The Chairman of NRC should ensure that the CIO of NRC updates its existing contracts for HVAs that are managed and operated in the cloud to meet OMB's requirement once guidance from the CIO Council is available on language that provides the agency with continuous visibility of the asset. If modifying the existing contract is not practical, the agency should incorporate language into the contract that will meet OMB's requirement upon option exercise or issuance of a new award. (Recommendation 40) | When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Office of Personnel Management | The Director of OPM should ensure that the CIO of OPM updates guidance to put a cloud SLA in place with every vendor when a cloud solution is deployed. The guidance should include language that addresses OMB's required element for SLAs: remediation plans for non-compliance. (Recommendation 41) | When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Small Business Administration | The Administrator of SBA should ensure that the CIO of SBA develops guidance that requires a periodic review of the agency's policies related to cloud services, including any technical guidance and business requirements, to determine if improvements should be made. (Recommendation 42) | When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Small Business Administration | The Administrator of SBA should ensure that the CIO of SBA develops guidance to put a cloud SLA in place with every vendor when a cloud solution is deployed. The guidance should include language that addresses OMB's four required elements for SLAs, including: continuous awareness of the confidentiality, integrity, and availability of its assets; a detailed description of roles and responsibilities; clear performance metrics; and remediation plans for non-compliance. (Recommendation 43) | When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Small Business Administration | The Administrator of SBA should ensure that the CIO of SBA develops guidance regarding standardizing cloud SLAs. (Recommendation 44) | When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Social Security Administration | The Commissioner of SSA should ensure that the CIO of SSA updates guidance to put a cloud SLA in place with every vendor when a cloud solution is deployed. The guidance should include language that addresses OMB's required elements for SLAs, including: clear performance metrics and remediation plans for non-compliance. (Recommendation 45) | When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
U.S. Agency for International Development | The Administrator of USAID should ensure that the CIO of USAID updates guidance to put a cloud SLA in place with every vendor when a cloud solution is deployed. The guidance should include language that addresses OMB's required elements for SLAs, including: remediation plans for non-compliance. (Recommendation 46) | When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
U.S. Agency for International Development | The Administrator of USAID should ensure that the CIO of USAID develops guidance regarding standardizing cloud SLAs. (Recommendation 47) | When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.