The Government Accountability Office has released a report regarding a review it conducted about the effects of restrictive software licensing and vendor practices on federal agencies working to migrate their data and software to the cloud.
Table of Contents
Scope of the GAO Review
The review covered six agencies, namely the Departments of Justice, Transportation and Veterans Affairs; NASA; the Social Security Administration; and the Office of Personnel Management. The agencies were randomly selected.
The review process involved interviewing IT and acquisition officials from the agencies. The process also looked into 11 cloud investments within those agencies and relevant policies and documentation concerning the management of restrictive licensing practices.
Impacts of Restrictive Vendor Practices
According to the report, all the agencies, with the exception of OPM, were impacted by restrictive vendor practices. The negative practices described by the agencies include vendors requiring the repurchase of the same licenses to allow for their use in the cloud; the charging of various additional fees, including for the use of a vendor’s software on a competitor’s cloud service; and encouraging ways of using software, data or cloud services that effectively promoted vendor lock-in.
These practices were found to result in increased costs or limited cloud service or architecture choices.
Shortcomings of the Agencies
The report noted, however, that the agencies inconsistently implemented two key industry activities meant to manage the impacts of restrictive vendor practices. The first activity involves identifying and analyzing the possible impacts of such practices while the second activity involves developing plans to mitigate the impacts. The agencies either partially implemented the activities or failed to demonstrate that either activity was fully implemented.
The report attributes these shortcomings to the agencies’ failure to fully assign the responsibility of identifying and managing restrictive practices, which the agencies did not consider to be a priority in the first place.
GAO called on the agencies to not only assign someone to be responsible for managing the impacts of restrictive vendor practices but also update and implement relevant guidance, particularly when it comes to the effects on cloud computing efforts.