The Government Accountability Office (GAO) reports that the US Department of Defense (DoD) has failed to keep cloud costs in check due to poor practices and a lack of guidelines.
The GAO did not cite specific over-spending but shared that the DoD's cloud spending has increased significantly. In 2021, it was $1.4 billion, while in 2023 that budget has increased to $2bn.
The report states that the DoD failed to take steps upon identifying issues with restrictive cloud licensing agreements, beyond acknowledging that they are restrictive.
"DoD's policy and guidance documents addressed identifying impacts related to restrictive software licensing practices during the acquisition process," the GAO said.
But, according to the GAO, there was no attempt to analyze the impacts of those licenses. The report goes on to say: "DoD's plans also did not require components to mitigate impacts of restrictive software licensing practices."
Those limitations include factors such as cloud vendors charging extra fees to use their software with third-party cloud providers, providers offering software only in "bundles," meaning that the DoD was paying for some software it wasn't going to use, and vendors requiring interoperability with a previous version of a different vendors software which is not compatible unless using their cloud platform.
To analyze the department's cloud spending, the GAO looked into six cloud investments. Of those six, four did not even "identify impacts from restrictive software licensing," and while the remaining two did note some restrictions, they did nothing to mitigate them.
The GAO summed up the problem as follows: "The lack of relevant guidance allowed these shortfalls to occur. DoD's guidance and plans do not fully address identifying and analyzing the impacts of restrictive practices.
"Moreover, DoD's plans and guidance do not address mitigating impacts of restrictive practices. Until DoD updates and implements guidance and plans for managing the impacts of restrictive software licensing practices, the department will not be well-positioned to identify and analyze the impact of such practices or to mitigate the risks.
The GAO recommends that the DoD "fully address" this.