DOD Software Licenses: Better Guidance and Plans Needed to Ensure Restrictive Practices Are Mitigated
Fast Facts
Cloud computing offers on-demand access to shared IT resources like networks, servers, and databases.
Federal agencies like DOD must move their data and software to the cloud when possible. But software licenses and restrictive vendor practices can limit or prevent such efforts. For example, some vendors charge extra fees to use their software with third-party cloud providers. DOD officials said that restrictive practices generally affected the cost of cloud services and their choice of cloud providers.
We recommended that DOD update guidance and implement plans to lessen the effects that restrictions have on moving software to the cloud.
Highlights
What GAO Found
Officials from all three selected Department of Defense (DOD) components and two of the six selected investments described restrictive software license practices that impacted their cloud computing efforts. Officials from the selected components and investments stated that restrictive practices generally impacted the (1) cost of cloud computing, (2) choice of cloud service providers, and (3) other related impacts. The table provides examples of each of these types of impacts.
Examples of Reported Restrictive Software License Practices by Selected Department of Defense (DOD) Components and Investments
Impact type |
Impact description |
---|---|
Cost of cloud computing
|
Infrastructure costs increased because vendors required additional fees to use their software with third party cloud service providers. |
Licensing costs increased because a vendor bundled frequently used software with other software, making it available only at the bundled price. |
|
Choice of cloud provider
|
A vendor limited its use to only selected commercial cloud service providers. |
A vendor required a specified cloud service provider. |
|
Other
|
Vendors required interoperability with a previous version of a different vendor's software, but that vendor does not allow customers to use the previous version unless they are using its cloud service platform. |
A vendor may not help sustain a certain product if a customer is not using the specified cloud service provider. |
Source: GAO analysis of data reported by selected Department of Defense components and investments. | GAO-23-106290
Four of the six selected investments did not identify impacts from restrictive software licensing practices. According to officials, they may not have had impacts because these investments were configured to deploy software within the cloud instead of transferring software to the cloud.
Key industry activities for managing the risk of impacts from restrictive practices include (1) identifying and analyzing impacts and (2) mitigating those impacts. However, the six selected investments GAO reviewed did not consistently address these key activities. Specifically, two investments identified an impact but did not analyze or develop plans for mitigating it, while four other investments did not address identifying, analyzing, or mitigating. The lack of relevant guidance allowed these shortfalls to occur. DOD's guidance and plans do not fully address identifying and analyzing the impacts of restrictive practices. Moreover, DOD's plans and guidance do not address mitigating impacts of restrictive practices. Until DOD updates and implements guidance and plans for managing the impacts of restrictive software licensing practices, the department will not be well-positioned to identify and analyze the impact of such practices or to mitigate the risks.
Why GAO Did This Study
Cloud computing enables on-demand access to shared computing resources. As DOD implements IT projects and migrates systems to the cloud, it may encounter restrictive software license practices. These practices include enterprise agreements or vendor processes that limit, impede, or prevent agencies' efforts to use software in cloud or multi-cloud computing.
The House report accompanying the James M. Inhofe National Defense Authorization Act for Fiscal Year 2023 includes a provision for GAO to review the impact that restrictive software licensing practices could have on DOD cloud computing. The objectives of this review were to (1) describe how restrictive enterprise software licensing practices impact DOD cloud computing services and (2) evaluate the extent to which DOD is mitigating the potential impact of restrictive software licensing practices.
GAO selected three DOD components (the Army, Air Force, and Navy) with the largest cloud budget requests for fiscal year 2023 and interviewed IT and acquisition officials from these components to describe the impacts of restrictive software licensing practices. GAO also selected six investments based on several factors, including IT budget size, and compared DOD documentation to key activities for mitigation identified by industry.
Recommendations
GAO is making one recommendation to DOD to fully address identifying, analyzing, and mitigating the impacts of restrictive software licensing practices. The department concurred with the recommendation.
Recommendations for Executive Action
Agency Affected | Recommendation | Status |
---|---|---|
Department of Defense | The Secretary of Defense should direct the DOD CIO, in coordination with ESI, to update and implement guidance and plans to fully address identifying, analyzing, and mitigating the impacts of restrictive software licensing practices on cloud computing efforts. (Recommendation 1) |
The Department of Defense (DOD) concurred with this recommendation. As of November 2023, DOD has not yet implemented guidance and plans to fully address identifying, analyzing, and mitigating the impacts of restrictive software licensing practices on cloud computing efforts. DOD officials stated that the Office of the Chief Information Officer plans to issue guidance, including a clear restrictive software licenses definition and addressing remaining gaps identified in this report, by the end of fiscal year 2024. We will continue to monitor the department's efforts to fully implement this recommendation.
|