VETERANS AFFAIRS
Actions Needed to Address Software License Challenges
Statement of Carol C. Harris, Director, Information Technology and Cybersecurity
Before the Subcommittee on Technology Modernization, Committee on Veterans’ Affairs, House of Representatives
For Release on Delivery Expected at 3:00 p.m. ET
United States Government Accountability Office
For more information, contact Carol C. Harris at harriscc@gao.gov.
Highlights of GAO-25-108475, a testimony before the Subcommittee on Technology Modernization, Committee on Veterans' Affairs, House of Representatives
Actions Needed to Address Software License Challenges
Why GAO Did This Study
VA depends on critical underlying IT systems to manage benefits and provide care to millions of veterans and their families. VA obligated about $21 billion in fiscal years 2022 through 2024 for a range of IT products, systems, and services.
In 2015, GAO identified the management of software licenses as a focus area in its High-Risk report. GAO has also previously reported on the need for federal agencies—including VA—to ensure better management of software licenses.
GAO was asked to testify on VA’s software licensing practices. GAO summarized its government-wide January 2024 and November 2024 reports specific to VA’s efforts to track software license usage and manage restrictive licensing practices. GAO also compiled information from its past reports on leading software license management practices and summarized VA’s actions in response to recommendations made in those reports.
What GAO Recommends
GAO made four recommendations in its two recent 2024 reports for VA to improve its management of software licenses and mitigate the effects of restrictive software licensing practices. Although VA concurred with the recommendations, it has not yet implemented them. Implementation of the recommendations is essential to minimizing costs and mitigating restrictive licensing impacts.
What GAO Found
The Department of Veterans Affairs (VA) spends billions of dollars annually for IT and cyber-related investments, including commercial software licenses. In a January 2024 government-wide report, GAO noted that while VA identified its five most widely used software vendors with the highest quantity of licenses installed, VA faced challenges in determining whether it was purchasing too many or too few of these software licenses. Specifically, VA was not tracking the appropriate number of licenses for each item of software currently in use. Additionally, the department did not compare inventories of software licenses that were currently in use to purchase records on a regular basis (see table).
GAO January 2024 Report Assessing the Department of Veterans Affairs’ Management of Widely Used Software Licenses
|
Key Activity |
Assessment |
|
Track software licenses that are currently in use |
Not met |
|
Regularly compare the inventories of software licenses that are currently in use to purchase records |
Not met |
Source: GAO analysis of agency data. I GAO-25-108475
Until VA adequately assesses the appropriate number of licenses, it cannot determine whether it is purchasing too many licenses or too few. GAO recommended that VA track licenses in use within its inventories and compare them with purchase records. VA concurred with the recommendations and is taking preliminary actions to track software license usage. Implementation of these recommendations would allow VA to identify opportunities to reduce costs on duplicate or unnecessary licenses.
In a November 2024 government-wide report, GAO found that restrictive software licensing practices adversely impacted federal agencies’ cloud computing efforts, including those of VA. These practices either increased costs of cloud software or services or limited VA’s options when selecting cloud service providers. VA had not established guidance for effectively managing impacts from restrictive practices for cloud computing or determined who is responsible for managing these impacts.
Until VA establishes guidance and assigns responsibility for mitigating the impacts of restrictive software licensing practices, it will likely miss opportunities to avoid or minimize these impacts. GAO made two recommendations to VA to mitigate the impacts of restrictive software licensing practices. VA concurred with the recommendations and stated that it would provide the actions it plans to take to address both recommendations in its update to the final report.
Chairman Barrett, Ranking Member Budzinski, and Members of the Subcommittee:
Thank you for the opportunity to discuss our prior work on the Department of Veterans Affairs (VA) management of software licenses. As you know, VA depends on its IT systems to manage benefits and provide care to millions of veterans and their families.
The department spends billions of dollars annually on its IT and cyber-related investments, including for purchases of commercial software licenses.[1] According to the Federal Procurement Data System (FPDS), VA has obligated approximately $21 billion on contracts to procure a range of IT products, systems, and services between fiscal years 2022 and 2024.[2] For fiscal year 2025, the department plans to spend about $985 million on software including commercial software licenses.
Effective management of commercial software licenses can help organizations avoid purchasing too many licenses that result in unused software (which we refer to as over-purchasing). In addition, effective management can help avoid purchasing too few licenses (which we refer to as under-purchasing), which may result in noncompliance with license terms and cause the imposition of additional fees.
As early as 2014, we reported on the need for agencies—including VA— to ensure better management of software licenses. We noted that, to maximize the value of these investments, agencies should effectively manage them by, among other things, regularly (1) tracking and maintaining a comprehensive inventory of software licenses, and (2) analyzing agencywide software license data.[3]
We also first identified IT acquisitions and operations as a high-risk area in our 2015 High-Risk report.[4] In that report, we identified the management of software licenses as a focus area, in part, because of the potential for cost savings. Since 2014, agencies have reported about $4.6 billion in cost savings related to better management of software licenses.
In this statement, I will summarize the results of our two prior reports that include details on VA’s software licensing practices.[5] In developing this testimony, we summarized these two 2024 government-wide reports[6] that included VA’s efforts to determine the appropriate number of licenses for its five software vendors[7] with the highest quantity of licenses installed[8] and the impacts of restrictive software licensing practices.[9] We also compiled information from our past reports on leading software license management practices. Detailed information on the objectives, scope, and methodology of this work can be found in each issued report. For this statement, we also reviewed VA documentation related to the status of efforts to implement our recommendations since the two reports were issued.
We conducted the work on which this statement is based in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.
Background
Software licenses specify the government’s legal rights to use software in accordance with terms and provisions agreed to by the software copyright owner.[10] Rights to use software are separate from the legal rights to the software itself, which are normally kept by the software manufacturer or other third party. Licenses may be purchased and are normally required whenever externally acquired software is used, which will typically be when the software is installed on a computer (or when executed on a computer even if installed elsewhere, such as on a server). Licenses may be purchased in bundle packages, which are multiple software products offered under a single license agreement. They may also be defined in enterprise terms, such as number of workstations or employees, in which case a license is required for each qualifying unit or individual regardless of actual usage.
Many software products are commercial-off-the-shelf, meaning the software is sold in substantial quantities in the commercial marketplace. Commercial software typically includes fees for initial and continued use of licenses. These fees may include, as part of the license terms, access to product support and/or other services, including upgrades.
License models and definitions may differ significantly depending on the software product and vendor. For example, the basic types of licenses vary by duration and measure of usage.
Duration
· Perpetual licenses: use rights are permanent once purchased.
· Subscription or rental licenses: are used for a specific period of time, which can vary from days to years and may or may not include upgrade rights.
· Term licenses: are used for a limited period of time and are not owned in perpetuity.
Measure of Use
· Per copy, by workstation/seat/device, name used: Historically most licenses sold have been on a per-copy-used basis, with several different units of measure possible. Sometimes multiple users will be allowed per license.
· Concurrent usage: This type of license allows agencies to permit a specified number of users to connect simultaneously to a software application.
· Per server speed or per processor: These licenses are linked to the speed or power of the server on which they run, or the number of processors.
· Enterprise or site: These licenses are sold on an enterprise or site basis.
· Other complexities: Other, more complex situations related to usage also exist with regard to licensing and the use of techniques such as cloud computing.[11] For example, software can be used as part of different cloud service models (e.g., software as a service, platform as a service, and infrastructure as a service).[12]
We have previously reported that software license management is intended to manage, control, and protect an organization’s software assets, including management of the risks arising from the use of those assets.[13] Proper management of software licenses helps to minimize risks by ensuring that licenses are used in compliance with licensing agreements and deployed in a cost-effective manner. It also ensures that software purchase and maintenance expenses are properly controlled.
Federal Laws and Guidance and GAO’s Leading Practices Call for Agencies to Manage Software Licenses
In December 2014, Congress enacted IT acquisition reform legislation (commonly referred to as the Federal Information Technology Acquisition Reform Act or FITARA) as part of the Carl Levin and Howard P. ‘Buck’ McKeon National Defense Authorization Act for Fiscal Year 2015.[14] FITARA provides a mechanism for Congress to monitor covered agencies’ increased efficiency and effectiveness of IT investments, as well as holding agencies accountable for reducing duplication and achieving cost savings.[15] FITARA contained specific requirements related to seven areas, including expanding government-wide software licensing that is available for use by agencies.[16]
Additionally, the Making Electronic Government Accountable by Yielding Tangible Efficiencies (MEGABYTE) Act of 2016 further enhanced management of software licenses by requiring agency CIOs to establish an agency software licensing policy and a comprehensive software inventory to track and maintain licenses, among other requirements.[17]
In June 2016, OMB issued a memorandum that provided software license management guidance to federal agencies.[18] Specifically, the guidance required, among other things, that agencies:
· move to a more centralized and collaborative software management approach that includes appointing a software manager to be responsible for managing software licenses;
· maintain an agencywide inventory of software licenses; and
· analyze inventory data to ensure compliance with software license agreements, consolidate redundant applications, and identify other cost-saving opportunities.
We have previously identified leading practices that federal agencies can follow for managing their software licenses. Table 1 describes these practices.
|
Leading practice |
Description |
|
Centralize management of software licenses |
Employ a centralized software license management approach that is coordinated and integrated with key personnel (e.g., the acquisition and IT management personnel responsible for software purchases and decisions). Such an approach allows for centralized recordkeeping of software licensing details including the terms of the licenses. Further, agencies should centralize the governance and oversight of specific enterprise and commercial software licenses consistent with agency policy (e.g., software licenses reflective of the majority [80 percent] of agency software license spending and/or agency enterprise licenses) in order to make department-wide decisions. |
|
Establish a comprehensive inventory of software licenses |
Establish a comprehensive inventory of the software licenses consistent with agency policy (e.g., an inventory representative of the majority [80 percent] of the agency’s software license spending and/or enterprise licenses). This inventory should incorporate automated discovery and inventory tools that provide easy search and access to software license information (e.g., contract terms and agreement records). Such a repository allows managers to monitor performance (e.g., how many employees are using software compared to the amount of software purchased) and conduct analysis reporting needed for management decision-making. A comprehensive inventory will better ensure compliance with software license agreements and allow for agencywide visibility that consolidates redundant applications and identification of other cost-saving opportunities. |
|
Regularly track and maintain comprehensive inventories of software licenses using automated discovery and inventory tools and metrics |
Regularly track and maintain comprehensive inventories of software licenses using automated discovery and inventory tools and metrics (e.g., metrics related to employee usage and number of licenses purchased) to ensure that the agency has the appropriate number of licenses for each item of software in use. Agencies should track inventories and compare software licenses purchased with licenses installed regularly (e.g., at least annually) and consistent with their policies. |
|
Analyze the software license data to inform investment decisions and identify opportunities to reduce costs |
Make decisions about software license investments that are informed by an analysis of department-wide software license data (e.g., costs, benefits, usage, and trending data). Such an analysis helps agencies make cost-effective decisions, including decisions about what users need. |
|
Provide appropriate agency personnel with sufficient software license management training |
Provide appropriate agency personnel (e.g., legal, acquisition, technical, and user) with sufficient training on managing software licenses, including training on contract terms and conditions, negotiations, laws and regulations, acquisition, security planning, and configuration management. Sufficient training allows organizations to develop the skills and knowledge of employees so they can perform their roles effectively and efficiently. |
Source: GAO‑14‑413 I GAO‑25‑108475
VA Has Previously Faced Challenges in its Efforts to Manage Software Licenses
In May 2014, we reported on federal agencies’ management of software licenses and stressed that better management was needed to achieve significant savings government-wide.[19]
Regarding VA, we noted that the department did not have comprehensive policies that included establishing clear roles and central oversight authority for managing enterprise software license agreements, among other things. We also noted that it had not established a comprehensive software license inventory, a leading practice that would help the department to adequately manage its software licenses.
The inadequate implementation of these and other leading practices in software license management was partially due to weaknesses in the department’s licensing management policies. We therefore made six recommendations to VA to improve its policies and practices for managing licenses. For example, we recommended that the department regularly track and maintain a comprehensive inventory of software licenses and analyze the inventory to identify opportunities to reduce costs and better inform investment decision-making.
Since our 2014 report, VA has taken actions to implement all six recommendations. Among these actions, the department created a solution to generate and maintain a comprehensive inventory of software licenses using automated tools for the majority of agency software license spending and/or enterprise-wide licenses. Additionally, the department implemented a solution to analyze agencywide software license data, including usage and costs; it subsequently identified approximately $65 million in cost savings over 3 years from analyzing one of its software licenses.
VA’s Role for Managing IT and Fiscal Year 2025 Budget Request
Since 2007, VA has operated a centralized organization, the Office of Information and Technology, which performs most key functions intended for effective IT management. This office is led by the Assistant Secretary for Information and Technology, also known as VA’s Chief Information Officer (CIO). It is responsible for providing strategy and technical direction, guidance, and policy related to how IT resources are to be acquired and managed for the department. It also is responsible for working with its business partners—such as the Veterans Health Administration—to identify and prioritize business needs and requirements for IT systems. Further, the Office of Information and Technology is responsible for managing the majority of VA’s IT-related functions including the purchase of software licenses.
VA’s budget request for fiscal year 2025 was about $6.2 billion in total for the Office of Information and Technology, which included over $4.5 billion for operations and maintenance, nearly $1.7 billion for staffing and administrative support, and about $960,000 for new development.[20] The 2025 budget request included several key areas related to software licenses:
· $476.7 million for end user software;[21]
· $47.5 million for the IT Enterprise Agreement platform investment;[22] and
· $17.5 million for the Office of Strategic Sourcing software maintenance.[23]
Recent GAO Reports Highlighted VA’s Challenges with Managing Software Licenses and Restrictive Practices
In January 2024, we reported that agencies faced challenges managing licensing agreements and that certain agencies—including VA—did not address the two key activities that can assist agencies’ software license management efforts and enable them to assess whether they purchased the appropriate number of software licenses. Accordingly, we made two recommendations to VA to consistently assess the appropriate number of software licenses for its most widely used software licenses. In addition, in November 2024, we reported that restrictive software licensing practices adversely impacted federal agencies’ cloud computing efforts—including VA—and that the department had not established guidance for effectively managing impacts from restrictive practices for cloud computing. We therefore made two recommendations to VA to mitigate the impacts of restrictive software licensing practices.
VA Did Not Determine Over- or Under-Purchasing of Widely Used Software Licenses
As previously noted, our prior 2014 report and OMB guidance identify leading practices for effectively managing software licenses.[24] These leading practices include two key activities that can assist agencies’ software license management efforts and result in assessing the appropriate number of software licenses:
· tracking software licenses that are currently in use; and
· regularly comparing the inventories of software licenses that are currently in use to purchase records to determine if licenses have been over- or under-purchased.
As noted earlier in this statement, VA has implemented our six prior recommendations to improve its software license management practices. However, our recent report highlighted current challenges the department faces in assessing its software licenses.[25] In alignment with the key activities described above, sound software license management includes a regular reconciliation review by agencies to ensure they have the appropriate number of licenses for each item of software in use. Vendors also perform reviews to assess the number of licenses in use to ensure that the legal agreements associated with procured software licenses are adhered to and that organizations avoid purchasing unnecessary licenses. These reviews are called true-up and true-down. The more common true-up review compares the current software deployment to the software purchase data to revalidate and reconcile software utilization with historical software procurement data and terms and conditions. On the other hand, the true-down review determines if fewer licenses are required. These reviews generally occur prior to software license renewals or exercising of options under a software license agreement.
While VA reported its five most widely used software vendors with the highest quantity of licenses installed[26], as of July 31, 2022,[27] VA did not track software licenses that are currently in use for all five of these software licenses. For the five most widely used licenses, the agency provided screenshots of count data by product, but it did not provide documentation tracking the appropriate number of licenses for each item of software currently in use.
In addition, the agency did not compare the inventories of software licenses that are currently in use to purchase records on a regular basis. Specifically, it did not analyze usage of its five most widely used software licenses per its defined process. For example, VA officials stated that the department had established varying processes with each vendor to analyze usage and purchasing of its most widely used software licenses. VA also stated that in fiscal year 2022, the agency reviewed its licenses and reported an increase of 10,000 licenses at a cost of $678,610.40 for one of its most widely used licenses, HCL Technologies. However, VA did not provide documentation as evidence of these analyses.
VA officials stated that they had not developed and implemented procedures for tracking software licenses in use and comparing inventories of these software licenses with known purchases. Officials provided various reasons, including that in most software contracts, the Office of Information and Technology has a contract line item to allow for purchasing of additional licenses on an as needed basis. Additionally, officials stated that the Office of Information and Technology utilizes the features within software products to track licenses and monitors the historical data and trends to determine if usage is increasing or decreasing. However, VA did not demonstrate how it utilizes these tools to compare software licenses purchased with licenses currently in use for any of its five most widely used licenses on a regular basis.
As a result, in our January 2024 report, we made two recommendations to VA to consistently track software license usage and compare its inventories with purchased licenses. At a minimum, VA should develop and implement procedures for tracking license usage and comparing the inventories of licenses in use to purchase records. VA concurred with our recommendations, but it has not yet implemented them.
As of February 2025, VA reported it had implemented new procedures for 12 of the top 15 widely used software licenses and will implement a centralized software approach to ensure software is tracked throughout its entire lifecycle by June 30, 2025. However, it is unclear why VA selected these 12 licenses or whether these licenses are part of the five most widely used licenses VA reported during our review. Additionally, it has yet to demonstrate that it has developed and implemented procedures to track license usage and compare the number of licenses in use with the number of licenses purchased, in line with this recommendation. We will continue to monitor VA’s actions to fully implement these recommendations.
Until VA consistently tracks software licenses and compares its inventories to known purchases for each of its five most widely used software licenses, it will not be able to readily determine whether its software licenses were over- or under-purchased. As a result, the department is likely to miss opportunities to reduce costs on duplicative or unnecessary software licenses. If implemented, the potential savings could be significant. The agency has previously reported that it had realized approximately $65 million in cost savings over 3 years due to analyzing just one of its software licenses. Additionally, by developing and implementing procedures that define the steps to be taken to determine over- and under-purchasing, VA can better ensure it is consistently reviewing usage of what it purchased to optimize costs. As a result, VA would be better positioned to negotiate with vendors regarding user needs when analyzing the purchasing of licenses.
VA Is Not Effectively Managing the Impacts of Restrictive Software Licensing Practices
In our November 2024 government-wide review, we reported on the impacts of restrictive software licensing on VA.[28] Cloud computing can often provide access to IT resources through the internet faster and for less money than owning and maintaining such resources. However, as agencies implement IT and migrate systems to the cloud, they may encounter restrictive software licensing practices. Restrictive software licensing practices include vendor processes that limit, impede, or prevent agencies’ efforts to use software in cloud computing.
Effectively managing software licenses for cloud computing involves, among other things, applying industry best practices for acquisition and risk management.[29] Key activities for managing impacts of restrictive software licensing practices for cloud computing include (1) identifying and analyzing impacts of restrictive practices during the acquisition process and for established IT investments or projects, and (2) developing plans for mitigating adverse impacts.[30]
Our government-wide review of federal agencies—including VA—found that restrictive software licensing practices adversely impacted VA’s cloud computing efforts. According to VA officials, the restrictive practices that they encountered included, among other things, a vendor
· requiring the agency to pay additional fees to use the vendor’s software on infrastructure provided by other cloud service providers;
· charging more for (e.g., a conversion fee) or requiring the agency to repurchase the existing software licenses that the agency had been using in its on-premise systems for use in the cloud;
· requiring or promoting vendor lock-in via the cloud service provider’s terms and conditions or acquisition practices; and
· lacking accurate or sufficiently detailed cost data to support agency planning for moving on-premise licenses to the cloud.
Officials reported that the restrictive practices generally impacted the (1) cost of cloud computing and (2) choice of cloud service provider or cloud architecture.
VA did not establish guidance for effectively managing impacts from restrictive practices for cloud computing. Officials stated that they would manage restrictive practices as risks, but the department did not provide supporting documentation demonstrating that such practices are to be managed as risks. Officials also stated that VA’s existing IT and acquisition management policies and procedures could be used to help identify and manage restrictive practices and their potential impacts. However, the agency was not able to identify parts of these policies and procedures that specifically addressed identifying, analyzing, and mitigating impacts from such practices.
Further, VA had not assigned responsibility for managing such practices. Specifically, officials reported they had encountered restrictive licensing practices, but that managing impacts from such practices was either the responsibility of the agency CIO or was a shared responsibility among multiple offices that manage IT and acquisitions or provide legal counsel. However, VA had not specifically assigned or documented this responsibility. As such, it was unclear who was accountable for ensuring the consistent implementation of the two key activities for managing restrictive practices.
Additionally, according to officials, they had not focused on how to address restrictive licensing practices because, as of July 2024, VA had not encountered many instances of such practices. The officials also stated that the impacts from such practices had not been a significant issue impacting their cloud computing services. As such, the officials stated that they either did not consider it necessary or did not consider it a priority to develop or update agency guidance to specifically address the management of such practices and their impacts. However, until VA focuses on managing restrictive practices, the full extent of impacts from such practices on the department will remain unknown.
Without implementing comprehensive guidance for managing the impacts of restrictive software licensing practices, VA is not well positioned to identify and analyze the impact of such practices or to mitigate any risks they present in an efficient and effective manner. In addition, without consistently implementing the two key activities for managing restrictive licensing practices, VA will likely miss opportunities to take action to avoid or minimize the impacts.
Accordingly, we made two recommendations to VA to (1) update and implement guidance to fully address identifying, analyzing, and mitigating the impacts of restrictive software licensing practices; and (2) assign and document responsibility for identifying and managing such practices across the department. VA concurred with our recommendations and stated that it would provide the actions it plans to take to address both recommendations in its update to the November 2024 final report.
In conclusion, fully assessing software licenses and effectively managing impacts from restrictive licensing practices at VA is an issue of vital importance. It presents VA with opportunities to reduce costs on duplicate or unnecessary licenses and take action to mitigate the impact of restrictive practices.
We have made four recommendations to VA in the reports summarized in this testimony. As of today, VA has not implemented them. If the department continues to experience the challenges we have previously identified and does not take actions to address our recommendations, it may jeopardize its ability to effectively manage its software licenses that provide critical services to veterans.
Chairman Barrett, Ranking Member Budzinski, and Members of the Subcommittee, this concludes my prepared statement. I would be happy to answer any questions that you may have at this time.
GAO Contact and Staff Acknowledgments
If you or your staff have any questions about this testimony, please contact Carol C. Harris at harriscc@gao.gov. Contact points for our Offices of Congressional Relations and Public Affairs may be found on the last page of this statement.
GAO staff who made key contributions to this testimony include Niti Tandon (Assistant Director), Jacqueline Mai (Analyst-in-Charge), Amanda Andrade, Robert Bullock, Jess Lionne, Andrew Stavisky, Adam Vodraska, and Merry Woo.
This is a work of the U.S. government and is not subject to copyright protection in the United States. The published product may be reproduced and distributed in its entirety without further permission from GAO. However, because this work may contain copyrighted images or other material, permission from the copyright holder may be necessary if you wish to reproduce this material separately.
The Government Accountability Office, the audit, evaluation, and investigative arm of Congress, exists to support Congress in meeting its constitutional responsibilities and to help improve the performance and accountability of the federal government for the American people. GAO examines the use of public funds; evaluates federal programs and policies; and provides analyses, recommendations, and other assistance to help Congress make informed oversight, policy, and funding decisions. GAO’s commitment to good government is reflected in its core values of accountability, integrity, and reliability.
Obtaining Copies of GAO Reports and Testimony
The fastest and easiest way to obtain copies of GAO documents at no cost is through our website. Each weekday afternoon, GAO posts on its website newly released reports, testimony, and correspondence. You can also subscribe to GAO’s email updates to receive notification of newly posted products.
Order by Phone
The price of each GAO publication reflects GAO’s actual cost of production and distribution and depends on the number of pages in the publication and whether the publication is printed in color or black and white. Pricing and ordering information is posted on GAO’s website, https://www.gao.gov/ordering.htm.
Place orders by calling (202) 512-6000, toll free (866) 801-7077,
or
TDD (202) 512-2537.
Orders may be paid for using American Express, Discover Card, MasterCard, Visa, check, or money order. Call for additional information.
Connect with GAO
Connect with GAO on X,
LinkedIn, Instagram, and YouTube.
Subscribe to our Email Updates. Listen to our Podcasts.
Visit GAO on the web at https://www.gao.gov.
To Report Fraud, Waste, and Abuse in Federal Programs
Contact FraudNet:
Website: https://www.gao.gov/about/what-gao-does/fraudnet
Automated answering system: (800) 424-5454
Media Relations
Sarah Kaczmarek, Managing Director, Media@gao.gov
Congressional Relations
A. Nicole Clowers, Managing Director, CongRel@gao.gov
General Inquiries
[1]Commercial software is software that is ready-made and commercially available to the public. According to the Federal Acquisition Regulation (FAR) and the Defense Federal Acquisition Regulation Supplement (DFARS), software licenses specify the government’s legal rights to use software in accordance with terms and provisions agreed to by the software copyright owner. FAR § 52.227-19(a) and DFARS § 227.7202-3(a).
[2]FPDS is the federal government’s central database of information on federal procurement actions. Agencies are generally required to report contract actions to FPDS. See 41 U.S.C. § 1122(a)(4), 1712(d)(2). See also, Federal Funding Accountability and Transparency Act of 2006, Pub. L. No. 109-282, 120 Stat. 1186 (Sept. 26, 2006) 31 U.S.C. § 6101 note. According to the August 2024 FPDS Government User’s Manual, FPDS can identify who bought what, from whom, for how much, when, and where.
[3]GAO, Federal Software Licenses: Better Management Needed to Achieve Significant Savings Government-Wide, GAO‑14‑413 (Washington, D.C.: May 22, 2014).
[4]GAO, High-Risk Series: An Update, GAO‑15‑290 (Washington, D.C.: Feb. 11, 2015).
[5]GAO, Federal Software Licenses: Agencies Need to Take Action to Achieve Additional Savings, GAO‑24‑105717 (Washington, D.C.: Jan. 29, 2024) and Cloud Computing: Selected Agencies Need to Implement Updated Guidance for Managing Restrictive Licenses, GAO‑25‑107114 (Washington, D.C.: Nov. 13, 2024).
[7]For the purposes of this statement, we use the term vendor to also include original equipment manufacturers and publishers.
[8]Installed licenses are software licenses deployed for use on department or agency owned or controlled computers. For purposes of this report, we used the terms “installed” and “deployed” interchangeably.
[9]We defined restrictive software licensing practices as any software licensing agreements or vendor processes that limit, impede, or prevent agency efforts to use software in cloud computing.
[10]See, for example, FAR § 52.227-19(a) and DFARS § 227.7202-3(a). Note that while the DFARS does not itself apply to VA, its language about commercial software is instructive here.
[11]According to the National Institute of Standards and Technology (NIST) guidance, cloud computing is a means for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. National Institute of Standards and Technology, The NIST Definition of Cloud Computing, Special Publication 800-145 (Gaithersburg, MD: Sept. 2011).
[12]According to NIST guidance, infrastructure as a service delivers and manages the basic computing infrastructure of servers, software, storage, and network equipment; platform as a service delivers and manages the infrastructure, operating system, and programming tools and services that an agency can use to create applications; and software as a service delivers one or more applications and all the resources (operating system and programming tools) and underlying infrastructure, which an agency can use on demand. National Institute of Standards and Technology, Special Publication 800-145.
[13]See GAO-24-105717.
[14]Carl Levin and Howard P. “Buck” McKeon National Defense Authorization Act for Fiscal Year 2015, Pub. L. No. 113-291, division A, title VIII, subtitle D, 128 Stat. 3292, 3438-50 (Dec. 19, 2014).
[15]The provisions apply to the agencies covered by the CFO Act, 31 U.S.C. § 901(b). However, FITARA has generally limited application to the Department of Defense.
[16]The government-wide software purchasing program, to be led by the General Services Administration, is to be available for use by all executive agencies. FITARA also included requirements for covered agencies to enhance agency CIO authority and transparency, improve risk management in IT investments, and advance portfolio review and the federal data center consolidation initiative.
[17]Pub. L. No. 114-210, 130 Stat. 824 (2016).
[18]Office of Management and Budget, Category Management Policy 16-1 Improving the Acquisition and Management of Common Information Technology: Software Licensing, M- 16-12 (Washington, D.C.: June 2, 2016).
[20]Department of Veterans Affairs, U.S. Department of Veterans Affairs FY 2025 Budget Submission, Information Technology Programs and Electronic Health Record Modernization Vol. 5 of 5, March 2024.
[21]The VA’s End User Operations Software project outcome is intended to provide sustainment and maintenance of existing software licenses for ongoing operations across the department.
[22]The VA IT Enterprise Agreement Platform investment provides platform IT solutions and resources through enterprise agreements for VA. This investment supports the Oracle Enterprise License Agreement and Oracle Java Enterprise Agreement.
[23]The enterprise agreements within the Office of Strategic Sourcing software maintenance provide software licenses, subscriptions, and associated services and support capabilities as part of the core Office of Information and Technology infrastructure.
[24]GAO‑14‑413; and Office of Management and Budget, Category Management Policy 16-1 Improving the Acquisition and Management of Common Information Technology: Software Licensing, M-16-12 (Washington, D.C.: June 2, 2016).
[26]For the purposes of this statement, the phrase “most widely used software licenses” refers to the licenses that come from a specific vendor and means the aggregate number of software licenses an agency uses that originate with a particular vendor.
[27]According to VA, the five most widely used software vendors with the highest quantity of licenses installed, as of July 31, 2022, include Microsoft (identified twice by VA), HCL Technologies, 1E, and Raytheon Technologies.
[29]ISACA, CMMI Model V3.0 (Pittsburgh, PA: Apr. 6, 2023). CMMI Model and ISACA ©[2023] All rights reserved. Used with permission.
[30]ISACA, CMMI Model V3.0 (Pittsburgh, PA: Apr. 6, 2023). CMMI Model and ISACA ©[2023] All rights reserved. In particular, we reviewed and selected relevant practices from the CMMI practice areas of supplier agreement management, service delivery management, risk management, and causal analysis and resolution.