VETERANS AFFAIRS
Further Actions Needed to Address Software License Management Challenges
Statement for the Record by Carol C. Harris, Director, Information Technology and Cybersecurity
Subcommittee on Oversight and Investigations, Committee on Veterans’ Affairs, House of Representatives
For Release on Delivery Expected at 2:15 p.m. ET
United States Government Accountability Office
A statement for the record to the Subcommittee on Oversight and Investigations, Committee on Veterans' Affairs, House of Representatives
Contact: Carol C. Harris at harriscc@gao.gov
What GAO Found
The Department of Veterans Affairs (VA) spends billions of dollars annually for IT and cyber-related investments, including commercial software licenses. In a January 2024 government-wide report, GAO noted that while VA identified its five most widely used software vendors with the highest quantity of licenses installed, it faced challenges in determining whether it was purchasing too many or too few of these software licenses. Specifically, VA was not tracking the appropriate number of licenses for each item of software currently in use. Additionally, the department did not compare inventories of software licenses that were currently in use to purchase records on a regular basis (see table).
GAO January 2024 Report Assessing the Department of Veterans Affairs’ Management of Widely Used Software Licenses
Key activity
Assessment
Track software licenses that are currently in use
Not met
Regularly compare the inventories of software licenses that are currently in use to purchase records
Not met
Source: GAO analysis of agency data. I GAO-26-109060
Until VA adequately assesses the appropriate number of licenses, it cannot determine whether it is purchasing too many licenses or too few. In January 2024, GAO recommended that the department track licenses in use within its inventories and compare them with purchase records. VA concurred with the recommendations and is taking preliminary actions to track software license usage. In early March 2026, VA officials reported that the department plans to implement initial functionality for a centralized software license inventory in late March 2026. If successful, this could be a critical first step in improving the department’s ability to track and analyze licenses across the department. Implementation of these recommendations would allow VA to identify opportunities to reduce costs on duplicate or unnecessary licenses.
In a November 2024 report, GAO found that restrictive software licensing practices (e.g., certain vendors’ processes) adversely impacted federal agencies’ cloud computing efforts, including those of VA. These practices either increased costs of cloud software or services or limited the department’s options when selecting cloud service providers. VA had not established guidance for effectively managing impacts from restrictive practices for cloud computing or determined who is responsible for managing these impacts.
Until VA establishes guidance and assigns responsibility for mitigating the impacts of restrictive software licensing practices, it will likely miss opportunities to avoid or minimize these impacts. GAO made two recommendations to VA to mitigate the impacts of restrictive software licensing practices. The department concurred with the recommendations. In May 2025, VA officials reported that the department planned to stand up a working group composed of IT and acquisition subject matter experts to identify, analyze, and mitigate the impacts of restrictive software licensing practices on cloud computing efforts by September 2026. However, it has not provided an update on the status of the working group. GAO will continue to monitor VA’s actions to fully implement these recommendations.
Why GAO Did This Study
VA depends on critical underlying IT systems to manage benefits and provide care to millions of veterans and their families. For fiscal year 2025, the department planned to spend about $985 million on software, including commercial software licenses.
In 2015, GAO identified the management of software licenses as a focus area in its High-Risk report. GAO has also previously reported on the need for federal agencies—including VA—to ensure better management of software licenses.
This statement summarizes two 2024 GAO reports on VA software license management, including VA’s efforts to track software license usage and manage restrictive licensing practices. The statement also addresses the status of VA’s actions in response to recommendations from those reports. GAO reviewed its prior work, VA documentation related to the status of efforts to implement the recommendations, and information provided by VA in March 2026 as part of GAO’s ongoing work.
What GAO Recommends
GAO made four recommendations in its two recent 2024 reports for VA to improve its management of software licenses and mitigate the effects of restrictive software licensing practices. The department concurred with the recommendations; however, it has not yet implemented them. It is essential that VA implements the recommendations to minimize costs and mitigate restrictive licensing impacts.
Chairwoman Kiggans, Ranking Member Ramirez, and Members of the Subcommittee:
I am pleased to have the opportunity to comment on our prior work on the Department of Veterans Affairs’ (VA) management of software licenses. As you know, VA depends on its IT systems to manage benefits and provide care to millions of veterans and their families.
The department spends billions of dollars annually on its IT and cyber-related investments, including for purchases of commercial software licenses. For fiscal year 2025, the department planned to spend about $985 million on software, including commercial software licenses.
Effective management of commercial software licenses can help organizations avoid purchasing too many licenses that result in unused software (which we refer to as over-purchasing). In addition, effective management can help avoid purchasing too few licenses (which we refer to as under-purchasing), which may result in noncompliance with license terms and cause the imposition of additional fees.
As early as 2014, we reported on the need for agencies—including VA— to ensure better management of software licenses. We noted that, to maximize the value of these investments, agencies should effectively manage them by, among other things, regularly (1) tracking and maintaining a comprehensive inventory of software licenses, and (2) analyzing agencywide software license data.[1]
We also first identified IT acquisitions and operations as a high-risk area in our 2015 High-Risk report.[2] In that report, we identified the management of software licenses as a focus area, in part, because of the potential for cost savings. In May 2025, we reported that, since 2014, agencies had reported about $4.6 billion in cost savings related to better management of software licenses.
In this statement, I will summarize the results of our two prior reports from January and November 2024 that include details on VA’s software licensing practices. My statement also addresses the status of VA efforts to address recommendations we made in those reports.[3]
In developing this statement, we summarized VA’s prior efforts to determine the appropriate number of licenses for its five software vendors[4] with the highest quantity of licenses installed[5] and the impacts of restrictive software licensing practices.[6] We also compiled information from our past reports on leading software license management practices.[7] Detailed information on the objectives, scope, and methodology of this work can be found in each issued report. For this statement, we also reviewed prior testimonies from May and July 2025,[8] VA documentation related to the status of efforts to implement our recommendations since the two reports were issued, and information provided by VA in March 2026 as part of our ongoing work.
We conducted the work on which this statement is based in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.
Background
Software licenses specify the government’s legal rights to use software in accordance with terms and provisions agreed to by the software copyright owner. Rights to use software are separate from the legal rights to the software itself, which are normally kept by the software manufacturer or other third party. Licenses may be purchased and are normally required whenever externally acquired software is used, which will typically be when the software is installed on a computer (or when executed on a computer even if installed elsewhere, such as on a server). Licenses may be purchased in bundle packages, which are multiple software products offered under a single license agreement. They may also be defined in enterprise terms, such as number of workstations or employees, in which case a license is required for each qualifying unit or individual regardless of actual usage.
Many software products are commercial-off-the-shelf, meaning the software is sold in substantial quantities in the commercial marketplace. Commercial software typically includes fees for initial and continued use of licenses. These fees may include, as part of the license terms, access to product support and/or other services, including upgrades. License models and definitions may differ significantly depending on the software product and vendor and may vary based on their duration and how their use is measured (e.g., per copy or on an enterprise basis).
We have previously reported that software license management is intended to manage, control, and protect an organization’s software assets, including management of the risks arising from the use of those assets.[9] Proper management of software licenses helps to minimize risks by ensuring that licenses are used in compliance with licensing agreements and deployed in a cost-effective manner. It also ensures that software purchase and maintenance expenses are properly controlled.
Federal Laws and Guidance and GAO’s Leading Practices
In December 2014, Congress enacted IT acquisition reform legislation (commonly referred to as the Federal Information Technology Acquisition Reform Act or FITARA) as part of the Carl Levin and Howard P. ‘Buck’ McKeon National Defense Authorization Act for Fiscal Year 2015.[10] FITARA provides a mechanism for Congress to monitor covered agencies’ increased efficiency and effectiveness of IT investments, as well as to hold agencies accountable for reducing duplication and achieving cost savings.[11] FITARA contained specific requirements related to seven areas, including expanding government-wide software licensing that is available for use by agencies.[12]
Additionally, the Making Electronic Government Accountable by Yielding Tangible Efficiencies (MEGABYTE) Act of 2016 further enhanced management of software licenses by requiring agency Chief Information Officers (CIO) to establish an agency software licensing policy and a comprehensive software inventory to track and maintain licenses, among other requirements.[13]
In June 2016, OMB issued a memorandum that provided software license management guidance to federal agencies.[14] Specifically, the guidance required, among other things, that agencies:
· move to a more centralized and collaborative software management approach that includes appointing a software manager to be responsible for managing software licenses;
· maintain an agencywide inventory of software licenses; and
· analyze inventory data to ensure compliance with software license agreements, consolidate redundant applications, and identify other cost-saving opportunities.
More recently, Congress has proposed legislation on improving software license management. Specifically:
· In September 2025, legislation was re-introduced in Congress titled the Strengthening Agency Management and Oversight of Software Assets Act (SAMOSA) to provide Congress improved visibility of federal agency software asset management practices.[15] If enacted, the proposed legislation would build upon the 2016 MEGABYTE Act by requiring each agency to complete a comprehensive assessment of their software entitlements[16] and software inventories, which would be used to develop a plan for addressing costly, unnecessary licenses.
In particular, the proposed legislation specifies that each agency must use the information from these assessments to develop a plan to consolidate software licenses and adopt enterprise license agreements by type or category of software. It also states that in order to ensure the standardization of such assessments across the federal government, OMB, in consultation with GSA, may share information, best practices, and recommendations related to these activities.
Furthermore, the proposed legislation states that OMB, in coordination with others—including the Chief Information Officers Council, the Chief Acquisition Officers Council, and the Administrator—may also establish processes to identify, define, and harmonize common definitions and other information and criteria to support agencies.
· In December 2025, additional legislation was introduced in Congress titled the Veterans Affairs Management and Oversight of Software Assets (VAMOSA).[17] The proposed legislation calls for VA to develop a comprehensive policy for managing software assets, including establishing a comprehensive inventory of the department’s software licenses, identifying under-utilized licenses and vendor billing inconsistencies, and adopting cost-effective licensing strategies.
We have previously identified leading practices that federal agencies can follow for managing their software licenses. Table 1 describes these practices.
Table 1: Leading Practices for Managing Software Licenses
|
Leading practice |
Description |
|
Centralize management of software licenses |
Employ a centralized software license management approach that is coordinated and integrated with key personnel (e.g., the acquisition and IT management personnel responsible for software purchases and decisions). Such an approach allows for centralized recordkeeping of software licensing details including the terms of the licenses. Further, agencies should centralize the governance and oversight of specific enterprise and commercial software licenses consistent with agency policy (e.g., software licenses reflective of the majority [80 percent] of agency software license spending and/or agency enterprise licenses) in order to make department-wide decisions. |
|
Establish a comprehensive inventory of software licenses |
Establish a comprehensive inventory of the software licenses consistent with agency policy (e.g., an inventory representative of the majority [80 percent] of the agency’s software license spending and/or enterprise licenses). This inventory should incorporate automated discovery and inventory tools that provide easy search and access to software license information (e.g., contract terms and agreement records). Such a repository allows managers to monitor performance (e.g., how many employees are using software compared to the amount of software purchased) and conduct analysis reporting needed for management decision-making. A comprehensive inventory will better ensure compliance with software license agreements and allow for agencywide visibility that consolidates redundant applications and identification of other cost-saving opportunities. |
|
Regularly track and maintain comprehensive inventories of software licenses using automated discovery and inventory tools and metrics |
Regularly track and maintain comprehensive inventories of software licenses using automated discovery and inventory tools and metrics (e.g., metrics related to employee usage and number of licenses purchased) to ensure that the agency has the appropriate number of licenses for each item of software in use. Agencies should track inventories and compare software licenses purchased with licenses installed regularly (e.g., at least annually) and consistent with their policies. |
|
Analyze the software license data to inform investment decisions and identify opportunities to reduce costs |
Make decisions about software license investments that are informed by an analysis of department-wide software license data (e.g., costs, benefits, usage, and trending data). Such an analysis helps agencies make cost-effective decisions, including decisions about what users need. |
|
Provide appropriate agency personnel with sufficient software license management training |
Provide appropriate agency personnel (e.g., legal, acquisition, technical, and user) with sufficient training on managing software licenses, including training on contract terms and conditions, negotiations, laws and regulations, acquisition, security planning, and configuration management. Sufficient training allows organizations to develop the skills and knowledge of employees so they can perform their roles effectively and efficiently. |
Source: GAO‑14‑413. I GAO‑26‑109060
Previously Identified Challenges for VA in Managing Software Licenses
In May 2014, we reported on federal agencies’ management of software licenses and stressed that better management was needed to achieve significant savings government-wide.[18]
Regarding VA, we noted that the department did not have comprehensive policies that included establishing clear roles and central oversight authority for managing enterprise software license agreements, among other things. We also noted that it had not established a comprehensive software license inventory, a leading practice that would help the department to adequately manage its software licenses.
The inadequate implementation of these and other leading practices in software license management was partially due to weaknesses in the department’s licensing management policies. We therefore made six recommendations to VA to improve its policies and practices for managing licenses. For example, we recommended that the department regularly track and maintain a comprehensive inventory of software licenses and analyze the inventory to identify opportunities to reduce costs and better inform investment decision-making.
Since our 2014 report, VA has taken actions to implement all six recommendations. For example, the department provided documentation in November 2017 showing that it had implemented software management training that addressed aspects of software license management, including terms and conditions, acquisition, and security planning. These actions positioned VA employees to develop skills and knowledge to perform their software license management roles effectively and efficiently. Additionally, the agency previously reported that it had realized approximately $65 million in cost savings over 3 years due to analyzing just one of its software licenses.
VA’s Role for Managing IT and Fiscal Year 2026 Budget
Since 2007, VA has operated a centralized organization, the Office of Information and Technology, which performs most key functions intended for effective IT management. This office is led by the Assistant Secretary for Information and Technology, also known as VA’s CIO. It is responsible for providing strategy and technical direction, guidance, and policy related to how IT resources are to be acquired and managed for the department. It also is responsible for working with its business partners—such as the Veterans Health Administration—to identify and prioritize business needs and requirements for IT systems. Further, the Office of Information and Technology is responsible for managing the majority of VA’s IT-related functions including the purchase of software licenses.
VA’s budget for fiscal year 2026 is about $5.9 billion in total for the Office of Information and Technology, which includes over $3.9 billion for operations and maintenance, nearly $1.4 billion for staffing and administrative support, and about $578 million for new development.[19]
Prior GAO Reports Highlighted VA’s Challenges with Managing Software Licenses and Restrictive Practices
In January 2024, we reported that agencies faced challenges managing licensing agreements and that certain agencies—including VA—did not address the two key activities that can assist agencies’ software license management efforts and enable them to assess whether they purchased the appropriate number of software licenses. Accordingly, we made two recommendations to VA to consistently assess the appropriate number of software licenses for its most widely used software licenses. In addition, in November 2024, we reported that restrictive software licensing practices, such as found in certain software licensing agreements and certain vendor processes, adversely impacted federal agencies’ cloud computing efforts—including VA—and that the department had not established guidance for effectively managing impacts from restrictive practices for cloud computing. We therefore made two recommendations to VA to mitigate the impacts of restrictive software licensing practices.
VA Did Not Determine Over- or Under-Purchasing of Widely Used Software Licenses
As previously noted, our prior 2014 report and OMB guidance identify leading practices for effectively managing software licenses.[20] These leading practices include two key activities that can assist agencies’ software license management efforts and result in assessing the appropriate number of software licenses: (1) tracking software licenses that are currently in use and (2) regularly comparing the inventories of software licenses that are currently in use to purchase records to determine if licenses have been over- or under-purchased.
As noted earlier in this statement, VA had implemented our six prior recommendations from 2014 to improve its software license management practices. However, our analysis of data for our January 2024 report highlighted current challenges the department faces in assessing its software licenses.[21] In alignment with the key activities described above, sound software license management includes a regular reconciliation review by agencies to ensure they have the appropriate number of licenses for each item of software in use. Vendors also perform reviews to assess the number of licenses in use to ensure that the legal agreements associated with procured software licenses are adhered to and that organizations avoid purchasing unnecessary licenses. These reviews are called true-up and true-down. The more common true-up review compares the current software deployment to the software purchase data to revalidate and reconcile software utilization with historical software procurement data and terms and conditions. On the other hand, the true-down review determines if fewer licenses are required. These reviews generally occur prior to software license renewals or exercising of options under a software license agreement.
While VA identified for us its five most widely used software vendors with the highest quantity of licenses installed[22] as of July 31, 2022,[23] the department did not track how many of those installed licenses it was using. Specifically, for the five most widely installed licenses, VA provided screenshots of count data by product, but it did not provide documentation tracking the appropriate number of licenses for each item of software currently in use.
In addition, the department did not compare the inventories of software licenses that are currently in use to purchase records on a regular basis. Specifically, it did not analyze usage of its five most widely used software licenses per its defined process. For example, VA officials stated that the department had established varying processes with each vendor to analyze usage and purchasing of its most widely used software licenses. VA also stated that in fiscal year 2022, it reviewed its licenses and reported an increase of 10,000 licenses at a cost of $678,610.40 for one of its most widely used licenses, HCL Technologies. However, VA did not provide documentation as evidence of these analyses.
VA officials stated that they had not developed and implemented procedures for tracking software licenses in use and comparing inventories of these software licenses with known purchases. Officials provided various reasons, including that in most software contracts, the Office of Information and Technology has a contract line item to allow for purchasing of additional licenses on an as needed basis. Additionally, officials stated that the Office of Information and Technology utilizes the features within software products to track licenses and monitors the historical data and trends to determine if usage is increasing or decreasing. However, VA did not demonstrate how it utilizes these tools to compare software licenses purchased with licenses currently in use for any of its five most widely used licenses on a regular basis.
As a result, in our January 2024 report, we made two recommendations to VA to consistently track software license usage and compare its inventories with purchased licenses. At a minimum, VA should develop and implement procedures for tracking license usage and comparing the inventories of licenses in use to purchase records. VA concurred with our recommendations.
Since our report, VA has taken steps to begin addressing our recommendations, but it has not yet fully implemented them. In early March 2026, VA officials reported that the department plans to implement initial functionality for a centralized software license inventory in late March 2026. If successful, this could be a critical first step in improving the department’s ability to track and analyze licenses across the department.
VA also reported that, as of March 2026, it had assessed its use of the top 15 most widely used software licenses and begun moving them to enterprise product ownership and enterprise license agreements. Further, the department has drafted (1) an update to its 2015 software asset management policy and (2) procurement guidance to support planning and acquisition of enterprise-level software solutions.
However, the policy and procurement guidance have not yet been approved. Moreover, the department has not yet developed and implemented procedures to track license usage and compare the number of licenses in use with the number of licenses purchased, in line with our recommendation. We will continue to monitor VA’s actions to fully implement these recommendations.
Until VA consistently tracks software licenses and compares its inventories to known purchases of widely used software licenses, it will not be able to readily determine whether its software licenses were over- or under-purchased. As a result, the department is likely to miss opportunities to reduce costs on duplicative or unnecessary software licenses. If implemented, the potential savings could be significant. In 2025, VA reported that it expected to realize another $136 million in cost avoidance from fiscal years 2025 through 2029 by ensuring that it is only purchasing necessary software licenses from one vendor. Additionally, by developing and implementing procedures that define the steps to be taken to determine over- and under-purchasing, VA can better ensure it is consistently reviewing usage of what it purchased to optimize costs. As a result, VA would be better positioned to negotiate with vendors regarding user needs when analyzing the purchasing of licenses.
VA Was Not Effectively Managing the Impacts of Restrictive Software Licensing Practices
In our November 2024 review, we reported on the impacts of restrictive software licensing on VA, among other agencies.[24] Cloud computing can often provide access to IT resources through the internet faster and for less money than owning and maintaining such resources. However, as agencies implement IT and migrate systems to the cloud, they may encounter restrictive software licensing practices. Restrictive software licensing practices include vendor processes that limit, impede, or prevent agencies’ efforts to use software in cloud computing.
Effectively managing software licenses for cloud computing involves, among other things, applying industry best practices for acquisition and risk management. Key activities for managing impacts of restrictive software licensing practices for cloud computing include (1) identifying and analyzing impacts of restrictive practices during the acquisition process and for established IT investments or projects; and (2) developing plans for mitigating adverse impacts.[25]
Our review of federal agencies—including VA—found that restrictive software licensing practices adversely impacted VA’s cloud computing efforts. According to VA officials, the restrictive practices that they encountered included, among other things, a vendor
· requiring the agency to pay additional fees to use the vendor’s software on infrastructure provided by other cloud service providers;
· charging more for (e.g., a conversion fee) or requiring the agency to repurchase the existing software licenses that the agency had been using in its on-premise systems for use in the cloud;
· requiring or promoting vendor lock-in via the cloud service provider’s terms and conditions or acquisition practices; and
· lacking accurate or sufficiently detailed cost data to support agency planning for moving on-premise licenses to the cloud.
Officials reported that the restrictive practices generally impacted the (1) cost of cloud computing and (2) choice of cloud service provider or cloud architecture.
In our November 2024 report, we found that VA did not establish guidance for effectively managing impacts from restrictive practices for cloud computing. Officials stated that they would manage restrictive practices as risks, but the department did not provide supporting documentation demonstrating that such practices are to be managed as risks. Officials also stated that VA’s existing IT and acquisition management policies and procedures could be used to help identify and manage restrictive practices and their potential impacts. However, the agency was not able to identify parts of these policies and procedures that specifically addressed identifying, analyzing, and mitigating impacts from such practices.
Further, we found that VA had not assigned responsibility for managing such practices. Specifically, officials reported they had encountered restrictive licensing practices, but that managing impacts from such practices was either the responsibility of the agency CIO or was a shared responsibility among multiple offices that manage IT and acquisitions or provide legal counsel. However, VA had not specifically assigned or documented this responsibility. As such, it was unclear who was accountable for ensuring the consistent implementation of the two key activities for managing restrictive practices.
Additionally, according to officials, they had not focused on how to address restrictive licensing practices because, as of July 2024, VA had not encountered many instances of such practices. The officials also stated that the impacts from such practices had not been a significant issue impacting their cloud computing services. As such, the officials stated that they either did not consider it necessary or did not consider it a priority to develop or update agency guidance to specifically address the management of such practices and their impacts. However, until VA focuses on managing restrictive practices, the full extent of impacts from such practices on the department will remain unknown.
Without implementing comprehensive guidance for managing the impacts of restrictive software licensing practices, VA is not well positioned to identify and analyze the impact of such practices or to mitigate any risks they present in an efficient and effective manner. In addition, without consistently implementing the two key activities for managing restrictive licensing practices, VA will likely miss opportunities to take action to avoid or minimize the impacts.
Accordingly, in our November 2024 report, we made two recommendations to VA to (1) update and implement guidance to fully address identifying, analyzing, and mitigating the impacts of restrictive software licensing practices; and (2) assign and document responsibility for identifying and managing such practices across the department. VA concurred with our recommendations.
In response to our recommendations, in May 2025, VA officials reported that the department planned to stand up a working group composed of IT and acquisition subject matter experts to identify, analyze, and mitigate the impacts of restrictive software licensing practices on cloud computing efforts. The department expects to implement additional actions to address the recommendations by September 30, 2026. As of March 2026, VA has not provided an update on the status of the working group. We will continue to monitor VA’s actions to fully implement these recommendations.
In conclusion, fully assessing software licenses and effectively managing impacts from restrictive licensing practices at VA is an issue of vital importance. It presents VA with opportunities to reduce costs on duplicate or unnecessary licenses and take action to mitigate the impact of restrictive practices.
We have made four recommendations to VA in the reports summarized in this statement that, as of today, it has not fully implemented. If the department continues to experience the challenges we have previously identified and does not take further actions to address our recommendations, it may jeopardize its ability to effectively manage its software licenses that provide critical services to veterans.
Chairman Kiggans, Ranking Member Ramirez, and Members of the Subcommittee, this concludes my statement for the record.
GAO Contact and Staff Acknowledgments
If you or your staff have any questions about this statement, please contact Carol C. Harris at harriscc@gao.gov. Contact points for our Offices of Congressional Relations and Public Affairs may be found on the last page of this statement.
GAO staff who made key contributions to this statement include Emily Kuhn (Assistant Director), Amanda Gill (Analyst-in-Charge), Anh-Thi Le, Rebecca Eyler, Niti Tandon, Walter Vance, and Adam Vodraska.
This is a work of the U.S. government and is not subject to copyright protection in the United States. The published product may be reproduced and distributed in its entirety without further permission from GAO. However, because this work may contain copyrighted images or other material, permission from the copyright holder may be necessary if you wish to reproduce this material separately.
The Government Accountability Office, the audit, evaluation, and investigative arm of Congress, exists to support Congress in meeting its constitutional responsibilities and to help improve the performance and accountability of the federal government for the American people. GAO examines the use of public funds; evaluates federal programs and policies; and provides analyses, recommendations, and other assistance to help Congress make informed oversight, policy, and funding decisions. GAO’s commitment to good government is reflected in its core values of accountability, integrity, and reliability.
Obtaining Copies of GAO Reports and Testimony
The fastest and easiest way to obtain copies of GAO documents at no cost is through our website. Each weekday afternoon, GAO posts on its website newly released reports, testimony, and correspondence. You can also subscribe to GAO’s email updates to receive notification of newly posted products.
Order by Phone
The price of each GAO publication reflects GAO’s actual cost of production and distribution and depends on the number of pages in the publication and whether the publication is printed in color or black and white. Pricing and ordering information is posted on GAO’s website, https://www.gao.gov/ordering.htm.
Place orders by calling (202) 512-6000, toll free (866) 801-7077,
or
TDD (202) 512-2537.
Orders may be paid for using American Express, Discover Card, MasterCard, Visa, check, or money order. Call for additional information.
Connect with GAO
Connect with GAO on X,
LinkedIn, Instagram, and YouTube.
Subscribe to our Email Updates. Listen to our Podcasts.
Visit GAO on the web at https://www.gao.gov.
To Report Fraud, Waste, and Abuse in Federal Programs
Contact FraudNet:
Website: https://www.gao.gov/about/what-gao-does/fraudnet
Automated answering system: (800) 424-5454
Media Relations
Sarah Kaczmarek, Managing Director, Media@gao.gov
Congressional Relations
David A. Powner, Acting Managing Director, CongRel@gao.gov
General Inquiries
[1]GAO, Federal Software Licenses: Better Management Needed to Achieve Significant Savings Government-Wide, GAO‑14‑413 (Washington, D.C.: May 22, 2014).
[2]GAO, High-Risk Series: An Update, GAO‑15‑290 (Washington, D.C.: Feb. 11, 2015).
[3]GAO, Federal Software Licenses: Agencies Need to Take Action to Achieve Additional Savings, GAO‑24‑105717 (Washington, D.C.: Jan. 29, 2024); and Cloud Computing: Selected Agencies Need to Implement Updated Guidance for Managing Restrictive Licenses, GAO‑25‑107114 (Washington, D.C.: Nov. 13, 2024).
[4]For the purposes of this statement, we use the term vendor to also include original equipment manufacturers and publishers.
[5]Installed licenses are software licenses deployed for use on department or agency owned or controlled computers. For purposes of this report, we used the terms “installed” and “deployed” interchangeably.
[6]We defined restrictive software licensing practices as any software licensing agreements or vendor processes that limit, impede, or prevent agency efforts to use software in cloud computing.
[8]GAO, Veterans Affairs: Leading Practices Can Help Achieve IT Reform Goals, GAO‑25‑108627 (Washington, D.C.: Jul. 11, 2025); and Veterans Affairs: Actions Needed to Address Software License Challenges, GAO‑25‑108475 (Washington, D.C.: May 16, 2025).
[9]See GAO‑24‑105717.
[10]Carl Levin and Howard P. “Buck” McKeon National Defense Authorization Act for Fiscal Year 2015, Pub. L. No. 113-291, division A, title VIII, subtitle D, 128 Stat. 3292, 3438-50 (Dec. 19, 2014).
[11]The provisions apply to the agencies covered by the CFO Act, 31 U.S.C. § 901(b). However, FITARA has generally limited application to the Department of Defense.
[12]The government-wide software purchasing program, to be led by the General Services Administration, is to be available for use by all executive agencies. FITARA also included requirements for covered agencies to enhance agency CIO authority and transparency, improve risk management in IT investments, and advance portfolio review and the federal data center consolidation initiative.
[13]Pub. L. No. 114-210, 130 Stat. 824 (2016).
[14]Office of Management and Budget, Category Management Policy 16-1 Improving the Acquisition and Management of Common Information Technology: Software Licensing, M- 16-12 (Washington, D.C.: June 2, 2016).
[15]H.R. 5457, 119th Cong. (Sep. 18, 2025). Similar legislation was also introduced in March 2023 (H.R. 1695, 118th Cong. (Mar. 22, 2023); S. 931, 118th Cong. (Mar. 22, 2023)).
[16]According to the proposed legislation, the term software entitlements would mean any software that has been purchased, leased, or licensed by or billed to an agency under any contract or other business arrangement; and is subject to use limitations.
[17]H.R. 6654, 119th Cong. (Dec. 11, 2025).
[19]Continuing Appropriations, Agriculture, Legislative Branch, Military Construction and Veterans Affairs, and Extensions Act, 2026, Pub. L. 119-37, 139 Stat. 495, 605 (Nov. 12, 2025).
[20]GAO‑14‑413; and Office of Management and Budget, Category Management Policy 16-1 Improving the Acquisition and Management of Common Information Technology: Software Licensing, M-16-12 (Washington, D.C.: June 2, 2016).
[22]For the purposes of this statement, the phrase “most widely used software licenses” refers to the licenses that come from a specific vendor and means the aggregate number of software licenses an agency uses that originate with a particular vendor.
[23]According to VA, the five most widely used software vendors with the highest quantity of licenses installed, as of July 31, 2022, include Microsoft (identified twice by VA), HCL Technologies, 1E, and Raytheon Technologies.
[24]GAO‑25‑107114. The other agencies in this review were the Departments of Justice and Transportation, the National Aeronautics and Space Administration, the Office of Personnel Management, and the Social Security Administration.
[25]ISACA, CMMI Model V3.0 (Pittsburgh, PA: Apr. 6, 2023). CMMI Model and ISACA ©[2023] All rights reserved. Used with permission. In particular, we reviewed and selected relevant practices from the CMMI practice areas of supplier agreement management, service delivery management, risk management, and causal analysis and resolution.