Outdated, conflicting guidance causes cloud procurement problems, watchdog says
A GAO report finds outdated FAR guidance, conflicting OMB/NIST standards, and imprecise procurement data are creating significant problems in federal cloud procurement. The report recommends GSA implement FinOps, CISA issue SBOM guidance, and the CIO Council share multi-cloud best practices.…
Cabrillo Club
Editorial Team · June 24, 2026 · 5 min read

Executive Summary
A GAO report finds that outdated FAR (Federal Acquisition Regulation) guidance, conflicting OMB/NIST standards, and imprecise procurement data are creating significant challenges in federal cloud procurement. The report’s recommendations include GSA (General Services Administration) implementing FinOps practices, CISA issuing SBOM guidance, and the CIO Council sharing multi‑cloud best practices. The Summary also notes that federal cloud spending exceeds $10 billion annually and that proposed FAR updates are now in formal rulemaking. Taken together, this signals a near‑term period of evolving procurement requirements, greater emphasis on cost control, and tighter software/component transparency expectations.
Segments explicitly named in the Tags — Cloud Services, IT Services, Cybersecurity, IaaS, PaaS, SaaS, FinOps, and Multi‑Cloud Management — will be most affected. Contractors in these areas should pay attention now to avoid bid disqualification or pricing surprises as agencies adopt FinOps and SBOM expectations and as FAR updates move through rulemaking. Preparing capabilities, documentation, and pricing models now will reduce risk as agencies translate the GAO recommendations into procurement practice.
Impact Matrix
Cloud Services
- Risk Level: High
- Opportunity: Increased demand for vendors who can demonstrate cost transparency, multi‑cloud interoperability, and compliance posture. Specific NAICS codes: 518210; 541511; 541512; 541513; 541519; 541990. Contract vehicles referenced in Tags that may be relevant: SEWP, STARS III, 8(a) STARS III, Alliant 2, OASIS+, CIO‑SP4.
- Timeline: Proposed FAR updates now in formal rulemaking; agency implementation timelines TBD pending source review.
- Action Required: Prepare to document cost drivers, support FinOps practices, and show multi‑cloud best practices; align cloud service offerings with federal compliance surfaces (FedRAMP, the Federal Risk and Authorization Management Program; NIST 800‑171; NIST 800‑53; SBOM; FAR; FISMA) where applicable.
- Competitive Edge: Establish and advertise demonstrable FinOps metrics and repeatable multi‑cloud onboarding processes to shorten procurement risk reviews.
IT Services
- Risk Level: High
- Opportunity: Demand for integration, migration, and managed operations that help agencies achieve cost control and multi‑cloud consistency. Specific NAICS codes: 518210; 541511; 541512; 541513; 541519; 541990. Relevant contract vehicles: SEWP, STARS III, 8(a) STARS III, Alliant 2, OASIS+, CIO‑SP4.
- Timeline: Proposed FAR updates now in formal rulemaking; agency response to GAO recommendations TBD pending source review.
- Action Required: Tighten cost-accounting for cloud projects, adapt SOWs to reflect FinOps principles, and prepare to supply SBOMs or support agency SBOM requirements once issued.
- Competitive Edge: Offer packaged service lines that map to FinOps outcomes (e.g., cost optimization + governance) and include SBOM-ready delivery for software-intensive engagements.
Cybersecurity
- Risk Level: Critical
- Opportunity: Agencies will need cybersecurity solutions that reconcile conflicting OMB/NIST guidance and address SBOM expectations; this opens work for firms that can simplify compliance and supply-chain transparency. Specific NAICS codes and vehicles from Tags apply.
- Timeline: CISA SBOM guidance recommended by GAO; formal FAR rulemaking is underway; timelines for agency adoption TBD pending source review.
- Action Required: Align security offerings to NIST frameworks listed in Tags (NIST 800‑171, NIST 800‑53), prepare SBOM generation and maintenance processes, and track any emergent agency guidance tied to OMB/NIST reconciliation.
- Competitive Edge: Package cybersecurity services that integrate SBOM creation/verification with NIST‑aligned controls to reduce agency integration work and risk appetite concerns.
Infrastructure as a Service (IaaS)
- Risk Level: High
- Opportunity: Agencies re‑evaluating cloud costs and procurement approaches may prefer providers who can demonstrate transparent unit costs and support FinOps. Specific NAICS/vehicles from Tags apply.
- Timeline: Formal FAR rulemaking underway; agency implementation timelines TBD pending source review.
- Action Required: Prepare granular cost reporting, validate FedRAMP/other compliance posture where required, and document multi‑cloud porting/interoperability capabilities.
- Competitive Edge: Differentiate with standardized, auditable cost and usage reporting that supports agency FinOps objectives.
Platform as a Service (PaaS)
- Risk Level: High
- Opportunity: PaaS providers that enable cost visibility and multi‑cloud portability stand to gain as agencies seek standardized practices and CIO Council best practices are shared. Specific NAICS/vehicles from Tags apply.
- Timeline: Proposed FAR updates in formal rulemaking; timelines for CIO Council action TBD pending source review.
- Action Required: Ensure pricing models and deployment tooling support FinOps transparency and multi‑cloud operational models; prepare SBOM artifacts for platform components.
- Competitive Edge: Offer platform modules with built‑in cost telemetry and SBOM capabilities to accelerate agency approval.
Software as a Service (SaaS)
- Risk Level: High
- Opportunity: SaaS vendors capable of producing SBOMs and showing interoperable licensing/cost models for multi‑cloud deployments will be preferred. Specific NAICS/vehicles from Tags apply.
- Timeline: Proposed FAR updates are in formal rulemaking; agency adoption timelines TBD pending source review.
- Action Required: Build SBOM/CBOM generation into CI/CD pipelines, document licensing and cost transparency, and align with FedRAMP and other compliance surfaces in Tags as relevant.
- Competitive Edge: Present SBOM-enabled releases and cost‑granular subscription options that map to agency FinOps reporting needs.
FinOps
- Risk Level: High
- Opportunity: GAO specifically recommends GSA implement FinOps practices, creating demand for FinOps consulting, tooling, and managed services across cloud portfolios. Specific NAICS/vehicles from Tags apply.
- Timeline: GAO recommendation in place; implementation by GSA and other agencies TBD pending source review; proposed FAR updates are in formal rulemaking.
- Action Required: Mature FinOps frameworks, develop playbooks that map to procurement/evaluation criteria, and be ready to demonstrate measurable cost‑control outcomes.
- Competitive Edge: Offer turnkey FinOps engagements (assessment + tooling + managed ops) with case studies proving dollar and risk reduction tied to multi‑cloud environments.
Multi‑Cloud Management
- Risk Level: High
- Opportunity: CIO Council sharing multi‑cloud best practices is a GAO recommendation, increasing interest in multi‑cloud management solutions and consulting. Specific NAICS/vehicles from Tags apply.
- Timeline: CIO Council recommended to share best practices; timelines for dissemination and agency uptake TBD pending source review.
- Action Required: Codify multi‑cloud architecture best practices, provide policy/migration templates, and align management tooling with anticipated procurement and FinOps requirements.
- Competitive Edge: Provide repeatable multi‑cloud reference architectures and automation that shorten agency adoption cycles and demonstrably reduce procurement friction.
Cross-Segment Implications
- FinOps expectations (GAO → GSA) create a common requirement that will cascade across Cloud Services, IaaS/PaaS/SaaS, IT Services, and Multi‑Cloud Management: cost transparency and unitized reporting will be evaluated contractually, altering pricing models and SOWs.
- CISA SBOM guidance affects Cybersecurity directly but also forces SaaS/PaaS vendors and IT integrators to adapt development and delivery pipelines to produce SBOMs, increasing integration work for IT Services.
- CIO Council multi‑cloud best practices, if published and adopted, will standardize requirements across Cloud Services and Multi‑Cloud Management, increasing demand for vendors that can demonstrate adherence to a shared set of practices.
- Conflicting OMB/NIST standards highlighted by the GAO increase the importance of cybersecurity vendors who can translate multiple compliance regimes (NIST 800‑171, NIST 800‑53, FedRAMP, FISMA) into procurement‑ready artifacts, affecting bid readiness across segments.
