Cloud Computing: Private Sector Leading Practices in Acquisition, Cybersecurity, and Workforce Development
Government Accountability Office03/24/2025
Fast Facts
Federal agencies must address the risks and challenges that come with their move to cloud computing.
What lessons can they learn from the private sector?
We surveyed 18 companies about their practices in areas that pose key cloud computing challenges: acquisition, cybersecurity, and workforce development.
The companies shared 19 leading practices in these areas, such as negotiating clear terms and agreements for cloud services and shifting internal culture. They reported needing to invest in workforce training and cybersecurity tools.
These and other insights could help federal policymakers and program managers transition to cloud computing.
Highlights
What GAO Found
Eighteen private sector companies surveyed by GAO reported using the majority of 19 leading practices across three management areas—acquisition, cybersecurity, and workforce development—when adopting and implementing cloud computing solutions. Subject matter experts from academia agreed these are leading practices for cloud adoption, and the majority of companies found them very or extremely important for an effective cloud adoption strategy.
Examples of leading practices reported by private sector companies included:
- Acquisition: Companies reported using 7 leading practices, including defining the business case for the cloud adoption, negotiating clear terms and agreements, and assessing service performance against expectations.
- Cybersecurity: Companies reported using 6 leading practices, including implementing incident response procedures, establishing continuous monitoring, and clarifying cloud security responsibilities.
- Workforce Development: Companies reported using 6 leading practices, including identifying skill gaps, retaining and recruiting staff, and shifting internal culture.
Companies also identified potential challenges that organizations may encounter when adopting new cloud solutions, including approaches for addressing those challenges and related technical considerations. Companies reported that addressing these technical considerations enhanced flexibility, mitigated risks, and optimized cloud resource utilization. For example, one company reported implementing a multi-cloud strategy early in its migration to a cloud environment, which helped enable flexibility across different providers. However, to realize these benefits, companies reported requiring additional investments, such as in workforce training and cybersecurity tools.
Why GAO Did This Study
Private sector companies spend billions of dollars adopting cloud computing, with the federal government making other substantial investments. Across the private and public sectors, organizations adopt cloud computing solutions to realize a range of potential benefits, such as lowering IT costs. In pursuing these benefits, organizations may also encounter various risks and challenges.
Given the evolving nature of cloud computing, identifying leading practices used by the private sector could provide valuable insights. These insights could help inform federal policymakers and program managers in their efforts to adopt cloud solutions.
This report identifies (1) leading practices in the private sector for adopting cloud solutions and (2) approaches to address challenges in the private sector regarding the adoption of cloud solutions.
GAO reviewed prior work and federal and nonfederal guidance related to cloud computing. GAO then surveyed a nongeneralizable sample of 18 private sector companies identified as leaders in business and technological innovation across multiple industries about their experiences adopting cloud computing solutions. We also asked companies about their approaches for addressing challenges and related technical considerations associated with adopting cloud computing solutions. GAO validated the leading cloud adoption practices by soliciting and incorporating feedback from cloud computing subject matter experts at academic institutions.
For more information, contact Brian Bothwell at BothwellB@gao.gov or Vijay A. D’Souza at DSouzaV@gao.gov.