Veterans Affairs Faces Critical Gaps in Software License Management
The U.S. Government Accountability Office (GAO) recently released a report titled "Veterans Affairs: Actions Needed to Address Software License Challenges", presented by Carol C. Harris, Director of Information Technology and Cybersecurity. The report outlines significant shortcomings within the Department of Veterans Affairs (VA) in managing its software licenses—a multi-billion dollar area vital to supporting care for millions of veterans and their families. Despite spending approximately $21 billion between FY 2022 and FY 2024 on IT systems and services, including commercial software licenses, the VA has yet to implement key internal controls necessary to ensure efficient and cost-effective software license management.
The GAO found that the VA had failed to meet two fundamental requirements: tracking software licenses currently in use and regularly comparing those inventories against actual purchase records. Without these basic oversight mechanisms, VA remains unable to determine whether it is over-purchasing (leading to wasted taxpayer dollars) or under-purchasing (which could result in noncompliance fees and service disruptions). The GAO specifically identified a lack of documentation and process implementation for VA’s five most widely used software licenses, even though one such review had already saved the department $65 million over three years.
In parallel, the GAO’s November 2024 government-wide report uncovered another alarming issue: the negative impact of restrictive software licensing practices on VA’s cloud computing initiatives. These practices—imposed by software vendors—often limit the government’s flexibility to migrate systems to cloud environments or significantly increase the cost of doing so. The VA had not established agency-wide guidance to manage these restrictive practices nor designated responsibility for addressing them. As a result, the department is ill-prepared to identify, mitigate, or plan around vendor-driven constraints that jeopardize its digital modernization efforts.
While VA officials acknowledged these deficiencies and concurred with the GAO’s recommendations, implementation remains pending. For instance, although VA claims it has initiated procedures for tracking twelve of its top fifteen licenses, it has not clearly linked these actions to the five key licenses under scrutiny in the GAO’s review. Similarly, there is no assurance that these new procedures include regular reconciliation (or "true-up") with purchase records, a best practice critical for legal compliance and cost control.
The GAO reiterated the importance of both congressional mandates and best practices, including those set forth in the Federal Information Technology Acquisition Reform Act (FITARA), the MEGABYTE Act, and Office of Management and Budget guidance. These frameworks emphasize centralized license management, comprehensive inventories, data-driven investment decisions, and personnel training. Yet, the VA’s progress lags in several of these areas, despite years of prior recommendations from GAO.
Ultimately, failure to address these issues puts the VA at risk of continued financial inefficiencies and jeopardizes its ability to deliver technology-dependent services to veterans. The GAO concluded with four recommendations: two focused on license tracking and reconciliation, and two on managing the impacts of restrictive cloud licensing. Until these are fully implemented, VA risks wasting millions of dollars and undermining critical IT capabilities.
This report was authored by the U.S. Government Accountability Office and presented by Carol C. Harris. The full report is available at: https://www.gao.gov/products/GAO-25-108475.
Disclaimer:
This blog post summarizes a GAO report for informational purposes only and is not guaranteed to be accurate. It does not constitute legal advice.
