Private Sector Insights for Smarter Cloud Adoption in Government
The March 2025 GAO report titled Cloud Computing: Private Sector Leading Practices in Acquisition, Cybersecurity, and Workforce Development (GAO-25-106369), authored by Brian Bothwell and Vijay A. D’Souza, offers valuable guidance for federal agencies by analyzing how 18 top-performing private sector companies approach cloud computing. The report focuses on three critical domains—acquisition, cybersecurity, and workforce development—and underscores how private sector strategies can inform and improve government cloud adoption efforts.
GAO found that all participating companies adopted a majority of the 19 leading practices identified in the report. In acquisition, these include developing a strong business case, conducting rigorous market research, negotiating clear terms, and piloting cloud solutions before full-scale implementation. The companies also emphasized assessing service performance continually, underscoring that acquisition doesn't stop with contract award but continues throughout the lifecycle of cloud services.
Cybersecurity was treated as a shared responsibility between the company and its cloud providers, with the division of that responsibility depending on the service model (IaaS, PaaS, or SaaS). Effective identity and access management policies, continuous monitoring, clearly defined security roles, and robust incident response procedures were cornerstones of their security strategies. Interestingly, one company described a previous misconception that cloud security was mostly the provider’s responsibility. The reality, as they found, required a detailed understanding of the shared roles, reinforcing the need for joint planning and communication.
In terms of workforce development, private sector leaders stressed the importance of identifying skills gaps, reskilling or hiring qualified personnel, and shifting organizational culture to support cloud-native thinking. Many companies highlighted the use of frameworks such as FinOps (for managing cloud costs effectively), DevOps (for software delivery), and DevSecOps (for integrating security into development pipelines) to streamline cloud operations and ensure cross-functional alignment. These approaches promoted financial accountability, agility, and more secure deployments.
Notably, the report describes how some organizations encountered technical and contractual hurdles, such as vendor lock-in and unexpected data egress fees. However, companies that embraced multi-cloud strategies or containerization technologies reported greater operational flexibility. To navigate these complexities, they invested in training, integration tools, and proactive monitoring systems.
One unique feature of this report is GAO’s effort to validate these practices by consulting academic experts, adding an independent layer of credibility. The report's conclusions affirm that while government and private industry operate under different constraints, private sector practices—particularly those grounded in transparency, iterative feedback, and stakeholder engagement—can meaningfully inform federal acquisition reform and cloud modernization strategies.
This GAO report provides a critical benchmark for policymakers and agency leaders seeking to modernize their IT infrastructures responsibly. It illustrates that adopting leading practices isn't just about technology—it's about strategic planning, stakeholder alignment, and continuous performance assessment. As federal agencies continue to scale up cloud computing initiatives, they would do well to integrate these tested methods to manage risk, control costs, and enhance mission outcomes.
Disclaimer: This blog post is a summary interpretation of GAO Report GAO-25-106369 and is not guaranteed to be accurate or complete. It does not constitute legal advice or professional consulting.