How can DOGE fix federal IT? Lock out vendor lock-in

In the midst of Elon Musk’s Department of Government Efficiency’s headline-making actions, it’s a good time to remember that DOGE’s mandate is to “maximize governmental efficiency and productivity” by “modernizing federal technology and software.” Federal IT is a worthy target for Musk and his team of efficiency hackers. It’s overpriced, with various estimates pegging the government’s costs at two to four times the private sector’s. It underdelivers compared to what’s available outside of government, as anyone who has held positions in both sectors will attest. And it is difficult to defend against cyber-attacks, not least because IT vendors charge extra for security features that guard against flaws in their own products.

I contributed to two efforts that chipped away at the cybersecurity aspects of the problem: President Obama’s Cybersecurity National Action Plan and President Trump’s executive order on cybersecurity. After I left the White House in 2017, the first Trump administration and the Biden administration both made additional, incremental progress, especially in migrating agencies to the cloud. And yet federal IT has proven remarkably resistant to reform while also facing the most challenging cyber threat environment of any organization in the world. If DOGE is looking for the most difficult problem in IT, this is it.

To take up federal IT reform, DOGE must address the IT equivalent of the “Deep State”: vendor lock-in, which happens when an incumbent vendor uses restrictive licensing practices that make it prohibitively expensive for the government to fire that vendor and switch to a different one.

Lock-in appears to be a business strategy for the vendors. Microsoft, with its 85% share of the public sector’s productivity software market, uses restrictive licensing practices that lock government agencies into the company’s products and services, and it bundles products together, like Active Directory with Defender, to disadvantage competitors by forcing its ancillary products onto existing customers. It also prohibits federal agencies from running on-premises Microsoft workloads, including licenses agencies have already paid for, on other providers’ clouds.

For example, whistleblowers allege that Microsoft baited the government into buying expensive cloud security offerings by initially offering them for free, confident that once agencies had switched those protections on, they could never feasibly switch them off. At that point, Microsoft had the government locked in, because it would be too expensive for the government to move to a competitor’s service. Vendors use lock-in as economic theory would predict: to bleed the customer, in the form of licensing restrictions and arbitrary support fees, and to box innovative competitors out.

Meanwhile, no other government vendor has as many flaws in its products as Microsoft. In 2024, Microsoft accounted for 20% of the known exploited vulnerabilities added to the Cybersecurity and Infrastructure Security Agency’s Known Exploited Vulnerabilities Catalog, 190% more than the next closest government technology vendor. Federal agencies have repeatedly been impacted by breaches that exploited vulnerabilities in Microsoft products, including in attacks by Chinese and Russian hackers. Despite these problems, Microsoft is rewarded with more federal business, not less. This is not a sign of a healthy, competitive marketplace.
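A statistic like this can be checked against the catalog itself. The script below is an added example, not part of the original article or of any CISA tooling: it reads the KEV feed in its published JSON shape (a top-level "vulnerabilities" list whose entries carry "cveID", "vendorProject" and "dateAdded") and computes each vendor's share of additions in a given year, plus the leader's margin over the runner-up. The embedded catalog is a constructed sample with placeholder identifiers, not real KEV data, so its numbers illustrate the method rather than reproduce the article's figures; point load_catalog() at a downloaded copy of the feed for the real ones. Two caveats a practitioner should keep in mind: KEV lists only vulnerabilities CISA has confirmed as exploited, and raw counts are not normalized for a vendor's installed base.

```python
"""Vendor share of CISA KEV additions in a given year.

Added example (not from the article). Field names follow the published KEV
JSON feed; the catalog embedded below is a constructed sample, not real data.
"""
import json
from collections import Counter
from datetime import date

# Constructed sample in the KEV JSON layout. Entry IDs are placeholders,
# not real CVE identifiers; the 2023 entries exercise the year filter.
SAMPLE_KEV_JSON = json.dumps({
    "title": "Constructed KEV sample",
    "catalogVersion": "sample",
    "vulnerabilities": [
        {"cveID": "SAMPLE-0001", "vendorProject": "Microsoft", "dateAdded": "2024-01-09"},
        {"cveID": "SAMPLE-0002", "vendorProject": "Microsoft", "dateAdded": "2024-02-13"},
        {"cveID": "SAMPLE-0003", "vendorProject": "Microsoft", "dateAdded": "2024-07-09"},
        {"cveID": "SAMPLE-0004", "vendorProject": "Microsoft", "dateAdded": "2024-11-12"},
        {"cveID": "SAMPLE-0005", "vendorProject": "Ivanti", "dateAdded": "2024-01-10"},
        {"cveID": "SAMPLE-0006", "vendorProject": "Ivanti", "dateAdded": "2024-02-29"},
        {"cveID": "SAMPLE-0007", "vendorProject": "Cisco", "dateAdded": "2024-04-24"},
        {"cveID": "SAMPLE-0008", "vendorProject": "Cisco", "dateAdded": "2024-10-02"},
        {"cveID": "SAMPLE-0009", "vendorProject": "Apple", "dateAdded": "2024-03-05"},
        {"cveID": "SAMPLE-0010", "vendorProject": "Google", "dateAdded": "2024-05-28"},
        {"cveID": "SAMPLE-0011", "vendorProject": "Microsoft", "dateAdded": "2023-12-12"},
        {"cveID": "SAMPLE-0012", "vendorProject": "Fortinet", "dateAdded": "2023-12-20"},
    ],
})


def load_catalog(text):
    """Parse a KEV feed (JSON text) and return its list of entries, deduplicated by cveID."""
    seen, entries = set(), []
    for entry in json.loads(text)["vulnerabilities"]:
        if entry["cveID"] in seen:  # the live feed has no duplicates; guard anyway
            continue
        seen.add(entry["cveID"])
        entries.append(entry)
    return entries


def additions_by_vendor(entries, year):
    """Count catalog additions per vendor for the given calendar year of dateAdded."""
    counts = Counter()
    for entry in entries:
        if date.fromisoformat(entry["dateAdded"]).year == year:
            # vendorProject is used as CISA entered it; only surrounding whitespace is trimmed.
            counts[entry["vendorProject"].strip()] += 1
    return counts


def share(counts, vendor):
    """Vendor's percentage of all additions in the counted year, rounded to 0.1%."""
    total = sum(counts.values())
    if total == 0:
        return 0.0
    return round(100 * counts.get(vendor, 0) / total, 1)


def lead_over_runner_up(counts, vendor):
    """How many percent more additions the vendor has than the next-highest vendor.

    Returns None when there is no other vendor or the runner-up has zero additions.
    """
    others = [n for v, n in counts.items() if v != vendor]
    if not others or max(others) == 0:
        return None
    runner_up = max(others)
    return round(100 * (counts.get(vendor, 0) - runner_up) / runner_up, 1)


if __name__ == "__main__":
    entries = load_catalog(SAMPLE_KEV_JSON)
    counts = additions_by_vendor(entries, 2024)
    for vendor, n in counts.most_common():
        print(f"{vendor:<12} {n:>3}  {share(counts, vendor):>5}%")
    print("Leader's margin over runner-up:", lead_over_runner_up(counts, "Microsoft"), "%")
```

On the constructed sample this reports Microsoft at 40.0% of 2024 additions and 100.0% ahead of the runner-up; on the real feed the output is whatever CISA has entered, and the "government technology vendor" framing in the article still requires deciding which vendorProject values count as such.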

There are two actions that DOGE must take to begin to ensure meaningful competition in the procurement process.

First, DOGE must streamline procurement processes with new requirements and specifications that thwart vendor lock-in by prohibiting restrictive licensing practices, with the goal of making it easier for companies to compete for federal IT dollars and for agencies to buy new technologies. This requires changes not only to federal procurement regulations but also to the business mindsets of entrepreneurs, venture capitalists and go-to-market strategists who are deterred from even trying to market their products to the government because they view the government as impenetrable. While DOGE’s policy hackers focus on the finer points of procurement regulations, Musk is uniquely positioned to deliver a pitch that the federal government is open for business.

Second, DOGE must unite federal CIOs to use their collective purchasing power to drive a harder bargain with vendors on pricing. Doing so would bring IT innovators to the table and give the government negotiating leverage for superior products at competitive prices. For the government to retain this leverage, IT vendors must feel the competitive heat throughout the lifecycle of their contracts and believe that the government can — and will — walk away at the end of the contract term in favor of one of their competitors.

Attempts at market reform will fall short without one of the most elementary market principles in play: that the government must be able to hire and fire IT vendors. This has proven to be the most difficult problem in IT, and DOGE should seize the moment to modernize and maximize efficiency in this market.

Andrew Grotto is a research fellow at Stanford University and former senior director for cyber policy on the National Security Council in the Obama and Trump administrations. He also advises technology companies on digital risks, including companies that compete with Microsoft.

The post How can DOGE fix federal IT? Lock out vendor lock-in first appeared on Federal News Network.
