The Defense Department is one of the world’s largest bureaucracies, and as a byproduct of that, it needs to do a better job of keeping track of the software it uses. That is a key takeaway from a DOD Inspector General report, issued in December.
The report found that the Marine Corps, the Navy and the Air Force commands and divisions it reviewed did not consistently rationalize their software applications. Software rationalization is the process of determining which applications an entity has, and which ones are necessary, duplicative or obsolete.
Although the report does not explicitly call for an agencywide software asset management program, that is the implication of the report’s key recommendations. Specifically, the report recommends that DOD “develop an enterprise-wide process for conducting the software application rationalization process.”
The State of Software Management at DOD
The Marine Corps divisions and the Navy commands had processes in place to prevent duplication when purchasing software applications, but the Air Force did not, the report says.
“In addition, the U.S. Fleet Forces Command was the only command we reviewed that had a process in place for eliminating duplicative or obsolete software applications it owned. Furthermore, none of the commands or divisions we reviewed maintained accurate software inventories to facilitate that process.”
As FedScoop reports, the Army “was not subject to this audit because its own Army Audit Agency conducted a similar review in 2017.”
The Pentagon is in this state because the DOD CIO’s office has not implemented “an enterprisewide solution for software application rationalization in response to Federal Information Technology Acquisition Reform Act requirements and, instead, limited rationalization to data center consolidation efforts.”
As a result, the report found, the DOD and its components are exposing the DOD Information Network to “unnecessary cybersecurity risks because they lack visibility over software application inventories and, therefore, are unable to identify the extent of existing vulnerabilities associated with their owned software applications.”
The DOD is also leaving money on the table and is not “realizing the cost savings associated with the elimination of duplicate and obsolete software applications that it has already procured and is paying to maintain.” The report adds later that the DOD “may be paying support costs such as maintenance costs for security patches, software fixes, and general updates for unnecessary software applications and not realizing the cost savings associated with eliminating them.”
How DOD Can Improve Software Asset Management
The report recommends that the DOD establish guidance requiring the department components to conduct software application rationalization. Further, component CIOs should be required to “develop implementing guidance that outlines responsibilities and processes for software application rationalization” within their components.
The policy should also require Pentagon components to “regularly, at least annually, validate the accuracy of their owned and in-use software applications inventory.”
Additionally, the DOD should conduct periodic reviews to ensure that components are regularly validating the accuracy of their inventory of owned and in-use software applications and that they are eliminating duplicate and obsolete software applications.
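The rationalization pass the recommendations above describe, as an added example that is not from the IG report or any DOD tool: a constructed inventory of applications held by several commands is classified as obsolete (vendor support ended, so no more security patches), duplicative (the same product held in more than one version), or unused. The owners, products, dates and the dotted-integer version comparison are all assumptions made for the illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass(frozen=True)
class App:
    owner: str               # command or division holding the licence
    vendor: str
    product: str
    version: str
    end_of_support: date     # vendor end-of-support date (last security patch)
    last_used: Optional[date]  # last observed use; None means never observed


# Constructed sample inventory for illustration (not taken from the IG report).
INVENTORY = [
    App("Fleet Forces", "Acme", "Diagram Studio", "12.1", date(2025, 6, 30), date(2019, 1, 15)),
    App("Pacific Fleet", "Acme", "Diagram Studio", "11.0", date(2020, 12, 31), date(2018, 11, 2)),
    App("Pacific Fleet", "Acme", "Diagram Studio", "12.1", date(2025, 6, 30), date(2019, 1, 20)),
    App("Air Combat", "Globex", "Legacy Mailer", "3.2", date(2016, 1, 1), None),
    App("Air Combat", "Initech", "Ticket Tracker", "7.4", date(2024, 1, 1), date(2017, 6, 1)),
]


def _version_key(v: str):
    # Assumed version scheme: dotted integers, compared numerically.
    return tuple(int(p) for p in v.split("."))


def rationalize(inventory, as_of, unused_after=timedelta(days=365)):
    """Classify each entry as obsolete, duplicate, unused or keep.

    obsolete  : support ended before `as_of`, so the app no longer receives patches
    duplicate : same vendor/product held in more than one version; every version
                other than the newest is a candidate for elimination
    unused    : never observed in use, or idle longer than `unused_after`
    """
    findings = {"obsolete": [], "duplicate": [], "unused": [], "keep": []}
    versions = defaultdict(set)
    for app in inventory:
        versions[(app.vendor, app.product)].add(app.version)
    newest = {k: max(v, key=_version_key) for k, v in versions.items()}
    for app in inventory:
        key = (app.vendor, app.product)
        if app.end_of_support < as_of:
            findings["obsolete"].append(app)
        elif len(versions[key]) > 1 and app.version != newest[key]:
            findings["duplicate"].append(app)
        elif app.last_used is None or as_of - app.last_used > unused_after:
            findings["unused"].append(app)
        else:
            findings["keep"].append(app)
    return findings
```

Running the pass on the review date gives each command a concrete list of what to eliminate, which is the input the annual inventory validation needs.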
The most effective way to accomplish all of that is through the deployment of automated software asset management (SAM) tools. There are numerous SAM tools on the market, including those from Snow Software and Ivanti, among others.
In July 2016, President Barack Obama signed into law the Making Electronic Government Accountable by Yielding Tangible Efficiencies Act of 2016. The law, better known as the MEGABYTE Act, requires agency CIOs to develop a comprehensive software licensing policy. Further, starting in fiscal year 2017 and continuing for the next five fiscal years, CIOs must submit to the director of the Office of Management and Budget a report that details the financial savings or avoidance of spending that has resulted from improved software license management.
Under the MEGABYTE Act, agencies are required to create a comprehensive, regularly updated inventory of software licenses and analyze software use to make cost-effective decisions.
“A comprehensive inventory is key to determining whether duplicate or obsolete software exists,” the DOD IG report notes. “However, none of the commands or divisions maintained a comprehensive inventory of the software applications installed on their networks.” DOD Instruction 8530.01 requires agency components to “capture, correlate, analyze, and provide continuous visibility into DOD assets, including software applications.”
In a July 10, 2018, memorandum to DOD officials, DOD CIO Dana Deasy stated that the Pentagon had yet to report over 30 percent of its software inventory, according to the IG report.
“Because the reporting of software inventory for the congressional software inventory reporting cycle is not complete, the DoD and its Components lack visibility over their assets and, therefore, are unable to determine the extent of existing vulnerabilities that could impact operations if information processed, stored, or transmitted by software applications is compromised,” the report states.
Protecting software applications against cybersecurity risks consists of implementing cyber hygiene practices, such as patching authorized software and deploying anti-virus software, the report adds.