Report On NASA’s Software Asset Management
WHY WE PERFORMED THIS AUDIT
NASA uses thousands of unique software products from hundreds of vendors in its efforts to advance science, technology, aeronautics, Earth studies, and space exploration. Each software application and program comes with a license—a contract between the entity creating or supplying the software and the end user—governing its use. Managing software licensing is deceptively complex due to the sheer volume of software vendors and applications yet is crucial to effectively secure NASA operations and track tens of millions of dollars in license fees. Software Asset Management is the business practice that administers the processes, policies, and procedures that support the software life cycle of planning, acquisition, use, management, and disposal.
Effective Software Asset Management helps reduce information technology (IT) costs and mitigate operational, cybersecurity, and financial risks related to software ownership and use. NASA’s software portfolio consists of purchased software programs subject to varying types of licenses as well as internally developed mission and institutional software applications that are not licensed by the Agency. Purchased software must be used in accordance with the terms of its license with potential financial penalties if vendor audits find violations of license agreements or during the “true-up” process (the yearly vendor evaluation of qualified software licenses deployed within an organization). Internally developed software also needs to be tracked to identify duplicate or obsolete applications.
In this audit, we assessed whether NASA is managing its software assets in an effective and efficient manner while maintaining compliance with applicable requirements and security best practices. This included analyzing documentation relevant to NASA’s software management activities, assessing NASA’s centralized Software Asset Management program, and discussing internal software development activities with responsible officials.
WHAT WE FOUND
Software Asset Management practices at NASA currently expose the Agency to operational, financial, and cybersecurity risks with management of the software life cycle largely decentralized and ad hoc. Efforts to implement an enterprisewide Software Asset Management program have been hindered by both budget and staffing issues and the complexity and volume of the Agency’s software licensing agreements. We rated NASA’s Software Asset Management as “basic”— the lowest of the four rating options in the Software Asset Management Maturity and Optimization Model developed by Microsoft and adopted from the International Organization for Standardization/International Electrotechnical Commission. Consequently, NASA is likely years away from moving to an enterprise computing model in which IT capabilities, such as software asset management and cybersecurity, are centralized and consolidated. In the meantime, the Agency has yet to embrace key best practices or fully implement federal guidance required to appropriately manage its Software Asset Management program.
NASA has not implemented a centralized Software Asset Management tool to discover, inventory, and track license data as required by federal policy. This shortcoming has resulted in NASA spending approximately $15 million over the past 5 years on unused licenses, an amount we found wasteful and are therefore questioning. We also found internally developed mission and institutional software applications suffer from a lack of centralization and inventory visibility, limiting the Agency’s ability to identify duplicative or obsolete software. NASA’s Software Asset Management policy is not comprehensive or standardized, leaving roles, responsibilities, and processes unclear. In addition, the Agency’s Software Asset Management Office and Software Manager positions are misaligned and do not report to the Chief Information Officer as required by federal policy. The Agency also does not have consistent processes for legal representation during software contract negotiations and vendor audits, which can expose the Agency to increased costs because of penalties for violations of software license agreements. Furthermore, training for software license use and management is inconsistent across the Agency, with aging web-based training randomly assigned to personnel and a lack of a general software licensing training course available to the entire workforce.
NASA has failed to implement processes necessary to manage financial risks as software purchases are not sufficiently tracked and authorized by the Office of the Chief Information Officer (OCIO)—allowing some users to bypass OCIO authorization (and Software Asset Management team scrutiny) to purchase software through alternative means such as purchase cards. Moreover, NASA’s current efforts to compile a complete and accurate report of annual software spending is a time consuming and mostly manual effort. Given all of these shortcomings, NASA has historically experienced a large influx of software into its network environment that is not sufficiently tracked for license compliance resulting in more than $20 million unnecessarily spent on software fines and penalties over the last 5 years. We estimate the Agency could have saved approximately $35 million ($20 million in fines and overpayments and $15 million in unused licenses) and moving forward could save $4 million over the next 3 years by implementing an enterprise-wide Software Asset Management program.
Lastly, NASA has not implemented the enterprise-wide processes necessary to appropriately manage the cybersecurity risks related to Software Asset Management. Software downloaded with privileged access is not tracked for license compliance and life-cycle management, and NASA does not have a consistent, Agency-wide process for limiting privileged access or using “least privilege” permissions, which gives users only the software permissions necessary for their job. This deviation from best practices is a cybersecurity risk because software deployed within the Agency raises both cybersecurity and software license compliance risks.
WHAT WE RECOMMENDED
To strengthen operational and cyber aspects of Software Asset Management, we recommended the Chief Information Officer (1) establish enterprise-wide (institutional and mission) Software Asset Management policy and procedures; (2) implement a single Software Asset Management tool across the Agency; (3) align the Agency Software Manager position to report to the Agency Chief Information Officer; (4) establish formal legal representation and guidance for vendor software audits; (5) establish a software license awareness training ‘short course’ focusing on approvals, compliance, and other issues a general user might encounter; (6) implement a centralized repository for NASA’s internally developed software applications; and (7) develop an Agency-wide process for limiting privileged access to computer resources in accordance with the concept of least privilege. Additionally, to strengthen the financial aspects of NASA’s Software Asset Management, we recommended the Chief Financial Officer (8) implement a “penalty spend” classification in SAP to track license infractions and true-up payouts and (9) centralize software spending insights to include purchase cards. We provided a draft of this report to NASA management, who concurred or partially concurred with Recommendations 1, 2, 4, 5, 6, 7, 8, and 9. We consider the proposed actions responsive and therefore those recommendations are resolved and will be closed upon completion and verification of the proposed corrective actions. The Agency also partially concurred with Recommendation 3, however, we consider the proposed actions to this recommendation unresponsive. The Agency stated that the Software Asset Manager will establish a regular cadence of reporting to the Agency Chief Information Officer and senior management boards to provide insight into software management activities. We disagree that these actions meet the federal requirement for the software manager to report directly to the Chief Information Officer. Consequently, Recommendation 3 will remain unresolved pending further discussions with the Agency.
