Agencies’ incomplete software application inventories are creating security risks, a government watchdog believes.
The Government Accountability Office’s recently published review of 24 agencies found three had not fully met any of the four practices needed for a complete software application inventory. Only four agencies had fully met the practices, and 17 met some of them.
An incomplete inventory creates a security risk because “agencies can only secure assets if they are aware of them,” the auditors noted.
To be considered a complete inventory, the GAO said, agencies must include business and enterprise IT systems, as well as those of their organizational components; specify application name, description, owner and function supported; and perform regular updates.
Most of the agencies met the first three requirements, the GAO noted, because of an Office of Management and Budget requirement to complete an IT asset inventory by the end of May 2016.
The GAO recommended that 20 of the agencies “improve their inventories and five of the selected agencies take actions to improve their processes to rationalize their applications more completely.”
Agencies are also risking missing out on potential savings by not knowing what applications are on their networks, the GAO added.
“Agencies that did not fully address these practices stated, among other things, their focus on major and high risk investments as a reason for not having complete inventories,” the auditors wrote. “However, not accounting for all applications may result in missed opportunities to identify savings and efficiencies.”
The departments of Defense, Homeland Security and Justice, and the General Services Administration all met the four requirements for a complete inventory, the auditors found.
Conversely, the departments of Transportation and Labor, and the Small Business Administration hadn’t fully met any of the four requirements.
The Labor Department’s CIO and several other department officials told the GAO “there is no comprehensive inventory of enterprise IT and business systems.” The list they did have also didn’t include the business function of the applications, and the department didn’t provide evidence it had a process to regularly update the inventory.
The Small Business Administration’s inventory didn’t include all of its business and enterprise IT systems. The agency said a number of field offices are running unsupported applications, though it has started an initiative to identify and report those.
Its inventory also doesn’t include business function, and the agency provided no evidence that it was actually using the automated tools it says it has started using to update the inventory.
The auditors found DOT’s inventory partially met each of the four requirements, but it did not include all enterprise IT systems. The department’s inventories also don’t include applications used by all of its components, such as applications used by the Federal Highway Administration and the Federal Transit Administration.
In August, Transportation CIO Richard McKinney said the department had hired a company to do a network assessment that had been running for the past six to eight months. McKinney also said at the time that the company had installed software to help the department understand the whole network, including device location and health, and traffic between various points on the network.
McKinney noted then the department’s future plan would be to “take everything we’ve discovered and everything we’ve learned, and then take in to account all of our applications and the services that are going to ride on our network now and in the future.”
“And we’re going to come up with an end-state design that’ll shape our planning and our architectural redesign, if you will, over the next few years,” he said.
McKinney told FedScoop Friday that the DOT now understands the physical network and is “well underway” with a software application assessment.
“We’ve moved on to tackle that issue,” he said.