It’s been more than a year since the MEGABYTE Act became law, and federal agencies will soon have to demonstrate their compliance with it.
Short for the Making Electronic Government Accountable By Yielding Tangible Efficiencies Act, the law requires agency CIOs to establish comprehensive inventories of their software management licenses and their lifecycles for five fiscal years, starting with 2017, which ends Sept. 30.
But years of decentralized networks have left agencies in a complex quest for both an inventory of the software they use and more secure policies on how to manage licenses on their systems.
“That’s a problem from an efficiency and effectiveness perspective,” said Carol Harris, director of information technology at the Government Accountability Office. “When you have a decentralized inventory, you are not able to effectively [assess] the needs of your mission or your agency if you don’t know what you have.”
The June release of the most recent Federal IT Acquisition Reform Act scorecard — which included MEGABYTE Act compliance scores as a new metric — showed that of the 24 cabinet-level agencies, all but three (the General Services Administration, Department of Education and U.S. Agency for International Development) failed in their software licensing practices. MEGABYTE Act scores did not factor into agencies’ FITARA scores.
“That didn’t surprise us at all,” said Adam McIlwain, senior manager at SIE Consulting, an Arlington, Virginia-based contractor that services the General Services Administration’s Software License Management Service program.
“If you look at the FITARA scores there, they are slowly ticking in the right direction, but not remarkably. Most of the time when we sit with a new customer and listen to their problems, there are things we’ve heard over and over,” McIlwain said. “But that also, I think, goes to show that problems themselves are similar, but the solutions aren’t that different either. But this is a common problem, without a doubt.”
Harris, writing in a 2014 GAO report, was among the first to identify the software licensing problems agencies faced. She said the lack of a managing policy over software licenses allowed agencies to add products to their networks without a detailed inventory of what was there.
The 2014 report went on to advise the Office of Management and Budget to develop an agencywide policy, and it crafted 131 recommendations for the 24 agencies. Harris said the progress that has been made in the wake of the report was aided greatly by the MEGABYTE Act and OMB’s 2016 guidance on centralizing license management. But development is still slow, with only 24 recommendations implemented as of July.
Enter programs like GSA’s SLMS, which provides an analysis of the software license gaps on an agency network, finds vulnerabilities and advises on how to remedy them with a roadmap for correcting problems.
But McIlwain said that some agencies may not have the resources to apply the fixes, pointing to the Office of Personnel Management as one.
SIE Consulting conducted an assessment of OPM’s software license management that ran between November 2016 and March 2017.
“We heard it over and over when we were there: ‘We don’t have resources, we don’t have the staff, we can’t hire,’” McIlwain said. “So it was kind of a perfect storm of things working against them. A lot of it comes down to whether they have the resources to commit to it. And how do they manage all of the issues, all of the compliance and keep the lights on.”
OPM declined to offer an immediate response to FedScoop’s requests for comment.
But the irony remains that while some agencies are stretching budgets to incorporate more compliance, there are savings to be found in maintaining an accurate software inventory.
“In this current climate, if you are looking to save some dollars, this is a great area where you can certainly cut the fat,” Harris said.