Cyber, talent challenges sideline USPS software license management

A new report from the U.S. Postal Service’s inspector general has found that the agency’s software license management program is noncompliant with both its policies and industry best practices.

The report looks at USPS efforts to manage its software license management environment—on which the agency spent $174 million in fiscal 2016 alone—finding delays in efforts to deliver an updated system and contract management flaws.

“Without a fully implemented centrally managed software license program, the Postal Service cannot readily track and analyze software license usage across the organization to ensure it does not purchase unnecessary software licenses and ensure compliance with software license agreements,” the report said. “This could result in missed opportunities for volume pricing, purchasing of unneeded licenses or penalties for non-compliance with software license agreements.”

One such instance of noncompliance penalties occurred in fiscal 2015, when the USPS racked up $26.8 million in penalties it paid to a supplier for “inappropriate software license usage for two applications.”

The agency began work on an updated system in fiscal 2014, but investigators said that delays have pushed its projected rollout back to fiscal 2020. In the meantime, the current system fails to meet USPS policies by not possessing an enterprisewide software license inventory that utilizes automated discovery or metrics capabilities.

The report found that the USPS’s IT Acquisition Support group, which manages the agency’s software license inventory, does operate a database of license information that it monitors annually for contract compliance, but it is done manually. Officials told the OIG it could take them three works or more to determine the contract compliance of larger software contracts.

Officials said the enhanced system delays resulted from management focusing its priorities on agencywide cybersecurity-related improvements, coupled with significant personnel turnovers within the office.

The OIG also looked at USPS’s software contract management, which is maintained by its IT software group within the supply management program.

Investigators reviewed seven of the 263 active software license contracts, finding three missing clauses centering on information security, one missing a provision on system integrity, and one missing both a system integrity provision and a clause centering on indefinite quantity.

The OIG said that the missing system integrity provision would leave the USPS without protection against “compromise or degraded integrity of the operating system.” Likewise, the missing information security clauses would leave the agency open to cyber exposure and the indefinite quantity clause could result in higher liability costs in a contract dispute.

“According to management, this occurred because the IT Software group within Supply Management has experienced challenges related to staffing and retaining an experienced contracting workforce,” the report said. “New personnel were not aware of the requirements for IT-related provisions and clauses in software contracts.”

The OIG offered three recommendations:

• Complete implementation of the centrally managed software license program that complies with Postal Service policy and best practices.
• Review current Information Technology (IT) software contracts and modify those that do not include the required IT-related provision and clauses.
• Implement a process to ensure that future Information Technology (IT) software contracts include the required IT-related provision and clauses.

Regarding the first recommendation, USPS officials agreed to automate the new software license management system, but disagreed that they were not in compliance with agency policy.

The OIG said that during the investigation, officials could not provide it with a comprehensive enterprisewide software license inventory listing, which is against the intent of the policy.

Regarding the second recommendation, officials said the contracts predated the information security clause issue date. They added that one contract wasn’t missing the system integrity provision and indefinite quantity clause and they would submit additional evidence.

Officials added that they would review all active IT software contracts and would add a solicitation/contract template to provide staff.

The updated software license management system is expected to be implemented in March 2020.