NASA ‘Light Years’ from a Centralized Software Management Program

In a report released last Thursday, the NASA Office of Inspector General (IG) identified shortcomings in the agency’s current software asset management practices. Federal law and policy require agencies to manage software assets effectively, with a software manager who reports directly to the CIO and the use of a suite of tools to manage, monitor, inventory and optimize software licenses. The IG found that NASA does not fully comply with these measures, resulting in operational inefficiencies, overspending, and exposing the agency to cyber risks.

Giving the agency the lowest rating in the Software Asset Management Maturity and Optimization Model, the IG states that, “NASA’s management of its software life cycle remains decentralized and ad hoc with the Agency’s efforts to implement an enterprise-wide Software Asset Management program challenged by budget and staffing issues as well as the complexity and volume of its software licensing agreements.

The results of the IG’s audit reveal several areas the agency will need contractor support to regain cadence in the enterprise-wide management of its software and IT assets. The IG’s recommendations from the report give a glimpse at future agency steps for a centralized software management program.

Operational Effects

The IG found that NASA has not implemented a centralized Software Asset Management tool for complete visibility into the agency’s software assets. The lack of a centralized inventory database results in unnecessary spending and labor-intensive efforts to assess the risk and compliance of each piece of software. NASA also lacks a process for software rationalization, resulting in duplicate software development and misuse of commercial software license agreements. In fact, the IG uncovered an estimated $15M in wasted spending over the past five years on unused Oracle licenses.  Moreover, NASA’s business rules, user training, and legal processes for managing software assets were found unclear and inconsistent by the IG.

In the report, the IG described a joint effort that has begun between NASA’s Office of Chief Information Officer (OCIO) and the NASA Shared Services Center (NSSC) with the purchase of a Software Asset Management component of ServiceNow to integrate into NSSC’s existing ServiceNow environment. The initiative aims to track, evaluate and management the agency’s enterprise software licenses, compliance, and optimization. The pilot framework for the joint effort is slated to begin in April 2023.

Financial Effects

NASA’s IG also identified a lack of insight to software spending by the OCIO, due to the federated nature of agency’s IT, procurement, and finance data sources. This is despite a $300M OCIO software budget in FY 2022, according to the IG. Furthermore, NASA has a lack of insight into software acquired by purchase cards, as obscure policy allows some purchase card users to bypass OCIO authorization for business and engineering software.

This inability to identify what software is purchased puts NASA at risk for increased software expenses. The IG calculated that NASA has spent more than $20M in unplanned software expenses through penalties and vendor audits in the past five years. Due to the agency’s lack of tracking payouts for software license infractions in NASA’s SAP financial management system, the IG estimates unplanned software expenses could even be higher. The IG reported that in August 2022, the OCIO agreed to explore a method to implementing a “penalty spend” classification in the SAP system to track infraction payouts.

Cyber Effects

Citing key cybersecurity components in the federal management of software assets, the IG found that NASA does not track software downloaded with privileged access for license compliance and software lifecycle management, nor does it have an enterprise-wide process to limit privileged access to computers. This places the agency at high risk for cyber-attacks, including malware on NASA networks.

In its audit, the IG found that between 2020 and 2022, almost 11,000 NASA users were granted privileged access to install software, in addition to another 6,500 users granted privileged access at a particular NASA center due to a resource vs. permission decision made at that center. Though the IG acknowledged that NASA has made some progress in controlling the use of privileged access on institutional systems, the audit found that 60% of NASA’s assets remain managed by Mission Directorates and outside the OCIO’s purview. Taken altogether, the fragmented IT governance at NASA leaves the agency with higher than necessary cyber risk, according to the IG.

IG Recommendations

As a result of its findings, the IG issued seven recommendations to the OCIO, and two recommendations for the Office of the Chief Financial Officer (OCFO). Agency management generally agreed with all recommendations.

1. Establish enterprise (institutional and mission-related) Software Asset Management policy and procedures
2. Implement a single Software Asset Management tool
3. Align the Agency Software Manager to report directly to the NASA’s CIO
4. Establish formal legal guidance for vendor software audits
5. Establish software license awareness training to general users
6. Implement a centralized repository for NASA’s internally developed software applications
7. Develop an enterprise process for limiting privileged access to computer resources in accordance with the least privilege concept
8. Implement a penalty spend classification in SAP (OCFO)
9. Centralize software spending insights to include purchase cards (OCFO)