Federal IT officials are starting to consider another side effect of the demand for near-universal telework: the need for better inventorying of their software licenses, especially now that agencies have bought more mobile devices and made other changes to their networks.
Consider the U.S. Department of Agriculture, which has about 35,000 unique software applications across agency devices, with an average of only two installations each, according to Tim McCrosson, associate chief information officer for the department’s Client Experience Center.
Each update or version of an app counts as a separate license, but even considering that fact, the overall number of licenses is unscalable in the long run, McCrosson says. With that in mind, USDA wants all of its approximately 110,000 employees installing the same apps when possible,
“Increasing that average installation rate is something that’s very important to me,” McCrosson said, during an Advanced Technology Academic Research Center (ATARC) webinar Thursday. “And decreasing the number of overall software applications is also interesting because it’s going to make my service desk, my support group, more efficient.”
Fewer apps mean less testing and less that can go wrong, because each version of a piece of software represents an additional cybersecurity threat vector, he said.
The Air Force confronted its license inventory issues head-on as it moved to telework, said Chief Technology Officer Frank Konieczny. The service had to prioritize hardware like laptops because its airmen were used to working from desktops in the office.
A bring-your-own-device (BYOD) pilot was quickly launched, but that policy quickly depleted the telework funding money provided under the Coronavirus Aid, Relief, and Economic Security Act, Konieczny said.
Agencies inventory software licenses using automated discovery tools and metrics on usage and numbers purchased to ensure they have what they need. The challenge is hardly a new one.
In May 2014, the Government Accountability Office found only two of the 24 CFO Act agencies had comprehensive policies for managing software licenses, and only two kept an inventory. Missed savings could be as high as $181 million at some agencies, according to the GAO report.
Two years later the Making Electronic Government Accountable by Yielding Tangible Efficiencies (MEGABYTE) Act was passed requiring agencies to continually inventory software licenses, analyze their use, and report savings.
Still, 19 of the 135 recommendations for improving software license management that GAO made in its 2014 report remained unimplemented as of November 2019. Six such recommendations had to do with maintaining and analyzing software license inventories, according to the GAO audit.
Sizing up the problem
Improved software license management becomes all the more critical because of the cost savings associated with deprovisioning apps like Skype, which Microsoft is retiring on July 31, 2021, in favor of Teams. Both USDA and the Air Force primarily use Microsoft Teams since the start of the coronavirus pandemic.
Rationalization — the process of keeping, replacing, retiring or consolidating apps — reduces license duplication and allows funds to be reallocated possibly to COVID-19-related initiatives, said Kim Weins, vice president of cloud strategy, at Flexera.
Companies might be forgiving with license cost estimates during the pandemic, Weins said, but eventually agencies will be hit with audits and possibly “true ups” — when a software provider measures the actual number of licenses and bills for that higher number.
“Now we need to sort of get our arms around what we’ve done,” she said. “We maybe want to prevent the coming hangover, so to speak.”
Vendors “always” come to the Air Force looking for true-ups, which has about 150 bases worldwide — often with their own unique set of apps, Konieczny said.
As a result, the Air Force needs to improve its inventorying, especially when an insecure version of software needs to be quickly identified across all bases, he said. Cybersecurity software is potentially a problem area, Konieczny said.
“We have an initiative to actually decrease the number of cybersecurity tools because there are too many now,” he said. “And you can’t really operate effectively with that many toolsets.”
Telework-related licenses aren’t going away, with McCrosson estimating 90% of USDA IT support will remain remote once the pandemic ends and Konieczny adding the Air Force is discussing permanent telework positions.
“The shift to our digital experience has been accelerating,” said John Moses, director of governance and enterprise management services at the Nuclear Regulatory Commission. “Plus any barriers you might have experienced in the past, those seem to be diminished or almost washed away.”
NRC formed teams to centralize software and hardware assets, with the former assigning portfolios of software license agreements for companies like Microsoft and IBM to individuals. Different versions of software are evaluated, and the agency tries to buy in larger quantities per agreement, Moses said.
New tools and features are offered to employees in an effort to replace and consolidate software “chaff,” he said.
The Air Force is running a number of other mobile-tech pilots, like video-to-text capability and augmented reality consultations for aircraft repairs.
Another pilot program under consideration would allow teleworkers on mobile devices to securely connect, using zero-trust architecture, to apps like Office 365. Implementing zero-trust technology would necessitate other changes, Konieczny said.
“Do I have something that could actually change my endpoint security?” he said. “Which means the licensing would change; the inventory would change.”