Software Compliance
And the latest is ...

SAM Practices - The NASA Experience

25/1/2023


Internal Audit Report highlights flaws in NASA's SAM Practices that many organizations will relate to.

Oh oh ... it's 2023 yet we see it all here again: "Software Asset Management practices at NASA currently expose the Agency to operational, financial, and cybersecurity risks with management of the software life cycle largely decentralized and ad hoc."
The OIG summary of their SAM audit says it all: 
  • Efforts to implement an enterprise-wide Software Asset Management program have been hindered by both budget and staffing issues and the complexity and volume of the Agency’s software licensing agreements.
  • NASA has not implemented a centralized Software Asset Management tool to discover, inventory, and track license data as required by federal policy.
  • NASA’s Software Asset Management policy is not comprehensive or standardized, leaving roles, responsibilities, and processes unclear.
  • Training for software license use and management is inconsistent across the Agency, with aging web-based training randomly assigned to personnel and a lack of a general software licensing training course available to the entire workforce.
  • NASA’s current efforts to compile a complete and accurate report of annual software spending is a time consuming and mostly manual effort.

... with all of the above quantified in cost terms as:

"We estimate the Agency could have saved approximately $35 million ($20 million in fines and overpayments and $15 million in unused licenses) and moving forward could save $4 million over the next 3 years by implementing an enterprise-wide Software Asset Management program."

All of this makes a compelling case for implementing improvements and progressing NASA’s Software Asset Management from “basic” (the lowest of the four rating options in the Software Asset Management Maturity and Optimization Model developed by Microsoft) up through the scale, whose tiers are described below:
  • Basic. Software is managed on an ad hoc basis with few, if any, comprehensive policies.
  • Standardized. The agency uses a discovery tool or data repository for tracking assets, although the information may not be complete or accurate enough for decision-making.
  • Rationalized. Assets are actively managed, and the agency has put in place policies, procedures, and tools integrated into the full IT asset life cycle.
  • Dynamic. Assets are optimized, with near real-time alignment with changing business needs.
The report is an insightful read for all SAM practitioners - and responsible management and executives - with clear language and succinct descriptions of the scope and challenges in the field of software asset management, and a pragmatic approach to the creation of an effective SAM Practice that applies to any size organization with a notable software inventory, not just those on the NASA scale.

So, to the findings ...

It was recommended that the Chief Information Officer:
(1) establish enterprise-wide (institutional and mission) Software Asset Management policy and procedures;
(2) implement a single Software Asset Management tool across the Agency;
(3) align the Agency Software Manager position to report to the Agency Chief Information Officer;
(4) establish formal legal representation and guidance for vendor software audits;
(5) establish a software license awareness training ‘short course’ focusing on approvals, compliance, and other issues a general user might encounter;
(6) implement a centralized repository for NASA’s internally developed software applications; and
(7) develop an Agency-wide process for limiting privileged access to computer resources in accordance with the concept of least privilege.

Additionally, to strengthen the financial aspects of NASA’s Software Asset Management it was recommended that the Chief Financial Officer:
(8) implement a “penalty spend” classification in SAP to track license infractions and true-up payouts; and
(9) centralize software spending insights to include purchase cards.

Nothing fresh there, just the usual (and often unheeded) advice. 

Unravelling license complexity for Business
ACN 623 529 751

Copyright © 2016-2024 (SWC) ​​
