The Office of Inspector General (OIG) at NASA says the aeronautics and space agency’s Software Asset Management practices currently expose it to operational, financial, and cybersecurity risks with management of the software life cycle largely decentralized and ad hoc. OIG found that efforts to implement an enterprise-wide Software Asset Management program have been hindered by both budget and staffing issues and the complexity and volume of the agency’s software licensing agreements.
OIG rated NASA’s Software Asset Management as “basic”, the lowest of the four rating levels in the Software Asset Management Maturity and Optimization Model developed by Microsoft and adapted from the International Organization for Standardization/International Electrotechnical Commission. Consequently, OIG said NASA is likely years away from moving to an enterprise computing model in which IT capabilities, such as software asset management and cybersecurity, are centralized and consolidated. In the meantime, OIG found that the agency has yet to embrace key best practices or fully implement the federal guidance required to appropriately manage its Software Asset Management program. The watchdog said NASA has not implemented a centralized Software Asset Management tool to discover, inventory, and track license data as required by federal policy.
This shortcoming has resulted in NASA spending approximately $15 million over the past five years on unused licenses, an amount OIG determined to be wasteful and is therefore questioning.
The audit found that NASA has not implemented the enterprise-wide processes necessary to appropriately manage the cybersecurity risks related to Software Asset Management. Specifically, OIG found that software downloaded with privileged access is not tracked for license compliance or life-cycle management and may inadvertently introduce cyber vulnerabilities, including malware, into NASA’s network. In addition, inspectors noted that NASA does not have a consistent, agency-wide process for limiting privileged access or for applying “least privilege” permissions, which give users only the software permissions necessary for their job. OIG stated that over the last 15 years, through three enterprise-wide IT management contracts, NASA has struggled to gain control over the use of privileged access.
According to OIG’s analysis, data indicated that between 2020 and 2022 almost 11,000 users agency-wide were granted privileged access, primarily to install software. Alarmingly, the watchdog identified that all of the approximately 6,500 users at one NASA Center have been granted privileged access to their computers, essentially including the ability to download and install software at will. NASA officials told OIG that while the use of privileged access by approximately 6,500 users at the Center has received scrutiny over the years, operational constraints, conflicts arising from the complexity and scale of NASA’s federated environment, and funding continue to delay restrictions on privileged access.
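To make concrete what a centralized inventory-and-license reconciliation gives a defender that the decentralized state described above does not, here is an added example (not code from the OIG report or from NASA). It runs over a constructed software inventory and a constructed entitlement table (hosts, products, users, seat counts and prices are all hypothetical) and reports the three gaps the audit names: paid seats nobody is using, deployments that exceed purchased seats (the compliance exposure behind vendor-audit penalties), and software installed with privileged access that no approved catalogue or purchase record covers.

```python
"""Added example: minimal software-asset reconciliation over a constructed
inventory. Not from the OIG report; all data below is hypothetical."""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Install:
    host: str
    product: str
    installed_by: str
    privileged: bool  # True when the installing account had admin rights


# Constructed discovery output, e.g. what an endpoint agent would report.
INVENTORY = [
    Install("ws-001", "CADTool", "alice", False),
    Install("ws-002", "CADTool", "bob", False),
    Install("ws-003", "DataViz", "carol", True),
    Install("ws-004", "UnknownUtil", "dave", True),   # no purchase record
    Install("ws-005", "CADTool", "erin", True),
    Install("ws-006", "DataViz", "frank", False),
]

# Constructed purchase records: product -> (seats purchased, unit cost in USD).
ENTITLEMENTS = {"CADTool": (10, 1200.0), "DataViz": (1, 800.0)}

# Constructed approved-software catalogue (what OCIO has authorized).
APPROVED = {"CADTool", "DataViz"}


def reconcile(inventory, entitlements, approved):
    """Compare discovered installs against purchases and the approved list.

    Returns a dict of findings; each key maps to one of the audit's risk
    categories (financial waste, compliance exposure, untracked privileged
    installs)."""
    used = Counter(i.product for i in inventory)

    # Financial risk: seats bought but not deployed anywhere.
    unused_seats, unused_cost = {}, 0.0
    for product, (seats, unit_cost) in entitlements.items():
        idle = seats - used.get(product, 0)
        if idle > 0:
            unused_seats[product] = idle
            unused_cost += idle * unit_cost

    # Compliance risk: more installs than seats purchased.
    overdeployed = {
        p: used[p] - entitlements[p][0]
        for p in used
        if p in entitlements and used[p] > entitlements[p][0]
    }

    # Installs with no purchase record at all.
    unlicensed = sorted({i.product for i in inventory if i.product not in entitlements})

    # Cyber risk: software placed on a host by a privileged account that is
    # not in the approved catalogue, so nobody vetted or tracked it.
    privileged_unapproved = [
        (i.host, i.product, i.installed_by)
        for i in inventory
        if i.privileged and i.product not in approved
    ]
    privileged_count = sum(1 for i in inventory if i.privileged)

    return {
        "unused_seats": unused_seats,
        "unused_license_cost": unused_cost,
        "overdeployed": overdeployed,
        "unlicensed_products": unlicensed,
        "privileged_unapproved": privileged_unapproved,
        "privileged_install_count": privileged_count,
    }


if __name__ == "__main__":
    for key, value in reconcile(INVENTORY, ENTITLEMENTS, APPROVED).items():
        print(f"{key}: {value}")
```

The point of keeping the three outputs separate is that each maps to a different owner: unused seats and overdeployment go to the software asset manager and procurement, while the privileged-unapproved list is a security finding that should feed the least-privilege review the audit recommends. On the constructed data, seven CADTool seats sit idle, DataViz is deployed one seat beyond its purchase, and one utility was installed by an admin account with no record of purchase or approval.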
OIG also found that internally developed mission and institutional software applications suffer from a lack of centralization and inventory visibility, limiting the agency’s ability to identify duplicative or obsolete software. Inspectors found that NASA’s Software Asset Management policy is not comprehensive or standardized, leaving roles, responsibilities, and processes unclear. In addition, the agency’s Software Asset Management Office and Software Manager positions were found to be misaligned and do not report to the Chief Information Officer as required by federal policy.
OIG’s audit also revealed that NASA does not have consistent processes for legal representation during software contract negotiations and vendor audits, which can expose the agency to increased costs because of penalties for violations of software license agreements. Furthermore, OIG said training for software license use and management is inconsistent across the agency, with aging web-based training randomly assigned to personnel and a lack of a general software licensing training course available to the entire workforce.
The watchdog said NASA has failed to implement the processes necessary to manage financial risks, as software purchases are not sufficiently tracked and authorized by the Office of the Chief Information Officer (OCIO), allowing some users to bypass OCIO authorization (and Software Asset Management team scrutiny) by purchasing software through alternative means such as purchase cards. Moreover, OIG said NASA’s current efforts to compile a complete and accurate report of annual software spending are a time-consuming and mostly manual effort.
Absent these shortcomings, OIG estimates NASA could have saved approximately $35 million ($20 million in fines and overpayments and $15 million in unused licenses), and going forward could save $4 million over the next three years by implementing an enterprise-wide Software Asset Management program.
OIG made a raft of recommendations – including that NASA develop an agency-wide process for limiting privileged access to computer resources in accordance with the concept of least privilege – with which NASA partially agreed. The agency stated that the Software Asset Manager will establish a regular cadence of reporting to the Agency Chief Information Officer and senior management boards to provide insight into software management activities.