NASA uses thousands of unique software products from hundreds of vendors in its efforts to advance science, technology, aeronautics, Earth studies, and space exploration. Each software application and program comes with a license—a contract between the entity creating or supplying the software and the end user—governing its use. Managing software licensing is deceptively complex due to the sheer volume of software vendors and applications yet is crucial to effectively secure NASA operations and track tens of millions of dollars in license fees. Software Asset Management is the business practice that administers the processes, policies, and procedures that support the software life cycle of planning, acquisition, use, management, and disposal.
Effective Software Asset Management helps reduce information technology (IT) costs and mitigate operational, cybersecurity, and financial risks related to software ownership and use. NASA’s software portfolio consists of purchased software programs subject to varying types of licenses as well as internally developed mission and institutional software applications that are not licensed by the Agency. Purchased software must be used in accordance with the terms of its license with potential financial penalties if vendor audits find violations of license agreements or during the “true-up” process (the yearly vendor evaluation of qualified software licenses deployed within an organization). Internally developed software also needs to be tracked to identify duplicate or obsolete applications.
In this audit, we assessed whether NASA is managing its software assets in an effective and efficient manner while maintaining compliance with applicable requirements and security best practices. This included analyzing documentation relevant to NASA’s software management activities, assessing NASA’s centralized Software Asset Management program, and discussing internal software development activities with responsible officials.
WHAT WE FOUND
Software Asset Management practices at NASA currently expose the Agency to operational, financial, and cybersecurity risks, with management of the software life cycle largely decentralized and ad hoc. Efforts to implement an enterprise-wide Software Asset Management program have been hindered by both budget and staffing issues and the complexity and volume of the Agency’s software licensing agreements. We rated NASA’s Software Asset Management as “basic”—the lowest of the four rating options in the Software Asset Management Maturity and Optimization Model developed by Microsoft and adopted from the International Organization for Standardization/International Electrotechnical Commission. Consequently, NASA is likely years away from moving to an enterprise computing model in which IT capabilities, such as software asset management and cybersecurity, are centralized and consolidated. In the meantime, the Agency has yet to embrace key best practices or fully implement federal guidance required to appropriately manage its Software Asset Management program.
NASA has not implemented a centralized Software Asset Management tool to discover, inventory, and track license data as required by federal policy. This shortcoming has resulted in NASA spending approximately $15 million over the past 5 years on unused licenses, an amount we found wasteful and are therefore questioning. We also found internally developed mission and institutional software applications suffer from a lack of centralization and inventory visibility, limiting the Agency’s ability to identify duplicative or obsolete software. NASA’s Software Asset Management policy is not comprehensive or standardized, leaving roles, responsibilities, and processes unclear. In addition, the Agency’s Software Asset Management Office and Software Manager positions are misaligned and do not report to the Chief Information Officer as required by federal policy. The Agency also does not have consistent processes for legal representation during software contract negotiations and vendor audits, which can expose the Agency to increased costs because of penalties for violations of software license agreements. Furthermore, training for software license use and management is inconsistent across the Agency, with aging web-based training randomly assigned to personnel and a lack of a general software licensing training course available to the entire workforce.
NASA has failed to implement processes necessary to manage financial risks, as software purchases are not sufficiently tracked and authorized by the Office of the Chief Information Officer (OCIO)—allowing some users to bypass OCIO authorization (and Software Asset Management team scrutiny) to purchase software through alternative means such as purchase cards. Moreover, NASA’s current effort to compile a complete and accurate report of annual software spending is a time-consuming and mostly manual process. Given all of these shortcomings, NASA has historically experienced a large influx of software into its network environment that is not sufficiently tracked for license compliance, resulting in more than $20 million unnecessarily spent on software fines and penalties over the last 5 years. We estimate the Agency could have saved approximately $35 million ($20 million in fines and overpayments and $15 million in unused licenses) and, moving forward, could save $4 million over the next 3 years by implementing an enterprise-wide Software Asset Management program.
Lastly, NASA has not implemented the enterprise-wide processes necessary to appropriately manage the cybersecurity risks related to Software Asset Management. Software downloaded with privileged access is not tracked for license compliance and life-cycle management, and NASA does not have a consistent, Agency-wide process for limiting privileged access or applying “least privilege” permissions, which give users only the software permissions necessary for their job. This deviation from best practices is a cybersecurity risk because software deployed within the Agency without such tracking and controls raises both cybersecurity and software license compliance risks.