Federal agencies purchase thousands of software licenses annually. But the Office of Management and Budget (OMB) and the majority of agencies lack adequate policies for managing those licenses, said the congressional watchdog agency.
In the course of its investigation, the GAO found that only two of the 24 major federal agencies have comprehensive polices that include the establishment of clear roles and central oversight authority to manage enterprise software license agreements. Of the remainder, 18 agencies have policies in place but they are not comprehensive, and four agencies have no policies in place.
The potential savings could be significant, the GAO said, noting that one major federal agency reported saving $181 million in fiscal year 2012 by consolidating its enterprise license agreements.
The report was prepared for Sen. Thomas Carper (D-Del.), chairman of the Senate Committee on Homeland Security and Governmental Affairs.
Ineffective management of software licenses can lead not only to the purchase of too many licenses, resulting in unused software, but also can help avoid the purchase of too few licenses, which can incur additional costs, said the GAO.
The GAO found that the majority of federal agencies lack comprehensive policies to manage software agreements largely because they do not adhere to best practices in this area. Best practices include centralizing management, establishing software license inventory, tracking and maintaining inventory, analyzing software license data, and providing sufficient training.
Only four federal agencies have fully implemented centralized software licensing management, and only two have fully implemented a software license inventory, said the GAO.
Improper software license inventory tracking across the major federal agencies makes it impossible to accurately estimate whether software licenses are over or under purchased, said the GAO.
The data that agencies were able to provide regarding the most widely used applications had limitations, said the GAO. This was because agencies furnished data in a variety of different ways, including by license count, use, and cost. In addition, the data agencies furnished on the most widely used applications was not always complete.
The GAO recommended that OMB issue a directive to help guide agencies in managing licenses. It also advised the 24 agencies to improve their policies and practices for managing licenses.
"The weaknesses in agencies' policies were due, in part, to the lack of a priority for establishing software license management practices and a lack of direction from OMB," the report said. "Without an OMB directive and comprehensive policies, it will be difficult for the agencies to consistently and effectively manage software licenses."
In its comment on the findings, OMB disagreed with the need for a directive, said the GAO. However, most agencies generally agreed with the watchdog group's recommendations.
NIST's cyber-security framework gives critical-infrastructure operators a new tool to assess readiness. But will operators put this voluntary framework to work? Read the Protecting Critical Infrastructure issue of InformationWeek Government today.
William Welsh is a contributing writer to InformationWeek Government. He has covered the government IT market since 2000 for publications such as Washington Technology and Defense Systems. View Full Bio
How Enterprises Are Attacking the IT Security EnterpriseTo learn more about what organizations are doing to tackle attacks and threats we surveyed a group of 300 IT and infosec professionals to find out what their biggest IT security challenges are and what they're doing to defend against today's threats. Download the report to see what they're saying.
IT Strategies to Conquer the CloudChances are your organization is adopting cloud computing in one way or another -- or in multiple ways. Understanding the skills you need and how cloud affects IT operations and networking will help you adapt.