In today’s uber-connected computing environment, the concept of an air-gapped, locked-down, stand-alone data center running proprietary special-use software is an anachronism. Even the most secure military data systems use some commercial off-the-shelf (COTS) software, and almost all IT environments are networked. Procurement and IT managers and officers look for the best hardware and software configurations needed to meet a specific goal and integrate them into existing data centers and networks. After years as common practice, this model raises the questions, “What exactly are we running?” and “What do we need?” A secure, approved and flexible IT asset management (ITAM) solution can help answer those questions.
Improving the Software Acquisition Process
The software that is in place, and the acquisition process itself, were the topic of a recent presentation by the Secretary of the Air Force, Heather Wilson. In her address, she noted that “We are facing a rapidly innovating adversary who is challenging us, and we have to be willing to accept more risk in our acquisition process.” She added that “This is particularly true when it comes to software. We’ll also be buying software as a ‘service,’ paying by actual usage, rather than by individual license, or the so-called consumptive license model. All of this adds up to faster decisions, faster analysis, faster strikes, faster assessments and more success in combat.” However, that change will require IT managers and officers to measure their actual consumption levels, which in turn requires an in-depth understanding of the details of their configurations. An approved ITAM solution would make all of that possible and support Secretary Wilson’s objectives.
The Problem with Legacy Systems
In her speech, Secretary Wilson also addressed the problem of legacy systems. By way of example, she spoke about the in-air refuelling software. She described how tacticians were using a software program written for the first Gulf War, nearly 30 years ago. The software was “grossly” out of date, and despite spending millions of dollars, software engineers were not able to update it. She noted that five or six Airmen were spending all day, every day, moving colored plastic shapes on a whiteboard to match tankers to fighters, to locations and times. In an unrelated article published by Computerworld, Tony Scott, the former federal CIO, is quoted telling Congress that legacy systems “often pose significant security risks, such as the inability to utilize current security best practices, including data encryption and multi-factor authentication, which make them particularly vulnerable to malicious cyber activity.” In fact, the article reported that the U.S. government has over 3,400 IT professionals employed to maintain legacy programming languages. Clearly, being able to discover and inventory legacy systems, understand the software they run, and develop a migration plan is key to cybersecurity, operational efficiency and effective use of scarce budgets.
Keeping Software Current
However, legacy systems are not the only components that need to be upgraded or replaced. Commercial software must be kept up-to-date with patches and new releases. In a public report entitled “Take Advantage of Software Improvements”, the National Security Agency (NSA) emphasized the critical need to keep software current. Citing the need to keep software patched, the report said “The Common Vulnerabilities and Exposures (CVE) database demonstrates the sheer volume of vulnerabilities that are reported daily and patched by vendors. Responsible enterprises — and malicious adversaries — act on this information. Malicious actors race to develop working exploits by analyzing and reverse engineering each software patch. Delaying or ignoring patches for vulnerabilities considerably increases the chance of systems being exploited, in particular Internet connected systems.” Without a Software Asset Management (SAM) program in place, it is difficult to determine what exact software various systems are running, and to what extent they are patched or running the most current version of the software.
The FITARA and MEGABYTE Acts
The critical need for military and governmental agencies to establish a comprehensive inventory of their data center equipment, and the installed software, has now been mandated by law. Congress passed two pieces of legislation: the Federal Information Technology Acquisition Reform Act (FITARA) and the Making Electronic Government Accountable by Yielding Tangible Efficiencies Act of 2016 (MEGABYTE). The focus of these laws and the requirements included in both make it mandatory for federal agencies to maintain accurate inventories of both hardware and software.
Specifically, the MEGABYTE Act requires the Chief Information Officer of each executive agency to:
• establish a comprehensive inventory, including 80% of software license spending and enterprise licenses in the executive agency, by identifying and collecting information about software license agreements using automated discovery and inventory tools
• regularly track and maintain software licenses to assist the executive agency in implementing decisions throughout the software license management life cycle
• analyze software usage and other data to make cost-effective decisions
• provide training relevant to software license management
• establish goals and objectives of the software license management program of the executive agency
• consider the software license management life cycle phases, including the requisition, reception, deployment and maintenance, retirement, and disposal phases, to implement effective decision making and incorporate existing standards, processes, and metrics.
Notwithstanding the mandates in the laws, recent reports indicate that very few federal departments are in compliance, or even come close. Perhaps one obstacle is identifying an ITAM solution approved for use in secure and government IT environments.
Overcoming the ITAM Challenge
Even though several commercial ITAM and SAM solutions and tools are available, a solution must meet a number of critical requirements before it can be used in a secure military or governmental computing environment:
• Having formal certification for use on the SIPRNET network
• Not installing new software or agents into existing systems
• Operating across multiple architectures
• Being scalable to very large environments
• Being priced to fit into existing budgets
• Providing fast time-to-value
• Being fully supported in a military environment
• Being available either as a secure cloud application or as an on-premises solution
These requirements make the list of available ITAM solutions very short. In fact, the xAssets ITAM/ND solution is the only ITAM software product on the AF approved/certified list of software. The xAssets ITAM-ND solution meets all the requirements and is immediately available as COTS software. As such, proposing xAssets ITAM-ND can justify a sole-source award and shorten the acquisition timeframe.