Taking the Risk Out of Software Supply Chain Management: Sponsored
Automating software life-cycle oversight improves efficiency, cuts costs.
Supply chain management is vitally important to running and maintaining an organization’s IT systems, but like logistics systems, it is not inherently sexy and has historically drawn little attention from the C suite. When it is carried out, in many federal agencies it’s traditionally a manual process managed on spreadsheets. In recent years new directives have mandated that the Department of Defense (DOD) and civilian agencies must all begin monitoring this, especially for cybersecurity considerations within the Department’s Risk Management Framework (RMF).
Because of internal and external cyber threat issues, many department directors are paying more attention to life-cycle management from an acquisitions perspective, says Frank Young, director of Flexera Software LLC’s DOD business operations. But while they now have to account for this, in many cases directors and chief information officers (CIOs) still don’t have any visibility into how their department or agency actually manages its software from acquisition to use to its retirement.
Speaking from the perspective of a director in this situation, Young asks: “How do I get an understanding of what I purchased? And then if it is deployed, was it over-deployed or under-deployed? And are there inherent risks that I’m operating with right now that I’m not aware of?”
The risk level for manually managing software supply chains isn’t acceptable any more, Young says. These cybersecurity-related issues are now a pressing concern in the DOD and the C suites of companies doing business with the government. He adds that not knowing what is happening in an organization prevents it from conducting effective continuous network monitoring or managing its RMF requirements.
“If I don’t know my software life cycle, I don’t know if I have software in my inventory that I can reuse. If I don’t understand it, I don’t know whether I can take this to the cloud or not,” Young says.
From the C suite, as long as networks were running, corporate officers and agency directors weren’t as concerned about the software underpinning their networks. However, new requirements like RMF and health records systems like the continuous monitoring risk scoring system have forced organizations and their top leadership to be aware of their software life cycles and have a standardized, repeatable process to manage it, Young explains.
“It can bite you in the backside if you don’t have control over it, and cost can really get out of control,” Young says.
Getting it right with automation
Automation is the key to helping federal agencies tackle the challenges of software life-cycle management to make their operations more efficient.
One DOD agency contacted Flexera to help automate the part of its software life-cycle process where the purchase information from its acquisition offices is merged with data from a deployment perspective. This allows the agency to have a process and a discovery mechanism to see what’s happening on its network, Young says.
For example, the system might allow IT staff to know that while 1,000 copies of Tanium are deployed, it would note that purchase orders say the agency only paid for 900 and highlight the cost for the additional copies. This creates a risk picture for just one product in the agency’s inventory which is displayed on a user dashboard.
This allows an organization’s officers, such as the CIO, to directly monitor software status from their dashboards every day. Another important aspect of this process for DOD agencies is that it isn’t manual any more. Instead it is a repeatable automated process that doesn’t pull data from systems representing real-time data on the network, Young says. It merges this information in with purchase order data.
Managers can also access the organization’s software catalog and make use of the vendor’s SKU library to determine what products and capabilities they’re entitled to when they purchase and install software onto the network. This system also helps the agency identify failure points and risks that each software system and its related vendor contracts and services entails, Young says.
In the agency’s case, Flexera was brought in to help automate the entire software life-cycle management process. Automation helps DOD agencies come to grips with managing their various software systems.
“How do I know as I’m maintaining a system like SA Oracle—what I’m authorized to run there and what I’m not authorized to run? Have I added more risk and more exposure from a cost perspective? If you don’t understand the whole supply chain of the software products that you’re working with, you’re just running blind,” Young says.
Putting it all together
A DOD customer brought Flexera in almost five years ago after looking for a supply chain management solution to meet its needs. One of the agency’s goals was mitigating the risk associated with unbudgeted expenses associated with software license costs through reuse and saving money by reducing what it was spending on software license maintenance, Young says.
Putting all of a software product’s life-cycle information in one place also attracted the attention of other parts of the organization besides the C suite. This included information assurance personnel, program management staff and others who wanted to know if there were any unexpected costs associated with the DOD’s mandated continuous software monitoring program. All of these questions and means to solve what had been a manual process were met by centralizing all of this commercial software information, Young says.
Besides the advantages of placing purchase order information in one place and merging it with discovery data to streamline the life-cycle management process, it allows DOD agencies to get close to a desired end-goal: to have an app store or similar capability to provide users with workflow and approval.
“When [people] say they need software—if it’s available, they can just get it,” Young says.
Helping DOD customers
Another area where Flexera helps the DOD with is what to do with software at the end of its service life—the issue of end-of-life and obsolescence. Young notes that some of the military’s legacy systems have been in use since the 1990s, adding that the U.S. Army alone has millions of endpoints to manage.
But managing that many endpoints and understanding what is on them and other systems is hard, if not impossible, without the right tools to view them and bring that data into one place. Additionally, there is the constant worry of determining if everything is current and up to data in the software supply chain, Young asks.
This is where Flexera fits into the picture because supply chain management is the piece many DOD agencies often miss, he says. Besides aligning this data with DOD requirements such as identifying and patching known cybersecurity vulnerabilities in commercial software products, there is also the issue that many DOD systems are semi-siloed and don’t necessarily interoperate with each other.
From an IT asset management standpoint, Flexera brings hardware, software and supply chain support into one central repository. Information is also pulled from siloed DOD systems and procurement data to provide users with a clear picture of their enterprise’s software status, Young says.
IT leaders across the federal government are turning to Flexera to help them reduce costs, mitigate risk and meet the goals of federal initiatives. Flexera solutions are available through distribution on several GWACs, including NASA SEWP and GSA.