It was no surprise to industry experts that agency performance on the initial scorecard for MEGABYTE Act compliance was poor. Twenty-one of 24 agencies graded received Fs. Managing software licenses can be complex and agencies had little time to begin the task before they were evaluated, they said.
But there are steps agencies can take to improve both their management of enterprise software licenses and their compliance with this latest mandate.
The Making Electronic Government Accountable By Yielding Tangible Efficiencies (MEGABYTE) Act of 2016 is simple. Each Executive Branch agency must develop a comprehensive software licensing policy, laying out clear roles and responsibilities with central oversight. Agencies must inventory 80 percent of software license spending, analyze software usage, provide needed software license management training, and establish goals and objectives for the program that cover the entire software license life cycle, from requisition to disposal.
This should save money and improve cybersecurity. “Thirty percent of software spending typically is wasted,” said Walker White, vice president of data platforms for the IT asset management company Flexera. And running software that has reached its end of supported life increases vulnerabilities and expands the attack surface.
Agencies were not prepared for the new mandate, said Curtis Cote, who heads the procurement practice at Censeo Consulting Group. “MEGABYTE caught a lot of people by surprise,” he said. The bill did not get a lot of press coverage, and “as a result it wasn’t high on agencies’ radars.” Agencies also were confused by an Office of Management and Budget (OMB) memo that had goals similar to MEGABYTE, but with different specific requirements. “They asked themselves, ‘Should I follow OMB’s guidance or follow the language of the act?’”
The answer is, follow the act. But that is not simple. Agencies are decentralized, said David Harrington, managing director of SIE Consulting Group. The people tracking costs and sourcing aren’t the same as those who have inventory data, and there is inadequate visibility for a comprehensive software license inventory. Also, most agencies don’t have inventory management tools deployed, he said.
In moving toward MEGABYTE compliance, “you’ve got to start with the people first,” Harrington said. It can take six to eight months to get the right technology in place, and in the meantime agencies should bring together the people needed to begin a software license inventory.
Cote also recommends that agencies not wait for discovery tools before beginning an inventory. “We’ve found that agencies can collect 80 percent of their license information from simple data calls or contract reviews,” he said. Then they can begin looking at software usage and actual needs.
Because MEGABYTE grading is on a simplified A-C-F scale, having a good inventory should get an agency up to a C. Once that is in place, agencies can take advantage of commercially available asset management solutions. “It’s a big waste of time to reinvent the wheel” with homegrown solutions, White said.
The right solutions can then help agencies make decisions that will save money, improve cybersecurity, and move them to an A on the scorecard.