Software licenses are agreements between suppliers and customers about the guidelines for use and distribution of software. Effective software license management allows organizations to maintain an accurate software inventory to improve accountability, security, and compliance.
In fiscal year (FY) 2016, the U.S. Postal Service’s Information Technology (IT) spent about $174 million on software licenses. Two groups are responsible for acquiring and managing these licenses: IT Software and IT Acquisition Support. The IT Software group within Supply Management is responsible for acquiring software and providing contract support, and the IT Acquisition Support group within IT is responsible for software license management.
The Postal Service uses supplier contracts to purchase software licenses. Each IT software contract requires a specific provision related to system integrity and IT-related clauses based on the type of contract. Contracting officers (CO) in the IT Software group are required to incorporate the provision and clauses into software contracts.
The Postal Service has recognized the need to improve its ability to identify, document, configure, and manage software licenses throughout their lifecycle. In July 2015, the Postal Service approved an investment of about $35 million for a software asset management program, which includes software discovery, centralized inventory license management, and a new IT Asset Management group within IT with the responsibility for making strategic software-related decisions.
Our objective was to determine whether the Postal Service’s software license management program is functioning according to Postal Service standards and industry best practices.
What the OIG Found
The Postal Service is in the process of implementing an initiative to enhance its software license management program. Planning for this effort began in FY 2014. After delays, it is now estimated to be completed by March 2020. Meanwhile, the current program is not functioning in compliance with Postal Service policies and does not reflect industry best practices. For example, the Postal Service does not have a comprehensive enterprise-wide software license inventory that uses automated discovery and inventory tools and metrics.
We also judgmentally selected seven out of 263 active software contracts as of March 2017, where the supplier had multiple contracts and supported enterprise-wide software licenses. We found that the required provision and certain clauses were not always included.
This occurred because management has been focused on implementing cyber security-related enhancements across the organization. In addition, there have been significant personnel changes since the investment approval, which has delayed the establishment of a centralized software license management program.
According to management, this occurred because Supply Management’s IT Software group has experienced challenges related to staffing levels and retaining an experienced contracting workforce. New personnel were not aware of the requirements for having IT-related provisions and clauses in software contracts.
Without a fully implemented, centrally managed software license program, the Postal Service cannot readily track and analyze software license usage across the organization to ensure that it is not purchasing unnecessary software licenses and that its software license agreements are in compliance. This could result in the purchase of unneeded licenses, missed opportunities for volume pricing, or penalties for non-compliance with software license agreements. In FY 2015, the Postal Service paid a $26.8 million penalty to a supplier due to inappropriate software license usage for two applications.
Without the required provision and clauses, Postal Service operating systems could lack protection against compromise or degradation of their integrity. In addition, data could be at risk of exposure. Finally, the Postal Service’s liability amount could be higher in the event of a contractual dispute, and there would be no remedy for unauthorized use of disclosed Postal Service data.
What the OIG Recommended
We recommended management complete implementation of the centrally managed software license program. Management should also modify current IT software contracts that do not include the required IT-related provision and clauses. In addition, management should implement a process to ensure that future IT software contracts include the required IT-related provision and clauses.