The US Senate Homeland Security and Governmental Affairs Committee has approved a bill that would direct federal agencies to conduct thorough inventories of software they use. The long-term goal of the Strengthening Agency Management and Oversight of Software Assets Act is to help consolidate software contracts and licenses, and encourage the adoption of open-source software.
- Good start, since for any Software Bill of Materials to be useful, it has to be based on an accurate software asset inventory. The USG has to make sure the inventory includes all software, not just formally procured software – i.e. open source, rogue IT, tools used by in-house contractors, etc.
- CDM already requires this software inventory; the trick is mining that data to discover and prioritize remediation of issues. If you don’t know what’s running in your environment, spend time on discovery and remediation planning before implementing any sort of penalty phase to prevent negative impact to mission or operations.
- This is a step in the right direction, but only “top down.” The agencies can fairly easily identify what they installed. However, absent a digital software bill of materials that is bottom up, the government will still not know what code it is running.
Read more in