The Department of Health and Human Services is working on a proof of concept for software asset management, otherwise known as SAM, to bring visibility, risk-reduction and cost-savings into software across the agency.
In October 2019, HHS CIO Jose Arrieta initiated the process of achieving SAM across the enterprise to have transparency into the agency's software assets. Rather than meeting the expectations of a set policy, Arrieta said his team is working on a SAM proof of concept to shape the policy.
That concept, called "Implementing Software Asset Management," is using a subset of HHS data to test its scalability across the department, said Brigette Gordon, the enterprise architect on the project.
Starting with a small-scale project will allow for minimized risk in achieving the end goal, Arrieta added.
“If you want to cross a creek, you hop from rock to rock to get across, so that when you think about Brigette describing this proof of concept that she’s doing, she’s jumping from rock to rock, and then kind of planning out what’s next and allows us to minimize our risk,” Arrieta said. “It allows us to iterate our way toward the other side of the creek, or in our case toward our goal, which is full visibility into the assets that are functioning on the network.”
The incremental, small start of the Implementing SAM proof of concept also enables a significant potential for cost-savings and efficiency in the management of HHS software. This approach has become more common across federal IT projects. If it doesn’t work, Arrieta's team gets to learn from their mistakes.
Given his policies focusing on lowering costs and delivering better value to customers while maintaining a robust cybersecurity posture, Arrieta said the proof of concept can help contribute to that broader mission through the visibility it brings to the agency's software, which will in turn reap various benefits for the department.
“Once you have visibility, what can you do?” Arrieta said. “You can lower your costs because you can leverage your buying power, you can create an increased level of security because you have visibility into what state, what data is being shared, so it gives you all of these benefits.”
The visibility Arrieta wants to achieve is more specifically visibility into the price the department is paying for software licenses, an understanding of the install base and what is operating on the network. Having that internal transparency, Arrieta said, will allow maximized use of licenses across the agency.
To measure success in the proof of concept, Gordon said she will have to get buy-in from leadership, ensure that there is governance and change management around the project, and ensure that traditionally manual processes of SAM are automated.
“Right now, there are a lot of processes that are manual around how do we collect the assets? How do we college license information?” Gordon said. “Someone has to manually go in there and look through the contracts and pull out the license information from the asset contracts and maybe put them in a spreadsheet.”
Gordon added that automating these processes will allow SAM to run more smoothly and accurately while realizing saved time and resources.
“If we had automation, like with Accelerate, we can go in and view those contracts, pull out the license information, and put that into the system without someone having to hand jam it,” Gordon said. “It’s automated, it’s more accurate, it saves our resources and it’s better to integrate with other pieces of information.”
If the proof of concept is successful, Gordon said there’s potential to not only expand its success across HHS, but also with other federal agencies. HHS launched the project in light of federal-wide compliance requirements called for under legislation like Making Electronic Government Accountable By Yielding Efficiencies (MEGABYTE) Act and Federal Information Technology Acquisition Reform Act (FITARA).
“There are other agencies that are struggling to bring some management around their assets,” Gordon said. “When we do this successfully, we can then share this out to other agencies."
In the meantime, Gordon’s team is collaborating with a variety of business areas in HHS — including in cybersecurity, enterprise architecture, network operations and vendor management — to realize a successful proof of concept.
The proof of concept is targeted to be ready for production by April or May 2020.