Taking the Risk out of Software Supply Chain Management
SPECIAL INTEREST EDITORIAL
Automating software life-cycle oversight improves efficiency, cuts costs.
BY HENRY S. KENYON
Supply chain management is vitally important to running and maintaining an organization’s IT systems, but like logistics systems, it is not inherently sexy and has historically drawn little attention from the C suite. When it is carried out, in many federal agencies it’s traditionally a manual process managed on spreadsheets. In recent years new directives have mandated that the Department of Defense (DOD) and civilian agencies must all begin monitoring this, especially for cybersecurity considerations within the Department’s Risk Management Framework (RMF).
Because of internal and external cyber threat issues, many department directors are paying more attention to life-cycle management from an acquisitions perspective, says Frank Young, director of Flexera Software LLC’s DOD business operations. But while they now have to account for this, in many cases directors and chief information officers (CIOs) still don’t have any visibility into how their department or agency actually manages its software from acquisition to use to its retirement.
Speaking from the perspective of a director in this situation, Young asks: “How do I get an understanding of what I purchased? And then if it is deployed, was it over-deployed or under-deployed? And are there inherent risks that I’m operating with right now that I’m not aware of?”
The risk level for manually managing software supply chains isn’t acceptable any more, Young says. These cybersecurity-related issues are now a pressing concern in the DOD and the C suites of companies doing business with the government. He adds that not knowing what is happening in an organization prevents it from conducting effective continuous network monitoring or managing its RMF requirements.
“If I don’t know my software life cycle, I don’t know if I have software in my inventory that I can reuse. If I don’t understand it, I don’t know whether I can take this to the cloud or not,” Young says.
From the C suite, as long as networks were running, corporate officers and agency directors weren’t as concerned about the software underpinning their networks. However, new requirements like RMF and health records systems like the continuous monitoring risk scoring system have forced organizations and their top leadership to be aware of their software life cycles and have a standardized, repeatable process to manage it, Young explains.
“It can bite you in the backside if you don’t have control over it, and cost can really go out of control,” Young says.
GETTING IT RIGHT WITH AUTOMATION
Automation is the key to helping federal agencies tackle the challenges of software life-cycle management to make their operations more efficient.
One DOD agency contacted Flexera to help automate the part of its software life-cycle process where the purchase information from its acquisition offices is merged with data from a deployment perspective. This allows the agency to have a process and a discovery mechanism to see what’s happening on its network, Young says.
For example, the system might allow IT staff to know that while 1,000 copies of Tanium are deployed, it would note that purchase orders say the agency only paid for 900 and highlight the cost for the additional copies. This creates a risk picture for just one product in the agency’s inventory which is displayed on a user dashboard.
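The purchase-to-deployment reconciliation described above, as an added example that is not code from the article or from Flexera’s product: it merges constructed purchase-order records with constructed discovery counts and flags each product as over-deployed, under-deployed, or lacking any purchase record. Apart from the Tanium figures, the product names, counts and unit costs are assumptions made up for the example.

```python
from dataclasses import dataclass

# Constructed sample data (not from the article). Purchase orders as an
# acquisition office might export them; several POs may cover one product.
PURCHASES = [
    {"product": "Tanium", "copies": 600, "unit_cost": 120.0},
    {"product": "Tanium", "copies": 300, "unit_cost": 120.0},
    {"product": "Product-B", "copies": 500, "unit_cost": 180.0},
    {"product": "Product-C", "copies": 200, "unit_cost": 300.0},
]
# Installed counts as a network discovery scan might report them (constructed).
DEPLOYED = {"Tanium": 1000, "Product-B": 420, "Unlisted-Agent": 35}
@dataclass
class Finding:
    product: str
    purchased: int
    deployed: int
    status: str
    exposure: float  # dollars: unpaid copies, or paid-for but idle licenses

def reconcile(purchases, deployed):
    owned, unit_cost = {}, {}
    for po in purchases:  # sum copies across all POs for the same product
        owned[po["product"]] = owned.get(po["product"], 0) + po["copies"]
        unit_cost[po["product"]] = po["unit_cost"]
    findings = []
    for product in sorted(set(owned) | set(deployed)):
        bought, installed = owned.get(product, 0), deployed.get(product, 0)
        price = unit_cost.get(product, 0.0)
        if product not in owned:
            # Software with no acquisition record: unknown provenance, review it.
            status, exposure = "no-purchase-record", 0.0
        elif installed > bought:
            # More copies running than paid for: license and cost exposure.
            status, exposure = "over-deployed", (installed - bought) * price
        elif installed < bought:
            # Paid-for copies not in use: shelfware that could be reused.
            status, exposure = "under-deployed", (bought - installed) * price
        else:
            status, exposure = "in-balance", 0.0
        findings.append(Finding(product, bought, installed, status, exposure))
    return findings

def findings_by_product(purchases, deployed):
    return {f.product: f for f in reconcile(purchases, deployed)}

if __name__ == "__main__":
    for f in reconcile(PURCHASES, DEPLOYED):  # one row per dashboard entry
        print(f"{f.product:<15} {f.status:<19} bought={f.purchased:>5} installed={f.deployed:>5} exposure=${f.exposure:,.2f}")
```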
This allows an organization’s officers, such as the CIO, to directly monitor software status from their dashboards every day. Another important aspect of this process for DOD agencies is that it isn’t manual any more. Instead it is a repeatable automated process
40 SIGNAL, MARCH 2020 | www.afcea.org/signal