For too long, the U.S. government has remained in the clutches of a wasteful and insecure IT ecosystem, entrenched by the “vendor-lock” practices of a few incumbent software providers. These providers lock their customers – U.S. federal government agencies – into contracts with restrictive licenses, punitive audits, fixed fees and more.
In one case, a dominant software provider allegedly used a predatory audit to lock a federal government agency into a 5-year, $265 million contract by inflating alleged noncompliance costs. A recent paper by IT procurement expert Michael Garland found that as little as a five percent reduction in vendor-lock practices could save the government up to $750 million annually. Vendor-lock not only wastes valuable taxpayer dollars but may also leave open significant cybersecurity vulnerabilities, because so much of the government runs software from a single provider.
The good news is that one solution that would deliver those cost savings and a more secure, higher-quality government IT infrastructure is on the horizon.
Yesterday, the bipartisan Strengthening Agency Management and Oversight of Software Assets Act (SAMOSA Act) was reintroduced, sponsored by Sens. Gary Peters (D-MI) and Bill Cassidy (R-LA) in the Senate and Reps. Matt Cartwright (D-PA) and Brian Fitzpatrick (R-PA) in the House. This bill would require government agencies to report in more detail on their software contracts and procurement practices, and to share their findings with agency inspectors general.
The SAMOSA Act will ultimately require agencies to identify their restrictive licensing agreements – the very crux of vendor-lock – to maximize flexibility and eliminate barriers to cost savings. As Garland writes in his paper, “The data collected by SAMOSA can serve multiple purposes, including asset management visibility for the reduction of vendor-lock.”
Further, increased diversification and flexibility in software licensing can reduce the vulnerabilities inherent in over-reliance on a single software provider. A weakness exploited in one provider’s software can be exploited again across every government agency that uses those products – putting our nation’s most sensitive information and national security at risk. A recent Pentagon leak on an incumbent email cloud server in February of this year illustrates the exposure created by over-reliance on dominant software providers.
The SAMOSA Act also builds on successes seen in the 2016 MEGABYTE Act by giving government agencies the teeth to more aggressively seek out savings in their software portfolio. First introduced in the 117th Congress, the SAMOSA Act has strong bipartisan support, and it passed unanimously out of the Senate Homeland Security and Government Affairs Committee in September 2022.
The requirements in the SAMOSA Act will drive greater transparency of government spending and procurement practices. Timely, complete and accurate software and cloud inventory is essential to achieving better interagency coordination and communication, ensuring better returns on IT investments made with taxpayer dollars and stronger cybersecurity practices for the entire federal infrastructure.
The U.S. government is the largest buyer of IT software in the world, spending around $10 to $15 billion annually. The SAMOSA Act – a piece of bipartisan, common-sense and cost-saving legislation – is a strong first step towards more effective and efficient federal agencies. The 118th Congress should prioritize this legislation to promote a more cost-effective and cybersecure federal government.