Each October, Cybersecurity Awareness Month serves as a reminder of how much our digital safety depends on secure, resilient systems. But while public attention often centers on passwords, data breaches and foreign cyber threats, there’s another vulnerability quietly undermining federal cybersecurity from within: how the government buys its software.
In our recent report, Defeating Vendor Lock-in and Gaining Pricing Power, author Michael Garland reveals how the government’s reliance on a small circle of software vendors, and its inability to track what software it actually owns and uses, has become a serious national security concern. The report’s findings are clear: this is not only an economic problem but also a cybersecurity one.
The federal government spends nearly $20 billion a year on commercial software, yet no agency can produce a comprehensive inventory of its licenses, usage or costs. Instead, the system is fragmented, opaque and largely controlled by a handful of incumbents. That means if one vendor’s products are compromised, as Microsoft’s were earlier this year, the consequences cascade across agencies that all depend on the same systems.
Worse still, locked-in contracts and “brand name or equivalent” procurements make it almost impossible for agencies to pivot when new security risks arise. Once a vendor has secured a multi-year enterprise agreement, agencies have little incentive or ability to switch providers, even if newer, more secure options exist. What starts as a procurement convenience ends as a cybersecurity liability. The result is a government that cannot easily modernize its systems, even as threats evolve at an accelerating pace.
Garland’s report makes the case that restoring competition and centralizing procurement would not only save taxpayers billions but would also strengthen the federal government’s digital defenses.
When agencies can move freely between providers, vendors must continually improve their security posture and patch vulnerabilities quickly to stay competitive. A fragmented, data-poor procurement environment does the opposite: it rewards incumbency and penalizes innovation.
To fix this, the report calls for Congress to establish the Software Accountability, Value, and Efficiency (SAVE) Initiative, a centralized procurement authority that would track licenses, usage and pricing across the federal government. SAVE would bring visibility where there is now opacity and strategic oversight where there is currently chaos. In cybersecurity terms, it would give federal IT leaders the situational awareness they need to defend what they own, a basic principle of any security strategy.
Cybersecurity is ultimately about the ability to anticipate, adapt to and recover from disruption. The federal government cannot be resilient to cyber threats if it doesn’t even know what software it’s running or if it remains bound to a small number of suppliers. Breaking vendor lock-in and restoring competitive discipline must be a cybersecurity imperative.