The US National Aeronautics and Space Administration (NASA) has overspent about $15 million on Oracle software over the past five years because it lacked a centralized software asset management practice, according to an audit report published by the space agency’s office of the inspector general (OIG).
The report attributes the huge over-expenditure to vendor lock-in and NASA’s unwillingness to risk a license audit by Oracle because of its lack of visibility into software management.
Vendor lock-in, according to the report, is a situation when an enterprise customer using a product or service cannot easily transition to a rival product or service.
“NASA purchased large amounts of Oracle products to support Space Shuttle processing and other mission operations during that timeframe containing licensing terms that made transitioning to a competitor difficult due to proprietary technologies,” the OIG wrote in the report.
NASA was unwilling to submit to an Oracle audit because it feared the resulting penalties would cost more than the $15 million in unused licenses, the report showed.
“OCIO (office of the chief information officer) officials explained that they ‘knew better than to try our luck with an audit.’ Simply put, merely the potential threat of being audited by the vendor encouraged overbuying when the accuracy of agency software asset management was suspect,” the report said.
An email sent to Oracle about easing “lock-in” practices didn’t immediately receive a response.
No software asset management (SAM) program
The space agency’s problem, according to the report, is the absence of a centralized software asset management practice and its current “ad-hoc” practices, which could expose NASA to operational, financial, and cybersecurity risks.
Software asset management is the practice of controlling and optimizing the purchase, deployment, maintenance, and utilization of software applications or suites in an organization or institution.
“Efforts to implement an enterprise-wide software asset management program have been hindered by both budget and staffing issues and the complexity and volume of the agency’s software licensing agreements,” the OIG wrote in the report, giving the agency’s software management practices a “basic” rating—the lowest rating as per the International Organization for Standardization.
The agency uses over 49,000 desktops, laptops and engineering computers.
Further, the report showed that NASA was years away from moving to an enterprise computing model and was in violation of the federal policy to implement a centralized software asset management program that tracks inventory and license data.
“We also found internally developed mission and institutional software applications suffer from a lack of centralization and inventory visibility, limiting the agency’s ability to identify duplicative or obsolete software,” the OIG wrote.
In addition, NASA’s current organizational setup, which is against federal policy, hinders the effective implementation of a centralized software management policy.
“The agency’s software asset management office and software manager positions are misaligned and do not report to the chief information officer as required by federal policy,” the OIG wrote as part of the report.
Other challenges plaguing the space agency include inconsistent processes for legal representation during software contract negotiations or vendor audits, unmonitored training software and unsupervised software purchasing.
These challenges expose the agency to increased costs because of penalties for violations of software licensing agreements, the report showed.
“NASA has failed to implement processes necessary to manage financial risks as software purchases are not sufficiently tracked and authorized by the Office of the Chief Information Officer (OCIO)—allowing some users to bypass OCIO authorization (and software asset management team scrutiny) to purchase software through alternative means such as purchase cards,” the OIG wrote.
NASA overspent more than $35 million
The OIG also pointed out an additional $20 million expense in fines and overpayments, which could have been avoided.
“We estimate the agency could have saved approximately $35 million ($20 million in fines and overpayments and $15 million in unused licenses) and moving forward could save $4 million over the next 3 years by implementing an enterprise-wide software asset management program,” the OIG report said.
According to the OIG’s analysis, almost 11,000 users were granted privileged access (the ability to control one’s own computer system, akin to administrative rights) between 2020 and 2022, allowing them to download software at will, because of operational constraints and delays in funding.
In 2017, NASA had to pay $18.9 million to IBM following an audit to bring its software usage into compliance with license agreements.
In 2021, the agency paid multiple vendors, including SAP, Dassault and Ansys, a combined total of about $4.4 million to settle software usage penalties.