US federal software reform bill aims to strengthen software management controls

Software management struggles that have pained enterprises for decades cause the same anguish to government agencies, and a bill making its way through the US House of Representatives to strengthen controls around government software management holds lessons for enterprises too.

The Strengthening Agency Management and Oversight of Software Assets (SAMOSA) bill, H.R. 5457, received unanimous approval from a key US House of Representative committee, the Committee on Oversight and Government Reform, on Tuesday.

SAMOSA is mostly focused on trying to fix “software asset management deficiencies” as well as requiring more “automation of software license management processes and incorporation of discovery tools,” issues that enterprises also have to deal with.

In addition, it requires anyone involved in software acquisition and development to be trained in the agency’s policies and, more usefully, in negotiation of contract terms, especially those that put restrictions on software deployment and use.

This training could also be quite useful for enterprise IT operations. It would teach “negotiating options” and specifically the “differences between acquiring commercial software products and services and acquiring or building custom software and determining the costs of different types of licenses and options for adjusting licenses to meet increasing or decreasing demand.”

The mandated training would also include tactics for measuring “actual software usage via analytics that can identify inefficiencies to assist in rationalizing software spending” along with methods to “support interoperable capabilities between software.”

Outlawing shadow IT

The bill also attempts to rein in shadow IT by “restricting the ability of a bureau, program, component, or operational entity within the agency to acquire, use, develop, or otherwise leverage any software entitlement without the approval of the Chief Information Officer of the agency.” But there are no details about how such a rule would be enforced.

It would require agencies “to provide an estimate of the costs to move toward more enterprise, open-source, or other licenses that do not restrict the use of software by the agency, and the projected cost savings, efficiency measures, and improvements to agency performance throughout the total software lifecycle.” But the hiccup is that benefits will only materialize if technology vendors change their ways, especially in terms of transparency.

However, analysts and consultants are skeptical that such changes are likely to happen.

CIOs could be punished

Yvette Schmitter, a former Price Waterhouse Coopers principal who is now CEO of IT consulting firm Fusion Collective, was especially pessimistic about what would happen if enterprises tried to follow the bill’s rules.

“If the bill were to become law, it would set enterprise CIOs up for failure,” she said. “The bill doubles down on the permission theater model, requiring CIO approval for every software acquisition while providing zero framework for the thousands of generative AI tools employees are already using without permission.”

She noted that although the bill mandates comprehensive assessments of “software paid for, in use, or deployed,” it neglects critical facets of today’s AI software landscape. “It never defines how you access an AI agent that writes its own code, a foundation model trained on proprietary data, or an API that charges per token instead of per seat,” she said. “Instead of oversight, the bill would unlock chaos, potentially creating a compliance framework where CIOs could be punished for buying too many seats for a software tool, but face zero accountability for safely, properly, and ethically deploying AI systems.”

Schmitter added: “The bill is currently written for the 2015 IT landscape and assumes that our current AI systems come with instruction manuals and compliance frameworks, which they obviously do not.”

She also pointed out that the government seems to be working at cross-purposes. “The H.R. 5457 bill is absurd,” she said. “Congress is essentially mandating 18-month software license inventories while the White House is simultaneously launching the Genesis Mission executive order for AI that will spin up foundation models across federal agencies in the next nine months. Both of these moves are treating software as a cost center and AI as a strategic weapon, without recognizing that AI systems are software.”

Scott Bickley, advisory fellow at Info-Tech Research Group, was also unimpressed with the bill. “It is a sad, sad day when the US Federal government requires a literal Act of Congress to mandate the Software Asset Management (SAM) behaviors that should be in place across every agency already,” Bickley said. “One can go review the [Office of Inspector General] reports for various government agencies, and it is clear to see that the bureaucracy has stifled all attempts, assuming there were attempts, at reining in the beast of software sprawl that exists today.”

Right goal, but toothless

Bickley said that the US government is in dire need of better software management, but that this bill, even if it was eventually signed into law, would be unlikely to deliver any meaningful reforms. 

“This also presumes the federal government actually negotiates good deals for its software. It unequivocally does not. Never has there been a larger customer that gets worse pricing and commercial terms than the [US] federal government,” Bickley said. “At best, in the short term, this bill will further enrich consultants, as the people running IT for these agencies do not have the expertise, tooling, or knowledge of software/subscription licensing and IP to make headway on their own.”

On the bright side, Bickley said the goal of the bill is the right one, but the fact that the legislation didn’t deliver or even call for more funding makes it toothless. “The bill is noble in its intent. But the fact that it requires a host of mandatory reporting, [Government Accountability Office] oversight, and actions related to inventory and overall [software bill of materials] rationalization with no new budget authorization is a pipe dream at best,” he said. 

Sanchit Vir Gogia, the chief analyst at Greyhound Research, was more optimistic, saying that the bill would change the law in a way that should have happened long ago.

“[It] corrects a long-standing oversight in federal technology management. Agencies are currently spending close to $33 billion every year on software. Yet most lack a basic understanding of what software they own, what is being used, or where overlap exists. This confusion has been confirmed by the Government Accountability Office, which reported that nine of the largest agencies cannot identify their most-used or highest-cost software,” Gogia said. “Audit reports from NASA and the Environmental Protection Agency found millions of dollars wasted on licenses that were never activated or tracked. This legislation is designed to stop such inefficiencies by requiring agencies to catalogue their software, review all contracts, and build plans to eliminate unused or duplicate tools.”

Lacks operational realism

Gogia also argued, “the added pressure of transparency may also lead software providers to rethink their pricing and make it easier for agencies to adjust contracts in response to actual usage.” If that happens, it would likely trickle into greater transparency for enterprise IT operations. 

Zahra Timsah, co-founder and CEO of i-GENTIC AI, applauded the intent of the bill, while raising logistical concerns about whether much would ultimately change even if it ultimately became law.

“The language finally forces agencies to quantify waste and technical fragmentation instead of talking about it in generalities. The section restricting bureaus from buying software without CIO approval is also a smart, direct hit on shadow IT. What’s missing is operational realism,” Timsah said. “The bill gives agencies a huge mandate with no funding, no capacity planning, and no clear methodology. You can’t ask for full-stack interoperability scoring and lifecycle TCO analysis without giving CIOs the tools or budget to produce it. My concern is that agencies default to oversized consulting reports that check the box without actually changing anything.”

Timsah said that the bill “is going to be very difficult to implement and to measure. How do you measure it is being followed?” She added that agencies will parrot the bill’s wording and then try to hire people to manage the process. “It’s just going to be for optic’s sake.”

This article originally appeared on CIO.