In September, the White House released new guidance calling for federal agencies to create a full inventory of the software they use within the next 90 days. It’s the first of a required series of action steps that stems from the May cybersecurity executive order handed down by President Biden. This order directed the National Institute of Standards and Technology (NIST) to publish guidance on how the agencies could better protect government systems with more secure software.
Most federal agencies are now scrambling to meet the requirement. If you’re like other organizations outside of the public sector, you’re probably thankful this doesn’t include you. If you’re part of the wide-reaching government supply chain, however, it’s time to begin preparations for what’s likely to come. Let’s look at why this required action step is important, why it comes with such a quick turnaround and how you can get started on your own asset inventory.
Why a software inventory?
In today’s digital landscape, information is king. Organizations know this and, unfortunately, so do cyber criminals. Securing that information needs to be high on the list of priorities. The first step in making that happen is visibility, because you can’t protect what you can’t see.
Comprehensive insight across your active software inventory and your entire technology estate gives you the ability to shore up security vulnerabilities and protect your data. It also helps you save money and avoid nasty audit surprises through cost avoidance and optimization. By knowing the status of your software, you can manage cost, usage, and risk across your IT estate.
A full view enables you to:
- Manage and optimize your software licenses
- Plan for strong positioning during renewals and contract negotiations
- Prepare for audits with fewer surprises
Why the 90-day timeline?
Given federal agencies’ heavy (and growing) reliance on software, they are undoubtedly feeling the pressure of completing a full inventory in just 90 days. It’s a tight turnaround, especially for organizations that lack some form of proactive software asset management. The time to act, though, is now. In truth, it’s long overdue.
It’s been nearly three years since the 2020 breach of SolarWinds, a Texas-based company that builds software for protecting networks and systems. The cyberattack on SolarWinds put its own corporate IP at risk, but it also gave cyber criminals a foothold into its customers’ systems. This was a stark reminder to everyone that digital supply chain attacks are the new reality and that downstream risk management tactics, together with vendors and partners, are critical. How can you manage these supply chain risks if you aren’t sure which vendors you rely on or which distributors you partner with?
Today’s global conflicts and escalating cyberattacks, nation-state sponsored or otherwise, indicate more security is necessary. Economic uncertainty is another reason to gain visibility over your software estate sooner rather than later. As organizations work to digitally transform and future-proof their business against inflation and other risks, there’s no better time to optimize your software costs and prevent potentially costly compliance issues.
How to get started
For a head start on implementing NIST-authored cybersecurity guidance and on your software inventory, consider downloading the top 20 Critical Security Controls® from the Center for Internet Security® (CIS). The prioritized steps were created to guide organizations in improving their data security. Step two emphasizes creating an inventory of all software in use across the organization.
The best way to discover, inventory, manage and optimize your software in the long term is through an ongoing strategic IT asset management (ITAM) program. To help organize such an initiative, Snow explains how to define program goals and set the milestones necessary for formulating a roadmap to strategic ITAM in a new e-book, the 12-Month ITAM Roadmap.
Technology plays a central role in any ITAM program. The difference is in how you simplify the discovery, inventory and normalization of your software assets and consolidate that into a single view. You can learn more about how Snow helps with Snow Asset Discovery & Inventory and Snow Asset Management.