This repository has been archived by the owner on Mar 3, 2022. It is now read-only.

Email comment: Symantec comments on OMB software policy #14

Open
OMBPublicComments opened this issue Jan 21, 2016 · 0 comments

To whom it may concern:

Thank you for the opportunity to submit comments to the Draft Policy related to:
“Category Management Policy 16-1: Improving the Acquisition and Management of Common Information Technology: Software Licensing.”

We would be happy to schedule time at your convenience to discuss our following comments in more detail:

  1. Recommendation: Broaden the scope of the policy to include comprehensive software management. The capabilities of the CDM Tools that cover Software Management go well beyond requirements outlined in this draft policy. The US CIO should implement more of the CDM Tool capabilities to gather additional information to be used in making decisions on software usage. For example, a traditional Software Management tool can report on the patch status of installed software. It would be useful for agencies to know if installed software requires a patch, how long it has gone unpatched, how often a patch is required, etc. It may be worth considering another application if patching is a concern with the current software.

Benefits to Federal Government: Further consolidation of vendors (and software in use) by leveraging the full extent of data provided by software management tools. Risk management and reduction through patch management.

  2. Recommendation: Possible exemption for Cybersecurity tools.

Benefit to Federal Government: Improved public perception. Acquisition is already perceived as the roadblock to obtaining cutting-edge cyber tools needed to protect Fed IT Systems. This policy could exacerbate the problem.

  3. Recommendation: Reflect unique circumstances in the policy.

Benefit to Federal Government: In many cases, discounts are negotiated to fit certain unique circumstances (quantity, term of contract, combined with a larger purchase, to help align with customer budget, etc.). As such, a discount to Agency X may not apply to Agency Y.

  4. Recommendation: The SW Inventory Report should note if the product is installed, or simply sitting on a shelf (known as “shelf-ware”). Without such granular reporting, an agency report can reflect having a certain capability, but there is no way to determine if the capability is being used.

Benefit to Federal Government: Lowered risk profile and cost of ownership, and compliance with various Federal mandates. If it is determined that an agency owns but is not using certain tools (especially those used for patching and security), the agency could lower its risk profile by deploying those tools. Similarly, once tools are deployed the agency would be in compliance with applicable mandates. Ensuring software is actually deployed benefits the government (the capability of the software is realized) and the taxpayer (money spent is actually providing a service).

  5. Recommendation: SW Inventory Report should note if the product is ‘end of life’ or out of maintenance.

Benefit to Federal Government: Lowered risk and improved compliance. If a product is at its end of life, or is no longer covered by a maintenance contract, chances are great that vulnerabilities are no longer being patched. This creates a threat vector which can be easily exploited by a would-be attacker.

Please feel free to contact the undersigned should you wish to discuss our comments further.

Ken Durbin
Unified Security Practice Manager
Public Sector
www.symantec.com
