HHS Policy for Software Asset Management (SAM)

Document #: HHS-OCIO-CPO-2019-11-010
Version #: 1.0
Last Reviewed: 10/2019
Next Review: 10/2022
Owner: OCIO/CPO
Approved By: Jose Arrieta, Chief Information Officer (CIO)

Table of Contents

  1. Nature of Changes
  2. Purpose
  3. Background
  4. Scope
  5. Authorities
  6. Policy
  7. Roles and Responsibilities
  8. Information and Assistance
  9. Effective Date and Implementation
  10. Approval
  11. Concurrence

Appendix A: Procedures

Appendix B: Standards

Appendix C: Guidance

Appendix D: Forms and Templates

Glossary and Acronyms


1. Nature of Changes

This is the first issuance of this Policy.

2. Purpose

The purpose of this Policy is to establish the Department of Health and Human Services (HHS) standard for the management of software assets in compliance with the Making Electronic Government Accountable By Yielding Tangible Efficiencies Act of 2016 (MEGABYTE) and the Office of Management and Budget (OMB) Memo 16-12 Category Management Policy 16-1: Improving the Acquisition and Management of Common Information Technology: Software Licensing.

3. Background

The HHS is responsible for ensuring legislative and organizational information technology (IT) strategic goals are aligned to receive consistent implementation across the agency. The Federal Information Technology Acquisition Reform Act (FITARA), passed by Congress in December 2014, has evolved with the release of each scorecard, resulting in new processes and policies within HHS. The MEGABYTE Act and OMB Memorandum 16-12 address IT category management challenges, and more specifically, software asset management, in order to help agencies improve the acquisition and management of common IT goods and services.

The HHS fulfills its IT compliance responsibilities by developing and implementing robust policies that support federal mandates. This Policy is in place to formalize HHS Software Asset Management (SAM) centralization capabilities to reduce IT costs, improve ability to negotiate with IT vendors, minimize risk of software licensing agreement violations, decrease infrastructure cyber-attack vulnerabilities, and adopt software management best practices.

4. Scope

The Policy sets forth requirements for the HHS Chief Information Officer (CIO) and the HHS Operating Division (OpDiv) CIOs to optimize current SAM tools and procedures, as well as develop a more mature SAM program, including implementation of best practices for the management of software licenses throughout the software lifecycle. This Policy applies to all HHS OpDivs and all software in an OpDiv's portfolio. This Policy does not supersede any applicable law or higher-level agency directive or policy guidance. OpDivs may create a supplemental policy that is more stringent.

5. Authorities

Legislation

  • Clinger-Cohen Act (40 U.S.C. §§ 11101-11704)
  • Making Electronic Government Accountable By Yielding Tangible Efficiencies (MEGABYTE) Act of 2016 40 USC 11302, Public Law 114–210—JULY 29, 2016
  • E-Government Act of 2002 Public Law 113–291—Dec. 19, 2014: Title VIII National Defense Authorization Act For Fiscal Year 2015, Subtitle D—Federal Information Technology Acquisition Reform (FITARA), 2014
  • Title 48 Chapter 1 of the Code of Federal Regulations, 48 C.F.R. 1. Federal Acquisition Regulation (FAR) 2005-99

Federal Guidance

  • Office of Management and Budget (OMB) Circular A-130, “Managing Information as a Strategic Resource”
  • Office of Management and Budget (OMB) M-16-12, “Memorandum for The Heads of Departments And Agencies, Category Management Policy 16-1: Improving the Acquisition and Management of Common Information Technology: Software Licensing,” June 2, 2016
  • Office of Management and Budget (OMB) M-15-14, Memorandum for Heads of Executive Departments and Agencies: Management and Oversight of Federal Information Technology, June 10, 2015
  • GAO 14-413 Federal Software Licenses: Better Management Needed to Achieve Significant Savings Government-Wide, 2014
  • FASAB, SFFAS No. 10, Accounting for Internal Use Software
  • FASAB, Federal Financial Accounting Technical Release 16, Implementation Guidance for Internal Use Software, January 19, 2016

HHS Policies and Guidance

  • Software Management Centralization Plan Template for Software Managers, Enterprise Software Category Team (ESCT), 2016
  • HHS Policy for Accounting for Internal Use Software (2019)
  • Department of Health and Human Services (HHS) Federal Information Technology Acquisition Reform Act (FITARA) Implementation-Revised HHS IT Governance Framework, HHS, Office of the Chief Information Officer (OCIO), October 25, 2016
  • Department of Health and Human Services (HHS) Federal Information Technology Acquisition Reform Act (FITARA) HHS Implementation Plan, September 2015.

6. Policy

In accordance with the MEGABYTE Act and OMB Memorandum M-16-12, Agencies are required to develop and participate in the HHS Enterprise SAM Program.  The SAM Program is based on an overarching framework to support the centralization and management of HHS software assets. Further, the focus of the SAM Program is expected to reduce lifecycle costs and improve software asset management practices including, but not limited to, the following activities:

  • Developing a software management centralization plan;[1]
  • Identifying or appointing a software manager;
  • Establishing a baseline inventory of all commercial software licenses purchased, deployed and in use across the agency;
  • Utilizing automated tools to maintain, track, and analyze software license inventory data;
  • Providing Software License Management (SLM) training to key HHS personnel;
  • Complying with OMB and Enterprise Software Category Team (ESCT) reporting requirements; and
  • Incorporating Internal Use Software (IUS) data into the data collection and reporting schedule.

The HHS Vendor Management Office (VMO) will conduct semi-annual integrated data collections (IDCs) of HHS OpDivs' software licenses to update the HHS software license inventory.  While each OpDiv may maintain a software inventory independently, all OpDivs must report OpDiv-specific data using the designated standard to support the central collection of data, detailed at Appendix C.  The data submission must also include requirements from the Office of the Assistant Secretary for Financial Resources’ (ASFR) HHS Policy for Accounting for Internal Use Software (IUS), also detailed at Appendix C.

7. Roles and Responsibilities

7.1. HHS Chief Information Officer (CIO)

The HHS CIO, or designee, must:

  1. Maintain overall responsibility for execution of this Policy and ensure compliance with legislative requirements;
  2. Coordinate personnel and processes across HHS, in support of this initiative, including key areas such as finance, acquisitions, IT and security;
  3. Collaborate with the HHS cross-functional leadership team, in support of the SAM Program, to include the Chief Financial Officer, Chief Acquisition Officer, Chief Human Capital Officer, and other critical partners; and
  4. Appoint a HHS Enterprise Software Manager.

7.2. HHS Office of the Chief Product Officer (CPO)

The HHS Office of the CPO must:

  1. Oversee execution of the SAM Program, as specified in Section 6 of this Policy.

7.3. HHS Vendor Management Office (VMO)

The HHS VMO must:

  1. Implement this policy;
  2. Oversee consolidation of OpDiv software inventories annually for review and OMB reporting;
  3. Establish SAM program goals and objectives in alignment with federal requirements, stakeholder input, and existing HHS protocols;
  4. Serve as the HHS Enterprise Software Manager to work within the OCIO and support the central management of HHS OpDiv inventories; and
  5. Perform and review semi-annual IDCs from HHS OpDivs to update HHS software license inventory.

7.4. HHS Enterprise Software Manager

The HHS Enterprise Software Manager must:

  1. Escalate adjudication issues or concerns with the creation of the SAM strategy and implementation of the policy to the HHS CIO;
  2. Process OpDiv and ESCT Reports;
  3. In accordance with OMB 16-12, manage planning and strategy of all HHS-wide commercial software agreements and licenses;
  4. Ensure relevant agency personnel are trained in SAM practices in various phases of the acquisition lifecycle across the Department;
  5. Compile and continually update an inventory of all software licenses, including all licenses purchased, deployed and in use, as well as spending on subscription services to include provisional software as a service (SaaS) agreements;
  6. Implement improvements to reduce duplication and ensure the adoption of software management best practices;
  7. Leverage automated tools[2] that will support the SAM Program; and
  8. Submit consolidated report of software license inventories to OMB, the Office of the Assistant Secretary for Financial Resources (ASFR), and other entities, as required.

7.5. HHS Chief Financial Officer (CFO)

The HHS CFO must:

  1. Ensure compliance with the HHS Policy for Accounting for Internal Use Software from the Assistant Secretary for Financial Resources (ASFR).

7.6. ASFR/Office of Acquisition Workforce and Strategic Initiatives

The Office of Acquisition Workforce and Strategic Initiatives must:

  1. Identify key personnel to facilitate data collection and communication related to the IUS policy.

7.7. HHS Office of Acquisitions (OA)

The OA must:

  1. Identify key personnel and relevant SAM training topics to comply with OMB requirements;
  2. Ensure relevant agency personnel are trained in SAM practices in various phases of the acquisition lifecycle across the Department;
  3. Ensure changes to acquisitions data systems will account for the structured license data and automated SAM capabilities; and
  4. Facilitate structured data collection in HHS procurement systems that can be synced with SAM tools.

7.8. Operating Division Chief Information Officers (OpDivs); Staff Division IT Leads (StaffDivs)

The OpDivs/StaffDivs must:

  1. Implement and ensure compliance with this Policy; and
  2. Appoint an OpDiv/StaffDiv Software Manager.

7.9. OpDiv/StaffDiv Software Manager

The OpDiv/StaffDiv Software Manager must:

  1. Assist the HHS Enterprise Software Manager in defining the SAM Program, processes, and artifacts, as they relate to the OpDiv/StaffDiv;
  2. Communicate plans and requirements to OpDiv/StaffDiv;
  3. Discover all software components of IT inventory on the IT infrastructure, in accordance with the criteria detailed in Appendix C;
  4. Submit OpDiv/StaffDiv inventory, as required; and
  5. Collaborate with the HHS Enterprise Software Manager to ensure quality data submission.

8. Information and Assistance

The HHS Vendor Management Office (VMO) within the Office of the Chief Product Officer (CPO) is responsible for the development and management of this policy.  Direct questions, comments, suggestions, and requests for information about this policy to HHS-VMO@hhs.gov.

9. Effective Date and Implementation

The effective date of this policy is the date on which the policy is approved.  This policy must be reviewed, at a minimum, every three (3) years from the approval date. The HHS CIO has the authority to grant a one (1) year extension of the policy.  To archive this policy, approval must be granted, in writing, by the HHS CIO.

10. Approval

/S/

Jose Arrieta, Chief Information Officer (CIO)

10/29/2019

11. Concurrence

/S/

Scott W. Rowell, Assistant Secretary for Administration (ASA)

10/30/2019

Appendix A: Procedures

Please note that this appendix is subject to change at any time. The current version of this Policy will always reside in the OCIO Policy Library.

No procedures are applicable at this time.  A centralization plan is being developed as part of the creation of the Software Asset Management (SAM) Program.  This appendix will be updated with the centralization plan in FY 2020, upon approval.

Appendix B: Standards

Please note that this appendix is subject to change at any time. The current version of this Policy will always reside in the OCIO Policy Library.

No standards are required to comply with this policy.

Appendix C: Guidance

Please note that this appendix is subject to change at any time. The current version of this Policy will always reside in the OCIO Policy Library.

MEGABYTE Act Requirements:

The table below captures the data collection requirements detailed in the MEGABYTE Act.  OpDivs continue to meet periodically to refine this set of data elements to ensure consistent reporting from all HHS stakeholders. These data elements are subject to change for further refinement as the OpDiv SAM programs are better defined. Changes will be communicated during each IDC reporting cycle.

|    | DATA ELEMENT | DATA DEFINITION | SAMPLE DATA |
|----|--------------|-----------------|-------------|
| a  | Publisher | Publisher/original equipment manufacturer | Cisco |
| b  | Product Name | Official name of the product as defined by the publisher | CON-ECDN-SMS-1, 1811 |
| c  | Product Item number or SKU | Publisher-provided item # or SKU | CON-ECDN-SMS |
| d  | End of Life? | Is the product and/or version considered end of life? Yes or No | No |
| e  | Product Version | Official version # of the product as defined by the publisher | 6.2.2 |
| f  | Product Detailed Description | Description of the software product provided, if applicable | Essential Comm. Service |
| g  | Vendor Classification | Business/socioeconomic classification of the vendor/reseller | Large Business |
| h  | Re-Seller Name | Vendor who sold the product | CDW-G |
| i  | Purchasing Agency | Specify agency purchasing software licenses / maintenance | HHS |
| j  | Purchasing Sub-Agency / Org | Specify Sub-agency / Org purchasing licenses / maintenance | PSC |
| k  | Sub-Agency / Org. POC | Primary Point of contact and contact information | Joe Nameth, JNameth@hhs.gov |
| l  | Contracting Office / Officer | CO Name and contact details | Dan Marino, DMarino@hhs.gov |
| m  | Type of Contract | ELA (Identify OpDiv and if IAA is used); Free or Pcard | ELA |
| n  | Requisition Order Number | Number that is assigned | GS-07F-9926H |
| o  | (Purchase) Order Number | Awarded number in Prism | HHSM-500-2013-00294G |
| p  | Contract Line Item Number | Specific CLIN, if applicable | 3 |
| q  | Period of Perform. End Date | Last day of the current contract option year | 09/27/2017 |
| r  | License vs. Maintenance | Designation of the product: license or maintenance | License |
| s  | License Type | Designation of the type of license being provided | Annual |
| t  | Unit Price -S70 | List unit price per the Schedule 70 contract | $330 |
| u  | Unit Type | Unit of measure | Each |
| v  | Baseline Price | Initial price paid for license | $300 |
| w  | Unit Price | Unit price paid per license/maintenance provided | $330 |
| x  | Unit Count | Total number of units purchased | 1 |
| y  | Additional Discounts | Any additional discounts provided | 20% |
| z  | Total Cost Savings | Value of savings | $60 |
| aa | Total Unit Savings | Value of savings per unit | $60 |
| ab | Total Cost | Final cost of licenses purchased | $240 |

HHS Policy for Accounting for Internal Use Software Requirements:

As part of the effort to consolidate data collection activities, OpDivs must also provide the annual Internal Use Software inventory results to the OCIO VMO.  The OCIO VMO will provide the inventory to ASFR/OF, upon the Chief Product Officer's approval.  The IUS policy remains unchanged, and the data collected are maintained as separate data calls.

For reference purposes, the IUS data requirements request the following information:

OpDivs must maintain an inventory of capitalized IUS acquired or developed.  At a minimum, inventory records must include:

  • Name of software;
  • Location of software;
  • Method of acquisition (Commercial Off-the-Shelf (COTS), contractor-developed, internally developed);
  • Cost of capitalized software (account for in development and in-use costs separately);
  • Useful life of capitalized software;
  • Amortization per accounting period;
  • Cost of expensed software associated with the capitalized IUS; and
  • Enhancement costs to software (both capitalized and expensed).

Other Requirements:

Inventory records must include copies of invoices and contracts, labor cost methodologies, licensing arrangements, and other necessary documentation related to the software costs. 

An inventory of all capitalized software and software in development must be performed annually, at a minimum.  OpDivs must provide inventory results to the OCIO VMO.  OpDivs may request assistance to maintain accountability of software in specific locations and to resolve the issue of missing or found software.  The inventory must also include:

  • Any software not yet installed; and
  • Software residing on laptop computers, but not on the network.

Appendix D: Forms and Templates

Please note that this appendix is subject to change at any time. The current version of this Policy will always reside in the OCIO Policy Library.

No forms or templates are applicable to this Policy.

Glossary and Acronyms

Definitions:

  • Information Technology (IT): Computers, ancillary equipment, peripheral equipment designed to be controlled by the central processing unit of a computer, software, firmware and similar procedures, services, and related
  • Information Technology Asset: Any IT-related item (tangible or intangible) that has value to an organization. Assets are the lowest level at which IT is planned, acquired, implemented, and operated.
  • Software: Refers to (i) computer programs that comprise a series of instructions, rules, routines, or statements, regardless of the media in which recorded, that allow or cause a computer to perform a specific operation or series of operations; and (ii) recorded information comprising source code listings, design details, algorithms, processes, flow charts, formulas, and related material that would enable the computer program to be produced, created, or compiled. Software does not include computer databases or computer software documentation.
  • Software Asset Management (SAM): The process of tracking, monitoring and reporting the use and ownership of software assets throughout their lifecycle, including licenses, versions, and installed endpoints. This includes enterprise software license agreements, subscriptions and commercial software licenses.
  • Software License Management (SLM): The proactive approach to SAM that enables accurate procurement and deployment of software licenses based on contract entitlements, product use rights, and actual usage.
  • Software Management Centralization Plan: A detailed plan that establishes a framework to centralize HHS software assets and authorizes the Software Manager to apply organizational resources to reduce life cycle costs and improve software asset management practices, in accordance with OMB Category Management Policy 16-1.

Acronyms:

  • ASA – The Office of the Assistant Secretary for Administration
  • ASFR – The Office of the Assistant Secretary for Financial Resources
  • CFO – Chief Financial Officer
  • CIO – Chief Information Officer
  • COTS – Commercial Off-The-Shelf
  • ESCT – Enterprise Software Category Team
  • FAR – Federal Acquisition Regulation
  • FITARA – Federal Information Technology Acquisition Reform Act
  • HHS – Department of Health and Human Services
  • IDC – Integrated Data Collection
  • IT – Information Technology
  • IUS – Internal Use Software
  • MEGABYTE – Making Electronic Government Accountable By Yielding Tangible Efficiencies
  • OCIO – Office of the Chief Information Officer
  • OCPO – Office of the Chief Product Officer
  • OMB – Office of Management and Budget
  • OpDiv – HHS Operating Division
  • SaaS – Software as a Service
  • SLM – Software License Management
  • SAM – Software Asset Management
  • VMO – Vendor Management Office

Footnotes:

  1. Appendix A of this Policy will be updated to include the centralization plan in FY2020, and this footnote will be removed.
  2. Tools will be defined as part of the development of the FY 2020 SAM centralization plan. OpDivs will have the flexibility to choose their own tool set and work with the Enterprise to send appropriate data, as defined by the SAM program.

Content created by Office of the Chief Information Officer (OCIO)
Content last reviewed on November 21, 2019