On September 12, the White House ordered U.S. agencies to create a complete inventory of all third-party software they use within 90 days for IT security reasons. This could pose a real challenge for the heads of Executive Departments and Agencies, but with the right tool, this task can be easily automated.
Back in May, President Joe Biden asked the National Institute of Standards and Technology (NIST) to guide agencies to effectively protect government systems through more secure software, and now that said guidance is finished, the White House Office of Management and Budget (OBM) director ordered its implementation.
To comply with the executive order, agencies must start by knowing which software is installed on their devices. Hence, the 90-day deadline. However, in our experience, there's no need for this to become a headache. With , U.S. agencies can automate the creation of a software asset inventory.
Keep reading to discover how to accomplish this and what to expect from the new regulation.
White House guidelines to secure agencies
To accomplish the goal of better-protecting government systems, the White House guidance established a roadmap that consists of several steps – each of which with its own deadline. We already mentioned the first one, creating a software inventory.
Once that's done, agency chief information officers will have 120 days to create a process to communicate to third-party vendors that their software must be compliant with the NIST guidelines and that they'll need to send agencies a "self-attestation" letter detailing the product's security features, recent changes, and secure development practices.
Agencies must collect the letters for "critical" software providers within 270 days, while the rest of the vendors have time to send theirs until next September.
After the CIOs collect the letters, they'll have six months to train employees to confirm that what the vendors said in the letter is actually true. This procedure should ensure that U.S. agencies only use secure third-party software.
According to the Federal Chief Information Security Officer and Deputy National Cyber Director Chris DeRusha, one of the reasons behind this measure is the SolarWinds 2020 incident that compromised several federal agencies.
How to create a software asset inventory for U.S. agencies with InvGate Insight
With these deadlines in mind, it's obvious that time is of the essence. So, your best shot is to find an efficient software inventory solution that takes over much of your work. And that's exactly what will do for you.
InvGate Insight's Agent is the one that does all the work for you. All you need to do is install it on your agency's devices – and you can do this remotely by running a few commands and configurations thanks to the Agent Deployment feature.
Once installed, the agent will immediately report everything that's going on in that device (whether it's hardware or software). So, as soon as you upload it on the devices, your software inventory will be automatically populated with all the software installed in them.
You can see the list of software from the Software menu, as well as by clicking on a particular asset. What data will you see? The number of installations, software version, and software usage in the last seven days, to name a few.
But having your software inventory up-to-date is not the only thing you'll be able to do with . You can also create reports with a few clicks with, for instance, all the software vendors used in your agency – which comes in handy for the contact stage! Plus, reports can be shared with external users, so your team can start the contact process to get it done faster.
And let's not forget that, once you have your software inventory in place, InvGate Insight allows you to do a lot of things. For example, filter your devices by installed software to see if they’re compliant with your agency’s regulations. This would be particularly helpful at the last stage of the White House guidelines, to monitor if unauthorized software is effectively uninstalled – and to avoid it being restored in the future.
Finally, you'll also be able to create alerts for any particular software you need to monitor, making it really simple to keep an eye on it.
As you saw, InvGate Insight's agent is the one that does the hard work. Your team only has to install it on every device in your agency (which can be done remotely), so that it can start reporting automatically.
And once you have all that data, there's almost anything you can do:
- Create reports to act upon vendors.
- Monitor the effective uninstallation of software.
- Observe software usage regularly.
- Detect the use of unauthorized software.
- Control the use (and need) of software licenses.
Moreover, since InvGate Insight is an IT asset management solution, it can also help with hardware management (for instance, by tracking it with QR codes), stock monitoring, software audits, and more!