[House Hearing, 119 Congress]
[From the U.S. Government Publishing Office]
IMPROVING SOFTWARE LICENSING
MANAGEMENT
=======================================================================
HEARING
before the
SUBCOMMITTEE ON TECHNOLOGY MODERNIZATION
of the
COMMITTEE ON VETERANS' AFFAIRS
U.S. HOUSE OF REPRESENTATIVES
ONE HUNDRED NINETEENTH CONGRESS
FIRST SESSION
__________
MONDAY, MAY 19, 2025
__________
Serial No. 119-22
__________
Printed for the use of the Committee on Veterans' Affairs
[GRAPHIC NOT AVAILABLE IN TIFF FORMAT]
Available via http://govinfo.gov
U.S. GOVERNMENT PUBLISHING OFFICE
61-164 WASHINGTON : 2025
COMMITTEE ON VETERANS' AFFAIRS
MIKE BOST, Illinois, Chairman
AUMUA AMATA COLEMAN RADEWAGEN, MARK TAKANO, California, Ranking
American Samoa, Vice-Chairwoman Member
JACK BERGMAN, Michigan JULIA BROWNLEY, California
NANCY MACE, South Carolina CHRIS PAPPAS, New Hampshire
MARIANNETTE MILLER-MEEKS, Iowa SHEILA CHERFILUS-MCCORMICK,
GREGORY F. MURPHY, North Carolina Florida
DERRICK VAN ORDEN, Wisconsin MORGAN MCGARVEY, Kentucky
MORGAN LUTTRELL, Texas DELIA RAMIREZ, Illinois
JUAN CISCOMANI, Arizona NIKKI BUDZINSKI, Illinois
KEITH SELF, Texas TIMOTHY M. KENNEDY, New York
JEN KIGGANS, Virginia MAXINE DEXTER, Oregon
ABE HAMADEH, Arizona HERB CONAWAY, New Jersey
KIMBERLYN KING-HINDS, Northern KELLY MORRISON, Minnesota
Mariana Islands
TOM BARRETT, Michigan
Jon Clark, Staff Director
Matt Reel, Democratic Staff Director
SUBCOMMITTEE ON TECHNOLOGY MODERNIZATION
TOM BARRETT, Michigan, Chairman
NANCY MACE, South Carolina NIKKI BUDZINSKI, Illinois, Ranking
MORGAN LUTTRELL, Texas Member
SHEILA CHERFILUS-MCCORMICK,
Florida
Pursuant to clause 2(e)(4) of Rule XI of the Rules of the House, public
hearing records of the Committee on Veterans' Affairs are also
published in electronic form. The printed hearing record remains the
official version. Because electronic submissions are used to prepare
both printed and electronic versions of the hearing record, the process
of converting between various electronic formats may introduce
unintentional errors or omissions. Such occurrences are inherent in the
current publication process and should diminish as the process is
further refined.
C O N T E N T S
----------
MONDAY, MAY 19, 2025
Page
OPENING STATEMENTS
The Honorable Tom Barrett, Chairman.............................. 1
The Honorable Nikki Budzinski, Ranking Member.................... 3
WITNESSES
Mr. Jeff VanBemmel, Executive Director of End User Operations,
End User Services, Office of Information Technology (OIT), U.S.
Department of Veterans Affairs................................. 4
Accompanied by:
Mr. Don Carter, Executive Director for Contract and
Operations Management, Office of Information Technology
(OIT), U.S. Department of Veterans Affairs
Ms. Carol Harris, Director, Information Technology and
Cybersecurity Issues, U.S. Government Accountability Office.... 6
APPENDIX
Prepared Statements Of Witnesses
Mr. Jeff VanBemmel Prepared Statement............................ 31
Ms. Carol Harris Prepared Statement.............................. 33
IMPROVING SOFTWARE LICENSING MANAGEMENT
----------
MONDAY, MAY 19, 2025
Subcommittee on Technology Modernization,
Committee on Veterans' Affairs,
U.S. House of Representatives,
Washington, DC.
The subcommittee met, pursuant to notice, at 3:02 p.m., in
room 360, Cannon House Office Building, Hon. Tom Barrett
(chairman of the subcommittee) presiding.
Present: Representatives Barrett, Luttrell, Budzinski, and
Cherfilus-McCormick.
OPENING STATEMENT OF TOM BARRETT, CHAIRMAN
Mr. Barrett. All right. Good afternoon, everyone, and thank
you all for being here today. The subcommittee will come to
order. We are here today to talk about software license
management, an issue that affects every veteran who expects the
U.S. Department of Veterans Affairs (VA) to function
efficiently, securely and transparently, while also keeping
costs in mind.
The VA spends over $1 billion on software licenses every
year and the Department has never done a good job of managing
it all or knowing how many they have. Without good data the VA
has no way of knowing how much money they are wasting on
duplicative or unnecessary licenses.
In some ways, software licenses are a lot like library
cards. Just like a library card allows you to check out a book
from a library, a software license gives you access to the
software product. Each library represents a different software
product, and VA purchases software licenses, or library cards,
for their employees to use that product. We would have used to
call these Blockbuster cards back in the day, but those are no
longer applicable.
VA purchases hundreds of thousands of library cards for
thousands of different libraries every year. VA simply cannot
make smart decisions about how many software licenses they buy
if they do not have complete and accurate data. At the
fundamental level, VA needs to understand what licenses they
own, and whether they are being used.
Government Accountability Office (GAO) published a report
last year with several alarming findings about the state of
software license management at the VA. VA could not explain
what they paid for specific software products that are bundled
into a single license agreement because the cost for each
individual product are not broken down.
VA could not track whether the licenses they purchased for
their most widely used software licenses are actually being
used. They can track some of them, but not all.
VA is not able to compare software license usage to
purchase records so they can have the information they need to
negotiate better deals and identify cost savings. This basic
information that any organization needs to make sure they are
buying the right licenses for the right number of people at a
fair price.
I understand that VA has made some progress resolving these
issues, and I expect to hear more about that from our VA
witnesses during this hearing.
GAO and other organizations have been calling out the
Federal Government's problems with software license management
for over a decade. As long as this problem is unresolved, there
will be waste and inefficiencies to be realized.
Earlier this year, the Federal Chief Information Officer
(CIO) asked each agency to submit inventories of the software
licenses they purchased from the five largest software vendors
in the Federal Government. I reviewed the VA's response last
week. For tens of millions of dollars worth of licenses, VA
wrote that the license usage in quantities were unknown. It is
clear that VA still has a long way to go.
VA was supposed to produce a full inventory of all software
licenses by the end of April, but we have not seen that yet.
I recognize that this problem was not created in 1 day, and
will not be solved in a single day either. I believe that the
VA wants to get this right, and I am committed to working with
the new administration to finding a solution to do that.
I applaud the Trump administration's effort to put a stop
to this wasteful spending on software licensing by reviewing VA
and other software--other agency's software inventories.
President Trump's executive order consolidating aspects of
Information Technology (IT) procurement into the general
services administration is another step in the right direction.
Let me be clear, consolidation alone will not solve the
problem. Agencies must be responsible and accountable.
The VA must maintain an accurate software inventory to keep
track of what licenses are being used. They must track license
usage in real time, analyze performance data and hold vendors
accountable. These are not lofty ideals. They are basic good
business practices.
Today I want to focus on three things: First, what is
preventing VA from keeping and a full and accurate inventory of
their software licenses that has clear price breakdowns and
tracks the usage by user?
Second, how has software mismanagement impacted broader
technology and modernization efforts at the VA?
Last, what can Congress do to help make sure that the VA is
not wasting valuable resources on software licenses that could
be spent on veterans?
At the end of the day, every unused or duplicative software
license that VA pays for is not just a line item, it is a waste
of taxpayer dollars and a missed opportunity. An upgrade that
never happened, a fix that got delayed, a veteran waiting
longer for the care they earned. Let us change that.
I can tell you I know that this is not a unique issue alone
to the VA, but this is the committee that I have jurisdiction
over and want to work with my committee members to fixing, and
that is why we are here today working on the VA.
With that I yield to Ranking Member Budzinski for her
opening statement.
OPENING STATEMENT OF NIKKI BUDZINSKI, RANKING MEMBER
Ms. Budzinski. Thank you very much, Mr. Chairman. Thank you
for holding today's hearing about software licensing concerns
at the Department of Veterans' Affairs. I do look forward to
working with you to address this issue and coming up with
appropriate and commonsense solutions for the employees of the
VA, and our Nation's veterans. We owe it to them, and we do owe
it to the American taxpayer.
I also want to thank our witnesses for attending today's
hearing to discuss the future of how VA manages its catalog of
software licenses and how it will procure them in light of the
recent executive order that could centralize all Federal
acquisitions of IT services under the General Services
Administration, GSA.
As I have said many times, pretty much everything VA does
have some relationship to a computer, whether it is documenting
in a medical record, reviewing a veteran's benefits' claim, or
tracking staff schedules. VA's catalog of software is an
essential tool for the provision--for the provision of
healthcare and benefits to our Nation's veterans.
I am concerned about VA's inability to account for the
number of software licenses they currently have, how many are
in actual use, and how much money has been wasted by the lack
of this accountability.
A January 2024 Government Accountability Office report
identified several issues with 24 Federal agencies, including
the VA, where they observed wasteful spending--wasteful
spending of taxpayer funds on software licenses and systems
that at a time were not needed.
In the report, GAO made two recommendations to the VA. One,
VA should track all licenses in its portfolio that are
currently in use; two, VA should compare the number of licenses
in use with the number of licenses VA actually paid for to
identify waste.
As I understand it, VA Office of Information Technology
(OIT) leadership has acknowledged GAO's recommendations, and is
working diligently to implement solutions by the end of Fiscal
Year 2025. I am happy to hear the VA is making progress, but I
am curious if VA has looked at the higher-order processes. It
is easy to treat inspector general and GAO report findings like
a punch list, but is VA looking at the processes that
contributed to this mess?
Shadow IT is a struggle that many major organizations
contend with. What is VA doing to get a handle on it? Software
is only part of the solution, how is VA addressing the policy
and process issues that have allowed it to explode?
Also, in many--in my short time on this committee, I have
heard many times that poor requirements development has
contributed to almost every IT modernization failure at VA. How
is VA refining that process to ensure that the software end
user receive meets their needs? We need to stop playing whack-
a-mole and start thinking strategically.
Finally, I am concerned about a recent executive order from
President Trump that will consolidate the procurement of all
common goods and services, including IT products under GSA. The
intent is to reduce waste and improve efficiencies. I fully
support making sure that VA is more efficient, but we must be
sure that any changes to IT procurement do not create
downstream disasters.
I think we can have a conversation about how this can be
done with software like Microsoft and Adobe, but I am concerned
that this executive order does not take into account the unique
mission VA provides to our veterans.
Most of the software used at VA is not commercial off-the-
shelf, or COTS products, but unique to VA because--I am sorry--
unique to VA providing care and benefits to veterans. This
executive order would remove VA's oversight in the purchasing
of the software and increase the risk of wasteful spending on
software that does not meet the VA's needs. Not to mention that
the Trump administration shuttered GSA's tech unit and plans to
cut its budget in half. How are we supposed to trust that GSA
can handle taking on VA's IT purchasing?
The focus should be on serving our veterans and empowering
VA to make its own software purchasing decisions while
accounting for the number of software licenses it currently
has, and if they are being used. The focus should be on VA
using GAO's recommendations to improve its accountability over
its software licenses, and future purchasing of software
licenses. We owe it to our veterans and to the VA employees to
get this right. Thank you, Mr. Chairman, and I yield back.
Mr. Barrett. Thank you so much. I will now introduce our
witnesses. From VA's Office of Information Technology, Mr. Jeff
VanBemmel, Executive Director of End User Operations. Thank you
for being here, sir.
Mr. Don Carter, Executive Director for Contract and
Operations Management. Thank you.
A familiar face to this committee is Ms. Carol Harris,
Director of Information Technology and Cybersecurity at the
Government Accountability Office. Thank you for being here as
well.
I will now ask the witnesses to please stand for your oath,
and we will swear you in. Please raise your hand, right hand.
[Witnesses sworn.]
Mr. Barrett. Thank you. Let the record reflect all
witnesses have answered in the affirmative.
Mr. VanBemmel, you are now recognized for 5 minutes to
deliver your opening statement on behalf of VA.
STATEMENT OF JEFF VANBEMMEL
Mr. VanBemmel. Chairman Barrett, Ranking Member Budzinski,
and distinguish members of the subcommittee, thank you for the
opportunity to testify regarding the software asset management
(SAM) program at VA. Your long-standing support of veterans and
their families is greatly appreciated.
I am accompanied today by Mr. Don Carter. He is our
executive director for contract and operations management, the
Office of Information Technology, OIT.
OIT recognizes that software is a critical component in
delivering the care and services our veterans deserve. This
recognition has led to substantial investments in both
commercial and VA developed software solutions.
The increase in software solutions has required VA to
constantly review and update its management policies and
practices, especially in areas such as decentralized
procurement and license oversight.
In this vein, OIT has launched a strategic initiative to
address the recommendations documented in GAO's report,
``Federal Software Licenses: Agencies Need to Take Action to
Achieve Additional Savings.''
OIT software asset management program mitigates risks, such
as decentralized software procurement, lack of product
ownership, loose license and data management. OIT will identify
existing capability gaps in software and asset visibility,
especially establishing a single source of truth for all
software data usage data and developing and implementing new
SAM policies and formal governance procedures.
The SAM program is building a centralized software
repository to streamline software management and stakeholder
communication. OIT is also working to automate tasks within the
SAM lifecycle framework, where feasible, and leveraging
existing tools and systems for efficient implementation,
integration and reporting.
This comprehensive approach allows VA to effectively plan
for future software needs, manage updates and ensure proper
disposal of outdated or unused software. OIT's recent progress
in the deployment management and retirement phases of software
asset lifecycle has realized significant software license cost
avoidance across its top 15 most widely used titles.
OIT recognizes that software procured or deployed outside
of approved channels poses security, compliance and financial
risks. VA is working to mitigate those risks by establishing
this program, by providing training and facilitating a culture
of change, through continuous improvement and metrics, and by
rigorously applying policies on procurement and oversight. We
are strengthening governance mechanisms, improving software
visibility, and working with VA business owners to rationalize
requirements and minimize unauthorized software acquisitions.
OIT is issuing guidance for all related--relevant staff,
focusing on requirements definition, acquisition planning,
software lifecycle management, and the risks associated with
unauthorized software procurement. Training staff on SAM
processes and policy compliance is a crucial aspect of the
program. By educating staff early in the acquisition process,
we aim to foster a culture of accountability and proactive
software management.
VA is committed to refining our policies and practices to
ensure the most efficient use of resources and the best
possible outcomes for our veterans.
VA's way forward includes improvements to VA directive
6008, which governs all IT acquisitions and enforces the chief
information officer oversight for software purchases ensuring
compliance with Federal laws. These procurements also go
through the Federal Information Technology Acquisition Reform
Act, FITARA, review processes.
VA is also working on new guidance for product service
codes used in procurement and medical devices that have a
software component that are connected to the VA network, or
standalone medical devices that store persistent patient
information. These updates close many previous gaps that
allowed licenses to be purchased without centralized review.
OIT is also establishing ways to measure the effectiveness
of the SAM program, including capturing our cost savings,
assessing compliance rates, utilization efficiency, and
resolving audit findings.
OIT is committed to continuing our progress, strengthening
our governance, and fully optimizing our software portfolio,
but effective software management is not just the
responsibility of a single office, rather a collective effort
across VA's entire enterprise.
Through OIT's ongoing efforts in the SAM program, VA aims
to ensure that every dollar spent on technology supports the
critical mission of serving America's veterans with excellence.
Thank you for your continued support, and for the
opportunity to testify here today.
[The Prepared Statement Of Jeff VanBemmel Appears In The
Appendix]
Mr. Barrett. Very good. Thank you, sir. Mr. Carter, do you
have testimony, or were you guys joined together?
Mr. Carter. We are joined together.
Mr. Barrett. Okay. Very good. Ms. Harris, you are now
recognized for 5 minutes.
STATEMENT OF CAROL HARRIS
Ms. Harris. Thank you. Chairman Barrett, Ranking Member
Budzinski, and members of the subcommittee, thank you for
inviting us to testify today on VA's software license
management.
As requested, I will briefly summarize our prior work on
the Department's effort to track software license usage and
manage restrictive licensing practices.
As you know, the use of IT is crucial to helping VA
effectively serve our Nation's veterans. The investment in IT
is substantial. In Fiscal Year 2025, VA plans to spend roughly
$985 million on software, including commercial software
licenses. I appreciate this subcommittee's attention on this
topic, because software licenses has been problematic across
the Federal Government for a long time, and especially at VA.
With more effective management, the potential for cost savings
could be huge.
This afternoon I will highlight two key points. The first
is that VA lacks the ability to know if it is purchasing too
many or too few licenses. Last January we reported that VA did
not track software licenses currently in use, nor did it
regularly compare the inventories of those licenses to purchase
records. These are key activities needed to effectively manage
software licenses.
While the Department was able to report to us its 5 most
widely used software vendors at that time, officials could not
demonstrate that they were tracking the appropriate number of
licenses for each item of software currently in use.
In contrast, vendors perform these activities all the time
to ensure that customers are adhering to contract terms, and
can apply true-up penalties when customer use exceeds those
stated terms. Without data of its own, VA cannot verify whether
the vendor's information is accurate.
Moreover, VA will continue to miss opportunities to reduce
costs on duplicate or unnecessary licenses. As such, we made
two recommendations to VA to fully address these key management
activities.
In response to our recommendations, the VA has told us it
has implemented new procedures for its most widely used
software licenses, and will implement a centralized approach to
ensure software is tracked throughout the entire lifecycle. The
Department fully expects to address our recommendations by the
end of the year. We will continue to monitor VA's actions to do
so.
My second point relates to work we did this past November
on restrictive software licensing practices which adversely
impacts agency's cloud-computing efforts, including those at
VA.
According to VA officials, some of the restrictive
practices that they have encountered, including a vendor
requiring the agency to pay additional fees to use the vendor's
software on infrastructure from third-party clouds, making the
agency repurchase the existing software licenses being used on
its on-premise systems for use in the cloud, and also requiring
or promoting vendor lock-ins, such as not allowing another
vendor's software to be used with its own hardware.
VA officials reported that the restrictive licensing
practices generally impacted the cost of cloud computing and
the choice of cloud service provider. However, the Department
had not established guidance for effectively managing the
impacts from these restrictive licensing practices.
Further, VA had not assigned responsibility for managing
such practices.
Accordingly, we made two recommendations to VA to address
these gaps. VA has concurred and stated it will provide actions
it plans to take to address both of these recommendations.
Moving forward in the two areas I noted, it will be
critical for VA to fully implement our recommendations as soon
as possible. Doing so will present the VA with opportunities to
reduce costs on duplicate or unnecessary licenses, and also
take action to mitigate the impact of restrictive licensing
practices.
As I mentioned earlier, the cost savings potential is
tremendous. The Department had previously reported it had saved
about $65 million over 3 years due to analyzing just one of its
software licenses. You can imagine the possibilities when you
apply that across the entire inventory of licenses.
That concludes my statement, and I look forward to
addressing your questions.
[The Prepared Statement Of Carol Harris Appears In The
Appendix]
Mr. Barrett. Thank you. The written statement of both Ms.
Harris and Mr. VanBemmel will both be entered into the record,
so thank you.
We will now proceed to questioning, and I am going to
recognize myself first for 5 minutes for questions.
Ms. Harris, when you were saying that in your testimony,
vendors know very carefully if any contract that they are
under, if there is a level of usage in excess of the terms of
the contract, if they buy 10,000 licenses and 10,001 people try
and use it, they are going to know that and they are going to
charge the agency for that additional usage, it sounds like,
based upon your testimony today?
Ms. Harris. That is right. It is called a true-up penalty.
Mr. Barrett. Okay. It is not also the case that we are
being noticed if we bought 10,000 licenses and only 6,000 are
being used over the last, you know, 6 months to a year, some
period of time that we can get a pretty good indication whether
or not it was ever going to get used.
Ms. Harris. Well, given that vendors do track the usage,
they most likely do know if the licenses are being
underutilized, but most likely they are not going to present
that information to the government.
Mr. Barrett. Do we know if any of the terms that the
contract has would require that notice to be given back to--
specifically to the VA, or any other Federal agency that you
may have come across?
Ms. Harris. We have not seen those terms stated in the VA
contracts during the course of our audit.
Mr. Barrett. Okay. Is there a best practice that would call
for that type of awareness with a vendor contract, if you go
out and buy a number of licenses, to know how many are being
utilized?
Ms. Harris. I would consider that to be a leading practice,
to have that included in the contract, but it is also important
for the government to do its own tracking of usage----
Mr. Barrett. Sure.
Ms. Harris [continuing]. because we need to be able to
verify that the vendor information is accurate.
Mr. Barrett. Okay. Thank you. Then Mr. VanBemmel, you said
that this--back at the end of--or sometime in 2024, the SAM
office, right, remind me again what that stands for, the . . .
Mr. VanBemmel. Software Asset Management program.
Mr. Barrett. Okay. That is sort of designed to be an office
that really takes this into account; is that correct?
Mr. VanBemmel. Yes, sir, that is correct.
Mr. Barrett. If that is the case, I know we have got still
some lingering findings from Ms. Harris' review of this, can
you give us an update on the progress that is been made in that
effort to kind of true up what needs we have versus what we are
actually using?
Mr. VanBemmel. Yes. On the two recommendations, we are
close to getting ready to close out with GAO formally the
tracking of the top 15 titles. That was one of their first
recommendations. We are now able to do that and reliably take
that inventory against our acquisition records and do true-ups
in real-time, as she indicated.
The second one is a much larger recommendation. Getting
beyond the 15 titles you start--you know, we have very good
visibility on more than 80 percent of that. We can see almost
all of the software today, and we have made some investments in
visibility on the endpoints. We can actually not just see the
licenses assigned to this user, but we can actually tell if
that user is using that license, and that is a piece of
software that we did not have even a year ago.
That improved visibility is really getting that visibility,
and then tying that together with the acquisition data is the
work that we still have together with us for all of those
larger----
Mr. Barrett. To me, it is less about who is being granted
the license and more about whether or not they are using it.
There may be a portfolio of things as a basic package that an
employee may get, but if they do not need one of those
licenses, that is where I think the rub comes from is where do
you split out, yes, they need this, this, and this, but do they
need this enhancement of other products available?
The other question I had for you is if I work at a local VA
hospital, say, perhaps in Michigan, not far from where I live
even, just to use an example, what--if I were working there and
I thought, Hey, I need this additional software program, what
is the process that is used by the VA to determine if that is
already under contract, and if I can just add onto that
contract, or are we duplicating efforts where the VA facility
close to my home is buying the exact same product that a VA
facility 500 miles away is purchasing and we have not bundled
that into a more efficient purchasing agreement?
Mr. VanBemmel. That is right. That is one of the, I think,
longer term challenges that we are facing with the SAM program,
getting visibility on what is in use today and being able to
track license usage in real time and reconciling that so we are
not overbuying, underbuying, and that people are really using
the software that they have asked for.
The second one is being able to rationalize requirements
with our business stakeholders. The hospital, for example,
has----
Mr. Barrett. You said rationalize----
Mr. VanBemmel. Requirements. When somebody asks for a
product, we often look at that as a requirement. In a software
category, we might have already purchased software that
fulfills that same requirement, and they could use one of the
existing softwares available in the catalog today, or it might
have--it might be part of a new requirement.
Having a discussion with the stakeholders on the business
side and asking them about the requirements and making sure
that we buy smartly, and then to your point, this is a
submission from Michigan, how pervasive is this across the
entire enterprise? How common is this practice? Making sure
that we buy once and we do an enterprise approach to a
solution.
I think that is really where the challenge is for this
program stem from, is the historical legacy of the way VA was
organized. That hospital in Michigan, for example, 5 or 10
years ago was an independent operating unit within the
Department of VA, and they made their own local procurement
decisions on software like that if it was related to the care
of veterans. Now we are trying to get a business side to look
at an enterprise approach as IT has been centralized over the
last 5 or 6 years, and taking those independent titles that are
out there--we have--a lot of our software catalog titles are
comprised of those individual titles and rationalizing them
down into a subset of softwares.
Mr. Barrett. Okay. Thank you. Ranking Member Budzinski for
5 minutes.
Ms. Budzinski. Thank you, Mr. Chairman. Mr. VanBemmel, the
VA's Software Access Management policy, VA Directive 6403,
outlines the roles and responsibilities of VA leadership, OIT
leadership, IT acquisition professionals and service legal
agreements, SLA, concerning VA OIT operations, this policy was
initially issued back in July 2015. Has the policy been updated
since then?
Mr. VanBemmel. We are staffing changes that we are--we have
really learned a lot over the last year. This GAO report, as
you mentioned, in January 2024 prioritized software asset
management for the OIT. We put a lot of effort into it, and we
are learning a lot of things. We think that policy, along with
6008, and some of our other policies, and the processes that
stem from policy, need some updating.
Ms. Budzinski. It is not updated yet, but it sounds like
you are working----
Mr. VanBemmel. That is part of the overall plan of
establishing this program, updating that document, as well as
others.
Ms. Budzinski. Okay. Great. Then maybe just to follow up a
little bit on what you were just discussing about kind of the
tracking system for the current user licenses. So what, I think
from what I understood, you are saying that currently it is
kind of tracked at the local level, but that you are trying to
move it more toward the enterprise where the enterprise is
tracking it, moving it out of the local kind of jurisdiction;
is that accurate?
Mr. VanBemmel. Yes, for the most part, I would say that we
have good visibility now across the entire enterprise. The real
challenge is putting all of that into a central repository and
tying it to acquisition data so that we do not have to do a
manual reconciliation across different systems.
Ms. Budzinski. That was going to lead to my next question.
What offices within the VA are going to be responsible, if they
are not already fully responsible for the enterprise, you know,
view of this work, what offices will be or are in charge of
understanding and storing the list of user licenses currently?
Mr. VanBemmel. End user operations is the lead for this
effort, but we are doing it in partnership with several
different groups within OIT. Don's office, Office of Strategic
Sourcing which does a lot of the acquisition work is another
partner in that. Then we have a team that does a lot of the
cloud software development, platform management, those types of
product offerings. Software as a Service (SaaS) is largely in
their footprint. That is why we have these different
repositories because different groups had different
responsibilities. We are going to pull all of that into a
central system. My organization will be the lead for that
aggregation of data, and then pulling all of that together as a
corporate process.
Ms. Budzinski. Am I understanding this correctly, there are
like 3 entities within the VA----
Mr. VanBemmel. Largely, yes.
Ms. Budzinski. Then eventually that is all going to be
consolidated into your kind of purview?
Mr. VanBemmel. Right.
Ms. Budzinski. Okay. Who has currently access to all of
this different--these different sets of information?
Mr. VanBemmel. Can you clarify what you mean? Like people
in OI&T or----
Ms. Budzinski. Well, the people in OIT, who in the VA,
outside of the VA, might have access to this type of data?
Mr. VanBemmel. Okay. All of these repositories are internal
use really for the IT staff.
Ms. Budzinski. Okay.
Mr. VanBemmel. Our intention when we get into the central
repository is to be able to expose the software catalog to our
population of supported users. To your point about the user in
Michigan, when they have a software request they can look it up
and say, Hey, have we already bought this thing, and they could
see, oh, we do have this, we have 10 licenses we purchased, we
have five available.
That is the overarching intent is that it is internal for
VA use. Right now, that data is really just the IT operators,
but we would like to be able to share that in a request-type
way with our end users.
Ms. Budzinski. Am I understanding this correctly, using the
Michigan example, currently they kind of make that decision
locally, but eventually what is going to happen is they are
going to go to the VA, to your office specifically and kind of
inquire whether there is a license or a contract already--
Mr. VanBemmel. Yes.
Ms. Budzinski. They do not duplicate, basically, a contract
or recreate a license that exists.
Mr. VanBemmel. That is correct.
Ms. Budzinski. Thank you. Ms. Harris, my question, your
recent reports identified the need for clear roles and
responsibilities for effective software license management.
What steps has the VA taken to create, kind of speaking, I
think, a little bit to these earlier questions, better
ownership around these processes, what does the VA still need
to accomplish in this space from GAO's perspective?
Ms. Harris. We are still waiting for information from the
VA in terms of what steps they are going to take to implement
our recommendations.
You know, to Mr. VanBemmel's point, you know, I think he
did a really good job of laying down the groundwork for the
culture at VA of the decentralization of the software licenses,
and so now this movement to centralize is a very positive step
that is essential to effective license management. Then having,
you know, a single point of accountability is also something
that is going to be important. It sounds like it is going to be
funneled through his office, the buck will stop with him.
It sounds like all the key, you know, the key things that
they are doing all sounds good. We are going to, you know, have
more dialog with VA and verify those activities, and then come
back to you with what we think.
Ms. Budzinski. It looks like. Okay. Thank you. I will yield
back.
Mr. Barrett. Thank you. Mr. Luttrell, 5 minutes.
Mr. Luttrell. Thank you. Just for absolute clarification
for myself, Mr. VanBemmel, off the chair and the ranking
member, so I have DeBakey in my district, or in my area, excuse
me, Michigan, each of the 170-plus VA facilities will now have
to come directly to your office to get a software update,
upgrade or enhancement for their facility instead of going to
Microsoft or Oracle or Adobe or ServiceNow or Splunk, is that a
fair statement?
Mr. VanBemmel. All of those procurements already come
through OI&T. The difference is that we are going to start
having a requirements discussion instead of, you know, we
talked about this one software for this one local hospital, we
will be looking at that as an enterprise approach. All of--in
terms of the large titles, the Microsofts, the Oracles, all of
those kinds of things, those are already under enterprise
license agreements. We already have a process in place by which
they request those licenses. We manage all of that software
inventory for them.
Mr. Luttrell. When that request comes into your office, how
many people are responsible for making the decision for
DeBakey? Is it one person? Is there like a representative
inside your office that is speaking directly to me and--
proverbial me, and saying, Hey, you have got the green light on
this?
Mr. VanBemmel. This is the part, when we talked about
governances processes and updating policies, establishing a
correct mix of stakeholders that can do those software reviews
and make those decisions--it will not be me all by myself. We
want to have representation from the business. We--you know,
this is relatively new construct in VA. Oftentimes we took, you
know, the Veterans Affairs Medical Center (VAMC) director's
request and we fulfilled that request if we had the software
dollars available. If we did not have the software dollars
available we worked on, you know, the tradeoffs there.
In the future, what we really want to do is have a
collective conversation, and so, that also means that on the
stakeholders side of the house, for Veterans Health
Administration (VHA), Veterans Benefits Administration (VBA),
those sorts of entities, that they have representation on these
titles.
The first thing we want to be able to do in this central
repository is expose the total--the totality of licenses in use
today.
Mr. Luttrell. Is this something--forgive me. I need to
interject.
Mr. VanBummel. Yes.
Mr. Luttrell. Is this something that we are going to have
to purchase more software to do? If you are going to have to
build out an internal VA enclave infrastructure or something to
process what we are asking, will it be more money that we are
going to have to spend, or does something like this currently
exists?
Mr. VanBemmel. Currently exists.
Mr. Luttrell. Then how are we in this problem?
Mr. VanBummel. How did we get into this problem?
Mr. Luttrell. How are we here? If this already exists, how
are we here? I mean, we are $33 million on Oracle,
$438--annually, $438 million for Microsoft every year.
Mr. VanBemmel. Yes.
Mr. Luttrell. $12 million on Adobe. Splunk, I have never
even heard of that, but it apparently search and makes
excessive large amounts of data, obviously it is not doing a
very good job, I mean, what are we missing here? If it already
exists currently inside the VA and we have this problem--how
long have you been in this position?
Mr. VanBemmel. Two and a half years. The investment that I
am talking about was made very recently. In the last year, we
made two major investments that are improving our visibility.
One is a piece of software that gives us visibility across all
600,000 end points for VA, so I can see real-time usage of the
software. That is a different----
Mr. Luttrell. Who is doing that?
Mr. VanBummel. We have already done that.
Mr. Luttrell. No, no, no. What is the name of the----
Mr. VanBemmel. The vendor?
Mr. Luttrell. Yes.
Mr. VanBummel. The project is called Tachyon, it is from a
company called 1E.
Mr. Luttrell. How much did that cost us?
Mr. VanBemmel. It is about $12 million for the entire
fleet.
Mr. Luttrell. We need to add that on to this list?
Mr. VanBemmel. It was already paid for last year.
Now, the other piece that we bought is a repository
software asset management module that goes on to our existing
IT Enterprise Resource Planning (ERP) that we use for all of
our incident and problem management. This is a place where we
are--we also have a module for hardware asset management, we
will now have a software asset management, again, it is a place
to store inventory. It is a place to----
Mr. Luttrell. Is this in every single VA or specifically in
the VA department?
Mr. VanBemmel. No. It is managed at the OIT centrally. All
those endpoints now will report back to the central repository
and be able to do reconciliations against that repository.
Mr. Luttrell. I still do not understand why if that is the
case--then why cannot our hospitals talk to each other? I am--
--
Mr. VanBemmel. I am not sure I understand.
Mr. Luttrell. I know you are not--I am just kind of
throwing that out there. It seems that with the large amount of
money that we are spending on all these different software
profiles, you would think like one could do it alone. I am
assuming that is just not the case?
Mr. VanBemmel. No, sir.
Mr. Luttrell. I yield back, Mr. Chairman. Thank you, Mr.
VanBemmel.
Mr. Barrett. Thank you. Mrs. Cherfilus-McCormick for 5
minutes.
Ms. Cherfilus-McCormick. Thank you so much, I think both
sides will agree that there is a lot of money being wasted
based on the mismanagement of the software, and I do have some
concerns on how we are going through and streamlining the
process, so please indulge me as we go through these questions.
Ms. Harris, how much money is wasted because VA does not
aggressively manage its licenses?
Ms. Harris. We do not know that figure because VA does not
have the information available in terms of what they are
tracking because they are just unable to track the full
inventory at this time.
Ms. Cherfilus-McCormick. Now, Mr. VanBemmel, who is the
executive in charge of the software assets management?
Mr. VanBemmel. That is me.
Ms. Cherfilus-McCormick. You are responsible for it?
Mr. VanBemmel. Yes.
Ms. Cherfilus-McCormick. Okay. This is a $7 billion a year
management system, correct?
Mr. VanBemmel. No. Are you talking about the service
asset--the software asset management module in our ERP?
Ms. Cherfilus-McCormick. Yes.
Mr. VanBummel. Service now?
Ms. Cherfilus-McCormick. Yes.
Mr. VanBummel. No.
Ms. Cherfilus-McCormick. How much is it?
Mr. VanBemmel. I would have to take that back for the
record. I do not know, to be honest with you.
Ms. Cherfilus-McCormick. How much would it cost to catalog
and maintain the catalog of all VA assets to include staff and
other costs?
Mr. VanBemmel. How much would it cost to maintain this
entire program?
Ms. Cherfilus-McCormick. Uh-huh.
Mr. VanBemmel. Let me take that back for the record. It is
probably an evolving picture.
Ms. Cherfilus-McCormick. Are you engaging in any use of
Artificial Intelligence (AI) to help manage?
Mr. VanBemmel. Yes.
Ms. Cherfilus-McCormick. How many are you actually using at
this current moment?
Mr. VanBemmel. Again, let me take that back for the record.
There are a potential for AI involved in this process.
Ms. Cherfilus-McCormick. Now, how long have you been using
any of these AIs?
Mr. VanBemmel. In terms of the software asset management
system, that is a relatively new investment, and we have not
finished the work on fully fielding that. It will not be done
until the end of this year. Our intention is to be able to get
real-time feeds from the field, and then reconcile that data
against other data feeds. We do see an opportunity on the
platform to introduce AI to help with that work, but we have
not today integrated AI because we have not fully deployed the
system.
Ms. Cherfilus-McCormick. Have you found any promising
information showing that it is actually going to identify any
costs, or help you with cost management?
Mr. VanBemmel. Yes. We have already made--we have already
had some significant cost avoidance just in the top 15 titles.
To date, I think the number is somewhere about $136 million
that we have had in terms of getting better visibility.
Ms. Cherfilus-McCormick. Have they done a good job in
identifying any redundancy or idle contracts in licensing?
Mr. VanBemmel. I think the bigger issue that we have in
terms of redundancy is not duplicative software, but in a
software category, we have 4 or 5 titles that do the same types
of things just in a different way. Then the question would be,
what is the best value for VA in terms of reducing those four
or five titles to, say, one or two different options.
Ms. Cherfilus-McCormick. Well, my question----
Mr. VanBemmel. That is the work that we have ahead of us,
even after we get the asset management system in place, that is
a long term effort to try to go through all of those titles
today.
Ms. Cherfilus-McCormick. My concern, and the reason I am
asking these questions is because I am wondering if we would be
better suited by having an actual executive, like people in
place to go through, or is AI a better way for us to actually
find these and identify these redundancies, especially since we
are limiting how much money you are going to have access to,
and the impact of those cuts into making sure that we can
identify.
That is why I was asking to see what is actually promising,
or should the funding actually be put toward having individuals
there to actually map out how we can actually find those costs,
and have you found any AI programs that actually are working.
To that extent, could you also provide us at a later time a
full list of all the AIs you have been using so we can actually
be watching that to see what is working and what is not?
Mr. VanBemmel. Yes. Let me clarify, we are not in full
operation today, so we are not currently. We do have our eye on
some opportunities in this space.
AI will help us with the aggregation of large datasets and
help us understand what is in use and what are the most likely
choices. Ultimately, conversations with the business, people
conversation, and then actually doing the work to migrate to do
an acquisition for, say, one to two titles versus the four or
five that we have in that product category, and then migrating
people from one set of softwares to those one and two titles
instead of the three or four that they may have. That is a
people-led issue. I would say that the investment in at least
the near term is going to be a people-led issue.
Ms. Cherfilus-McCormick. If you do not have that investment
with people-led issues, how do you think the whole process and
really bringing down the cost that we are seeing, do you think
that is going to be successful, or will we have another year
where we are fighting the same problem?
Mr. VanBummel. I also think that there is a lot of
opportunity here for us to do more with less. When you start to
get the information coming back from all of the endpoints and
you put it into a great repository there--right now that
process is very manual. We have to do manual reconciliations on
some of these products, and so that is much more labor
intensive. I think the automation piece and the ability, then,
to see data in one place is going to really reduce the overall
manpower requirements.
Ms. Cherfilus-McCormick. Thank you so much. I yield back.
Mr. Barrett. Thank you. I appreciate it. I will recognize
myself again for 5 more minutes.
We have, Mr. VanBemmel, we have 170 independent VA hospital
facilities; is that correct?
Mr. VanBemmel. I manage it by areas, and there are 137
areas, and within that we have a couple of hospitals--there are
a few areas that have more than one hospital in it, but yes, it
is 137 areas.
Mr. Barrett. Well over a hundred.
Mr. VanBemmel. Yes.
Mr. Barrett. You know, more than 150 even.
Mr. VanBemmel. Correct.
Mr. Barrett. Prior to this establishment of the office that
you described, they were all kind of independent autonomous
agencies within VA, almost as if they were their own department
to a degree, more or less, purchasing their own software and
all of those things on their own. Through the formation of your
office, that IT purchasing should be consolidated through your
efforts; is that correct?
Mr. VanBemmel. That is correct.
Mr. Barrett. We are not quite a year and a half into this
now?
Mr. VanBemmel. Well, so centralization in IT has been
ongoing for more than 6 or 7 years. We wrote VA Directive 6008
to help clarify what they could spend their non-IT acquisition
appropriations on, and what we would spend the IT appropriation
on. That regulation is evolving as we move forward. Yes,
essentially, you know, in the past, they were all operating as
independent units, and now we are managing IT centrally, and
software is one of those.
Mr. Barrett. Yes. I see a little parallel to a degree
between this electronic health record rollout that we have been
dealing with on this committee, as well as some of this other
stuff where we had independent systems, and to Mr. Luttrel's
point, they could not even then send files directly to one
another because they had evolved separately over time, and then
you have IT systems that are procured in different ways, and
you may not know if the agency across town or across the State
or across the country is purchasing that same IT equipment.
There is not currently a catalog that you could go to to see if
another agency is already purchasing software through this
particular vendor that you could then add on to. Is that
correct?
Mr. VanBemmel. That is correct. From the end user
perspective, there is not.
Mr. Barrett. Then do you manage the contracts themselves,
or just the purchasing of them?
Mr. VanBemmel. Just the purchasing of them.
Mr. Barrett. The license?
Mr. VanBemmel. Yep. Don's team does a lot of the
acquisition work. We have another team that does the software--
the software has a service, this cloud-based software.
Mr. Barrett. Mr. Carter, then, perhaps this question is
best to you, is there anything that is standard boilerplate in
our contracts as we are going out for large scale acquisition,
not a 1s and 2s kind of acquisition of very, you know,
something irregular, but a large portfolio that would require
feedback to the VA as to actual license usage so we would know
if we are over purchasing or not.
Mr. Carter. Thank you, Congressman, for that question. We
actually do look at that when we develop the vehicle. A lot of
times, and I think there is a misconception, all software
purchased has to be reviewed. They have to use a correct
product service code. That is what we have been harping on
through the FITARA process since 2015. When the product is
requested, it has to go through the process, reviewed, and then
it is tracked from that point on.
The issue we have had is that at times, some of the medical
folks purchase this, it might be for a medical device, and they
focus on it as a medical device not letting us know that--or
using the correct product service code, and that is when you
get that IT purchase that we miss. The CIO does not have an
opportunity to review it or add it into the catalog only until
after the maintenance time comes around.
Mr. Barrett. Would that be a medical device like the
program where people have a pacemaker that relays information
to their cardiologist and there is an interfacing on the
cardiologist's side, a piece of equipment that receives that
information?
Mr. Carter. Yes, sir.
Mr. Barrett. Okay. Then, would it be also the case that
sometimes there is a projection made where we buy, you know, a
bulk number of licenses expecting them to get filled out over
time, like we are not just going to buy for the 10 people that
want it now, we are maybe going to buy more than that expecting
it to be a greater need and that thing goes underutilized, are
we over time calibrating that to the appropriate usage?
Mr. Carter. I can only speak to the ones that we have done.
A great example is our award of the Microsoft contract
recently. In the contract, what we have added in that contract
is a clause that allows us, if the amount goes below 10
percent, we see an adjustment, then we are allowed to go back
and readjust that contract. That was something that we did not
have in before.
Mr. Barrett. Below 10 percent, so if 90 percent are going
unused?
Mr. Carter. No. I mean, sir, 10 percent usage.
Mr. Barrett. Okay.
Mr. Carter. Below 10 percent usage of the total. We have
over 570,000 license, so if 10 percent is not being used, we
can go back and readjust that contract. During that contract,
the award of that contract this past year, over the lifecycle
of that contract for 5 years, we avoided $136 million.
Mr. Barrett. By calibrating it more precisely.
Mr. Carter. Overall cost avoidance on that contract.
Mr. Barrett. Okay. Thank you. I will have a few more
questions, but I am going to yield to Ranking Member Budzinski
for 5 minutes.
Ms. Budzinski. Thank you, Mr. Chairman. I think picking up
on questions that some of my colleagues have had,
Mr. VanBemmel, if I could ask you, we are talking about how
we are dealing with what is a largely decentralized licensing
process, and so, how do we eliminate duplications and how do we
coordinate, a local coordinate with the VA enterprise.
I am curious, the VA's business integration and outcome
service, BIOS, what role would they play in getting at these
questions and issues?
Mr. VanBemmel. The BIOS' office is an office within OI&T
that essentially does that stakeholder engagement and
management and has representatives from business on the other
side of that conversation.
Ms. Budzinski. They are useful to this process as far as
eliminating redundancies, being a resource to the local VAs
that are looking for additional software support?
Mr. VanBemmel. In some way we need to manage those
conversations with our business partners, yes.
Ms. Budzinski. That makes sense to me. They seem like an
important--they play an important role.
I do want to ask you, what is the current status of BIOS?
We have heard that BIOS, the BIOS team has been told that their
work is not mission critical, that they are expecting to be a
part of the reduction in force (RIF) plan. Do you know of any--
are they included in the RIF planning?
Mr. VanBemmel. I am not managing that for larger OI&T. I
have to take that back for the record.
Ms. Budzinski. Okay. Would Mr. Carter know?
Mr. Carter. No, ma'am. We would have to take that back for
the record.
Ms. Budzinski. Okay. I would be very interested to know
because I think there has been a lot of conversation around who
is helping local VAs and how are they--they seem to be an
entity that could be helpful moving forward.
Mr. VanBemmel, can I also ask, so going back to your
testimony, you stated that when centralized data repository is
completed at the end of the year, OIT will be able to establish
clear key performance indicators to measure the effectiveness
of the SAM program. Have those key performance indicators
already been established?
Mr. VanBemmel. They have not. We are learning a whole lot
over the course of this install, and as we get visibility on
the software, and we want to start setting some goals. One of
those questions is, to your point, what opportunities do we
have for consolidation? We are looking at the totality. Now
that we can see the totality of the endpoints and the software,
breaking those down into the software product categories, and
then saying is it reasonable to expect that we could get down
to one or two titles per software category, and what does that
timeline look like? Those would be the kinds of metrics that we
are looking for.
Ms. Budzinski. That you are looking for. Okay. Thank you.
I would like to switch gears, Mr. VanBemmel, and ask you, I
have read President Trump's executive order calling for the
consolidation of common goods and services acquisition under
the General Services Administration. I do have some concerns
about how that would impact software purchasing at VA. How does
the VA plan to respond to President Trump's executive order
requiring GSA to take over IT procurement for the entire
Federal Government?
Mr. VanBemmel. I am going to refer to Don, since he does
acquisitions.
Ms. Budzinski. Sure. Yep.
Mr. Carter. Ms. Congresswoman, when we work with GSA, we
have been involved in their category management, as well as
conversations for the past year. Obviously, we still use the
vehicles that are available, and when they come with a plan, we
will be ready to support. We still go for the best value for
the government when we are looking at contracts.
Ms. Budzinski. Okay. Do you think that GSA is equipped and
capable of taking over all of VA's IT purchasing in addition to
the rest of the Federal Government's? My second follow up would
be, where would you draw the line between what GSA is allowed
to take over versus what VA should maintain?
Mr. Carter. I think I would have to agree with what plan
they come with, and we have to work through it. Again, it goes
to the best value to the government. I think we have used GSA
vehicles before, but we have also gone with other vehicles that
show the best value and we have proved in the business case, so
we are allowed to work that way.
Ms. Budzinski. Have you already started to engage in
conversations, then, with the GSA over what this--what this
would potentially look like?
Mr. Carter. No, ma'am, we have not gone down that road yet.
Ms. Budzinski. Not yet. Okay. I would love to keep in touch
on that. I just, you know, want to make sure that the VA's, you
know, ability I think to procure IT is not hurt in that process
taking over such a big endeavor as GSA taking over all Federal
Government's procurement.
How would GSA's goal of cutting its budget in half impact
their abilities to carry out the VA's IT purchasing?
Mr. Carter. I cannot answer that question, ma'am.
Ms. Budzinski. Okay. Okay. I just remain concerned that
this administration seems poised to move forward with this plan
to restructure Federal IT acquisitions, but it is not clear how
the impact--how that is going to impact, as I said, the VA's
acquisition process.
Several articles have noted that they are losing too many
key people, including some Senior Executive Service (SES) in
the Federal acquisition service, so I just wanted to note that.
Mr. VanBemmel--well, actually, I am going to--I will yield
since I only have 20 some seconds left. Go ahead.
Mr. Barrett. Do you have something quick?
Ms. Budzinski. That is Okay.
Mr. Barrett. Okay. All right. Mr. Luttrell.
Mr. Luttrell. Thank you, Mr. Chairman. This may be a
question for you, Mr. Carter. Mr. VanBemmel, you said some
software--we may have three or four of the same software
profiles inside of an organization, so we are duplicating
efforts, correct?
Mr. VanBemmel. In a product, software product category, I
will give you a good example, Zoom and Teams, they both do
video conferencing, but they are different. In our legal
community very much uses Zoom, not a lot of Teams. Across
Federal Government we use a lot of Teams. The question becomes,
do we support one or both.
Mr. Luttrell. Or both. Right.
Mr. VanBemmel. There is probably two or three other titles
in that same product category.
Mr. Luttrell. That is I am sure every single VA facility
has a different argument.
Mr. VanBemmel. Correct, sir.
Mr. Luttrell. Mr. Carter, can we, when we are dealing with
our business--do we have the opportunity to--I am assuming this
is like bundling, we are saying, Hey, can we put this--can the
VA put this together themselves, or does Microsoft or Adobe
say, Hey, this is what we offer you and this is what you have
to go with?
Mr. Carter. Sir, we work with the third-party resellers, so
at times we do have an opportunity to speak to Microsoft so we
tell them what our priorities are, what we are looking for, and
then the price that we get back is what they offer the third-
party resellers to sell to us.
Mr. Luttrell. How do we--how do we--this may seem--this
seems like it may turn into a larger problem. Teams and Zoom is
a great point. When we start to upgrade software and the
expansiveness of technology starts to run, but our smaller
facilities stay with Zoom and everyone else goes something
different, we will always have to purchase Zoom for that
smaller facility because that is what they want. As this starts
to play itself out, even antiquated or dated software will
continue to remain--correct me, I may be wrong on this, I am
talking out loud to you. It seems to be that once the software
at any particular level is inside the VA it is going to have to
remain, and we are just going to start stacking things on top
of it, or am I----
Mr. VanBemmel. No. I think our strategy is probably the
opposite direction. There are a lot of local choices that were
made that were maybe appropriate to their budget at the time.
We are managing the IT software spend for VA now, and so it is
really more about requirements. Then as to your point, as we
bundle those requirements together, we do better buying and we
pick better products.
Mr. Luttrell. If each facility makes the argument, Hey, we
are a Teams facility, or we are a Zoom facility, is there going
to be a point in which the VA says, Hey, look, we are going
with a clean slate----
Mr. VanBemmel. Correct, sir. We are going to have to choose
an every product category, the best value of that--best value
for VA, and then we would reduce--and there is a lot of hidden
costs in supporting so many titles per product category, and so
reducing that really does not only make a standardized VA,
which reduces operational costs, it also reduces our IT costs.
Mr. Luttrell. It is the challenging part with what we are
dealing with with the electronic filter, each facility is
different and they are making a different argument whether or
not, Hey, look, we do not have the body count or we do not have
the expertise to implement this system, so--it is a challenge
because every single institution is its own institution
underneath the VA umbrella.
Mr. VanBemmel. I would say that if you ran this as a
business you would not want to have every one of your hospital
to be totally different. It is not cost effective.
Mr. Luttrell. True statement. Yes, sir. Thank you, Mr.
Chairman. I yield back.
Mr. Barrett. I will recognize myself for a minute. I would
say that while that may be how we would have designed it from
the beginning, we also woke up in the America of today this
morning, so we have to confront what we have, and I find myself
saying that more often as I am here longer.
To the ranking member's point about the GSA consolidating
some of the large scale purchasing, I know that there was a
report with Adobe where we achieved a 70 percent discounted
procurement based on the overall bundled nature of the software
license. I am pretty sure Adobe does not care whether you are
doing work at the VA or whether you are doing work in the
Internal Revenue Service (IRS), like, they are software is
going to operate the same in both, and that license holder is
insignificant to them, and if we are achieving a much more
bundled, you know, the Costco model of buying software licenses
versus the one off retail model that you would otherwise get,
should we expect to see more of that cost savings as this
effort is continued?
Mr. VanBemmel. Again, it is more of an acquisition question
for Don.
Mr. Barrett. Sure.
Mr. VanBemmel. I would only say that we definitely--and Don
and I spoke about this before, we agree that there is better
buying power in consolidating requirements, and in commodities
software, there is an opportunity to do that. It really is
devil is in the details, what does GSA get as a price versus
what we have negotiated on previous agreements. We really want
to look at that.
To the Congresswoman's point, that really rings true in the
commodity space, but as you start to get into specialized
software for the mission that VA does, that is probably not
true.
Mr. Barrett. Yes, the cardiologist program not the same as
Adobe.
Mr. VanBemmel. There is a lot of specialty software for
medical and benefits delivery that is unique to VA.
Mr. Barrett. Sure. Okay.
Mr. Carter, I do not know if you have anything you want to
add to that.
Mr. Carter. Oh, yes, sir. Yes, Congressman. This past year,
even about eight of our contracts, our larger contracts, we had
a cost savings--cost avoidance of over $230 million.
Mr. Barrett. Was that through GSA or was that through your
own negotiating?
Mr. Carter. Through our own negotiating.
Mr. Barrett. Okay.
Mr. Carter. I think the biggest thing of that was looking
at what we are buying and really going down to where the need
is, even lot pricing on some of the software, but also looking
at the usage level of that software. We have been working
toward that the past year and a half of looking a lot closer
when we come in.
Also understand that when we purchase software, when it
comes over the requirement, it goes through a governance board,
so all users get an opportunity to review and have comments
before it gets to the FITARA area, and we look at it to ensure
that we are getting the best value before it goes out for
solicitation.
Mr. Barrett. Thank you.
Mr. VanBemmel, I mentioned in my opening remarks that the
Federal CIO asked VA to submit software inventories for the
five vendors that GAO identified in their report. Now, for
nearly $30 million worth of licenses, VA said it was unknown
whether the licenses were being used. Does that mean that we
did not know if part of that was being spent on licenses, or we
did not know that the licenses being procured were actually
being used by the end user that is assigned to that computer
that it was installed on?
Mr. VanBemmel. I do not have that data call in front of me,
so I would have to take that back for the record, but we can
certainly help with that.
Mr. Barrett. Okay. We look forward to your response and
appreciate you looking into that.
Ms. Harris, in Michigan, I spent time in the State
legislature before coming here, and there was kind of a
department that managed a lot of this procurement for a lot of
different things, whether it was hardware, software, a lot of
different aspects of that. Not unlike--it seems to me a lot
like what the GSA is looking to do with software licensing on a
bigger scale in the Federal Government. Do we have anything
like this through the VA, or is really this GSA model the
closest thing that would somewhat resemble that?
Ms. Harris. I mean, the GSA model is probably the closest
for the Federal Government. I think within VA, I would say that
probably OIT purchasing software on behalf of the enterprise is
probably the closest--next closest at the Department level.
Mr. Barrett. Do you look at all at the best practices of
other governmental agencies like, you know, how States do it? I
understand that is obviously a much smaller scale than Federal
Government would be, but maybe some lessons learned can come
from whether or not you have autonomous agencies buying their
own, and then from there subautonomous agencies like the VA has
had through the medical, you know, hospitals for so long to
where you are really kind of diminishing your purchasing power
through that whole chain of, you know, chain of command
basically.
Ms. Harris. Sure. We have not done any work at the State
level to identify best practices, at least as it relates to
managing software licenses. We do it in other areas of work,
like in unemployment insurance systems, for example, but we
have not done that. That would be a very interesting review for
sure. We do intend to evaluate GSA's work to consolidate that
the buying power across the Federal Government, we do intend to
start that work toward the end of the year, so that is
something that we do--that I think the results of that will be
very interesting in terms of how they intend to implement that
executive order.
Mr. Barrett. Thank you. Appreciate it. Member Budzinski.
Ms. Budzinski. Thank you, Mr. Chairman. Ms. Harris,
actually, can I just follow up on my questioning around GSA
kind of taking over VA's IT procurement. Could you give, just
from GAO's perspective, any kind of concerns or opportunities
you see in that, just any reflections on that happening?
Ms. Harris. I mean, I think that certainly we have done a
lot of work in the telecommunication space as it relates to,
you know, GSA having this large government vehicle for the
government to utilize, and typically what we have seen are, you
know, cost overruns, and delays and agencies implementing, you
know, and moving off of one legacy contract to the new
contract. I think that, you know, in terms of how GSA
implements this, I think Mr. VanBemmel was very correct that,
you know, when it comes to the commodity IT, Microsoft, Adobe,
Salesforce, those are probably the areas where you can get that
economy to scale, but the devil is going to be in the details,
as he said. I agree with that.
Ms. Budzinski. Okay. That is helpful. Thank you.
Mr. VanBemmel, can I--I have heard some concerning stories
about Department of Government Efficiency's (DOGE) impact at
the VA. For example, we have heard that a DOGE employee Sahil
Lavingia has been using AI to write code and has been
integrating that code into some of VA's existing systems. What
government structures are in place to ensure that any code
added to VA's system is not going to have unintended
consequences?
Mr. VanBemmel. I have to take that one back for the record.
That is a complicated software engineering question I would not
be able to answer right here.
Ms. Budzinski. Okay. Has DOGE been required to abide by any
governing structures that you--governance structures that you
have as it relates to IT?
Ms. Harris. I would have to take that one back for the
record, ma'am.
Ms. Budzinski. Okay. Do you know what qualifications Mr.
Lavingia has--have to be modifying VA systems, any
qualifications he has to be dealing with the system is the
question?
Mr. VanBemmel. I am not aware, but I would have to take
that one back.
Ms. Budzinski. Okay. I just have obviously some grave
concerns about these special government employees who have no
experience working in government, or the programs that they are
toying with having unfettered access into the VA's IT systems.
The committee has sent several Request For Information (RFI)
about this, and we have really received zero response. While
you take it back, I appreciate that. We really would like to
see responses to these questions.
Mr. VanBemmel, I am going to switch gears. It is my
understanding that the software used by VA employees is only a
portion of the software VA purchases. Does your office also
monitor IT resources provided to veterans by the Office of
Connected Care (OCC)?
Mr. VanBemmel. No, ma'am.
Ms. Budzinski. Okay. Do you know how OCC tracks the
software that they provide to veterans?
Mr. VanBemmel. I do not.
Ms. Budzinski. Okay. Ms. Harris, when GAO did its
evaluation of software licenses at VA, did it include software
provided to veterans as well as a software purchased for
employee usage?
Ms. Harris. My understanding is that it was just employee
usage of the inventory, so I do not believe it included that
universe of software.
Ms. Budzinski. If we are going to focus on all this effort
on centralizing software license management as discussed, why
would we create a whole separate process for software provided
to veterans?
Ms. Harris. Yes. I mean, I think that, to your earlier
point about shadow IT, it is important for VA to have full
visibility into all of the software that is being purchased for
the Department, whether it is for the VA users or for veterans.
Ms. Budzinski. Okay. My last question, Mr. VanBemmel, what
would it take for the VA to adopt a more enterprise-like
approach to assistive tech procurement for veterans?
Mr. VanBemmel. Can you help me with assisted tech, what you
mean?
Ms. Budzinski. Blind and low vision veterans, excuse me,
yes.
Mr. VanBemmel. Okay. We do procure software for our
employees. A distinction on a question there, our appropriation
is for VA to provide for VA employees on the VA network, so not
to provide services or software to veterans directly. This is
the corporate internal VA usage. The Office of Connected Care,
for example, that software is procured through a different
appropriation, and it is not on the VA network, and so it is
separate. Any of those assistive technologies for veterans that
are not on the VA network, I do not manage that, but if you are
a VA employee and you need assistive technology, we do manage
that and we have the responsibility for procurement.
Ms. Budzinski. Okay. Great. Thank you. I yield back.
Mr. Barrett. Thank you. I will now recognize myself again.
Mr. VanBemmel, what is the breakdown in spending between
VA's 15 largest software titles and the rest of the VA software
spending?
Mr. VanBemmel. Can I take that one back?
Mr. Barrett. Sure.
Mr. VanBemmel. We manage the----
Mr. Barrett. I know there is quite a few, but I know the
top several account for the largest share of the total pie, but
then there is a smattering of many others beyond that.
Mr. VanBemmel. Yep.
Mr. Barrett. Does the Department know exactly how many
total software licenses they have purchased, and what they are
using currently, or is that inventory still being done?
Mr. VanBemmel. We now have 100 percent visibility. I can
tell you that we are managing about 4,400 titles, 4,433
commercial off-the-shelf titles, and about another 224 SaaS
offerings.
Mr. Barrett. Okay. Sorry. 300 some off-the-shelf. You are
talking, like, Microsoft Word, something like that?
Mr. VanBemmel. 4,433, and those are all commercial off-the-
shelf offerings, and so it goes to--you know, it is everything
that runs that gamut now. Microsoft Office 365 would be a SaaS
offering. That is in our other titles.
Mr. Barrett. What is--sorry. I can go get Microsoft 365----
Mr. VanBemmel. Right.
Mr. Barrett [continuing]. at Best Buy right now or I can go
online and download it.
Mr. VanBemmel. Right.
Mr. Barrett. How is that not a commercial off-the-shelf
product?
Mr. VanBemmel. Yes. The distinction is if you install it
locally on the machine, commercial off-the-shelf product, that
is a different category of management. SaaS is a cloud-based
offering, and so if you get Office 365, it is not actually
installed on your machine.
Mr. Barrett. Okay. What does SaaS stand for?
Mr. VanBemmel. Software as a Service.
Mr. Barrett. Okay. That is the cloud-based----
Mr. VanBemmel. Yes.
Mr. Barrett. The shift from when you used to get Microsoft
on a disk.
Mr. VanBemmel. Yes.
Mr. Barrett. You know, office products on a disk to now
getting it where you pay a subscription----
Mr. VanBemmel. Correct.
Mr. Barrett. Per year or something and it stores your
information on the cloud.
Mr. VanBemmel. Yes.
Mr. Barrett. Okay. Now, that commercial off-the-shelf, that
is still basically downloaded, or disk-installed on it on an
actual individual device?
Mr. VanBemmel. Yes.
Mr. Barrett. Okay. We have thousands of those and hundreds
of SaaS?
Mr. VanBemmel. Correct, sir.
Mr. Barrett. Okay. All right. Then the Federal CIO asked
for that information by the end of April. Have you provided
that to them already?
Mr. VanBemmel. We are largely, I would say, 90, 95 percent
through with that entire inventory.
Mr. Barrett. Okay.
Mr. VanBemmel. The gaps that we have on the inventory are
not on the identification of the software or even the licenses
in use, but it is really down to who owns the software in VA,
who is the person accountable for that license. That really is
the work that we have going forward to identify the accountable
person for every software title, and then, you know, working
with that requirements owner on the way ahead for their
product.
Mr. Barrett. Okay. Then from there, how many different
organizations within VA are currently purchasing software
licenses? Is it all now consolidated through your office?
Mr. VanBemmel. Yes. It all comes to our office.
Mr. Barrett. Battle Creek VA, you know, 40 minutes from my
house, they want to download or install something, it is got to
go through your office now.
Mr. VanBemmel. That is right, and we are reviewing every
one of those acquisitions.
Mr. Barrett. Okay. Then how many different vendors is VA
currently buying software licenses from? I assume in that
thousands and hundreds, some of those are the same vendor with
different products.
Mr. VanBemmel. Correct, sir. I would have to take that one
back to get you the correct answer.
Mr. Barrett. Okay. Thank you. I believe I had a question
for Ms. Harris, if I am not mistaken. Actually, Mr. Carter. I
apologize. GAO's recommendation on comparing data on software
license usage to purchase records is still open. What is VA
currently doing to compare what they are buying to what they
are using?
Mr. Carter. We are actually looking at what we buy. A
couple software titles like Oracle and Oracle Java, those are
unlimited license agreements that we have.
Mr. Barrett. Okay.
Mr. Carter. Also what we are doing is we are trying to
measure out what we have. It was not for the best value. When
Oracle Java, which is strictly for development, we can do that
and recheck that. This is a better value to go with unlimited
license, and we are able to prove that. Oracle is a little bit
different only because Oracle has about 190 products, so that
is an ongoing effort.
Mr. Barrett. It is not everything Oracle. It is just that
product you can buy on an unlimited basis and then if you want
to buy something else, it is a different contract.
Mr. Carter. Correct.
Mr. Barrett. Okay.
Mr. Carter. Microsoft, we are down to who is using what on
all that license.
Mr. Barrett. Okay. With Microsoft, we are not buying all-
you-can-eat buffet of Microsoft like we are with Java. It is a
different system that we have.
Mr. Carter. Correct. Just like when you buy 365, you also
have to buy a virus protection. That is included as well and
that is per license, per software, per individual user, and it
goes as well on virtual machines and everything.
Mr. Barrett. What--this will be my last question before I
yield again. What--would you say is it common or uncommon to
have the--as many as you want enterprise-wide unlimited license
versus a per user license? It feels to me like the per user is
more common.
Mr. Carter. Yes, sir. Per user is more common.
Mr. Barrett. Okay. Thank you.
Ranking Member Budzinski, you have any more questions?
Ms. Budzinski. No.
Mr. Barrett. Okay. I just have a couple more that I will
run through and then we can close out. Mr. Carter, once VA has
a complete inventory in one system and is able to compare data
on whether a license is being used to purchase records, how
long will it take to VA to go through each software title to
figure out if they are overspending?
Mr. Carter. I will have to let Mr. VanBemmel answer that,
but for the Microsoft in our new agreement, we used to do a
reclamation every 90 days.
Mr. Barrett. Okay.
Mr. Carter. We now have a written where we do it every 30.
We go back and review. If it is not being used, we can pull it
back to inventory.
Mr. Barrett. Okay. Thank you. All right. I think we are
good. Appreciate both of you being here today. Before I close
out, I will yield to the ranking member if you want to give
your closing.
Ms. Budzinski. Thank you, Mr. Chairman, and thank you again
to the witnesses for being here. I am glad to hear that the VA
is making progress in getting its software asset management
systems in order. I agree that it is important to be able to
track what the Department owns and what it is being used to
minimize waste and unnecessary cost. I am concerned, though,
that the Department is not looking strategically at ways this
program can be expanded to cover all assets purchased by the
Department. Until the Department is tracking all its assets to
include those utilized by veterans as well as employees, we can
never be totally sure that it is preventing waste.
I am also seriously concerned about the potential of
moving, especially the specialized software of VA's IT
acquisition to what I believe will be a gutted GSA. If the
Trump administration were serious about this executive order,
they would be fortifying GSA to handle the onslaught of
requirements from across the Federal Government. Instead, they
are bleeding it dry just like other agencies. There is no other
way--there is no way that an anemic GSA is prepared for this.
VA employees and veterans should not have to wait in line
behind other agencies to get their resources they need,
especially when they have fully functional processes to get
these resources in-house.
Also, I want to be real clear that we cannot allow the
Department to continue to obscure the activities of DOGE in the
VA. It is unacceptable that these people are given unfettered
access to VA, access to contracts and its IT systems with zero
transparency and zero oversight. If these actions are in the
best interest of veterans, then I ask why is the Department
hiding them? I am terrified of what kind of damage they are
doing and what the lasting impacts will be for our veterans. We
must do better and I look forward to working with the chairman
to do the necessary oversight to ensure that our veterans are
protected.
Thank you, Mr. Chairman. I yield back.
Mr. Barrett. Thank you, Ranking Member Budzinski, and I
want to thank our witnesses again for appearing today to
discuss VA software licensing and management practices. Thank
you for your candor with your answering of questions, and for
those that are being taken back, we look forward to your
response. I have made this point before, but information
technology is the backbone of every service and benefit that VA
delivers to veterans, whether you are filing a claim, whether
you are going in for an exam, whether you are receiving your
health benefits or your disability claim payment, everything
runs on information technology right now. We all understand
that.
This is not the VA of 40 years ago and software is an
essential aspect of VA operations. Mr. VanBemmel, to your
point, a generation ago, each of these VA facilities were very
autonomously operated and run, and now we are trying to do the
hard work of having some standardization. We are seeing that
with electronic health record rollout. We are seeing it with
other software licensing as well, so I am encouraged by that
desire to get that done.
As VA and the Federal Government's technology footprint has
grown over the years, it has clearly led to inefficiencies in
waste of over purchasing and underutilization, and not right-
sizing what every product would be designed for. It would be
hard-pressed to find any expert on software licensing that
would disagree with this. As I said, I know this is not unique
to the VA, but this is the committee that, you know, has
oversight of the VA and that is why I want to leave this effort
here.
VA employees need software to do their job, but there is no
good reason why VA cannot do better at cutting waste and
negotiating prices. Part of House Republicans' mission and why
the American people gave us the majority is to root out
inefficiencies and waste where they exist in government to make
it work better.
Software licensing is a clear example of this that has been
acknowledged for years by both side of the aisle. To the VA
witnesses, as I said, I appreciate your candor today, but now
this subcommittee needs a commitment, a commitment to
transparency, timelines, and accountability. We are ready to
support you, but we will also hold you accountable as well. Let
us cleanup the mess and stop the waste and keep our focus where
it belongs: Providing good, forward-thinking care and services
to veterans who earn them.
I ask unanimous consent that all members have 5 legislative
days to revise and extend their remarks and exclude
extraneous--include extraneous material. Without objection, so
ordered. This hearing is adjourned.
[Whereupon, at 4:21 p.m., the subcommittee was adjourned.]
?
=======================================================================
A P P E N D I X
=======================================================================
Prepared Statements of Witnesses
----------
Prepared Statement of Jeff VanBemmel
Introduction
Chairman Barrett, Ranking Member Budzinski, and distinguished
Members of the Subcommittee, thank you for the opportunity to testify
regarding Software Licensing at VA. Your longstanding support of
Veterans and their families is greatly appreciated. I am accompanied by
Don Carter, Don Carter, Executive Director for Contract and Operations
Management, OIT.
VA's Past Software Asset Management State
OIT recognizes that software is a critical component in delivering
the care and services our Veterans deserve. This recognition has led to
substantial investments in both commercial and VA-developed software
solutions. The increase in software solutions has required VA to
constantly review and update its management policies and practices,
especially in areas such as decentralized procurement and license
oversight.
Current Efforts of the SAM Program
In January 2024, OIT established the Enterprise Software Asset
Management (SAM) program to address the two GAO recommendations made in
GAO-240105717 including issues such as decentralized software
procurement, lack of product ownership, loose license management, and
data management. The core aspects of this program are:
1. Centralization and Standardization: Establishing a
centralized data repository for software inventory, deploying
modern tools for tracking software usage, and assigning clear
product ownership across the enterprise. Previously, software
was managed in a decentralized manner. The SAM program will
assign product ownership to enhance communications with
software stakeholders and streamline management.
2. Automation and Efficiency: Automating tasks within the SAM
lifecycle framework where feasible while leveraging existing
tools and systems for efficient SAM implementation and
improving the integration of tools, systems, and reporting
mechanisms. The process includes managing licensing, data
migration, configuration, and other related services.
3. Continuous Improvement: The SAM program incorporates
Continuous Process Improvement to meet future software needs,
manage updates, and ensure proper retirement of unused
software. OIT has implemented tools to improve software
visibility and data management, and to consolidate data on
software usage into a singular centralized enterprise
repository for better oversight and management.
OIT's comprehensive approach involves planning for future software
needs, managing updates, and ensuring proper disposal of outdated or
unused software. The software management lifecycle comprises six
phases: plan, request, procure, deploy, manage, and retire. Notable
progress has been made in the area of Centralization and
Standardization noted above including managing the software asset
lifecycle from deployment to retirement, particularly in license
management, software reclamation, and repurposing.
Current Challenges
Starting with the top 15 most widely used software titles across
VA, these improvements in license management tools and practices have
already led to over $136M in software cost avoidance but challenges
remain. Identified key challenges include:
Business Led Information Technology (IT): Software
procured or deployed outside approved channels poses security,
compliance, and financial risks. We are strengthening governance
mechanisms, improving software visibility, and working with VA business
owners to rationalize requirements and minimize unauthorized software
acquisitions.
Training and Culture Change: Training staff on SAM
processes and policy compliance is crucial. OIT is rolling out guidance
for all relevant staff, focusing on requirements definition,
acquisition planning, software lifecycle management, and the risks
associated with unauthorized software procurement. By educating staff
early in the acquisition process, we aim to foster a culture of
accountability and proactive software management.
Improving IT Visibility and Governance: Identifying
existing capability gaps in software and asset visibility, establishing
a ``single source of truth'' for software usage data, and developing
and implementing new SAM policies and formal governance procedures.
Way Forward
VA has accomplished the first recommendation made in GAO 24-10571
to track software for its most widely used titles. This improved
management has produced the cost avoidance outlined in the testimony
above. VA has made substantive progress on the second recommendation in
GAO 24-10571. All software in use on the VA network has been identified
and VA will complete the population of the centralized SAM data
repository by the end of the year. This will enable VA to compare
licenses in use against purchase records and make better informed
investment decisions. VA's way forward includes:
Strengthening Governance and Oversight: VA Directive
6008, Acquisition and Management of VA Information Technology
Resources, governs all IT acquisitions and enforces Chief Information
Officer oversight for software purchases, ensuring compliance with
Federal laws. We also track IT procurements through product service
codes and medical devices that have a software component. These
procurements also go through our Federal Information Technology
Acquisition Reform Act review process. This closes many previous gaps
that allowed licenses to be purchased without centralized review.
Metrics and Performance Measurement: When the centralized
data repository is completed at the end of the year, OIT will be able
to establish clear Key Performance Indicators to measure the
effectiveness of the SAM program, including cost avoidance, compliance
rates, utilization efficiency, and audit findings. These metrics can be
included in the Annual Performance Plan.
Ongoing Improvement: Effective software management is not
the responsibility of a single office but a collective effort across
VA's entire enterprise. The OIT team is committed to continuing our
progress, strengthening our governance, and fully optimizing our
software portfolio.
Conclusion
Through OIT's ongoing efforts in the SAM program, VA aims to ensure
that every dollar spent on technology supports the critical mission of
serving America's Veterans with excellence. Thank you for your
continued support and for the opportunity to testify here today.
Prepared Statement of Carol Harris
[GRAPHIC NOT AVAILABLE IN TIFF FORMAT]