GSA / participate-nap4

Participate in the 4th U.S. National Action Plan for Open Government
https://open.usa.gov/national-action-plan/4/

Software Identity tags #113

Open JustinHerman opened 6 years ago

JustinHerman commented 6 years ago

This unstructured suggestion came from a working group at the Emerging Tech for Open Government workshop on September 8th.

This effort is low risk, can be accomplished, and would serve as a trust anchor for blockchain acceptance both in the Federal government and elsewhere. With the work by GSA, NIST, DoD, and DHS on ISO 19770 parts 3 and 4 on Software Identity Tags, Software License Identity (SWID) Tags containing entitlements can be inserted into a blockchain, making fully traceable the ownership and use flow of the software license through the life-cycle. GSA has a mandate through FITARA and OMB M-16-12 to facilitate license reuse across federal agencies. To do so, GSA would require a way to not only collect unused licenses from agencies, but also the terms and conditions around the use and transfer of those licenses and what agencies have received them, as well as the context of how the receiving agency is using them to ensure that the terms and conditions are being met. This tracking must also be of sufficient detail to provide for either the donating or receiving agency to respond to a licensing audit from the software vendor.

The traditional way to accomplish this would be to set up a central database at a central authority such as GSA and funnel all licensing transfers and future audit activities through the central point.

The decentralized ledger capabilities of blockchain may provide a mechanism to distribute much of that workload, as well as provide greater information assurance/chain of custody around questions of compliance with licensing terms and conditions due to inherent features of blockchain around information assurance.

Longer term: Due to its standards-based and decentralized nature, it might even be possible to eventually substitute the blockchain ledger for vendor proprietary database tables for license tracking. If leveraged successfully, multiple tools working directly out of a shared blockchain ledger could eliminate data synchronization and conversion issues that plague the integration of disparate systems today (i.e. multiple IT Service Management (ITSM) systems such as CMDB, Inventory, License Management, Financial systems, etc.).

Related technologies: ISO 19770 provides the framework and taxonomy for data consistency within the blockchain
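To make the chain-of-custody idea in the issue concrete, here is an added example (not code from the issue or from any GSA/NIST project): a minimal hash-chained ledger of license transfer events keyed by a SWID-style tag id, which rejects a transfer from an agency that does not hold the license and lets an auditor detect a tampered record. The entitlement record, agency names and tag id are constructed placeholders, not the real ISO 19770-2/-3 schema.

```python
import hashlib
import json


def make_entitlement(tag_id, product, seats, holder, terms):
    """Constructed, simplified entitlement record (not the ISO 19770-3 schema)."""
    return {"tagId": tag_id, "product": product, "seats": seats,
            "holder": holder, "terms": terms}


def _hash(payload):
    # Canonical JSON so every node computes the same digest for the same record
    return hashlib.sha256(json.dumps(payload, sort_keys=True).encode()).hexdigest()


class LicenseLedger:
    """Append-only hash chain: each block commits to the previous block's hash."""

    def __init__(self):
        self.blocks = []
        self.holder = {}  # tagId -> agency currently holding the license

    def append(self, event):
        prev = self.blocks[-1]["hash"] if self.blocks else "0" * 64
        block = {"prev": prev, "event": event, "hash": _hash({"prev": prev, "event": event})}
        self.blocks.append(block)
        return block["hash"]

    def issue(self, ent):
        self.holder[ent["tagId"]] = ent["holder"]
        return self.append({"type": "issue", "entitlement": ent})

    def transfer(self, tag_id, from_agency, to_agency, purpose):
        # Only the current holder may hand the license on (terms-and-conditions check point)
        if self.holder.get(tag_id) != from_agency:
            raise ValueError(f"{from_agency} does not hold {tag_id}")
        self.holder[tag_id] = to_agency
        return self.append({"type": "transfer", "tagId": tag_id,
                            "from": from_agency, "to": to_agency, "use": purpose})

    def verify(self):
        """Recompute every link; False if any stored block was altered after the fact."""
        prev = "0" * 64
        for b in self.blocks:
            if b["prev"] != prev or _hash({"prev": prev, "event": b["event"]}) != b["hash"]:
                return False
            prev = b["hash"]
        return True

    def custody(self, tag_id):
        """Ordered list of holders for one license, as an auditor would read it."""
        trail = []
        for b in self.blocks:
            e = b["event"]
            if e["type"] == "issue" and e["entitlement"]["tagId"] == tag_id:
                trail.append(e["entitlement"]["holder"])
            elif e["type"] == "transfer" and e["tagId"] == tag_id:
                trail.append(e["to"])
        return trail
```

A donating agency, GSA as the pooling point, and a receiving agency each append their own event; anyone holding a copy of the chain can rerun `verify()` and `custody()` without consulting a central database.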

jstclair-HFT commented 6 years ago

Great description - note the Blockchain does not have to be decentralized since the participants can establish an expectation of trust and the total number of participants does not have to be infinitely scalable. An excellent use case.