An Interactive Pop Culture Guide to Understanding Complex Federal Government IT Programs:

How to distinguish between Software License Management Service (SLMS) and Continuous Diagnostic & Mitigation (CDM)?  It’s “Peanut Butter Jelly Time.”

I’m writing this blog to help folks across the spectrum (e.g., clients, colleagues, and the next generation of Federal IT leaders) better understand the differences between two significant Federal IT Programs: Software License Management Service (SLMS), one near and dear to my heart, and Continuous Diagnostic and Mitigation (CDM).

I’ve been thinking about this subject for an entire year, and I’ve realized there is still a significant amount of confusion about what makes SLMS and CDM different. When I decided to write this blog, and because it fits my personality, it made sense for me to try adding a little flair and excitement to an otherwise dry subject. Typically, when briefing Federal Agencies on SLMS v CDM, the audience reaction is always the same: Huh!? The expressions looking back are quite similar to what my college professor must have seen during his lectures on Quantum Physics. That’s when it dawned on me: we aren’t all Big Bang Theory-style Sheldon Coopers of the IT industry, and this blog serves as a more straightforward, less sophisticated (think Cher from Clueless) guide to eliminating any future confusion. As you can probably already tell, I’m a pop culture junkie, and thus I’ve framed my explanation by using as many pop culture references as possible.

First, you need some background. The Federal Government is facing a revolution in the IT space. Challenged with doing more with less, all while keeping things secure, Agencies are investing in new technology to modernize their infrastructure and to keep the bad guys (and gals) out. Two separate but similar initiatives are Software License Management (SLM) and Continuous Diagnostic and Mitigation (CDM), which the General Services Administration (GSA) and the Department of Homeland Security (DHS), respectively, have taken the lead on.

GSA is developing an offering to help Agencies generate the SLM capability through a shared service. Software License Management Service (SLMS) provides agencies access to state-of-the-art SLM technology along with governance, processes and training to gain a handle on their software environments and eliminate waste. DHS has developed the CDM program, which seeks to defend Federal and other Government IT networks from cyber-security threats by providing continuous monitoring sensors (tools), diagnosis, mitigation tools and Continuous Monitoring as a Service (CMaaS).

To help Agencies meet these initiatives (and to increase profit), IT companies have built tools claiming they have the complete package to manage it all. This leads to a lot of confusion in the Federal IT space, and a typical discussion plays out like this:

Audience Member/Client: “I’m confused, our Agency already utilizes a CDM tool for Software Asset Management (SAM), so we can just leverage what we already have implemented for SLM, right?”

Me: To any IT Asset Management guru, this is a no-brainer, but to us non-technical folk this seems like a valid, logical question, right? (Cueing my inner Alex Trebek voice) “No, I’m afraid that is not correct.”

Although SLM and CDM seem similar (both support asset identification), their objectives are unique and do not share much commonality. CDM is defined as the dynamic, ongoing review, assessment and response to network and system threats, while SLM provides services to manage and optimize the purchase, deployment, maintenance, utilization and disposal of software applications.

Put more simply: CDM is about Security. SLMS is about Savings.

In an effort to keep this white paper G-rated (or at least PG-13) for mild technological complexity, I’m going to use a simple metaphor to demonstrate the relationship between the two programs: Peanut Butter & Jelly (PB&J).

PB&J: everybody’s childhood favorite (unless you’re like my brother, who preferred strictly peanut butter growing up, or you have an unfortunate nut allergy, or your mom bought you the knock-off stuff). The peanut butter provides valuable healthy fats, vitamins and minerals. And the jelly? Well, jelly is basically sugar; however, its value add is sweet (pun intended). Each ingredient provides differing, yet essential, characteristics that can theoretically be consumed independently, although when combined, they are enhanced. This concept is like the correlation between SLM and CDM.

SLM promotes cost savings by optimizing software inventories, reducing ongoing software spend on maintenance and minimizing the risk of over-purchasing. Think of it like the overlooked masterpiece Romy and Michele’s High School Reunion. After hearing of their upcoming reunion, Romy and Michele realize they haven’t exactly accomplished everything that they set out to do in life. They analyze their current status and define what is missing and what they need to accomplish in order to reach their desired status. The duo decides to take the opportunity to reform themselves to impress their classmates and show them how much they’ve changed.

CDM, a Federal government-only program, focuses on securing those optimized assets by mitigating the risk of cybersecurity attacks. CDM’s objective (security) can best be described by using pre-weirdo Macaulay Culkin’s most famous work, Home Alone, when little Kevin secures the boundary of his house, preventing the Wet Bandits from achieving their mission. Kevin strategically sets up booby traps and plans the outcome of each scenario to decrease the risk and vulnerability of a robbery occurring. CDM ensures Agencies are secure by monitoring their networks and sending alerts when security breaches/compromises have been identified. Each service brings different, yet significant, value to Agencies.

Please refer to my own artistic masterpiece below, a visual representation of this explanation.

Remember when I mentioned earlier that SLM and CDM’s objectives are commonly misconstrued? Well, that is because both SLM and CDM begin with Asset Identification, and it is assumed that because they share this one similarity, it is possible to leverage one tool’s capabilities for the other.

Think of Asset Identification as Step #1 in preparing a PB&J: you start the process with two pieces of bread. The bread is the only common component in the sandwich; thereafter, each ingredient provides separate value. Although a CDM tool includes Asset Identification capabilities, it doesn’t necessarily mean that these capabilities address the management of software license data. Those are capabilities that an SLM-specific tool provides. Key distinctions of an SLM tool include utilization, maintenance, terms and conditions, and compliance. Hence the underlying reason it is recommended that Agencies know the difference.

In conclusion, if you don’t know (how to distinguish between SLM and CDM), now you know.

If you liked this blog, please let me know. If enough people like it, maybe I’ll make it a common occurrence and can explain next month how FITARA is basically the Federal version of the 1980s classic The Breakfast Club.