H.R. 5457: What CIOs Need to Know About the SAMOSA Act

Passed on 12/02/2025 by the House Oversight Committee, the Strengthening Agency Management and Oversight of Software Assets (SAMOSA) Act looks like standard housekeeping on the surface. It asks agencies to inventory their software and identify what is and isn’t being used. But a closer reading of the bill text reveals a fundamental shift in how the government views identity and access.

The SAMOSA Act isn't just asking for a list of what you own; it is mandating a strategy for autonomous governance. It applies to every federal agency, squarely placing the burden on the Chief Information Officer to eliminate waste, restrict "Shadow IT," and prove interoperability. And perhaps most importantly: you are required to do it all without an increased budget.

As of the date of publishing this article (12/3/2025), the SAMOSA Act has been passed by the House and is moving to the Senate, making it critical for federal CIOs to understand the potential impact of H.R. 5457 on their 2026 strategy. 

Table of Contents

  1. What is the SAMOSA Act
  2. Decoding the Key Sections of H.R. 5457
    1. The Comprehensive Assessment
    2. The Modernization Plan
    3. The Report Card
    4. The Budget Constraint
  3. 5 Key Takeaways for Federal CIOs
  4. H.R. 5457's Timeline
  5. Immediate Actions: What CIOs Should Do Now
  6. The Toolkit to Comply
  7. Turning a Mandate into Modernization
 

What is the SAMOSA Act?

The SAMOSA Act (H.R. 5457) is a bipartisan bill designed to eliminate the estimated billions of dollars wasted annually on "Shadow IT" and unused software licenses across the federal government.

It mandates a "comprehensive assessment" of all software entitlements, including how they are used, who is using them, and whether they are interoperable.

 

Decoding the Key Sections of H.R. 5457

The SAMOSA Act is short, but its requirements are specific. It moves beyond simple inventory of applications into complex financial and legal territory. 

The Comprehensive Assessment

The core of the SAMOSA Act is a mandate for a comprehensive assessment of all software entitlements. This is not a simple quantity check. Section 3 of the bill explicitly outlines a rigorous inventory and audit process that digs into costs, usage, and contract details.

An Inventory of Current Software (Sec. 3(a)(1)): You must provide a master list of all current software entitlements, contracts, and agreements. This cannot be a jumbled list; it must be separated by provider and category.

Detailed Accounting Of:

        • Software used by or deployed within the agency, including software built internally or by another agency (shared services).
        • Specific data on entitlements, including additional fees or costs associated with them.

Categorization (Sec. 3(a)(3)): You must organize entitlements by cost, volume, and type of software.

What This Means for CIOs: This requires a standardized taxonomy. You can’t just list "Microsoft"; you need to categorize by function and cost tiers to identify your biggest budget drains.

 

The Hidden Cost Audit (Sec. 3(a)(2)(B)): Congress is targeting the “iceberg costs” of federal IT. You must report not just the base contract price, but “any additional costs, including fees or costs for the use of cloud services.”

The Waste Hunt: You must specifically identify software the agency pays for but which is not deployed or in use.

The Duplication Check: You must flag items billed to the agency that create duplication or that you deem unnecessary.

What This Means for CIOs: You need effective permissions intelligence to see not just what is bought, but what is actually being used. If you are paying for cloud consumption or shelfware that no one logs into, you are required to report it as waste. Plus, if you have “hidden” consumption costs that aren’t in the original contract, you are legally required to surface them.

 

The Restrictive Clause Hunt (Sec. 3(a)(4)): The assessment goes beyond simple counts to examining the fine print. You are required to identify and list any contract provisions that "restrict how the software can be deployed, accessed, or used."

What This Means for CIOs: It’s no longer enough to know you have a license; you need to know where you are legally allowed to run it. If you migrate a workload to the cloud but your legacy contract restricts it to on-prem servers, you’ve just created a reportable compliance failure.

 

The Accuracy & Upgrades Analysis (Sec. 3(a)(5)): This is the “certify your work” clause. You must provide an analysis of the “total cost of upgrades over the life of a contract” and certify the accuracy of your own assessment.

The Compliance Check: Your analysis must address the accuracy and completeness of the assessment itself.

The Management Audit: You must report on the agency’s management of and compliance with all software contracts.

The Total Cost View: You must demonstrate the extent to which the agency captures the true total cost—including upgrades, cloud usage, maintenance, and servicing costs—and whether you are complying with your own license management policies.

What this means for CIOs: This moves you from "reporting numbers" to "certifying truth." You can no longer just look at this year's budget; you are required to conduct lifecycle modeling that predicts the future cost of upgrades. Crucially, if you sign off on a manual spreadsheet audit that turns out to be full of errors, you are effectively documenting your own lack of internal controls to Congress. You need a system of record that tracks history and projects future costs automatically.

 

The Silo Breaker Evaluation (Sec. 3(a)(2)(C)): Evaluate whether your software tools can exchange data effectively. If they can’t, you are required to report what is needed to fix that.

What This Means for CIOs: This elevates identity to a critical strategic role. Identity is often the only common thread between disparate systems. If your tools are siloed, you effectively have a compliance gap to report.

 

Contract Support & The “No Fox in the Henhouse” Rule (Sec. 3(b)): The head of an agency may enter into contracts to support these requirements. However, there is a catch: Operational Independence.

If a contractor is helping you run, install, or manage your software day-to-day, they cannot be the ones to audit it.

What This Means for CIOs: You can’t grade your own homework. You need an independent auditor or an autonomous platform that has no conflict of interest in hiding operational inefficiencies.

 

The Submission Sprint (Sec. 3(c) & 3(d)): The timeline for submission is incredibly tight, effectively killing the "manual spreadsheet" approach:

  1. Immediate Handoff: On the date the CIO completes the assessment, they must submit it to the head of the agency.
  2. The 30-Day Clock: Within 30 days of receiving the assessment, the head of the agency must submit it to:
    1. The Director
    2. The Administrator
    3. The Comptroller General
    4. The Senate Committee on Homeland Security & Governmental Affairs
    5. The House Committee on Oversight & Accountability

The Standardization Clause (Sec. 3(e)): To ensure this data isn't a mess of different formats, the Director and Administrator will share best practices and recommendations.

What This Means for CIOs: Expect a standardized "playbook" for this data. Your tooling needs to be flexible enough to adapt to these federal standards as they are released.

 

The Modernization Plan

Once the assessment is done, Section 4 requires a forward-looking "plan for the agency." The key goals for the plan are to consolidate software entitlements and develop procedures on how the agency will reduce cost, eliminate excess licenses, and improve performance.

Remediation & Maintenance (Sec. 4(b)(1)(A) & 4(b)(1)(B)): The plan must describe how you will address the deficiencies found during the assessment and what your ongoing maintenance of software asset management will look like.

The Automation Mandate (Sec. 4(b)(1)(C)): A detailed strategy for the “automation of software license management processes and incorporation of discovery tools.”

What this means for CIOs: Manual spreadsheets are officially dead. You must prove you have a tool that discovers and manages licenses automatically.

 

The Usage Analytics Requirement (Sec. 4(b)(1)(E)): The bill requires you to leverage technologies that “measure actual software usage via analytics” and “allow for segmentation of the user base” to be able to rationalize software spend.

What this means for CIOs: “Is it installed?” isn’t enough. You need to know specific attributes like last log-in date and total software usage time.
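As an added illustration (not the bill's text or the vendor's product), this Python sketch applies the Sec. 3 waste hunt and the Sec. 4 usage-analytics requirement to a constructed inventory: it segments each seat of the user base by last log-in date, flags seats that were bought but never provisioned, and totals reclaimable spend and the cloud fees billed outside the base contract price. The 90-day dormancy threshold, the product names and every record are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
# All records below are constructed for this example, not real agency data.
ASSESSMENT_DATE = date(2025, 12, 3)
DORMANT_AFTER = timedelta(days=90)  # assumed threshold; the bill sets none

@dataclass
class Entitlement:
    category: str
    seats_purchased: int
    cost_per_seat: float
    contract_price: float  # base price stated in the contract
    cloud_fees: float      # consumption billed outside the base price

@dataclass
class SeatUsage:
    user: str
    product: str
    last_login: "date | None"  # None: seat assigned but never used

ENTITLEMENTS = {
    "Sheets Pro": Entitlement("productivity", 10, 120.0, 1200.0, 0.0),
    "CloudDB": Entitlement("database", 5, 400.0, 2000.0, 650.0),
}
USAGE = [
    SeatUsage("u1", "Sheets Pro", date(2025, 12, 1)),
    SeatUsage("u2", "Sheets Pro", date(2025, 10, 15)),
    SeatUsage("u3", "Sheets Pro", date(2025, 6, 1)),
    SeatUsage("u4", "Sheets Pro", None),
    SeatUsage("u1", "CloudDB", date(2025, 12, 2)),
    SeatUsage("u5", "CloudDB", date(2025, 7, 30)),
]

def segment(seat, today=ASSESSMENT_DATE):
    """Segment one seat of the user base: never_used, dormant, or active."""
    if seat.last_login is None:
        return "never_used"
    return "dormant" if today - seat.last_login > DORMANT_AFTER else "active"

def assess(entitlements=ENTITLEMENTS, usage=USAGE, today=ASSESSMENT_DATE):
    """Per-entitlement waste and true-cost view for the Sec. 3 assessment."""
    report = {}
    for name, ent in entitlements.items():
        seats = [s for s in usage if s.product == name]
        counts = {"active": 0, "dormant": 0, "never_used": 0}
        for s in seats:
            counts[segment(s, today)] += 1
        unassigned = ent.seats_purchased - len(seats)  # bought, never provisioned
        reclaimable = unassigned + counts["never_used"] + counts["dormant"]
        report[name] = {
            "category": ent.category, "segments": counts,
            "reclaimable_seats": reclaimable, "reclaimable_cost": reclaimable * ent.cost_per_seat,
            "hidden_cost": ent.cloud_fees, "total_cost": ent.contract_price + ent.cloud_fees,
        }
    return report
```

Feeding the report into a category roll-up (cost, volume, type) gives the Sec. 3(a)(3) categorization, and the dormant and never-used counts are the seats a reclamation pass would target first.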

 

The Switch List (Sec. 4(b)(2)): The plan requires you to play offense, not just defense. You must identify specific categories of software that the agency should prioritize for conversion to more cost-effective options (like enterprise-wide licenses) as they come up for renewal.

What This Means for CIOs: This requires a proactive "renewal radar." You can’t just renew out of habit. You need data that tells you which vendors are charging you a premium for fragmented, individual licenses so you can target them for consolidation or replacement during the next negotiation window.

 

The Gatekeeper Clause (Sec. 4(a)(3)): A strategy to “restrict the ability of a bureau…to acquire…any software entitlement…without the approval of the Chief Information Officer of the agency.”

What this means for CIOs: This gives you the authority to stop shadow IT, but only if you have the visibility to detect it first.

 

The Resource Reality Check (Sec. 4(b)(6)): The plan requires you to include estimates for additional resources, services, or support the agency may need to actually implement this plan.

What This Means for CIOs: Even though Section 6 says "no new funds," this section requires you to document exactly what it would take to succeed.

 

The Lock-In Escape Strategy (Sec. 4(b)(4)): The bill explicitly asks for potential mitigations to minimize software license restrictions. You need a documented strategy for how you will stop signing contracts that dictate where and how you can run your own applications.

What This Means for CIOs: This is about changing your procurement culture. You need to train your procurement officers to spot and reject "restrictive clauses" (like hardware-tied licensing) before the contract is signed, rather than trying to fix them after the fact.

 

Support & Submission: The Final Mile (Sec. 4(c), 4(d), & 4(e))

You don’t have to navigate this completely alone. The bill allows CIOs to explicitly request support to create this plan, providing a strategic lever to secure necessary internal resources or external expertise despite the funding constraints. However, the timeline is rigid: you must submit your final Modernization Plan no later than one year after submitting your Comprehensive Assessment. This leaves no gap for delay; as soon as the assessment is filed, the planning phase effectively begins.

To ensure agencies aren't building strategies in a vacuum, the Director is required to establish harmonized processes, definitions, and requirements to support you in developing and implementing your plan. Furthermore, within two years of the bill’s enactment, the Director will submit a broader report with recommendations to increase interoperability, consolidate licenses, and modernize oversight government-wide.

What this Means for CIOs: This report will likely set the standard for the next decade of federal IT. Your agency’s plan needs to proactively align with these goals (reducing costs and improving performance), or you risk building a strategy that is obsolete before it is even implemented.

 

The Report Card

Per Section 5, three years after enactment of the bill, the Comptroller General will submit a report to Congress comparing agency performance. This will effectively be a public report card on which agencies successfully modernized and which are still struggling.

What this means for CIOs: This is a public leaderboard. Agencies will be ranked against their peers on compliance and efficiency. You do not want to be in the bottom percentile of this report.

 

The Budget Constraint

Section 6 is one sentence, but it dictates your entire strategy: "No additional funds are authorized to be appropriated for the purpose of carrying out this Act."

What this means for CIOs: You are being ordered to fix the problem, but Congress isn’t paying for the tools. The only way to comply is to leverage license reclamation: finding and cutting the waste identified in Section 3 to self-fund the automation required in Section 4.

 

5 Key Takeaways for Federal CIOs

1: Automation is Mandatory

The bill’s specific call for the "automation of software license management" confirms that manual processes are now a liability. You cannot meet the requirement for "ongoing maintenance" (Sec. 4) using static spreadsheets. Agencies must adopt tools that offer Lifecycle Management & User Access Review Automation to track access and usage in real-time.

 

2: Interoperability is a Security Baseline

The bill highlights interoperability as a key metric. In a hybrid federal world, siloed tools that don't share identity data are now considered a compliance failure. Unified Identity Governance must become the common language that bridges your legacy on-prem systems with modern cloud infrastructure.

 

3: The Shadow IT Veto

Section 4 requires the plan to "restrict the ability" of any bureau or program to acquire software without CIO approval. This transforms the CIO from an advisor into a legal gatekeeper. To enforce this, you need visibility into every identity and every app—Shadow IT can no longer hide in the margins.

 

4: Efficiency Must Fund Compliance

Because of the "No New Funds" clause, your compliance tool must also be your cost-savings tool. License Reclamation is the only mechanism to generate the budget needed for new tools. By instantly identifying and removing unused SaaS seats, you generate the "found money" to pay for the mandate.

 

5: The C-Suite Mandate

Identity is no longer just an IT ticket. The bill requires the CIO to consult with the CFO, Chief Acquisition Officer, Chief Data Officer, and General Counsel. Your governance strategy must speak "Finance" (cost savings) and "Legal" (compliance) just as fluently as it speaks "Tech."

 

H.R. 5457's Timeline

If the bill passes the Senate and is enacted, the clock starts immediately. The timeline is interconnected, meaning missing a deadline squeezes the time you have for the next.

  • 18 Months from Bill Enactment: The deadline to complete the “Comprehensive Assessment”
  • 30 Days from Assessment Submission: Immediately upon completion, the CIO submits the assessment to the Agency Head. The Agency Head then has just 30 days to submit it to Congress, the GAO, and the Director.
  • 2 Years from Bill Enactment: The Director will submit a government-wide report recommending standards for interoperability and license consolidation.
    • Note: this happens before your final plan is likely due. Anticipate the standards to avoid rewriting your strategy later.
  • 1 Year from Assessment Submission: Your final Modernization Plan is due no later than one year after you submit your assessment. 
  • 3 Years from Bill Enactment: When the government-wide report card is published.

 

Immediate Actions: What CIOs Should Do Now

Do not wait for the Senate vote. The legislative intent is clear, and the 18-month window is tighter than it appears.

  1. Start Discovery Today: You can’t govern what you can’t see. Begin discovery of software assets and identities now to establish a baseline.
  2. Audit Your Contracts: Review current vendor agreements to identify shelfware early. This will jumpstart your funding source.
  3. Evaluate Your Tooling: Check if your current IGA tools are interoperable across cloud, hybrid, and on-premise applications. Do they account for both human & machine identities? If not, start creating a vendor shortlist for replacements.

 

The Toolkit to Comply with the SAMOSA Act

To meet the demands of the SAMOSA Act, agencies need a new class of tooling. Legacy Identity Governance & Administration tools are often too expensive, too heavy, and take too long to deploy—violating the requirements of the "No New Funds" mandate and the 18-month turnaround.

Solving the "No New Funds" Challenge (Sec. 6): Clarity Security turns compliance into a cost-saving engine. By automating license reclamation, we identify unused accounts and shelfware immediately, allowing you to free up expensive licenses. This effectively "finds the money" within your existing budget to pay for the modernization mandated by the act, solving the Section 6 funding challenge.

Solving the Interoperability & Visibility Gap (Sec. 3): We don't just count installs; we map identity. Clarity connects to your entire stack—on-prem, cloud, and hybrid—creating the interoperability layer Congress demands. Our Effective Permissions Intelligence goes deeper than simple inventory, showing you exactly who has access and what they are doing with it. This allows you to satisfy the "Hidden Cost Audit" by pinpointing exactly which entitlements are paid for but never used.

Solving for Remediation, Ongoing Maintenance, & Automation (Sec. 4): The era of the "spreadsheet audit" is over. Clarity replaces manual data analysis with Autonomous Access Reviews that are audit-ready in minutes, not months. Combined with our continuous monitoring capabilities, we detect access drift in real-time and remediate it with one click. This ensures your data is always accurate, allowing you to meet the deadlines without the frantic "cleanup" scramble. 

 

Turning a Mandate into Modernization

H.R. 5457 is a forcing function. It demands a level of visibility and control that manual teams simply cannot deliver.

The agencies that succeed won't be the ones with the best manual auditors; they will be the ones that automate the chaos. By leveraging Clarity Security, federal CIOs can turn the SAMOSA Act from a compliance burden into a strategic opportunity—automating the "boring" work of governance while freeing up millions in budget for the mission-critical initiatives that matter.

Don’t be at the bottom of the leaderboard; schedule a demo with Clarity Security today to get a head start.
