Rapid Cloud Review (RCR)
CMS teams must complete RCR for unaccredited SaaS applications before use. Business/System Owners submit an intake form. The SaaSG team assesses security within 2-3 weeks for a Provisional Authorization to Operate (P-ATO), with continuous monitoring after 90 days.
Last Reviewed: 6/3/2025
What is Rapid Cloud Review (RCR)?
At CMS, all Software-as-a-Service (SaaS) products not authorized by the Federal Risk and Authorization Management Program (FedRAMP) are required to go through the Rapid Cloud Review (RCR) process. It is required by the CMS Information Systems Security and Privacy Policy (IS2P2) Cloud Computing Requirements (CMS-CLD).
An RCR helps CMS stakeholders understand the security posture of the SaaS they are considering, along with the potential risks that using the product could introduce. It serves the same purpose when a SaaS is discovered already in use without an appropriate authorization: the RCR gives CMS a view of that product's security posture as well. Before implementing a pilot or procuring a license, CMS teams need to understand their responsibilities for managing security risks within their SaaS applications.
The RCR process is managed by the SaaS Governance (SaaSG) team. If the RCR is approved, a Provisional Authorization to Operate (P-ATO) will be granted. If denied, the SaaSG team provides a report with reasons and recommendations.
Who needs RCR?
Even if you’ve been using a SaaS application for a while, you need to complete the RCR process if the application:
- Has not been accredited in any form
- Has a FedRAMP review in process, whether through an agency authorization or a joint agency agreement
- Is FedRAMP ready, but not yet FedRAMP authorized
You do NOT need to complete the RCR process if your application:
- Is already FedRAMP authorized
- Is approved in a current CMS Federal Information Security Modernization Act (FISMA) boundary
- Has an Authorization to Operate (ATO)
- Was part of a FISMA ATO property and has already been approved
- Has a CMS-issued RCR Provisional Authorization to Operate and the use case has not changed. If the use case has changed since the initial RCR assessment, you will need a new RCR.
The SaaSG team will contact any Business/System Owners using unaccredited SaaS. Unaccredited means the product has not been approved for use at CMS, either through FedRAMP or a CMS Authorization to Operate.
RCR process
The steps of a Rapid Cloud Review are listed below. Completing an RCR request takes about 2-3 weeks, depending on how quickly the SaaS vendor delivers the requested artifacts and follow-up information, and on the quality of what they deliver.
Intake
When you want to try a new SaaS product (or if you’re using a SaaS product that hasn’t been officially approved for use at CMS), complete the RCR intake form. This can be done by the Business/System Owner, Information System Security Officer (ISSO), Cyber Risk Advisor (CRA), or designee. To access the form, you will need a CMS email account.
SaaS review
When a new RCR request is received through the intake form, the SaaSG team may first contact the requestor to clarify items entered in the form so that the team has everything it needs to proceed. The team then sends a request for information to the SaaS vendor to assess the security posture of the tool being considered. Once the vendor responds, the SaaSG team reviews the artifacts, performs a perimeter scan, and contacts the vendor with any follow-up questions.
The SaaSG team also collaborates with the Supply Chain Risk Management (SCRM) team to identify any concerns about Foreign Ownership Control and Influence (FOCI) in the proposed SaaS.
Decision
Following the review, the SaaSG team submits the RCR in CFACTS, where decision makers approve or deny the request for a Provisional Authorization to Operate (P-ATO). The CFACTS approval chain consists of the identified Business Owner, Information System Security Officer, Cyber Risk Advisor, Privacy Officer, Division of Security and Privacy Compliance Lead, Chief Information Security Officer, and Chief Information Officer. CFACTS notifies the stakeholders of the decision, and stakeholders can view every decision, its rationale, the supporting documents, and any recommendations within CFACTS. CFACTS is the system of record for all RCR data.
RCR outcomes
SaaS that is granted a P-ATO
After a SaaS product has received a P-ATO, the SaaSG team will check in with the Business/System Owner after 90 days to see whether the product is proving useful to the team.
If the Business/System Owner wants to continue using the SaaS application, it will be onboarded to the continuous monitoring phase. This includes:
- Single Sign On (SSO) integration so that CMS users can access the SaaS tool securely
- SaaS Security Posture Management (SSPM) onboarding with AppOmni, for continuous monitoring of the tool’s configurations and settings to ensure security compliance
If the SaaS tool is no longer needed, the SaaSG team will begin the offboarding process.
SaaS that is denied a P-ATO
If your SaaS is determined to be high-risk, the P-ATO will be denied.
Work with your CRA and ISSO to understand why the SaaS was deemed high-risk.
You may choose to contact the SaaS vendor to see if they can implement any changes to reduce the risk and bring it into an acceptable risk threshold.
How can you improve the likelihood of RCR approval?
BOs and ISSOs, who are typically the RCR submitters, can improve the likelihood that their RCR will be approved by confirming the following with the SaaS vendor before submitting the RCR Intake Form. SaaS vendors that meet the conditions below have an improved likelihood that their product (and the RCR) will be approved for use at CMS.
- The SaaS was neither created nor owned by a country on the Sanctions Programs and Country Information list maintained by the US Treasury.
- The SaaS vendor has an independent security assessment report (e.g., SOC 2, ISO 27001, or an equivalent third-party audit) issued within the last twelve months that covers the SaaS in question itself, not merely the PaaS or IaaS the SaaS runs on.
- The SaaS product stores and processes all data within the 50 United States, District of Columbia, or approved outlying areas as defined in the CMS Business Rules for Software as a Service section BR-SAAS-8: CMS Data Must Always Reside in the U.S.
- Neither the SaaS product nor the vendor use customer data to train AI/ML models without explicit opt-in.
Need help?
The SaaSG team can answer questions regarding RCR or any other part of SaaS Governance at CMS. Email them at saasg@cms.hhs.gov or find them on CMS Slack at #ispg-saas-governance.