Rapid Cloud Review (RCR)

Contact: SaaS Governance team |

saasg@cms.hhs.gov

CMS Slack Channel: ispg-saas-governance

Last Reviewed: 6/3/2025

Mandatory security review for SaaS applications not yet authorized by FedRAMP

What is Rapid Cloud Review (RCR)?

At CMS, all Software-as-a-Service (SaaS) products not authorized by the Federal Risk and Authorization Management Program (FedRAMP) are required to go through the Rapid Cloud Review (RCR) process. It is required by the CMS Information Systems Security and Privacy Policy (IS2P2) Cloud Computing Requirements (CMS-CLD).

RCR helps CMS stakeholders understand the security posture of the SaaS vendor they are considering, along with potential risks that could be introduced by using the product. Before implementing a pilot or procuring a license, it’s important for CMS teams to understand their responsibilities in managing security risks within their SaaS applications.

The RCR process is managed by the SaaS Governance (SaaSG) team. If the RCR is approved, a Provisional Authorization to Operate (P-ATO) will be granted. If denied, the SaaSG team provides a report with reasons and recommendations.

Who needs RCR?

Even if you’ve been using a SaaS application for a while, you need to complete the RCR process if the application:

Has not been accredited in any form
Has a FedRAMP review in process, either by an agency or joint agency agreement
Is FedRAMP ready, but not yet FedRAMP authorized

You do NOT need to complete the RCR process if your application:

Is already FedRAMP authorized
Is approved in a current CMS Federal Information Security Modernization Act (FISMA) boundary
Has an Authorization to Operate (ATO)
Was part of a FISMA ATO property and has already been approved
Has a CMS-issued RCR Provisional Authorization to Operate (P-ATO) and the use case has not changed. If the use case has changed since the initial RCR assessment, you will need a new RCR.

The SaaSG team will contact any Business/System Owners using unaccredited SaaS that has not been reviewed. Unaccredited means it hasn’t been approved for use at CMS (either via FedRAMP or the CMS Authorization to Operate)

If an RCR was completed more than 6 months ago, the SaaSG team will contact the SaaS vendor for updated security artifacts (such as the SOC2 and the penetration test report) to see if there are any notable changes since the last review.

RCR process

The steps of a Rapid Cloud Review (RCR) are listed below. Completing RCR requests takes about 2 - 3 weeks, depending on the responsiveness of the SaaS vendor in delivering requested artifacts and follow-up information.

Intake

When you want to try a new SaaS product (or if you’re using a SaaS product that hasn’t been officially approved for use at CMS), complete the RCR intake form. This can be done by the Business/System Owner, Information System Security Officer (ISSO), Cyber Risk Advisor (CRA), or designee.

SaaS review

When a new RCR request is received through the intake form, the SaaSG team will send a request for information to the SaaS vendor to assess the security posture of the SaaS tool that is being considered for use. The SaaSG team will review artifacts, perform a perimeter scan, and reach out to the vendor with any follow-up questions.

The SaaSG team also collaborates with the Supply Chain Risk Management (SCRM) team to identify any concerns about Foreign Ownership Control and Influence (FOCI) in the proposed SaaS.

Decision

Following the review, the SaaSG team will make a decision to approve or deny the request for a Provisional Authorization to Operate (P-ATO). The team will notify the stakeholders of the decision and provide a report summarizing the reasons for the decision, along with any relevant artifacts.

RCR outcomes

SaaS that is granted a P-ATO

After a SaaS product has received a P-ATO, the SaaSG team will check in with the Business/System Owner after 90 days and see if the product is proving useful to the team.

If the Business/System Owner wants to continue using the SaaS application, it will be onboarded to the continuous monitoring phase. This includes:

Single Sign On (SSO) integration so that CMS users can access the SaaS tool securely
SaaS Security Posture Management (SSPM) onboarding with AppOmni, for continuous monitoring of the tool’s configurations and settings to ensure security compliance

If the SaaS tool is no longer needed, the SaaSG team will begin the offboarding process.

SaaS that is denied a P-ATO

If your SaaS is determined to be high-risk, the P-ATO will be denied.

Work with your Cyber Risk Advisor (CRA) and Information Systems Security Officer (ISSO) to understand why the SaaS was deemed high-risk.

You may choose to contact the SaaS vendor to see if they can implement any changes to reduce the risk and bring it into an acceptable risk threshold.

Need help?

The SaaSG team can answer questions regarding RCR or any other part of SaaS Governance at CMS. Email them at saasg@cms.hhs.gov or find them on CMS Slack at #ispg-saas-governance.

Authorization to Operate (ATO)

Ongoing Authorization (OA)

Assessments & Audits

CMS Policies and Guidance

Federal Policies and Guidance

Application Security

Security Operations

Risk Management and Reporting

Agreements

Privacy Activities

Privacy Resources

Reporting & Compliance

System Security

Tests & Assessments