
SaaS Governance (SaaSG)

Considerations and guidelines for CMS business units wanting to use SaaS applications

Contact: SaaSG Team | saasg@cms.hhs.gov
CMS Slack Channel
  • #ispg-saas-governance

What is SaaS Governance at CMS?

Using Software-as-a-Service (SaaS), where an application is delivered as a service via the Internet, is increasingly popular and encouraged at CMS. It removes the burden of deploying, maintaining, and updating software or hardware – saving time and money. 

However, SaaS users have little to no visibility or control over the provider’s software or infrastructure. This means that SaaS can introduce unexpected risks and vulnerabilities into the CMS environment. 

The SaaS Governance (SaaSG) program helps CMS understand and manage SaaS risk and make good business decisions around SaaS usage. We do this by taking a comprehensive approach with these ongoing activities: 

  • Discover - Inventory and track SaaS application usage across the enterprise
  • Manage - Develop policies and procedures for evaluating and authorizing SaaS products through the Rapid Cloud Review (RCR) Process
  • Secure - Continuously monitor SaaS application configuration to align with agency policy, security standards, and best practices

Is SaaS the right choice for my business?

Though they are effective and convenient, SaaS solutions are not always the best choice. It depends on the use case, adjacent technologies, and other factors. Proper due diligence is important before starting to use a new SaaS product. The SaaSG team is here to help! For Business Owners wanting to use a new SaaS product, we provide:

  • Guidance in evaluating potential risks
  • Resources to help you determine suitability
  • A clear process for review and approval

How do I get approval for SaaS?

We want to help you get started with your new solution quickly if it meets business needs and security criteria. Follow these steps:

  1. Evaluate the product

    Use the CMS SaaS Buyer’s Guide (requires access to CMS Box) as a checklist to determine if the product will meet your business needs – and to make sure the provider is addressing important cybersecurity considerations.

  2. Check existing SaaS solutions

    The CMS SaaSG Dashboard lists the SaaS products already approved (or currently going through the approval process) at CMS. Check whether one of these will meet your needs. If you are unable to view the dashboard, make sure you have the EUA job code TABLEAU_DIR_VIEWER_PRD. For assistance logging into the Tableau SaaS Dashboard, review the login guide.

  3. Submit a request for review

    If you have determined that the SaaS product you’re considering is right for your needs and is not already in use at CMS, you can submit it for review by the SaaSG team to start a Rapid Cloud Review (RCR) assessment. Complete the SaaS Request Intake Form (the Business Owner, ISSO, CRA, or a designee can do this). Contact the SaaSG team by email (saasg@cms.hhs.gov) if you need help with the form.

  4. Respond to follow-up questions

    As the SaaSG team reviews your proposed SaaS product, we may ask for additional information. We may also need to schedule meetings with you or the SaaS provider. Timely and clear responses to these requests will help move the process along and lead to a faster decision. Meanwhile, you can use the SaaSG Dashboard in Tableau to track the progress of your request.

The RCR (Rapid Cloud Review) Process

Added in June 2024, section CMS-CLD-1.1 of the IS2P2 requires all non-FedRAMP Authorized SaaS products used at CMS to go through a Rapid Cloud Review (RCR) process. 

The RCR aims to help CMS stakeholders understand a SaaS vendor’s risk posture and their own responsibilities before they agree to implement a pilot or procure a license, and to provide clear, comprehensive information about the security risk they are responsible for managing.

Do I need to go through RCR? 

All CMS stakeholders should go through the RCR process for any SaaS applications that have not completed the FedRAMP authorization process.  

Yes, an RCR is required if any of these are true of your application:  

  • It is unaccredited — that is, it has not been accredited in any form
  • FedRAMP review is in process, either by an agency or joint agency agreement
  • It’s FedRAMP ready, but not yet FedRAMP authorized

No. Your SaaS application does not need an RCR if all of these things are true: 

  • Already FedRAMP authorized (not just ready, and the review is complete, not in process)
  • Approved in a current CMS FISMA boundary 
  • Has an Authorization to Operate (ATO)
  • Has a CMS-issued RCR P-ATO, and the use case is the same

Note: the CMS Business Owner (BO) must confirm that the use case has not changed since the initial RCR assessment. If the use case has changed, you do need an RCR. 

SaaS you’re already using needs to go through the RCR process

Even if you’ve been using your SaaS for a while, if it is unaccredited and has not received FedRAMP approval, you still need to complete an RCR.

The SaaSG Team is going through a list of discovered, unaccredited SaaS applications, and will contact any Business Owners using a SaaS that has not yet been reviewed. Unaccredited means “any SaaS that does not have approval through the CMS ATO approval process.”

The RCR report includes risk determinations, and the process now routes through ServiceNow (SNOW) to obtain approvals from the CMS CISO and CIO. If you review the SaaS dashboard in Tableau, it may show some RCRs reviewed a while ago as still unaccredited. That is because they were never officially pushed through the SNOW process after review.

SaaS that has been through the RCR Process

You can use a SaaS application that has already been through the RCR process, as long as the use case is the same as in the initial RCR assessment. You do not need to repeat the RCR process.

However, if the RCR was completed more than 6 months ago, the SaaSG team will contact the SaaS vendor for updated security artifacts (such as the SOC2 and the penetration test report) to see if there are any deltas in the results.

SaaS approved in a FISMA ATO property

If your SaaS was part of a FISMA ATO property and has already been approved, you do not need to go through the RCR process.

However, the SaaSG team would still like to know and track that in their inventory list in case another CMS Business Owner or Application User wants to use the same SaaS application.

Steps to complete the RCR process

The typical timeframe for reviewing and completing RCR requests is about 2-3 weeks. However, the duration of this process depends on the responsiveness of the vendor when providing requested artifacts and follow-up information.

  1. Kickoff and intake form

    1. Provide SaaSG overview
    2. Determine use case
    3. Discuss RCR process and next steps
    4. Send BO Intake form link from Coda
  2. Request

    Send request for information to the vendor

  3. Review

    1. Perform artifact review
    2. Run perimeter scan
    3. Reach out to the vendor with follow-up questions (if needed)
  4. Outcome: Approval or Denial

    1. Document findings from artifact review
    2. Review CMS Supply Chain Risk Management (SCRM) findings*
    3. Finalize RCR report
    4. Send final report to all stakeholders from SaaS Request
    5. Schedule out-brief meeting (an opportunity to discuss report findings and recommendations with the BO)
    6. Issue P-ATO (Provisional Authority to Operate) if approved by AO
  5. ConMon or Offboarding

    Check in with BO on current SaaS status after 90 days.

The RCR process incorporates some CMS SCRM functionality to help identify concerns about Foreign Ownership Control and Influence (FOCI).

Provisional ATO (P-ATO)

If your SaaS is not FedRAMP-approved, you will need to go through the RCR process to obtain a P-ATO.

This includes:

  • Your SaaS is unaccredited, because it has not been accredited in any form
  • Your FedRAMP review is in process, either by an agency or joint agency agreement
  • Your SaaS is FedRAMP ready, but not yet FedRAMP authorized

The CMS Authorization Official (AO) awards P-ATO status to SaaS that is approved through the Rapid Cloud Review (RCR) process. A P-ATO is valid for one year, and the SaaS will be onboarded into SSPM. The SaaS will then be evaluated to see if it is a candidate for Ongoing Authorization (OA).

High risk SaaS

If you complete the RCR process and your SaaS is determined to be high risk, you will most likely not obtain the CMS AO's approval. 

You will need to work with your Cyber Risk Advisor (CRA) and Information Systems Security Officer (ISSO) to understand what factors led to your SaaS being deemed high risk. You may have to work with the SaaS vendor to see if they can implement any mitigations to reduce the risk and bring it into an acceptable risk threshold.

SaaS unsuitable for FedRAMP authorization 

SaaS that is unsuitable for a FedRAMP authorization and deemed low or moderate risk will go through the ATO approval process and obtain a P-ATO from the CMS AO.

That SaaS will then be placed into the continuous monitoring process, which means it will have continuous authorization.

The SaaSG team will reassess the SaaS annually, at a minimum, unless the use case changes to warrant a more frequent evaluation.

Frequently asked questions

Will SaaS currently in use (at CMS) continue to be approved for use without the need for review?

SaaS that has been previously approved with a CMS ATO or FedRAMP authorization is not required to be reviewed by the SaaSG group.

Would the SaaS product still have to be included in the FISMA system boundary?

Yes, but we are looking at ways to move these approved SaaS requests under a sanctioned boundary in the future that will provide some of the customer control capabilities.

Contact the SaaS Team

The SaaSG Team can answer questions regarding any aspect of the SaaSG program, policies, guidance, or processes. You can reach us by email at saasg@cms.hhs.gov or find our team on CMS Slack at #ispg-saas-governance.