
SaaS Governance (SaaSG)

Contact: SaaSG Team | CMS Slack Channel: #ispg-saas-governance

Last Reviewed: 6/6/2025

The SaaSG team makes sure that Software-As-A-Service products used at CMS are appropriately reviewed and configured to meet security standards. SaaSG provides the required RCR process for SaaS that's not yet FedRAMP approved, and SSPM for continuous monitoring.

What is SaaS Governance?

Software-as-a-Service (SaaS) — accessing and using software applications over the internet — is increasingly popular and encouraged at CMS. However, SaaS users have little to no visibility into the provider’s software or infrastructure. This means that SaaS, though convenient and cost-effective, can introduce unexpected risks and vulnerabilities into the CMS environment.

The SaaS Governance (SaaSG) program at CMS takes a comprehensive approach to managing this risk.

For Business Owners and application teams using SaaS at CMS, the SaaSG team provides:

  • Guidance to evaluate SaaS suitability and risk
  • A clear path for SaaS review and approval
  • Ongoing support to ensure a strong security posture for in-use SaaS

Guidance for using SaaS at CMS

Proper due diligence is important before starting to use a new SaaS product. Even if your team has been using a SaaS application for a while, make sure you go through these steps to ensure compliance with CMS policy for the secure usage of SaaS.

Check if the SaaS is approved / accredited

You can check the CMS SaaS Dashboard in Tableau to see an overview of SaaS products that are approved, in review, or disapproved for use at CMS. (Note: You will need the EUA job code TABLEAU_DIR_VIEWER_PRD to access the dashboard. Review the Tableau login guide if you need assistance.)

SaaS that has already been approved for use at CMS does not require any additional review for your team to start using it. This includes SaaS that:

  • Has a CMS Authorization to Operate (ATO) or Provisional Authorization to Operate (P-ATO)
  • Is FedRAMP-ready or FedRAMP authorized

SaaS that has been disapproved for use at CMS has been deemed high-risk, and should not be used.

SaaS that is unaccredited may be acceptable for use — but you’ll need to send it through CMS’ required review process first (see details below).

Start RCR for unaccredited SaaS

If the SaaS product you’re considering is not officially approved for use at CMS, you need to send it through the Rapid Cloud Review (RCR) process to obtain a Provisional Authorization to Operate (P-ATO). 

The RCR process allows the SaaS Governance team to maintain visibility into all SaaS being used at CMS and make sure the risk level of SaaS at CMS is acceptably low. It is required by the CMS Information Systems Security and Privacy Policy (IS2P2) Cloud Computing Requirements (CMS-CLD).

To begin the RCR process, submit the Rapid Cloud Review Intake Form to the SaaS Governance team. The form can be completed by the Business Owner, Information System Security Officer (ISSO), Cyber Risk Advisor (CRA), or designee. Learn more about RCR and how it works.

Onboard to continuous monitoring

Once you are using any SaaS application at CMS — even if it hasn’t been through the approval process yet — you need to contact the SaaSG team to start SaaS Security Posture Management (SSPM). This tooling helps you find and remediate potential vulnerabilities in the configuration and operation of your SaaS application. 

The SaaSG team will get you set up with SSPM and provide ongoing support as you continuously monitor your SaaS to align with CMS security standards. Learn more about SSPM, or get started right away: complete the SSPM intake form (Coda link).

Contact

The SaaSG team can answer questions regarding any aspect of the SaaSG program, requirements, or processes. 

Email: saasg@cms.hhs.gov

CMS Slack: #ispg-saas-governance.