SaaS Security Posture Management (SSPM)
Last Reviewed: 6/3/2025
Cloud-based tooling to help CMS application teams continuously monitor and improve the security of their SaaS applications
What is SSPM?
SaaS Security Posture Management (SSPM) is an essential security practice for any organization that uses multiple Software-as-a-Service (SaaS) applications. At CMS, SSPM is an initiative of the SaaS Governance program.
SSPM provides comprehensive visibility into the security posture of cloud-based software applications across the enterprise. The SSPM platform at CMS collects and summarizes data from multiple sources so you can continuously monitor the security posture of the SaaS tools in your environments.
SSPM gives you a holistic view of:
- Security configurations
- User access controls
- Data protection measures
- Potential vulnerabilities (such as unauthorized access attempts, misconfigured settings, or compliance violations)
Why is SSPM important?
Used in conjunction with the FedRAMP process, SSPM allows CMS to maintain a unified view of security risks and compliance gaps across the agency’s entire SaaS portfolio. This helps to ensure no “shadow SaaS” or misconfigured applications create blind spots that threat actors could exploit. SSPM strengthens CMS’ overall cyber resilience, minimizing exposure to data breaches and operational disruptions.
Operating without SSPM in a SaaS environment exposes CMS to critical security risks, including:
- Undetected misconfigurations across security settings
- Inadequate identity and access management
- Potential data exposure through improper sharing settings or weak authentication mechanisms
Without the continuous monitoring of SSPM, security teams struggle to maintain compliance across multiple platforms. It becomes harder to detect suspicious activities and manage third-party app integrations that could introduce supply chain vulnerabilities.
Who needs SSPM?
At CMS, it is important for all Application Development Organizations (ADOs) and Business Owners / Leaders to start using SSPM tooling, regardless of whether your SaaS application has been fully accredited.
The only exception is a SaaS application that is not compatible with our current SSPM platform. To be compatible, the SaaS vendor must expose the application's system settings through an Application Programming Interface (API).
Onboarding SaaS applications to SSPM takes about 1 to 2 weeks and should be done for SaaS that:
- Has not been accredited in any form
- Has a FedRAMP review in process, either by an agency or joint agency agreement
- Is FedRAMP ready, but not yet FedRAMP authorized
- Has been through the Rapid Cloud Review (RCR) process
- Is NOT FedRAMP authorized (in this case, please ensure you have completed the required RCR process)
How does it work?
The SSPM solution used at CMS enhances your existing security infrastructure through native (and in some cases, custom) integrations with:
- Security Information and Event Management (SIEM) platforms
- Identity and Access Management (IAM) solutions
- Cloud services
The platform uses API-based connections to ingest and correlate data from your current tools. It provides unified visibility without disrupting your existing workflows. SSPM tooling continuously scans your environment and sends an alert to the appropriate stakeholders when potential issues are identified.
Only your team and the SaaS Governance (SaaSG) team will have visibility into your environment’s data.
SSPM tooling: AppOmni
SSPM at CMS uses the cloud-based software AppOmni, which has an intuitive dashboard where you can log in to see the overall security posture of your SaaS applications.
The AppOmni tool continuously scans your environment and provides information about:
- Types of issues detected (for example, misconfigured security settings or suspicious logins)
- Risks of leaving the issue unaddressed (such as the scope of impact to CMS)
- Security policies related to the issue (such as NIST 800-53 and Acceptable Risk Safeguards (ARS) controls)
- Steps to mitigate the issue
The AppOmni tool has completed the Rapid Cloud Review (RCR) assessment and received Authorization to Operate (ATO) at CMS. It is currently pursuing FedRAMP authorization with CMS as its active sponsor.
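To make the "How does it work?" and finding descriptions above concrete, here is an added example (not AppOmni or SaaS Governance code) of the kind of check an SSPM tool runs: it takes a constructed snapshot of a SaaS tenant's settings, as ingested over the vendor's API, evaluates it against a small baseline, and emits findings carrying the four fields listed above (issue type, risk, related policy, mitigation step). The snapshot field names and rule set are assumptions for illustration, not a vendor schema.

```python
"""Added example: minimal SaaS configuration posture check (not vendor code)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    issue: str        # type of issue detected
    severity: str     # critical / high / medium
    risk: str         # risk of leaving the issue unaddressed
    policy: str       # related security policy (NIST SP 800-53 control)
    mitigation: str   # step the application team should take


# Constructed tenant snapshot; field names are illustrative, not a real vendor schema.
SAMPLE_SNAPSHOT = {
    "auth": {"mfa_required": False, "session_timeout_minutes": 1440},
    "sharing": {"anonymous_links_enabled": True},
    "audit": {"log_export_enabled": False},
    "users": [
        {"name": "admin.jdoe", "role": "admin", "days_since_login": 120},
        {"name": "analyst.asmith", "role": "member", "days_since_login": 3},
    ],
}


def evaluate(snapshot: dict) -> list:
    """Run each baseline rule against the snapshot; return findings, most severe first."""
    findings = []
    if not snapshot["auth"].get("mfa_required"):
        findings.append(Finding("MFA not enforced", "critical",
            "A stolen password alone grants access to the tenant",
            "IA-2 (Identification and Authentication)", "Enable tenant-wide MFA enforcement"))
    if snapshot["sharing"].get("anonymous_links_enabled"):
        findings.append(Finding("Anonymous link sharing enabled", "high",
            "Data is exposed to anyone who obtains a link",
            "AC-3 (Access Enforcement)", "Restrict sharing to authenticated internal users"))
    if not snapshot["audit"].get("log_export_enabled"):
        findings.append(Finding("Audit log export disabled", "high",
            "Suspicious logins cannot be detected in the SIEM",
            "AU-6 (Audit Record Review)", "Enable log export to the SIEM integration"))
    for user in snapshot.get("users", []):
        # Dormant privileged accounts are a user-access-control finding, not a patch issue.
        if user["role"] == "admin" and user["days_since_login"] > 90:
            findings.append(Finding(f"Dormant admin account {user['name']}", "medium",
                "Unused privileged account widens the attack surface",
                "AC-2 (Account Management)", "Disable or downgrade the account"))
    order = {"critical": 0, "high": 1, "medium": 2}
    return sorted(findings, key=lambda f: order[f.severity])
```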
What does it cost?
Currently, access to SSPM tooling is free for groups across CMS who are using SaaS applications. However, your team should consider staff time required for initial setup, ongoing monitoring, and addressing security findings.
Your team will need to analyze and remediate any security gaps that are discovered, as well as maintain proper SaaS configurations. While the CMS SaaS Governance team can provide support for analyzing findings, your application team should be prepared with resources to address findings in a timely manner.
Compatibility and integration
AppOmni supports standard protocols and formats, including SAML, OAuth, and REST APIs, enabling smooth integration with your SaaS applications. This tooling enhances your existing security data with SaaS-specific context and risk insights.
SSPM at CMS is now compatible with over 40 SaaS applications. To get started, complete the SSPM intake form (Coda link).
SSPM + FedRAMP
The FedRAMP program at CMS provides a standardized approach to security assessments, security authorization, and continuous monitoring for cloud products and services. While FedRAMP helps you meet baseline security requirements, specific configurations within your environment may still need monitoring to align with CMS’ security policies and risk tolerance.
That’s why SSPM is a valuable addition to your team’s risk management approach. It provides a crucial layer of continuous oversight beyond the standard FedRAMP assessments, and real-time data to improve your applications’ overall security posture (without waiting for monthly FedRAMP reports).
When FedRAMP services are combined with SSPM’s SaaS-specific monitoring, CMS gets a comprehensive security view of its entire SaaS ecosystem.
This unified visibility allows CMS to:
- Track configuration changes and policy compliance in near real-time, rather than waiting for monthly reports
- Correlate security events across both FedRAMP and non-FedRAMP services to identify broader patterns or risks
- Make data-driven risk decisions based on current configuration states rather than point-in-time snapshots
- Maintain consistent security monitoring practices across all SaaS applications
What happens when there are findings?
The SSPM tool continuously scans your environment and sends an alert to the appropriate stakeholders whenever a potential issue is detected. Within seven calendar days of identifying any critical finding, the SaaS Governance team will contact your team to guide you through a comprehensive analysis of the finding(s) and help you develop an actionable mitigation plan.
For any finding, your team should keep in mind:
- SSPM findings relate specifically to SaaS system configuration settings (not traditional patch or software updates) — so SSPM findings require careful attention to security control implementation.
- Each finding should be treated as a legitimate security concern and should be investigated. While “false positives” can happen, all alerts should be carefully analyzed before being dismissed.
- Specific time frames for remediating findings are prescribed in the CMS Risk Management Handbook Chapter 14. Your team should develop a rapid response plan for addressing findings from SSPM so you are prepared to mitigate issues (following applicable guidance) within the appropriate time frame after they are discovered.
SSPM onboarding
Onboarding your SaaS application to SSPM takes around 1 to 2 weeks. You must have API access to the SaaS application that you want to monitor.
If your application team is ready to get started with SSPM, follow these steps:
Intake and assessment
- Your team completes the SSPM intake form (Coda link). You’ll identify what SaaS application you want to onboard, along with key stakeholders.
- The SaaSG team receives the form and assesses tool compatibility and permissions.
- Together, your team and the SaaSG team determine the monitoring scope and define the roles and responsibilities for ongoing SSPM management.
Technical integration
- Your team sets up service accounts (if needed) and API connections to allow your SaaS application to integrate with SSPM tooling.
- Together, your team and the SaaSG team validate authentication mechanisms and ensure read-only access.
Initial configuration
The SaaSG team:
- Applies baseline security policies (and additional controls, if needed) to ensure compliance with CMS security requirements for your application.
- Configures monitoring parameters, alert thresholds, and threat detection integration.
Validation and implementation
Together, your team and the SaaSG team:
- Ensure all security controls, alerts, and compliance requirements are active
- Validate data collection and test notification workflows
- Document final configurations
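The technical integration step above calls for validating that the integration's service account has read-only access. This added example (not SaaSG or AppOmni code) shows one way to check that before onboarding: compare the OAuth scopes the SaaS vendor reports for the service account against an allowlist of read scopes and reject any write or wildcard grant. The scope names and the `validate_scopes` helper are assumptions constructed for illustration, not a real vendor's scope list.

```python
"""Added example: verify an SSPM service account is read-only (constructed scopes)."""
import re

# Scopes the integration actually needs: read settings, users and audit logs.
# Constructed names; substitute the vendor's real read scopes when onboarding.
ALLOWED_SCOPES = {"settings:read", "users:read", "audit:read"}

# Any scope ending in a write-capable verb, or containing a wildcard, is rejected.
WRITE_PATTERN = re.compile(r":(write|admin|manage|delete|all)$|\*")


def validate_scopes(granted: set) -> dict:
    """Classify granted scopes for an onboarding review.

    Returns a dict with:
      ok      - True only if nothing write-capable is granted and no needed scope is missing
      write   - write-capable or wildcard scopes that must be removed
      excess  - read scopes beyond what SSPM needs (least-privilege cleanup)
      missing - needed read scopes not granted (monitoring would be incomplete)
    """
    write = {s for s in granted if WRITE_PATTERN.search(s)}
    excess = granted - ALLOWED_SCOPES - write
    missing = ALLOWED_SCOPES - granted
    return {"ok": not write and not missing, "write": write,
            "excess": excess, "missing": missing}


def review_report(granted: set) -> str:
    """Human-readable summary for the onboarding checklist."""
    r = validate_scopes(granted)
    if r["ok"]:
        return "PASS: service account is read-only and complete"
    parts = []
    if r["write"]:
        parts.append("remove write scopes " + ", ".join(sorted(r["write"])))
    if r["missing"]:
        parts.append("grant missing read scopes " + ", ".join(sorted(r["missing"])))
    if r["excess"]:
        parts.append("consider dropping unneeded scopes " + ", ".join(sorted(r["excess"])))
    return "FAIL: " + "; ".join(parts)


# Constructed grants: one correct, one over-privileged.
GRANTED_OK = {"settings:read", "users:read", "audit:read"}
GRANTED_BAD = {"settings:read", "users:read", "audit:read", "users:write", "*"}
```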
Ongoing SSPM management
Once your SaaS application is onboarded to SSPM, it’s important to stay engaged with the SaaSG team. They can support your team to ensure your SSPM practice is effective.
What the SaaSG team does for you:
- The SaaSG team will schedule and conduct regular reviews with your team, to ensure everything is working as expected and to address your team’s questions or concerns.
- The SaaSG team will contact your team if you get an SSPM alert about a critical finding. They will help you understand the issue and create a mitigation plan.
- The SaaSG team holds a monthly SSPM Working Group (every 3rd Wednesday) for CMS stakeholders who are using SSPM. Feedback and questions are welcome as we work to mature the SSPM practice across the agency. You’ll be invited to the Working Group meeting once you onboard to SSPM.
What you need to do:
- Collaborate with the SaaSG team during regular reviews of your SSPM practice. Work with them to update monitoring rules and maintain documentation.
- Attend to findings and mitigations that arise when SSPM tooling alerts you to security issues in your SaaS configurations or settings. Investigate all alerts thoroughly before dismissing them.
- Participate in the monthly SSPM Working Group when possible. This touchpoint allows you to hear from other teams about their experience with SSPM. It’s also a way to get custom support from the SaaSG security team. You’ll be invited to the Working Group meeting once you onboard to SSPM.
Get started with SSPM
All CMS application teams using SaaS should onboard to SSPM (for SaaS apps that are compatible with the SSPM tooling).
Complete the SSPM intake form (Coda link) to get started.
Need help?
If you need help with the onboarding process, or have questions about SSPM, contact the SaaS Governance Team.
Email: SaaSG@cms.hhs.gov
CMS Slack: #ispg-saas-governance