Published: 2/3/2025
The SSPM Onboarding Process
SaaS Governance explains why SaaS Security Posture Management (SSPM) onboarding matters, walks through the onboarding process, and answers frequently asked questions.
SaaS Security Posture Management (SSPM) tooling provides CMS with comprehensive visibility into its cloud-based software applications’ security risks and compliance status. SSPM aims to help CMS stakeholders understand the risk posture of a SaaS application by continuously monitoring and assessing the security configurations, user access controls, data protection measures, and potential vulnerabilities. SSPM helps security teams and business owners/leaders understand their current security posture by aggregating data about misconfigured settings, unauthorized access attempts, data-sharing practices, and compliance violations.
Do I need to onboard my SaaS application into CMS’ SSPM tooling?
Yes. All SaaS applications should be onboarded into SSPM as it provides a unified view of security risks, compliance gaps, and potential data exposure across the Agency’s entire SaaS portfolio, ensuring no shadow SaaS or misconfigured applications create blind spots that threat actors could exploit. Conditions include:
- Your SaaS is unaccredited – that is, it has not been accredited in any form
- FedRAMP review is in process, either by an agency or joint agency agreement
- It’s FedRAMP ready, but not yet FedRAMP authorized
- All SaaS that has been through the RCR Process should be onboarded.
In addition, if you use a non-FedRAMP Authorized SaaS application, please ensure that you have completed the required RCR (Rapid Cloud Review) Process.
Moreover, all non-FedRAMP Authorized SaaS should be onboarded, and FedRAMP-authorized services belong in SSPM as well. While FedRAMP-authorized services undergo rigorous security assessments, monitoring them through SSPM alongside non-FedRAMP services provides crucial advantages for CMS’ overall security posture. Even with FedRAMP’s structured remediation timelines for vulnerabilities (30 days for High, 90 for Moderate, 180 for Low), near real-time visibility through SSPM lets CMS proactively track these remediations and assess their impact on your environment before the monthly report is published.
Including FedRAMP services in SSPM creates a comprehensive security view across CMS’ entire SaaS ecosystem. This unified visibility allows CMS to:
- Track configuration changes and policy compliance in near real-time, rather than waiting for monthly reports.
- Correlate security events across both FedRAMP and non-FedRAMP services to identify broader patterns or risks
- Maintain consistent security monitoring practices across all SaaS applications
- Make data-driven risk decisions based on current configuration states rather than point-in-time snapshots
Additionally, while FedRAMP services meet baseline security requirements, their specific configurations within your environment may still need monitoring to ensure alignment with CMS’ security policies and risk tolerance. SSPM provides this crucial layer of continuous oversight beyond the standard FedRAMP assessments.
What could interfere with my team’s ability to onboard?
- No Application Programming Interface (API) access to the SaaS application. The SaaS application vendor must be capable of providing visibility into system settings via API.
Steps to complete the onboarding process
The typical timeframe for onboarding a SaaS application is about 1 to 2 weeks. However, the duration of this process depends on the responsiveness of your team and our SSPM vendor when coordinating schedules.
1. Intake & Assessment
- Complete the SSPM Intake Form (identify application and key stakeholders).
- Assess tool compatibility, permissions, and monitoring scope.
- Define roles and responsibilities for ongoing management.
2. Technical Integration
- Set up service accounts (if needed) and API connections.
- Validate read-only access and authentication mechanisms.
3. Initial Configuration
- Apply baseline security policies and additional controls as needed.
- Configure monitoring parameters, alert thresholds, and threat detection integration.
4. Validation & Implementation
- Ensure all security controls, alerts, and compliance requirements are active.
- Validate data collection and test notification workflows.
- Document final configurations.
5. Ongoing Management
- Participate in the monthly SSPM Working Group (every 3rd Wednesday).
- Conduct regular reviews, update monitoring rules, and maintain documentation.
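The following is an added example, not CMS’ SSPM tooling or any vendor’s code, showing in miniature what steps 2 through 4 above amount to: confirming the service account is read-only, evaluating a settings snapshot against baseline policies, applying an alert threshold, and stamping each finding with a remediation due date counted from the day it was first identified. The tenant snapshot, the policy set, the setting names, the NIST SP 800-53 control mapping and the use of the FedRAMP 30/90/180-day windows as the remediation clock are all constructed assumptions for illustration.

```python
"""Toy SSPM-style posture check (added example, not CMS or vendor code).
The snapshot, policies, control mapping and remediation windows below are
constructed assumptions used to illustrate onboarding steps 2-4."""
import json
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Callable

# Constructed tenant snapshot, shaped like what an SSPM tool would pull from
# a SaaS vendor's settings API (API access is the page's stated prerequisite).
SNAPSHOT_JSON = """
{
  "tenant": "example-tenant",
  "service_account_scopes": ["settings:read", "users:read", "audit:read", "files:write"],
  "settings": {
    "mfa_required_for_admins": false,
    "external_sharing_default": "anyone_with_link",
    "session_timeout_minutes": 1440,
    "audit_log_export_enabled": true,
    "inactive_account_disable_days": 120
  }
}
"""

# Step 2: the SSPM service account should be read-only. Any scope that can
# change tenant state is flagged before the integration is accepted.
WRITE_MARKERS = ("write", "admin", "manage", "delete")


def write_capable_scopes(scopes: list[str]) -> list[str]:
    """Return the granted scopes that are not read-only (empty list means OK)."""
    return [s for s in scopes if any(m in s.lower() for m in WRITE_MARKERS)]


@dataclass(frozen=True)
class Policy:
    policy_id: str
    description: str
    severity: str          # "High" | "Moderate" | "Low"
    nist_control: str      # illustrative NIST SP 800-53 mapping (assumption)
    compliant: Callable[[dict], bool]


# Step 3: baseline policies. Setting names and control mapping are assumptions.
POLICIES = [
    Policy("SSPM-001", "MFA enforced for administrator accounts", "High", "IA-2(1)",
           lambda s: s["mfa_required_for_admins"] is True),
    Policy("SSPM-002", "Default link sharing is not open to anyone", "High", "AC-21",
           lambda s: s["external_sharing_default"] in {"internal_only", "specific_people"}),
    Policy("SSPM-003", "Audit log export to the SIEM is enabled", "Moderate", "AU-6",
           lambda s: s["audit_log_export_enabled"] is True),
    Policy("SSPM-004", "Session timeout is 8 hours or less", "Moderate", "AC-12",
           lambda s: s["session_timeout_minutes"] <= 480),
    Policy("SSPM-005", "Inactive accounts disabled within 90 days", "Low", "AC-2(3)",
           lambda s: s["inactive_account_disable_days"] <= 90),
]

# Remediation windows by severity: the FedRAMP timelines quoted on the page,
# used here as a stand-in for the RMH Chapter 14 windows (assumption).
REMEDIATION_DAYS = {"High": 30, "Moderate": 90, "Low": 180}
SEVERITY_RANK = {"Low": 1, "Moderate": 2, "High": 3}


def load_snapshot(raw: str = SNAPSHOT_JSON) -> dict:
    """Parse a settings snapshot (the constructed one by default)."""
    return json.loads(raw)


def evaluate(settings: dict, identified_on: str) -> list[dict]:
    """Run every policy; each failure becomes a finding whose due date is
    counted from the ISO date on which it was first identified."""
    first_seen = date.fromisoformat(identified_on)
    findings = []
    for p in POLICIES:
        if not p.compliant(settings):
            due = first_seen + timedelta(days=REMEDIATION_DAYS[p.severity])
            findings.append({
                "policy": p.policy_id, "severity": p.severity,
                "control": p.nist_control, "description": p.description,
                "identified": identified_on, "due": due.isoformat(),
            })
    return findings


def alerts_at_or_above(findings: list[dict], threshold: str) -> list[dict]:
    """Alert threshold from step 3: only findings at or above it notify stakeholders."""
    floor = SEVERITY_RANK[threshold]
    return [f for f in findings if SEVERITY_RANK[f["severity"]] >= floor]


if __name__ == "__main__":
    snap = load_snapshot()
    bad = write_capable_scopes(snap["service_account_scopes"])
    print("non-read-only scopes granted to the service account:", bad or "none")
    for f in alerts_at_or_above(evaluate(snap["settings"], "2025-02-03"), "Moderate"):
        print(f"{f['policy']} [{f['severity']}] {f['control']}: {f['description']} (due {f['due']})")
```

Run stand-alone, the script flags the `files:write` scope (the service account is not read-only, so step 2 would fail validation), reports four of the five policies as findings, and suppresses the Low-severity one under a Moderate alert threshold. The due dates are what make the page’s remediation expectations concrete: a High finding identified on the publication date is due 30 days later, while the Low one runs to 180 days.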
Responsibilities
This table gives an overview of SSPM onboarding and ongoing tasks and the party responsible for each. The first column lists the task; the second names the responsible party. It contains 15 task-responsibility pairs that outline the workflow and accountability structure for implementing SSPM at CMS.
| Task | Responsible Party |
|---|---|
| Complete SSPM Intake Form | Application owner/team |
| Identify SaaS application and key stakeholders | Application owner/team, SaaSG team |
| Assess tool compatibility and permissions | SaaSG team |
| Define monitoring scope and roles | SaaSG team, Application owner/team |
| Set up service accounts and API connections | Application owner/team |
| Validate authentication and read-only access | Application owner/team, SaaSG team |
| Apply baseline security policies | SaaSG team |
| Configure monitoring, alerts, and threat detection | SaaSG team |
| Ensure all security controls and compliance tracking are active | SaaSG team, Application owner/team |
| Validate data collection and test notification workflows | SaaSG team, Application owner/team |
| Document final configurations | SaaSG team, Application owner/team |
| Participate in monthly SSPM Working Group | All stakeholders |
| Schedule and conduct regular reviews | SaaSG team |
| Update monitoring rules and maintain documentation | SaaSG team, Application owner/team |
| Attend to findings and mitigations | Application owner/team |
Frequently asked questions
- What’s the business value for my team specifically?
- SSPM tooling enhances security visibility and risk management by continuously monitoring SaaS environments for misconfigurations, unauthorized access, and policy violations. SSPM strengthens CMS’ cyber resilience, minimizing exposure to data breaches and operational disruptions.
- Who will have visibility into my environment’s data through this tool?
- Only your team and SaaS Governance.
- What are the expectations for handling and mitigating findings?
- Per the CMS Risk Management Handbook, Chapter 14, stakeholders are expected to remediate findings within targeted windows counted from the date on which a finding is first identified. Because the prescribed policy dictates tight turnaround times, the SaaS Governance team encourages stakeholders to compose a rapid response plan. Within these timeframes, teams should investigate each finding, document their analysis, and follow the applicable mitigation guidance.
- What happens if the SSPM tool detects a critical issue?
- Upon environment scanning, CMS’ SSPM tooling will send an alert to the appropriate stakeholders. In addition, within seven calendar days of any critical finding being identified, the SaaS Governance team will make contact with your team to ensure awareness & education, help guide you through a comprehensive analysis of the finding, and provide your team with an actionable, clear, and comprehensive mitigation path. Each finding identified through SSPM relates specifically to SaaS system configuration settings, rather than traditional patch or software updates, requiring careful attention to security control implementation.
All findings are mapped directly to both NIST 800-53 and ARS controls, giving environment owners clear visibility into how these configurations align with CMS’ security policies and compliance requirements. It is crucial to treat each finding as a legitimate security concern requiring investigation: while false positives are possible, every alert should be thoroughly analyzed and validated before being dismissed, so that no genuine security gap is overlooked.
- Has the CIO and/or CISO approved the SSPM tool for use?
- CMS’ SSPM tool has successfully completed the Rapid Cloud Review (RCR) assessment and has received an approved Authorization To Operate (ATO), demonstrating its security posture and compliance with stringent cybersecurity requirements. Additionally, CMS’ SSPM tool is currently pursuing FedRAMP authorization with CMS as its active sponsor, further validating its commitment to meeting the highest security standards for federal information systems.
- What are the key security risks of not using SSPM for a SaaS environment?
- Why it matters: Operating without SSPM in a SaaS environment exposes CMS to several critical security risks, including undetected misconfigurations across security settings, inadequate identity and access management, and potential data exposure through improper sharing settings or weak authentication mechanisms. Without SSPM’s continuous monitoring capabilities, security teams struggle to maintain compliance across multiple platforms, detect suspicious activities, and manage third-party app integrations that could introduce supply chain vulnerabilities.
- How does SSPM integrate with my existing security tools and cloud infrastructure?
- Why it matters: CMS’ SSPM solution is designed to complement and enhance your existing security infrastructure through native (and in some cases, custom) integrations with leading SIEM platforms, IAM solutions, and cloud services. The platform leverages API-based connections to seamlessly ingest and correlate data from your current tools, providing unified visibility without disrupting existing workflows. We support standard protocols and formats, including SAML, OAuth, and REST APIs, enabling smooth integration with your SaaS applications. By augmenting rather than replacing your current security investments, CMS’ SSPM solution enriches your existing security data with SaaS-specific context and risk insights, enhancing your overall security monitoring and response capabilities.
- What are the ongoing costs and resource commitments associated with implementing and maintaining SSPM?
- Why it matters: The current implementation of SSPM is being offered at no additional cost to groups across CMS, maximizing the value proposition for enhanced security posture management. While there are no direct software licensing costs, groups should consider the staff time required for initial setup, ongoing monitoring, and addressing identified security findings as part of their resource planning. Training resources are available to ensure your team can effectively utilize the SSPM platform, though the intuitive interface minimizes the learning curve and associated training time investment. The total cost of ownership primarily centers around the operational commitment to analyze and remediate discovered security gaps and maintain proper SaaS configurations, making it essential for environment owners to be prepared with resources to address findings in a timely manner.
About the publisher:
The SaaS Governance (SaaSG) program helps us understand and manage risk when using Software as a Service tools for CMS systems. The SaaSG team is here to help you find CMS-approved SaaS tools and make good business decisions around SaaS usage.