What the IS2P2's new Rapid Cloud Review (RCR) requirement means for you

When the Policy team updated the IS2P2 in June 2024, one big change came from a clarification about requirements for cloud service implementation at CMS. Now, all SaaS products used at CMS that do not have FedRAMP authorization must go through a Rapid Cloud Review (RCR) process. 

If your SaaS product is currently FedRAMP authorized, you don't need to do anything more — you have satisfied the new requirement. 

For other SaaS products, the SaaS Governance (SaaSG) team has established a new RCR process by using the HHS Risk-Based Decision (RBD) process, and worked closely with the ISPG Policy Team to make it a mandate. 

What does the new policy say?

The policy change aligns with the overarching HHS Information Systems Security and Privacy Policy (IS2P) and adds clause CMS-CLD-1.1 to the CMS IS2P2:

CMS-CLD-1.1: If a Software as a Service (SaaS) product does not have a current FedRAMP authorization, a Rapid Cloud Review (RCR) and a CMS-issued Provisional Authority to Operate (P-ATO) would be needed to assess FedRAMP readiness. 

The P-ATO is an ATO that "evaluates" the use of the SaaS tool.

Why did we add the RCR process?

The RCR process assesses a SaaS vendor's risk posture, security program maturity, and FedRAMP readiness, all to ensure that CMS business data remains secure. 

Per policy, all SaaS consumption must be FedRAMP authorized. Sometimes, however, FedRAMP authorization isn't a viable option, so CMS employees need an alternative.

What you can do now

For each SaaS that you're using, verify: Does it have an ATO or FedRAMP authorization? 

If it does not, you need to put it through the RCR process. 

If you're not sure, and need help to verify your SaaS's status, reach out to the SaaS Governance team.

Questions?

To procure a SaaS application, or to ask questions about evaluating a SaaS application, contact the SaaS Governance team at saasg@cms.hhs.gov, or ask in our CMS Slack Channel: #ISPG-SaaS-governance.

As of June 2024, if you're using SaaS products that are not FedRAMP authorized, you need to go through the RCR process. Here's how — and why.

ISPG Publisher Team