Considerations and guidelines for CMS business units wanting to use SaaS applications

Contact Name: SaaSG Team
Contact Email: saasg@cms.hhs.gov
Slack Channel(s): #ispg-saas-governance

What is SaaS Governance at CMS?

Using Software-as-a-Service (SaaS), where an application is delivered as a service via the Internet, is increasingly popular and encouraged at CMS. It removes the burden of deploying, maintaining, and updating software or hardware – saving time and money. 

However, SaaS users have little to no visibility or control over the provider’s software or infrastructure. This means that SaaS can introduce unexpected risks and vulnerabilities into the CMS environment. 

The SaaS Governance (SaaSG) program helps CMS understand and manage SaaS risk and make good business decisions around SaaS usage. We do this by taking a comprehensive approach with these ongoing activities: 

  • Discover - Inventory and track SaaS application usage across the enterprise
  • Manage - Develop policies and procedures for evaluating and authorizing SaaS products
  • Secure - Continuously monitor SaaS application configuration to align with agency policy and security standards and best practices

Is SaaS the right choice for my business?

Though they are effective and convenient, SaaS solutions are not always the best choice. It depends on the use case, adjacent technologies, and other factors. Proper due diligence is important before starting to use a new SaaS product. The SaaSG team is here to help! For Business Owners wanting to use a new SaaS product, we provide:

  • Guidance in evaluating potential risks
  • Resources to help you determine suitability
  • A clear process for review and approval

How do I get approval for SaaS?

We want to help you get started with your new solution quickly if it meets business needs and security criteria. Follow these steps:

 

Evaluate the product

Use the CMS SaaS Buyer’s Guide (requires access to CMS Box) as a checklist to determine if the product will meet your business needs – and to make sure the provider is addressing important cybersecurity considerations.

Check existing SaaS solutions

The CMS SaaSG Dashboard is a list of SaaS products already approved (or going through the approval process) at CMS. Check to see if one of these will meet your needs. If you are unable to view the dashboard, please ensure you have the EUA job code: TABLEAU_DIR_VIEWER_PRD. For assistance logging into the Tableau SaaS Dashboard, review the login guide.

Submit a request for review

If you have determined that the SaaS product you’re considering is right for your needs and is not already being used at CMS, then you can submit the product for review by the SaaSG team. Complete the SaaS Request Intake Form (this can be done by the Business Owner, ISSO, or designee). Contact the SaaSG team via email (saasg@cms.hhs.gov) if you need help with the form.

Respond to follow-up questions

As the SaaSG team reviews your proposed SaaS product, we may ask for additional information. We may also need to schedule meetings with you or the SaaS provider. Timely and clear responses to these requests will help move the process along and lead to a faster decision. Meanwhile, you can use the SaaSG Dashboard to track the progress of your request.

Frequently asked questions

Will SaaS currently in use (at CMS) continue to be approved for use without the need for review?

SaaS previously approved is not required to be reviewed by the SaaSG group.

Would the SaaS product still have to be included in the FISMA system boundary?

Yes, but we are looking at ways to move these approved SaaS requests under a sanctioned boundary in the future that will provide some of the customer control capabilities.

Contact the SaaS Team

The SaaSG Team can answer questions regarding any aspect of the SaaSG program, policies, guidance, or processes. You can reach us by email at saasg@cms.hhs.gov or find our team on CMS Slack at #ispg-saas-governance.