CMS taking a three step approach to using more SaaS: Discover, manage, secure

The Centers for Medicare and Medicaid Services journey to the cloud is about to take a big step forward.

CMS is developing a new approach to better manage how the agency is moving more systems and applications to software-as-a-service.

Shawnte Singletary, the deputy director of the Division of Security and Privacy Compliance in the Office of Information Security and Privacy Group at CMS, said her agency’s new SaaS governance program is focused on helping the mission areas adopt cloud more easily and securely.

“We’re trying to figure out what’s the best way to manage SaaS products, track and also evaluate the risk of those SaaS products. So when I say discovery, that’s where we are right now. We identified a tool that will help us manage the discovery of SaaS in our environment,” Singletary said at a recent event sponsored by the Digital Government Institute. “With that discovery, we would love to evaluate those SaaS products, categorize them and make sense of what their usage are because we don’t want to call out things as unsanctioned if everybody’s using it and therefore it’s not shadow IT. We’ve got to understand who’s using it, why are they using it and what type of sensitive data is going in it.”

Over the last four or five years, CMS has implemented more software services in the cloud, including sponsoring them through the Federal Risk Authorization Management Program (FedRAMP).

This is why that discovery effort is so important to CMS at this point.

“We want to have that conversation around what capabilities should the SaaS products have available for them? What other security requirements should they incorporate at the agency level?” Singletary said on Ask the CIO. “That’s where we are right now, just identifying the tool and doing the discovery, and having those meaningful conversation with our counterparts within the operations on what we can do better to manage these platforms across the agency.”

Inheriting security controls

Like many agencies, CMS wants the FedRAMP approval process to move faster so they have more access to the software services in the cloud. Singletary said the agency is trying to evaluate risks from a non-FedRAMP standpoint so mission areas can begin the process of adopting some of these cloud services.

“Because we’re all still remote for the most part and we don’t see all of our stakeholders, our customers, and even our groups coming back together collectively in the office, we’re really stuck with trying to figure out how to collaborate, how to give people tools and resources in a secure way,” she said. “We are trying to give them an opportunity to adopt things that are not conventional. Our group definitely feels like we are a trailblazer in that area, and we’re hoping that … we’ll have a solid program to help our customers adopt SaaS solutions.”

The good news for CMS, Singletary said, is so many of those software services are operating in Amazon Web Services or Microsoft Azure that they are inheriting many of the security controls from FedRAMP anyways.

“While that puts some of the ownership on the cloud service provider, our customers still need to understand that they do have some responsibility to implement some of those controls,” she said. “From an assessment standpoint, we’re trying to leverage some of the native technology that AWS offers, whether it’s security hub or leveraging some of the things like security audit manager to help us assess these systems. It just changed the landscape on how we assess the software system because now we use a lot more native tools in the cloud instead of using some of the more traditional vulnerability scanning tools and stuff like that.”

Singletary added that when CMS mission areas want to use software services in the cloud, but they aren’t yet through the FedRAMP process, they are trying to find a way to make it work, such as sponsoring the approval process.

“What our group is trying to do is give people a way of evaluating a risk standpoint from a product perspective,” she said. “There’s a lot of use cases where a lot of people want to use non-FedRAMP stuff. We don’t want to be the group that says ‘no’ to everything. So we’re trying to figure out what’s the best way of evaluating some of these non-FedRAMP products and give it some type of authorization with some guardrails and hope that maybe one day this solution will become FedRAMPed so it can be leveraged across multiple federal agencies.”

Some of those other security factors CMS is looking at include SOC 2 audit, which many experts believe is a minimal requirement for SaaS products and includes evaluating a company’s security and privacy controls around its data.

CMS also is looking at the results of penetration testing against the SaaS platform and the use of software bill of materials (SBOMs).

Singletary said the goal of all of these efforts is to better understand the technical risk posture of these products.

“We’re just starting off with grass roots information from a compliance standpoint, and then whatever technical solutions we can leverage that is easily and readily available for vastly anybody,” she said.

Moving toward enterprisewide licenses

Among the early “surprises” of the discovery phase has been finding multiple instances of Salesforce and ServiceNow running across the agency. CMS now is trying to determine if they can make those and other similar SaaS programs enterprisewide.

“With SaaS, a lot of people — and we are all guilty of it — have smartphones and there’s tons of apps out there and we’re prone to download them right. You can download the app and don’t know that you’re subscribing to something and you have a fee. With IT services that are software based, that fee can bring up a lot of costs for our agency,” she said. “Another concern we have is somebody subscribed to a SaaS product and next thing you know that person leaves the agency, then that license is stale and stagnant, and we’re paying for license or subscription, which is costing the agency tons of money. Because it wasn’t done in a standardized process, we may not even know that someone purchased the software with their credit card and accessed it from the government network.”

Singletary said by managing SaaS titles like those and others enterprisewide, CMS could better manage the procurement, licenses and ensure standard minimum baseline security capabilities, including integration of those SaaS products in their security operations centers.

“At CMS, we have different centers and different areas where they’re focusing on certain health care services to provide to the public. Everybody is moving at a fast pace and we need to be more innovative with human-centered design is a big thing in our agency as well,” Singletary said.

Copyright © 2024 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.