Software as a Service Introduction

Software-as-a-Service (SaaS) is a cloud-based software distribution model that delivers applications to end users remotely over the internet, rather than within the enterprise. Applications hosted by third-party service providers and delivered as subscription services are increasingly popular and encouraged at CMS. Instead of requiring traditional application development and maintenance, SaaS services rely on users to configure and customize their applications. As a result, CMS business owners may find that SaaS Clouds offer faster implementation and lower cost than other forms of Cloud computing.

CMS uses the NIST SP 800-145 definition of software as a service. It is recognized that mapping commercial or government products to this model is not always straightforward because many providers produce clouds that have characteristics of one or more of these models.

Government IT systems have additional requirements that are often overlooked in commercial SaaS products. Before using any SaaS, it is important to understand the policies of the service provider, their security model, and the security requirements that remain the customer's responsibility. SaaS, like all cloud services, operates under a shared security responsibility model in which the provider and the customer each retain important security roles and responsibilities. The FedRAMP program establishes security baseline standards for cloud services and specifies agencies’ responsibilities when using these services. However, a FedRAMP authorization does not guarantee that a service is suitable for any given CMS workload. An Authority to Operate (ATO) is still required for any cloud services used. See BR-SAAS-2.

To help CMS teams understand and manage SaaS risk and make good business decisions around SaaS usage, CMS has developed a SaaS Governance Program. Through this program, CMS teams can obtain information about SaaS applications that are already approved for use within the Agency as well as request help in reviewing new SaaS providers. The CMS SaaSG Dashboard shows the applications already in use and under review. Further information is available at the CMS SaaS Governance website (see CMS SaaS Governance).

Data collection for official government business must be done on systems granted a CMS Authorization to Operate (ATO) (see CMS ATO for additional information); this includes clouds of all types. The responsibilities for securing the confidentiality, integrity, and availability of data throughout its life cycle remain the same regardless of implementation. SaaS services, like all CMS applications, must comply with the CMS ARS and CMS TRA, including CMS management of access policies, authorization, and user identities.

When using a SaaS to host public CMS websites and web services, it is important that those sites and services be represented as “.gov” domain names with valid SSL certificates (per Business Rule BR-F-18). As with all government websites, the HTTPS-Only Standard per OMB Memorandum M-15-13 applies. This gives visitors to those sites the confidence that they are dealing with a legitimate CMS business site and that their information is encrypted in transit with “the strongest privacy and integrity protection currently available for public web connections.”