Summary

The SaaS Governance team strategy is making it easier to discover, secure, and manage software solutions.

Graphic of large hands on a computer keyboard with a wide screen with 18 silhouettes of people working on computers to the left and right and clouds on top

 Articles

SaaSG Powers Software Management Forward

Graphic of large hands on a computer keyboard with a wide screen with 18 silhouettes of people working on computers to the left and right and clouds on top

Shawnte Singletary expects most CMS software will be cloud-based within the next few years.

“Software as a Service (SaaS) will likely become the more prevalent way of using software," says Singletary, SaaS Governance (SaaSG) team member and Deputy Director of the Division of Security and Privacy Compliance. "This means less downloading and installing on endpoint devices like laptops or phones and more access through API or direct connection through the internet.”

Though CMS is just beginning its journey into the digital stratosphere, SaaS already touches nearly every part of OIT, according to David Dougherty, Enterprise Architect for the Division of Enterprise Architecture.

Dougherty conducts the annual System Census for CMS, a survey that gathers data on budget sources, data centers, software products, and SaaS use at CMS, among other information.

“The System Census survey shows that CMS has been moving to the cloud dramatically over the past seven years, growing from 13% in 2015 to 75% of systems having moved as of last year, in 2022,” Dougherty says. “And of those cloud-hosted systems, 85% are on AWS.”

 

Pie chart of SaaS product types at CMS by category: 52 (48%) software development, 19 (17%) IT management, 11 (10%) productivity, 8 (7%) configuration management, 7 (6%) collaboration, 5 (5%) security, 3 (3%) database management systems (DBMS), 2 (2%) multimedia and graphics, 1 (1%) customer relationship management (CRM), 1 (1%) enterprise content management.

 

The data represented in the pie chart (pictured) show that the top uses for SaaS at CMS are software development, IT management, collaboration, and security.

“As SaaS becomes more used, accepted, and understood, the other pie wedges will get bigger," says Dougherty. “OIT is heavily involved in the top four but has their hand in all of them.”

Therefore, OIT will need a structured approach to stewarding its SaaS portfolio. That's where SaaSG comes in.

In just over a year since its formation, the SaaSG program is well on its way to transforming how CMS discovers, secures, and manages SaaS.

SaaSG was created to help CMS understand SaaS risks in an effort to make sound business decisions around responsible SaaS usage. Their mission is threefold - to discover, manage, and secure - as detailed below:

  • Inventory SaaS products on the CMS network (discover)
  • Establish policies and procedures for evaluating and authorizing SaaS products (manage)
  • Ensure SaaS products adhere to configuration requirements and security policies (secure).

By taking a comprehensive approach to evaluating, authorizing, and continuously monitoring SaaS products, SaaSG ensures that software products in use are identified, tracked, and managed efficiently, and, more importantly, ensures users are aware and educated on the risks of their SaaS consumption.

Managing Products

For years, software was installed and managed on a local machine, making it easy to track usage. Keeping tabs on SaaS software can prove more difficult. Someone may request a license for a SaaS product but never use it. Or they may deploy SaaS only for a pilot program and forget to remove access. Then the license goes stale. Additionally, contractors may not disclose that a SaaS product they're using is not FedRAMP compliant.

To better manage SaaS at CMS, SaaSG will use an asset management and data analytics application called Axonius SaaS Management (Axonius SM). This tool will help discover known and unknown SaaS applications and identify misconfigurations and data security risks. Axonius SM integrates with OKTA and Axonius Asset Management to identify SaaS products. It then analyzes and categorizes this data, which can be used for the System Census and other inventory management-driven processes across the agency. The data and insights Axonius SM provides will ultimately help CMS with IT management and costs.

Axonius SM also helps SaaSG determine whether products have been vetted and are FedRAMP-compliant, where SaaS was developed, and whether a tool should be considered for enterprise-wide use. SaaSG uses this data to have more meaningful conversations with stakeholders who leverage or manage SaaS products in their business environments.

When adopting SaaS, security and privacy are key considerations. SaaSG uses a rigorous approach to review products that aren't FedRAMP-compliant. The team's Rapid Cloud Review (RCR) helps identify which controls are supported by the vendor and which controls or capabilities need to be implemented by CMS's Application Development Organizations (ADOs) or stakeholders.

The RCR process leverages artifacts from the vendor – such as SOC2 audit reports and perimeter scans (BitSight) – and analyzes software bill of materials (SBOM) data. The process evaluates artifacts and identifies any vendor risk. The final report is reviewed with the requestor, and guidance is provided for authorization approval by the appropriate stakeholders.

"People want to try things out before making long-term subscriptions or commitments,” Singletary says. “Our review process gives them a chance to try something out temporarily while still adhering to a subset of controls. We're also implementing automation to oversee more technical control, like BitSight and SBOM scans.”

SaaSG also provides guidance, resources, and a clear process for business owners to adopt SaaS solutions. Using the CMS Buyer's Guide, business owners can find information on evaluating their business needs, engaging vendors about products, and asking questions about application security, compliance, data management, and other topics.

Singletary hopes SaaSG's approach can help the team optimize conversations with stakeholders and determine the best way to manage products over time.

One-Stop SaaS Management

Singletary believes that, in the long run, CMS will benefit by having a single entity procure, license, manage, and negotiate a better cost for SaaS solutions.

For example, if other HHS Operating Divisions (OpDivs) worked collectively, they could benefit from the same cost-saving strategies. This type of single-entity management and price negotiation would drive innovation around SaaS procurement and usage and possibly lead the way to a future of federated SaaS governance.

Want more information about SaaS Governance? Please check out their webpage on ISPG Cyber Geek. Reach them on Slack at #ispg-saas-governance or by email at SaasG@cms.hhs.gov.

 

Recent Articles

Recent Media