Page History

...

Low-Impact Software-as-a-Service (LI-SaaS) Approval

The NCI Security Office To use cybersecurity as an enabler in the NCI research enterprise, the NCI Chief Information Security Officer (CISO) and Chief Information Officer (CIO) will consider requests to authorize certain innovative cloud services if they are low risk cloud software services (i.e., they are rated Low impact using the FIPS-199 process) . Only products deemed cloud Software and are classified as software as a Service service (SaaS) are eligible for the cloud offering. The low impact SaaS (LI-SaaS) review and authorization .  They are is intended to streamline the authorization necessary for the NCI federal government to use SaaS products that carry low risk and are needed by the government to perform a legitimate business function in the absence of a FedRAMP authorization.  Often, the a SaaS product (1) when the cloud service provider does not have a FedRAMP cloud authorization and is not willing or does not have the resources to obtain one.  The product should not be categorized as a to obtain a FedRAMP authorization, and (2) when the product is not listed on or eligible to be approved as Third Party Websites and Applications (TPWA) as defined by the OMB memo M-10-23.  TPWAs . TPWA's are a special category of no-cost (free) online services and tools that are not subject to FedRAMP or to agency LI-SaaS reviews.  The products, and when approved by HHS are placed on the list of HHS-approved TPWAs can be found here: https://www.hhs.gov/web/policies-and-standards/terms-of-service-agreements/index.html. LI-SaaS reviews are not appropriate if you need to collect, store or process sensitive data using the tool, or if the cloud service is considered mission critical to your organization or business processes.  See the LI-SaaS Review/Approval Process and Approved SaaS Cloud Products Knowledge Article for more information.

NIH Security Assessment Tool (NSAT)

...