March 27, 2020 Appeal for Opinions on Draft Standards for the Government Information System Security Management and Assessment Program (ISMAP)

The Cabinet Secretariat (National Center of Incident readiness and Strategy for Cybersecurity and National Strategy office of Information and Communication Technology (IT)), the Ministry of Internal Affairs and Communications (MIC), and the Ministry of Economy, Trade and Industry (METI) have decided to appeal for opinions from Friday, March 27, through to Sunday, April 26, 2020, on all draft standards for security evaluation systems for the Government Information System.

1. Overview

In June 2018, the Government set the Basic Policy for the use of Cloud Services in the Government Information System (determined at a meeting of the Chief Information Officer's (CIO's) Council of government agencies on June 7, 2018). While on one hand it advocates for a cloud-by-default general rule, the need for studies concerning security assessments of cloud services is flagged in the Future Investment Strategy 2018 (determined by the cabinet on June 15, 2018) and the Cybersecurity Strategy (determined by the cabinet on July 27, 2018).

In response to this, from August 2018 to December 2019 MIC and METI served as the secretariat, held meetings of the Study Group on Safety Evaluation of Cloud Services, and in January 2020 compiled a report through public comments.

In addition, in consideration of cabinet decisions, and as per The Basic Framework for the Security Evaluation System of Cloud Services in the Government Information System (established by the Cyber Security Strategy Headquarters, January 30, 2020), the (1) basic framework for a system, (2) the approach to its use in each government ministry and agency, and (3) jurisdiction and operation systems have been determined.

This system, which has been placed under the jurisdiction of the Cabinet (National Center of Incident readiness and Strategy for Cybersecurity and National Strategy office of Information and Communication Technology (IT)), MIC and METI, is called the Information System Security Management and Assessment Program (ISMAP)n and as such MIC has decided to appeal for opinions from Friday, March 27, through to Sunday, April 26, 2020, to gain a wide range of views on all standards to be used with this system.

2. Overview of Appeal for opinions

  1. 1.
    Subjects
    • Basic Rules for the Government Information System Security Management and Assessment Program (ISMAP) (Draft)
    • Required Items for Registration of Applicants for Cloud Services (Draft) and ISMAP Cloud Service Registration Rules (Draft) - (chapter 3)
      • ISMAP Management Standards (draft)
      • Required Items for Registration of Applicant Audit Organizations (draft) and Rules for Registration of ISMAP Audit Organizations
      • ISMAP Information Security Audit Guidelines (draft)
  2. 2.
    Opinion submission deadline
    Sunday, April 26. *Note: Comments will be accepted until 12:00 a.m. (local time) on Monday, April 27, 2020.
    (If submitting by mail, it must arrive no later than Sunday, April 26, 2020).
    Submission of opinions, and an overview of the appeal for opinions, will be posted online on the Press Releases section of the MIC homepage (https://www.soumu.go.jp) at 3pm on Friday, March 27. In addition, it is also listed on the e-Government website ‘Public Comments’ (https://www.e-gov.go.jp/ Open a new window), and can be viewed, and copies handed out, at the contact window of the MIC division which is in charge.

3. References

"Digital Fund Execution Plan" (Decision of Cabinet decision on December 20, 2019)
3. Establishing a foundation for the realization of digital government
3.3 Thorough utilization of cloud services in administrative organizations
(2) Safety assessment of cloud services
In introducing cloud services into government organizations, it is necessary to procure such services with fully ensured measures for information security. Accordingly, Japan should introduce a framework for assessing cloud services taking advantage of criteria for assessing security as well as audit systems for assessing security which are utilized in introducing cloud services into the government. To this end, MIC and METI have collaboratively inaugurated the Study Group on Security Assessment of Cloud Services and have been advancing discussions. The Cabinet Secretariat, MIC and METI will continue to advance discussions on the development of environments and other issues so that all government organizations are able to embark on using cloud services, by the end of FY2020, about which ensured security is assessed by taking advantage of the framework mentioned above.

Summary of the Cloud service Safety Assessment Panel (Study Group on Safety Evaluation of Cloud Services, January 2020). Excerpt.
3. Future approaches and tasks
3.1 How to proceed with future studies and the schedule until system launch
After the various standards are discussed by future WG, the WG will formulate a draft, and a final decision shall be made by the competent ministries for the system. At that time, public comments will be solicited in advance on the main standards, centered on management standards, which are requirements for CSP.
(Omitted)
Various standards should be studied as soon as possible, and public comments will be requested within this fiscal year, and the launch of the system shall be started immediately.
(January 30, 2020) The basic framework for the security evaluation system of cloud services in the Government Information System was established by the Cyber Security Strategy Headquarters (excerpt).
1. Basic system framework
(Brief version) The rules, standards, and other details of the system shall be determined by the System Management Committee and the competent ministries described later.
(Omitted)
3. Jurisdiction of the system and operation of the system.
The Cabinet (National Center of Incident readiness and Strategy for Cybersecurity and National Strategy office of Information and Communication Technology (IT)), MIC and METIshall be the competent ministries for this system. (Rest omitted)

Contact

For further information about this press release, please fill in the inquiry form and submit it to MIC on the website
https://www.soumu.go.jp/common/english_opinions.html

International Policy Division, Global Strategy Bureau, MIC

TEL: +81 3 5253 5920

FAX: +81 3 5253 5924