June 3, 2020 ISMAP Came into Operation

  The Ministry of Internal Affairs and Communications (MIC), the Cabinet Secretariat (National center of Incident readiness and Strategy for Cybersecurity/Information and Communications Technologies [IT] Comprehensive Strategy Office), and the Ministry of Economy, Trade and Industry (METI) organized an operation committee (ISMAP Operation Committee) for the launching of an initiative called the Information system Security Management and Assessment Program (ISMAP). Various ISMAP provisions were decided at the ISMAP Operation Committee’s meeting, and ISMAP came into operation.

1. Background/Purpose

The government of Japan established a Cloud Adoption Policy for Government Information Systems in June 2018 (decided by a Chief Information Officer (CIO) liaison conference on June 7, 2018), and the government upheld a Cloud-by-Default Principle as a basic policy.
Furthermore, the government’s Future Investment Strategy 2018 (a Cabinet decision on June 15, 2018) and the Cybersecurity Strategy (a Cabinet decision on July 27, 2018) set out the need to consider the safety evaluation of cloud services.
In response to this, the Ministry of Internal Affairs and Communications and the Ministry of Economy, Trade and Industry jointly served as a secretariat to organize a Study Group on Security Assessment of Cloud Services from August 2018 through December 2019, which issued a report in January 2020 taking into account the public comments that were received.
Taking the above Cabinet decisions into account, the Outline of the Basic Framework for the Security Assessment System for Cloud Services Introduced into Government Information Systems (established by the Cybersecurity Strategy Headquarters, January 30, 2020) determined (i) the basic framework, (ii) the concept of utilization among different governmental organizations, and (iii) administrative jurisdiction and operation.
In response to the establishment of the basic framework, on May 25, 2020, the Cabinet Secretariat, MIC and METI inaugurated an ISMAP Operation Committee, the highest decision-making body for ISMAP. Its members are experts and representatives of the ministries and agencies with administrative jurisdiction over ISMAP, i.e., the Cabinet Secretariat (National center of Incident readiness and Strategy for Cybersecurity/Information and Communications Technologies [IT] Comprehensive Strategy Office), MIC, and METI. The ISMAP Operation Committee’s first meeting was held on May 26, 2020, at which the Committee decided on various ISMAP provisions, and ISMAP came into operation.
Before the start of ISMAP, an appeal for opinions was made from March 27, 2020, on draft standards for the Government Information System Security Management and Assessment Program (ISMAP), and MIC has also decided to make the result of the appeal for opinions public.

  * The published material is in Japanese only.

2. System overview

The ISMAP system registers a cloud service in a publicly available cloud service list once the service has been confirmed to implement security measures according to the standards set by this system, based on an assessment process that utilizes an information security audit framework.
Furthermore, auditing organizations that perform assessments under this system are registered in a published list of auditing organizations after it has been confirmed in advance that they meet the requirements for auditing systems specified by this system. It is expected that this system will enable government agencies to efficiently procure cloud services for which certain information security measures have been confirmed.

Contact

For further information about this press release, please fill in the inquiry form and submit it to MIC on the website:
https://www.soumu.go.jp/common/english_opinions.html

International Policy Division, Global Strategy Bureau, MIC

TEL: +81 3 5253 5920

FAX: +81 3 5253 5924