June 15, 2022 Solicitation of Opinions on Draft ISMAP-LIU Cloud Service Registration Rules

The Ministry of Internal Affairs and Communications (MIC), the National center of Incident readiness and Strategy for Cybersecurity (NISC) of the Cabinet Secretariat, the Digital Agency, and the Ministry of Economy, Trade and Industry (METI) will formulate, under the framework of the Information system Security Management and Assessment Program (ISMAP), a system of ISMAP for Low-Impact Use (ISMAP-LIU) for SaaS that is used for processing operations and information with low security risk. As relevant rules were created or revised this time, MIC will solicit opinions on those rules from Wednesday, June 15 to Tuesday, July 5, 2022.

1. Background and outline

The Information system Security Management and Assessment Program (hereinafter referred to as "ISMAP") is operated by the ministries and agencies with jurisdiction over the ISMAP systems (MIC, NISC of the Cabinet Secretariat, the Digital Agency, and METI) under the Basic Framework for the Security Assessment System for Cloud Services Introduced into Government Information Systems (decided by the Cybersecurity Strategy Headquarters on January 30, 2020).

Information systems that handle confidentiality class-2 information subject to ISMAP range widely from IaaS, and PaaS to SaaS. Among these, SaaS covers a broad range of services, including services with extremely limited purposes or functions and low-risk services that only handle confidentiality class-2 information of relatively low importance. If these services are treated uniformly under the current ISMAP framework, excessive security requirements may be imposed in some cases.

Accordingly, the ministries and agencies have decided to formulate, based on the framework of ISMAP, ISMAP for Low-Impact Use (ISMAP-LIU) as a system applicable to SaaS handling confidentiality class-2 information, which is used for processing operations and information with low security risk.

This time, MIC will solicit opinions on the draft ISMAP-LIU Cloud Service Registration Rules prepared as rules to be applied to ISMAP-LIU and changes to existing rules from Wednesday, June 15 to Tuesday, July 5, 2022 to seek a wide array of opinions.

2. Subject materials

• The parts of the ISMAP-LIU Cloud Service Registration Rules (draft) that have been newly added from the conventional ISMAP Cloud Service Registration Rules (Chapters 3 to 6, 7, and 13, and information in Form 1-2 relating to security of the target SaaS).
• Revised parts of the Basic Rules for the Government Information System Security Management and Assessment Program (ISMAP) (Chapters 1, 2, 3, 5, and 6)
• Revised parts of the ISMAP Cloud Service Registration Rules (Chapter 1)
• Revised parts of the ISMAP Management Standards (Chapters 1 and 2)
• Revised parts of the ISMAP Standard Audit Procedure (Chapter 3 and Attachment 3)
• Revised parts of the ISMAP Information Security Audit Guidelines (Chapters 1 and 4)

Reference materials

The materials below are not subject to the solicitation of opinions, but may be used as reference materials.

• Regarding ISMAP-LIU (draft)
• The form for an internal audit report and the impact assessment standards to be used by governmental organizations contained in the ISMAP-LIU Cloud Service Registration Rules (draft)
• Guidance on Impact Assessment of Operations/Information under ISMAP for Low-Impact Use (draft)

• *
  The materials above are also posted on the public comment page of the e-Gov (https://www.e-gov.go.jp/en/ ).

3. Details of solicitation of opinions

For details, including how to submit opinions, please see the procedure of solicitation of opinions.

• *
  The procedure of solicitation of opinions is also posted on the public comment page of the e-Gov.

4. Solicitation period

From Wednesday, June 15 through Thursday, July 5, 2022

• *
  Opinions are accepted from 2:00 p.m., Wednesday, June 15 through 11:59 p.m., Tuesday, July 5, 2022 (JST).
• *
  The published material is in Japanese only.