Call for Public Comments on Criteria on Security Assessment System (ISMAP) for Government Information Systems Draft Report
March 27, 2020
The Ministry of Economy, Trade and Industry (METI), the Cabinet Secretariat (National center of Incident readiness and Strategy for Cybersecurity/Information and Communications Technologies [IT] Comprehensive Strategy Office), and the Ministry of Internal Affairs and Communications (MIC) hereby announce that they will open a call for public comments on this draft report from March 27 (Fri.) to April 26 (Sun.), 2020.
1. Background and purpose
The government of Japan stipulated a Cloud Adoption Policy for Government Information Systems in June 2018 (decided by the Liaison Committee of the Chief Information Officers [CIO] of each Ministry and Office on June 7, 2018) and upheld a Cloud-by-Default Principle as a basic policy. On the other hand, the necessity of discussions on the safety assessment of cloud services was stated in the Strategy for Investments for the Future 2018 (approved by the Cabinet on June 15, 2018) and the Cybersecurity Strategy (approved by the Cabinet on July 27, 2018).
Following this, the Study Group on Security Assessment of Cloud Services was held from August 2018 to December 2019, with METI and MIC serving as the secretariat, and a report was compiled in January 2020 following the collection of public comments.
Based on such Cabinet approvals, the Outline of the Basic Framework for the Security Assessment System for Cloud Services Introduced into Government Information Systems (decided by the Cybersecurity Strategy Headquarters on January 30, 2020) decided the system’s (i) basic framework, (ii) concept on utilization among different governmental organizations, and (iii) administrative jurisdiction and operation.
The system, over which METI, the Cabinet Secretariat (National center of Incident readiness and Strategy for Cybersecurity/Information and Communications Technologies [IT] Comprehensive Strategy Office), and MIC hold jurisdiction, is called the “Information system Security Management and Assessment Program (ISMAP).” METI and MIC will open a call for public comments on criteria used in the system from March 27 (Fri.) to April 26 (Sun.), 2020, in order to receive a broad range of opinions.
2. Document subject to the call
- "Basic provisions for the Information system Security Management and Assessment Program (ISMAP) (Draft)" (Appendix 1) (in Japanese) (PDF: 229KB)
- "Requirements regarding those applying for the cloud service registration (Draft)" (Chapter 3 of the Registration Rules for ISMAP Cloud Service [Draft]) (Appendix 2) (in Japanese) (PDF: 224KB)
- "ISMAP management criteria (Draft)" (Appendix 3) (in Japanese) (PDF: 2,768KB)
- "Requirements regarding those applying for auditing organization registration (Draft)" (Chapter 3 of the Registration Rules for ISMAP Auditing Organization Registration [Draft]) (Appendix 4) (in Japanese) (PDF: 216KB)
- "ISMAP information security guideline (Draft)" (Appendix 5) (in Japanese) (PDF: 311KB)
3. Details of the call
4. Period of the call
From March 27 (Fri.) to April 26 (Sun.), 2020*
* Note: Comments will be accepted until 12:00 a.m. (local time) on April 27 (Mon.), 2020.
5. Reference
Excerpts of the Digital Government Action Plan (approved by the Cabinet on December 20, 2019)
3 Development of infrastructure for realizing digital government
3.3 Thorough utilization of cloud services in administrative organizations
(2) Security assessment of cloud services
In introducing cloud services into government organizations, it is necessary to procure such services with fully ensured measures for information security. Accordingly, Japan should introduce a framework for assessing cloud services taking advantage of criteria for assessing security as well as audit systems for assessing security which are utilized in introducing cloud services into the government. To this end, the Ministry of Internal Affairs and Communications and the Ministry of Economy, Trade and Industry have collaboratively inaugurated the Study Group on Security Assessment of Cloud Services and have been advancing discussions.
The Cabinet Secretariat, the Ministry of Internal Affairs and Communications and the Ministry of Economy, Trade and Industry will continue to advance discussions on the development of environments and other issues so that all government organizations are able to embark on using cloud services, by the end of FY2020, about which ensured security is assessed by taking advantage of the framework mentioned above.
Excerpts of Report Compiled by the Study Group on Security Assessment of Cloud Services (Study Group on Security Assessment of Cloud Services in January 2020)
3. Procedure from now on and problems
3.1. Procedure on future discussions and the schedule until the establishment of the system
The criteria will be discussed in the working group from now on, and a working group draft will be compiled. At the same time, a final decision will be made by supervisory authorities on the draft. Upon doing so, there will be a call for public comments in advance on major criteria, mainly including management criteria that will be the requirements for CS.
(Omission)
Discussion on criteria will be implemented as soon as possible. Public comments will be called upon before the end of this fiscal year, and the system will be launched promptly.
Excerpts of the Outline of the Basic Framework for the Security Assessment System for Cloud Services Introduced into Government Information Systems (Draft) (decided by the Cybersecurity Strategy Headquarters on January 30, 2020)
1. Basic framework of the system
(Omitted) Details including the provisions and criteria of the system should be decided by the system managing committee as stated hereafter and supervising ministries and departments.
(Omitted)
3. Administrative jurisdiction and management framework of the system
The system will be administrated by the Cabinet Secretariat (National center of Incident readiness and Strategy for Cybersecurity/Information and Communications Technologies [IT] Comprehensive Strategy Office), the Ministry of Internal Affairs and Communications, and the Ministry of Economy, Trade and Industry. (Omitted)
Division in Charge
Information Economy Division, Commerce and Information Policy Bureau