Comments are invited on the "ISMAP-LIU Cloud Service Registration Rules (Draft)" and other documents.
The Cybersecurity Center of the Cabinet Secretariat, the Digital Agency, the Ministry of Internal Affairs and Communications, and the Ministry of Economy, Trade and Industry will establish ISMAP for Low-Impact Use (ISMAP-LIU), a mechanism within the framework of ISMAP (Security Assessment Scheme for Government Information Systems) for SaaS used to process operations and information with low security risk. We have drafted and amended the relevant regulations, and we will seek opinions from Wednesday, June 15, 2022 to Tuesday, July 5, 2022.
1. Background and Purpose
The ministries and agencies responsible for ISMAP (the Cybersecurity Center of the Cabinet Secretariat, the Digital Agency, the Ministry of Internal Affairs and Communications, and the Ministry of Economy, Trade and Industry) operate the Information System Security Management and Assessment Program (ISMAP) based on the Basic Framework of the Cloud Service Security Assessment Program for Government Information Systems (decision of the Cybersecurity Strategic Headquarters on January 30, 2020). The ISMAP is based on the Basic Framework of the Security Information System Assessment Program for Government Information Systems (decision of the Information System Security Management and Assessment Program).
Information systems that handle Confidentiality class-2 information, which ISMAP targets, cover a wide range of areas, including IaaS, PaaS, and SaaS. SaaS in particular spans a wide range of services, including services with extremely limited uses and functions and low-risk services, such as those that handle only relatively low-priority Confidentiality class-2 information. If these services are all treated uniformly under the current ISMAP, excessive security requirements may be imposed in some cases.
Therefore, based on the ISMAP framework, we have decided to formulate ISMAP-LIU (ISMAP for Low-Impact Use) as a mechanism for SaaS that handles Confidentiality class-2 information and is used for operations and information processing with small security risks.
From Wednesday, June 15 to Tuesday, July 5, 2022, we will seek opinions from a wide range of people on the "ISMAP-LIU Cloud Service Registration Rules (Draft)," which was created as the rules to be used in ISMAP-LIU, and on the changes to the existing rules.
2. Materials subject to public comment
- Parts of the "ISMAP-LIU Cloud Service Registry Rules (Draft)" that have been newly added relative to the previous "ISMAP Cloud Service Registry Rules" (Chapter 3 to Chapter 6, Chapter 7, Chapter 13, Form 1-2, information on the security of the subject SaaS, Exhibit 2)
- Revised sections (Chapters 1, 2, 3, 5, and 6) of the "Basic Regulations for the Security Assessment Scheme for Government Information Systems (ISMAP)"
- Revised parts of the "ISMAP Cloud Service Accreditation Regulations" (Chapter 1)
- Revised parts of the "ISMAP Management Standards" (Chapters 1 and 2)
- Revised parts of the "ISMAP Standard Audit Procedures" (Chapter 3, Attachment 3)
- Revised sections of the "ISMAP Information Security Auditing Guidelines" (Chapters 1 and 4)
References
- The following are not subject to public comment, but please use them as reference for the above public comment.
- About ISMAP-LIU (draft)
- From the ISMAP-LIU Cloud Service Accreditation Regulations (draft), the report form related to internal audits and the impact assessment standards for government agencies, etc. (Forms 2-3 and Forms 2-3 Attachment and Attachment 1)
- Guidance for Business and Information Impact Assessment in ISMAP for Low-Impact Use (Draft)
*Each document is posted in the "Public Comment" section of the e-Government in .
3. Public Comment Details
For details on how to submit opinions, etc., please refer to the Guidelines for Public Comment.
*The Guidelines for Public Comment are posted in the "Public Comment" column of the General Contact (e-gov) of the e-Government in .
4. Public Comment Period
From Wednesday, June 15 to Tuesday, July 5, 2022 *
*Comments will be accepted until 23:59 on July 5 (Tue), Japan time.
5. Reference
Excerpt from "Priority Plan for the Realization of Digital Society" (Cabinet Decision on June 7, 2022)
Basic Strategies for the Fifth digitalization
4. Securing safety and security such as cybersecurity
(1) Securing cybersecurity
"Basic Framework for Cloud Service Security Assessment Systems in Government Information Systems" (Decision of the Cybersecurity Strategic Headquarters on January 30, 2020, partially revised on September 27, 2021) Excerpt
1. Basic Framework of the System
3. Jurisdiction over the System and Operation System