Hello, this is Hamamoto from TIMEWELL.
"We want to sell our SaaS to a government agency." "The moment we became a tier-one subcontractor for a large manufacturer, they made proof of our security a condition of the deal." These two kinds of questions have piled up over the past two years. One comes from the side selling to the state, the other from the side being folded into a private supply chain, but the root is the same. If you want to keep doing business with the government or with large enterprises, you have to reach a state where you can explain your security level to a third party.
In Part 1 of this Economic Security Promotion Act series, I laid out the big picture of the law itself for beginners. This second part deals with what you inevitably run into next: the security evaluation schemes required in government procurement and private transactions. There are two protagonists. One is ISMAP, the pass-list the government uses when it buys cloud services. The other is the SCS evaluation system, which is about to spread through private-sector deals. The names look unrelated, but both grew out of the same idea, which is to screen security at the entrance to a transaction.
The main subject here is procurement security, but the other pillar of economic security is export control. If you would rather first check what risks your company carries on the export-control side, you can start with the Export Control Compliance Check. From here, I will explain, in as plain terms as I can, what ISMAP and SCS each are and where they diverge.
Why government procurement needs a dedicated security scheme
The government now buys and uses private-sector cloud and SaaS far more often than it builds systems from scratch. The starting point for that shift was the "Cloud by Default" principle the government set out in 2018. When a new administrative system is built, the first candidate to consider is a cloud service[^1].
That, however, created a problem. If every ministry vetted the safety of each cloud independently, the workload would be enormous and the standards would end up inconsistent. A service that Ministry A judged acceptable would be re-examined from zero by Ministry B, which is pure waste. So the country decided to prepare a single "pass-list" in advance and let each ministry choose from it. That is the motivation behind ISMAP.
There is a second point you cannot overlook: the weakness of supply chains. Rather than attacking the main fortress head-on, attackers often use a lightly defended subcontractor or outsourcing partner as a stepping stone. No matter how robust your own defenses are, if a partner holding your sensitive information is full of holes, that is where the leak happens. So the state is trying to watch not only the cloud it buys directly but the entire chain of private-to-private transactions. ISMAP works on the former, and the SCS evaluation system now getting under way works on the latter. This article is built to help you understand the two as a pair.
A concrete picture helps here. Imagine a mid-sized parts maker that has supplied a large automaker for years. As economic-security pressure grows, the automaker begins asking every tier of its suppliers to prove a baseline of cyber hygiene, because a breach at any one of them can halt the whole line or leak design data. The parts maker has never sold anything to the government, so ISMAP is irrelevant to it. What it needs is a way to show its buyer, credibly and without a punishing audit, that its defenses clear a bar. That gap is exactly what the SCS evaluation system is meant to fill. The reference documents behind SCS even draw on the automotive industry's own guidelines, which tells you the kind of real supply chain the designers had in mind.
The first thing I want beginners to grasp is that these are not competing schemes. What they protect and where they are used are both different. Are you delivering to the government, or are you demonstrating your level to a private buyer? The scheme you need changes with your position, and it helps to hold that framing from the start.
Replace siloed classification work with AI.
METI's FY2024 data shows 52% of foreign exchange law violations stem from classification errors. Download the TRAFEED product catalog covering features and rollout.
ISMAP (the government's cloud "pass-list")
ISMAP's formal name is the Information system Security Management and Assessment Program, which in Japanese is rendered as the "security evaluation system for government information systems." It began operating in June 2020. The "ISMAP Cloud Service List" that compiles the registered services was first published the following March, in 2021[^1].
More than one body runs the scheme. It is overseen by four organizations, the National center of Incident readiness and Strategy for Cybersecurity (NISC, now the Cabinet Cyber Affairs Office), the Digital Agency, the Ministry of Internal Affairs and Communications, and METI, while the actual portal operation and administration are handled by the Information-technology Promotion Agency (IPA) as the ISMAP-MO, the operational support body[^1]. The audit itself is carried out by a third party called an ISMAP-registered auditing organization. Rather than relying on a vendor's self-declaration, an external auditor confirms conformance to the standards, including on-site verification. That is the foundation of ISMAP's credibility. Its targets are government information systems that handle mainly confidentiality-level-2 information.
What happens once you are registered on ISMAP? When the government procures cloud, the rule is that it chooses, in principle, from services on this ISMAP Cloud Service List. Flip that around, and a service that is not on the list often cannot even get onto the playing field for government work. I often describe it as a "list of those who cleared the qualifying round." Only after you are on it are you in a position to receive inquiries from ministries and government-affiliated bodies.
The number of registered services is reported to be 77 as of June 2025[^2]. You will occasionally see claims of several hundred, but I do not adopt figures I cannot confirm against a primary source. The safest way to know the exact current count is to check the Cloud Service List on the ISMAP portal[^3].
Let me speak for the vendor side for a moment: ISMAP registration is by no means a light undertaking. The management standard has roughly 1,000 items, and preparation through to registration is said to take on the order of years and cost in the tens of millions of yen[^6]. That is exactly why SaaS vendors chasing government work spend half a year or more agonizing over whether to actually go for it. This heaviness, and the lightweight version meant to escape it, bring us to ISMAP-LIU. If you want to dig deeper into ISMAP itself, my ISMAP primer goes into the management standard and the issues around AI integration, so read it alongside this piece.
ISMAP-LIU (the lightweight version for low-impact use)
The LIU in ISMAP-LIU stands for Low-Impact Use. As the name says, it is a lightweight version of ISMAP prepared for SaaS that processes low-risk operations and information. It began operating on November 1, 2022[^4].
Why was a lightweight version needed? Because the main ISMAP is simply too heavy, and it alone could not extend "Cloud by Default" far enough. Government operations range from heavy processing, such as handling classified documents across ministries, to lighter tasks like scheduling or survey aggregation that are not that sensitive. Demanding the same 1,000-item audit even for the latter is overkill. So for low-risk uses, ISMAP-LIU narrows the scope of the audit and lowers the bar to registration.
This LIU was revised on April 1, 2025, and in practical terms the change is quite large. Previously there was a pre-application stage in which the government side had to judge in advance whether a given operation could go onto the LIU list, and the process stalled whenever no cooperating ministry could be found to make that assessment. The revision abolished this pre-application, and the registration process was reorganized to run almost the same as the main ISMAP flow. At the same time, the operations eligible for LIU expanded from eight to ten[^5]. The two added are operations that check the performance and running status of system maintenance and operation, and operations that mechanically assist routine clerical work such as scheduling and task management.
Here is a realistic way to play it as a vendor. If you want government work but the main scheme is too heavy, first register through LIU and build a track record. Then, once your product looks likely to be used in the government's core operations, consider main registration. Rather than aiming straight at the main scheme and running out of breath, this two-stage approach is more realistic for most vendors, as I see it.
The SCS evaluation system (making private-sector B2B levels visible with stars: ★3 and ★4)
Now to the private-sector side. The SCS evaluation system's formal name is the "Security measures evaluation system for strengthening supply chains." It is supervised by METI and the Cabinet Secretariat's National center of Cyber affairs, and operated by IPA. The blueprint for the scheme, the "policy for building the system," was published in March 2026[^7][^10]. Where ISMAP is a government-procurement scheme, this one has private-to-private transactions as its main stage, and that is the biggest difference.
The clearest feature of this scheme is that it makes the level of security measures visible with a number of stars. It lets the ordering company set a condition such as "if you want to be in our supply chain, take ★3 or above." The aim is to make it easier to demand a level that fits each player's position along the chain. At launch, two tiers are prepared, ★3 and ★4. ★3 is the Basic level with 26 requirements, and ★4 is the Standard level with 43. ★4 wraps in ★3's 26 items and layers more advanced requirements on top. A ★5 that would address more sophisticated attacks is envisioned as a future item under study, with no launch timing decided yet[^8][^9].
It is worth pausing on why the star model was chosen at all. A single pass-or-fail badge, like the one ISMAP effectively gives, works when there is one powerful buyer, the government, setting one bar. A private supply chain is messier. A prime contractor, its tier-one suppliers, and the small shops beneath them all sit at different risk levels, and forcing every one of them to the same high bar would either exclude the small firms or become a paper exercise nobody can sustain. Stars let a buyer ask for a level that fits the sensitivity of the work it is entrusting: ★3 for a partner handling routine data, ★4 for one holding something the business truly cannot afford to lose. That graduated demand is the point of the design, and it is why I expect adoption to spread through purchasing conditions rather than through any legal mandate.
The evaluation method itself changes between ★3 and ★4. ★3 is a "self-assessment with expert confirmation." The organization seeking the rating assesses itself, has security experts inside and outside the company confirm it, and then management declares self-conformance. Because self-assessment is the starting point, it is a relatively approachable design. ★4, by contrast, requires review by a third-party evaluation body plus technical verification, such as vulnerability testing. It is not just a person reading documents but actually probing the system technically to confirm it. Once you reach that stage, things get serious. The validity period also differs: ★3 lasts one year and ★4 lasts three[^8].
The skeleton of the requirements is built on the Cybersecurity Framework (CSF) from the U.S. National Institute of Standards and Technology (NIST). It uses seven categories, formed by taking the six functions of Govern, Identify, Protect, Detect, Respond, and Recover, and adding "supplier management"[^9]. The fact that supplier management enters as its own dedicated category is a clear expression of how this scheme is designed to look at the whole supply chain. As for the launch timing, operation is planned for the second half of FY2026 (October 2026 through March 2027) onward, with around the end of FY2026, in other words about March 2027, given as one benchmark[^8].
To add a note: if you look at economic security through the wider lens of "transaction safety," procurement security is only half the story. The other half is export control, which comes up when you send sensitive technologies or products overseas. Is a counterparty connected to a sanctioned entity? Does the product you are about to export get caught in classification screening? Handling all of that by hand alone is, frankly, hard going. The service we provide, TRAFEED, uses AI to support export-control classification and counterparty screening. In a joint demonstration with Okayama University (roughly 30,000 past review records, per our own study), we confirmed an AI judgment accuracy of 95% or higher, and we hold a patent (Japanese Patent No. 7862062). More than 20 organizations have adopted it, and while we run it so that changes in each country's regulations are reflected the same day, we designed it on the premise that the final classification is made by your company's own export-control officer[^11].
How ISMAP and SCS divide the work
Let me put everything so far into a single table. Rather than memorizing the fine detail, the goal is to grasp "which one you need in which position."
| Perspective | ISMAP (including ISMAP-LIU) | SCS evaluation system |
|---|---|---|
| Purpose | A cloud-selection standard for government procurement | Making the supply-chain level of private B2B visible |
| Main target | Cloud services (IaaS, PaaS, SaaS) | A company's security measures overall, including subcontractors |
| Who uses it | Government bodies refer to it when procuring | Ordering companies ask counterparties to obtain it |
| Who evaluates | ISMAP-registered auditing organization (third party) | ★3 is self-assessment with expert confirmation; ★4 is third-party evaluation |
| How levels are graded | On the list or not | ★3 and ★4 (★5 under study) |
| Operational status | In operation since 2020 | Launch planned from the second half of FY2026 |
| Supervision and operation | NISC, Digital Agency, MIC, METI (IPA provides operational support) | METI and the Cabinet Secretariat's National center of Cyber affairs (IPA operates it) |
What I want you to sense from the table is that the two divide the work. If you want to deliver cloud to the government, that is ISMAP; if you want to show a private buyer the level of your defenses, that is SCS. Of course, some companies touch both. A vendor that supplies both the government and large private firms will end up on the ISMAP list while also going after SCS stars.
There is another point worth holding onto: the meaning of SCS's ★3 being something you can start with as a self-assessment. Because ISMAP presupposes third-party audit, for a small or mid-sized vendor the cost and time are a heavy burden. SCS's ★3, by contrast, starts from self-assessment even if experts confirm it, so it is within reach even for a fairly small company. When the country wants to raise the floor across the whole base of a supply chain, imposing third-party audit on every firm from the outset is unrealistic. So it prepared an entrance you can walk through starting from self-assessment. I take this staged design as a sound, reality-aware compromise.
Wrap-up
That is where Part 2 ends. Let me pull the key points together.
- ISMAP is the pass-list the government uses when it buys cloud; it has run since 2020 and evaluates by third-party audit.
- ISMAP-LIU is the lightweight version for low-risk operations; the April 2025 revision abolished pre-application and expanded eligible operations to ten.
- The SCS evaluation system makes private B2B supply-chain levels visible with stars, with ★3 at 26 items and ★4 at 43, and a launch benchmarked around March 2027.
- ISMAP and SCS are not competitors but a division of labor: ISMAP if you deliver to the government, SCS if you show a private buyer.
Which scheme concerns your company depends on whether your counterparty is the government or a private firm. Pin that down first, then decide whether you are chasing ISMAP or beginning your preparations from SCS's ★3. Since SCS is still a pre-launch scheme, it pays to look over the 26 requirements early, map out what your company is missing, and avoid a scramble after it goes live.
In Part 3 of the series, I take up "security clearance," the trustworthiness check required of people involved in critical infrastructure and important government operations. The conversation shifts from security as a scheme to the confirmation of trust in a person. Continue with Part 3: Critical Infrastructure and Security Clearance.
Procurement security and export control are separate entrances on the single map of economic security. If you want to sort out which entrance your company is standing at, or to start from building your export-control side, reach out through the individual consultation on economic security and export control. We are happy to help, starting from sketching the whole picture together.
References
[^1]: National center of Incident readiness and Strategy for Cybersecurity (NISC), "Information system Security Management and Assessment Program (ISMAP)." https://www.cyber.go.jp/policy/group/general/ismap.html [^2]: Codebook, "ISMAP registered services (77 services as of June 2025)." https://codebook.machinarecord.com/info-security/certification/24347/ [^3]: ISMAP Portal, "ISMAP Cloud Service List." https://www.ismap.go.jp/csm?id=cloud_service_list [^4]: Digital Agency, "Efforts to Promote ISMAP-LIU Registration." https://www.digital.go.jp/en/policies/security/ismap-liu [^5]: ISMAP Portal, "Procedures for ISMAP-LIU (for cloud service providers), revised April 1, 2025." https://www.ismap.go.jp/csm?id=kb_article_view&sysparm_article=KB0010526 [^6]: PwC Japan, "The new developments of ISMAP: overall revision of the ISMAP management standard and the outlook for ISMAP." https://www.pwc.com/jp/ja/knowledge/column/awareness-cyber-security/explanation-of-ismap2.html [^7]: IPA (Information-technology Promotion Agency), "SCS evaluation system." https://www.ipa.go.jp/security/scs/index.html [^8]: IPA, "SCS evaluation system: details." https://www.ipa.go.jp/security/scs/details.html [^9]: IPA, "Requirements and evaluation criteria (SCS evaluation system)." https://www.ipa.go.jp/security/scs/requirements-criteria.html [^10]: METI and the Cabinet Secretariat's National center of Cyber affairs, "Policy for building the security measures evaluation system for strengthening supply chains" (published March 2026). https://www.ipa.go.jp/security/scs/index.html [^11]: TIMEWELL Inc., "TRAFEED (formerly ZEROCK ExCHECK)" service information. https://timewell.jp/trafeed
