The CMS Technical Reference Architecture (hereafter referred to as the “CMS TRA”) articulates the technical architecture of all Centers for Medicare & Medicaid Services (CMS) processing environments (hereafter simply the “CMS Processing Environments”). A CMS Processing Environment is defined as:
Any computing environment (e.g., CMS data center, virtual computing environment, or cloud computing including Infrastructure as a Service (IaaS), Software as a Service (SaaS), and Platform as a Service (PaaS)) that creates, consumes, and/or stores CMS-related data. CMS data includes sensitive, non-sensitive, and security information and event management-related information used to provide CMS services to the public and internal CMS users.
The CMS TRA represents the Agency’s policy guidance to all Agency business partners wishing to develop, transition, and maintain information systems that interact with the CMS Processing Environments. The CMS TRA is approved and authorized by the CMS Chief Information Officer (CIO) and Chief Technology Officer (CTO).
Adherence to the CMS TRA supports the Agency’s healthcare mission by providing:
-
A secure CMS Processing Environment that protects sensitive information, including CMS, beneficiary, provider, and partner information
-
Appropriate disaster recovery and business continuity capabilities
-
Timely and economic transition of CMS applications into new processing environments
-
An enterprise computing solution that responds to CMS’s evolving mission and business needs
Toward these ends, the CMS TRA defines a common set of terms and definitions to support CMS’s architecture approach and ensure an effective operating environment. It conveys required design considerations, including security policies and controls (for confidentiality, integrity, and availability), reusability, scalability, and sustainability. The common framework of the CMS TRA supports future application designs as well as architecting and engineering CMS applications. It encourages the use and creation of enterprise shared services and presents clear guidance on their appropriate use and interaction among CMS data centers. By promoting a technical reference standard for future CMS task orders and acquisitions, the CMS TRA clarifies the decision-making process and target technical environments, which helps Agency contractors develop sound and acceptable transition approaches.
Purpose
This topic introduces the CMS TRA and is the keystone of CMS TRA guidance, as shown in Essential Guidance for the Entire CMS TRA. It articulates the CMS Architectural Vision and provides guidance relevant to all stakeholders. It establishes the guiding principles of the CMS architecture that informs all guidance in subsequent topics and presents overviews of CMS Services Framework and Multi-Zone Architectures.
This topic also summarizes how to request a change to the CMS TRA through the Architecture Change Request (ACR) process.
Stakeholders interested in specific architectural topics can find detailed guidance organized in topics as follows:
-
Network Services – focuses on network infrastructure including security-related appliances that monitor network traffic
-
Infrastructure Services – focuses on physical or virtual infrastructure supporting CMS applications
-
Application Development – focuses on application-level concepts and methodology
-
Data Management – focuses on data management and data lakes
The guidance in each CMS TRA topic includes narrative providing context; Business Rules (BR), which are requirements for TRA compliance; and Recommended Practices (RP), which are strongly encouraged for use within the CMS Processing Environments but not required.
Intended Audience
The CMS TRA is intended to guide system architects, business owners, system maintainers, and security auditors in working with CMS’s technical environment. A publicly available version is located at CMS TRA. CMS restricts access to the complete CMS TRA to the following authorized users:
-
CMS staff
-
CMS Processing Environment contractors
-
Operator of the CMS Alliance to Modernize Healthcare Federally Funded Research and Development Center (the Health FFRDC)
CMS executive or management approval is required to provide this document to other entities pursuant to business need.
Complementary Documents
The CMS TRA complements CMS standards documentation. The CMS TRA supersedes and takes precedence over other existing CMS standards documentation, with the following exceptions:
-
CMS Information Security (IS) Acceptable Risk Safeguards (ARS, hereafter simply the “CMS ARS”)
-
All volumes of the CMS Risk Management Handbook (RMH)
-
CMS Information System Security and Privacy Policy (IS2P2)
-
CMS Section 508 Policy
The CMS ARS is located at: CMS Acceptable Risk Safeguards (ARS) on the CMS Information Security website.
CMS provides an orientation briefing for CMS TRA Document Development (MS PowerPoint) and the ACR Form (PDF) for initiating an Architecture Change Request.
A mailing list entitled “CIO Resource Library Communications” is available to notify subscribers when new or revised information technology (IT)-related policies, technical or TRA standards, directives, or guidelines are available. To subscribe to the new list, please select the following URL and enter your email address:
https://public.govdelivery.com/accounts/USCMS/subscriber/new?topic_id=USCMS_12066
Please direct all questions, comments, suggestions, or requests for further information to the CMS CIO Policy Officer at IT_Policy@cms.hhs.gov.