CMS Strategic Guidance and Preferred Solutions

Introduction

The architectural guidelines described by the CMS TRA are designed to provide flexibility to development teams in choosing a technical approach, and yet there are cases where CMS has a strongly preferred approach or solution option. This section provides information about such Strategic Guidance and Preferred Solutions.

CMS systems and data must be protected from a constantly evolving threat and vulnerability landscape. Aligning to strategic guidance and utilizing preferred solutions strengthens CMS security posture through extending the use of thoroughly validated and tested security controls and procedures. Maintaining CMS data within the CMS security boundary facilitates CMS stewardship of the data.

The use of preferred solutions also shortens time-to-delivery, reduces redundant development, facilitates efficient use of infrastructure, and leverages CMS strategic investments and economies of scale. This aligns to the TRA Guiding Principle of Reuse as well as broader federal IT policy (see Office of Management and Budget (OMB) memo M-19-16 and Federal Shared Services).

The goal is to speed secure system deployment by utilizing existing solutions that may provide built-in automation, approved security configurations, and pre-authorized infrastructure. Use of these solutions is strongly encouraged unless there is a more compelling business case for an alternative.

The CMS TRA will provide high-level information about preferred solutions. Detailed information, including their setup and use, will be found through the supplementary sources/links to additional information.

Note that hyperlinks in this section may refer to CMS internal information sources; a CMS EUA ID and access to the CMS intranet may be required for access.

Additionally, links to Strategic Guidance and Preferred Services will be included throughout the TRA, aligned to associated TRA guidance.

PREFERRED

CMS strategic guidance and preferred solution information throughout the CMS TRA will appear like this.

Enterprise Services

The preferred solutions in this section are CMS “enterprise services”, based on an expanded definition of the term. The updated CMS definition of enterprise services reflects that these capabilities may be developed and provided by any CMS Center or Office or by a vetted partnership of Centers/Offices. This includes but extends well beyond centrally provided “shared services”. In the new model, enterprise services can be leveraged as a shared capability or provide a pattern for a new implementation if required.

A CMS enterprise service may be leveraged without onboarding with an established support organization or a central enterprise instance. CMS encourages the use of the most appropriate deployment model depending on business requirements. A project might, for example, choose to deploy a parallel instance but still use the standards and processes of the enterprise instance, potentially enabling them to utilize existing support staff. An existing, validated solution can be used as an architectural pattern, with any refinements shared back with the original.

The overall group of enterprise services forms a federated set of capabilities which development teams can tap into, avoiding duplication and aligning with CMS standards.

Data Stewardship and Governance

Sound data stewardship practices are essential to the protection of CMS data. The risk of data compromise is exacerbated when CMS data is moved or copied outside of the CMS security boundary. With the shift to flexible cloud computing environments, CMS now has the capability and capacity to provide for very large and complex data storage and analytics requirements. Keeping CMS data and associated data processing and analysis within the CMS security boundary enables CMS to maintain provenance and proper stewardship of CMS data.

As such, CMS policy is that all CMS data remain within CMS authorization boundaries, except for public data released by CMS. Business requirements to do otherwise will be reviewed on an exception basis to ensure appropriate controls (which may include a Data Use Agreement) are in place. A new TRA section, Data Sharing and Governance, provides additional information on this topic. It also introduces Business Rule BR-DG-1, which reinforces the imperative to keep CMS data inside CMS boundaries, while Recommended Process RP-DG-2 suggests some ways to accomplish this.

CMS Cloud is the preferred environment for CMS data storage and analytics.

Preferred Solutions

CMS Preferred Solutions are presented here in the following categories:

  • CMS Cloud
  • CMS Enterprise Data
  • CMS DevSecOps Support
  • CMS Collaboration Capabilities

Note that the list of Preferred Solutions will evolve over time. Additional sections and solutions will be added in future TRA releases.

CMS Cloud

The CMS TRA supports the Federal Cloud Computing Strategy’s (OMB/Federal CIO Kundra, February 14, 2011) Cloud First Policy as well as the Federal Cloud Computing Strategy’s (OMB/Federal CIO Kent, June 24, 2019) Cloud Smart Policy.

CMS Cloud is the strongly preferred hosting platform for all CMS developed applications. It provides the most operationally integrated and cost-effective platform solutions. CMS Cloud features managed Infrastructure-as-a-Service (IaaS) environments for both Amazon Web Services (AWS) and Microsoft Azure Government (MAG).

The CMS TRA chapters on Cloud Infrastructure and Virtualization, among others, address CMS Cloud services.

CMS Enterprise Data

CMS maintains several preferred solutions for accessing and managing CMS program data:

  • Enterprise Data Mesh (EDM) is a data connectivity channel that provides value by preventing the proliferation of replicated data sources that perpetuate data inefficiency, duplication, inconsistency, inferior quality, and increased costs for associated infrastructures. Enterprise Data Mesh is a centralized, managed, and secure point where systems and individual users can find, locate, access, and use CMS enterprise information with “data in place.” The EDM enables data owners and curators to focus on data and data quality while also enabling consumers to bring their own preferred compute resources, analytics, and APIs. Additionally, the EDM enables a wide spectrum of programs and consumers to leverage program data sets with close to zero provisioning time with their choice of tools and technologies optimal for their use case. CMS’ Enterprise Data Mesh program will include AWS cloud-based services support, data cataloging, access management, and development and operations support. Additional guidance is found in the TRA Data Management Enterprise Data Mesh chapter.

  • The Integrated Data Repository Cloud (IDRC) is a high-volume cloud data platform integrating Medicare claims with beneficiary and provider data sources, as well as related ancillary data. This robust, integrated data supports mission-essential analytics in CMS and in other government agencies.

  • CMCS DataConnect is an all-in-one cloud analytics platform for the Center for Medicaid & CHIP Services (CMCS) data. DataConnect provides a range of capabilities to streamline Medicaid and CHIP program analysis, monitoring, and oversight. It includes dashboards, tools, and datasets to enable CMCS staff, researchers, and other data experts to produce meaningful insights from complex data.

  • CMS Master Data Management (MDM) provides a single point of access to a singular, synchronized, comprehensive and authoritative source of Beneficiary, Provider, Organization, Program and Relationship data for use by CMS and other external organizations. MDM provides support across multiple CMS business units with a focus on eliminating redundancy, inconsistency, and fragmentation of CMS data. EDL Data Mesh, IDR, and CMCS DataConnect all rely on this authoritative data.

  • ResDAC (Research Data Assistance Center) provides technical assistance to researchers interested in CMS Medicare and Medicaid data. Various data sets are available; however, access is restricted to approved research requests. Public use data files (which contain no protected information) are available via data.CMS.gov.

CMS DevSecOps Support

A key goal of the CMS TRA is to support sound and secure software development practices. The DevSecOps tooling landscape is vast, and it can be challenging to determine which solutions are the best match for project requirements. CMS has preferred platform and tool options available which can help development teams manage and secure development pipelines.

  • CMS batCAVE
    CMS batCAVE is a platform-as-a-service solution providing a full, integrated toolset for development, testing, and deployment of application systems. The fully managed platform is multi-tenant, where application development teams maintain control over deployment.

  • CMS DevOps Tools
    • CloudBees CI is a continuous integration, deployment, and delivery (CI/CD) server solution.
    • Enterprise GitHub is the standard CMS code repository.
    • JFrog Platform comprises Artifactory, a binary repository manager, and XRay, an add-on to the Artifactory product used to enhance the security posture.
  • CMS Testing
    CMS provides Testing as a Service (TaaS), a CMS Cloud offering that provides a suite of products supporting application teams with test case management, functional and regression test execution, and performance test execution.

  • CMS Security Posture Analysis
    These CMS Cloud inspection and analysis tools support application security and vulnerability management for both developers and the security team:

    • SonarQube, which provides static code analysis. Static code analysis attempts to highlight possible vulnerabilities within ‘static’ (non-running) source code by using analytic techniques.
    • Snyk (“sneak”), a SaaS-based software composition analysis (SCA) tool that enables applications to be developed and built securely. SCA identifies the open-source software in the codebase. This analysis is performed to evaluate security, license compliance, and code quality. It proactively finds and fixes vulnerabilities in code, open-source dependencies, container images, and Infrastructure as Code (IaC) configurations, and offers context, prioritization, and remediation.

CMS Collaboration Capabilities

A number of enterprise collaboration tools are available within the CMS environment to facilitate data sharing and team communications, supported by OIT and the Office of Communications (OC). These include:

  • Atlassian Tools, including:

    • Jira is an application lifecycle management solution that helps teams plan, manage, and report on their work. It is used for bug tracking, issue tracking and project management.
    • Confluence is a team workspace providing teams a place to create, capture, and collaborate on project information including text, tables, images, and other content.

    The CMS Cloud Agile Tools Team supports Enterprise Confluence and Enterprise Jira, with integrated TestRail. The Office of Communications provides OC Jira and OC Confluence, primarily for support of public-facing medicare.gov, healthcare.gov, cms.gov and their related applications.

  • SharePoint is an application platform that allows organizations to store and organize any content and information. That includes documents, images, videos, news, links, lists of data, web pages, and tasks. CMSnet provides employee and workplace support across CMS.

  • Slack is a workplace messaging tool through which you can send messages and files. Dozens of channels contain message threads for various interest groups.

  • GitHub is a common repository platform, used to distribute open-source software and other content. In addition to the public CMSgov repositories, CMS Cloud supports OIT Enterprise GitHub (or CMS-Enterprise GIT), which provides enterprise-grade collaboration, security, and administration, and the OC-supported internal GitHub, which is primarily for support of public-facing medicare.gov, healthcare.gov, cms.gov and their related applications.