Helping CMS ADOs Realize the True Potential of Cloud


From CMS Data Center Modernization to CMS Hybrid Cloud Enablement

At CMS, cloud migration is more than moving out of existing legacy data centers. It’s a strategic modernization effort aligned with federal security mandates, fiscal stewardship, and mission delivery at national scale. CMS Hybrid Cloud provides a secure, compliant Platform as a Service (PaaS) on approved commercial cloud providers like AWS and Azure, so CMS teams can focus on application development rather than undifferentiated infrastructure work.

As Hybrid Cloud Technical Advisors supporting CMS Application Development Organizations (ADOs), the Samtek Team helps ADO teams understand that moving to CMS Cloud isn’t simply a change of hosting. It’s an opportunity to unlock scalability, agility, security, and operational excellence using CMS‑approved shared services and architectural patterns.

Starting with Architectural Reality: Reviewing CMS Legacy Systems

Many CMS systems were designed for the CMS Common Enterprise Infrastructure and physical data centers, built around static capacity and perimeter‑based trust models. CMS cloud architecture guidance explicitly recognizes that cloud‑suitable applications should leverage elasticity, multi‑zone design, and managed infrastructure rather than replicating data center VM patterns.

During architectural reviews, Hybrid Cloud Technical Advisors typically evaluate:

  • Monolithic application design
  • Stateful compute dependencies
  • Manual failover and DR strategies
  • Flat networks that rely on CMSNet trust
  • Shared service credentials and local user accounts

These reviews align with CMS Hybrid Cloud onboarding, where ADOs submit an intake request and receive architecture guidance tailored to their FISMA boundary and data classification needs.

Reframing Migration as Re-architecture Using CMS Cloud Services

CMS Hybrid Cloud explicitly supports modernization while migrating, not just “lifting and shifting” workloads. ADOs are encouraged to re-architect applications to consume CMS‑approved managed and serverless services, significantly reducing security and compliance overhead.

Examples of CMS‑approved re-architecture options include:

  • AWS Lambda, Step Functions, and EventBridge for serverless workflows
  • DynamoDB, Aurora, and RDS Data API for managed persistence
  • SQS and SNS for decoupled, event‑driven designs

All of these services are explicitly approved for use in CMS Cloud environments. By using them, ADOs can offload patching, scaling, and availability concerns to the CMS Cloud platform, dramatically improving reliability and delivery speed.

Cost Efficiency Through CMS FinOps & Architecture Choices

CMS Hybrid Cloud embeds Financial Operations (FinOps) into its service model, offering shared cost management tooling and guidance to help ADOs govern spending. With this support, teams can understand not only what they’re spending, but also why.

True cost efficiency comes from:

  • Eliminating idle servers through serverless compute
  • Leveraging autoscaling instead of static provisioning
  • Consolidating shared services across CMS portfolios

CMS leadership has publicly highlighted significant cost savings achieved through cloud platform consolidation and shared services, reinforcing the fact that smart architectural decisions drive savings more than vendor pricing alone.

Security as an Enabler: Zero Trust in CMS Cloud

Security is foundational at CMS. CMS Hybrid Cloud is designed to align with Zero Trust Architecture (ZTA) following federal directives and Executive Order 14028, “Improving the Nation’s Cybersecurity.”

Key CMS Cloud security capabilities include:

  • Identity‑centric access controls using role‑based permissions
  • Zscaler Internet Access (ZIA) and Zscaler Private Access (ZPA) for Zero Trust inbound and private access, replacing legacy VPN models
  • Encryption in transit and at rest using CMS‑managed KMS patterns and alerting

By minimizing local user accounts and using short‑lived, role‑based access, ADOs can significantly reduce lateral movement risk and simplify audit complexity.

Designing for Scalability & Agility at CMS Scale

CMS systems often support national programs serving millions of beneficiaries, so elasticity is non‑negotiable. CMS Cloud architecture guidance emphasizes multi‑zone design and elastic scaling as core cloud expectations, not optional enhancements.

CMS ADOs can respond dynamically to enrollment periods, policy changes, or sudden data surges without pre‑provisioning infrastructure by leveraging services like:

  • Fargate, EKS, or Lambda
  • Redshift Serverless for analytics
  • Managed Streaming (MSK) for high‑throughput event pipelines

Operational Excellence Through CMS Shared Services & Automation

Operational excellence in CMS Cloud is enabled by shared platform services that reduce duplication across programs. These shared services include centralized:

  • Logging and monitoring
  • Backup and restore services
  • Infrastructure access management
  • Approved CI/CD and governance tooling

Infrastructure as Code (IaC) and automated compliance evidence generation help ADOs meet ongoing FISMA and ATO obligations with far less operational burden compared to data center environments.

The Hybrid Cloud Technical Advisor’s Role at CMS: Enabler & Partner

The CMS Hybrid Cloud model explicitly exists to remove barriers, accelerate onboarding, and help teams meet compliance requirements faster while maintaining strong security controls. At CMS, Hybrid Cloud Technical Advisors are most effective when they act as:

  • Architectural advisors during intake and modernization
  • Translators between security policy and engineering practice
  • Facilitators of CMS‑approved patterns and reusable components

Unlocking CMS Cloud’s Full Potential

CMS Cloud isn’t simply an infrastructure destination—it’s critical services provided more reliably. As such, CMS Cloud stands as a model to be considered and learned from by agencies across the federal government that are seeking to modernize with the same rigor and impact. By pairing thoughtful re-architecture with CMS‑approved cloud services, Zero Trust security, FinOps discipline, and automation, ADOs can move beyond migration and realize the full promise of cloud at CMS—improved outcomes for beneficiaries, providers, and the entire agency.

References:

https://security.cms.gov/learn/cms-hybrid-cloud
https://www.cms.gov/tra/Infrastructure_Services/IS_0080_Cloud_Architecture.htm
https://dev.cloud.cms.gov/cms-cloud-services/
https://govciomedia.com/cms-advances-zero-trust-ai-security-in-it-modernization-push/
https://security.cms.gov/learn/zero-trust
https://security.cms.gov/posts/linking-encryption-power-zero-trust
https://dev.cloud.cms.gov/amazon-web-services-commercial-approved-services-list/
