Skip to main content

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Secure .gov websites use HTTPS
A lock () or https:// means you've safely connected to the .gov website. Share sensitive information only on official, secure websites.

CMS Technical Reference Architecture (TRA)

The technical architecture approach and technical reference standards that must be followed by all CMS IT systems, ensuring policy compliance across the agency

Contact: TRA Team | tra-admin@cms.hhs.gov
slack logoCMS Slack Channel
  • #cms-it-governance

What is the TRA?

The CMS Technical Reference Architecture (TRA) provides the authoritative technical architecture approach and technical reference standards that must be followed by all CMS systems. Having a common set of technical architecture standards helps us ensure the secure and high-quality delivery of healthcare services to beneficiaries, providers, and business partners.

The CMS TRA represents our policy guidance to all Agency business partners wishing to develop, transition, and maintain information systems that interact with the CMS Processing Environments. The CMS TRA is approved and authorized by the CMS Chief Information Officer (CIO) and Chief Technology Officer (CTO).

How does the TRA benefit us?

By requiring all CMS and project teams adhere to the common set of technical architecture standards provided by the TRA, we can:

  • Ensure an effective, standardized operating environment
  • Establish sound and consistent security practices
  • Promote compliance with CMS decisions in future CMS task orders and acquisitions
  • Enable interoperability and encourage reuse/shared infrastructure
  • Provide a consistent set of architectural best practices for use throughout CMS

TRA compliance requirements

Several major releases to the TRA are published annually. New systems are expected to be compliant with the current version of the TRA. For existing systems, compliance with new TRA updates is required within 24 months of publication.

Access the TRA

The current and complete version of the TRA is posted on the CMS TRA website. This is only accessible from the internal CMS network and requires EUA authentication.

External contractors needing access to the TRA can access the public version of the TRA here.

The public version has most of the TRA content, but sensitive information has been redacted. Contractors needing access to the restricted material can request it via their contracting officer's representative (COR).

Contact

For questions or assistance with the TRA, you can reach the TRA team via email: tra-admin@cms.hhs.gov

But if you have a specific technical question, you may want to check first with the CMS Technical Review Board (TRB), which provides technical guidance and advises project teams on their IT efforts, enabling successful integration within the CMS IT environment. You can reach the TRB via email: cms-trb@cms.hhs.gov 

Related documents and resources

  • CMS Acceptable Risk Safeguards (ARS)

    Standards for the minimum security and privacy controls required to mitigate risk for CMS information systems

  • Authorization to Operate (ATO)

    Testing and documenting system security and compliance to gain approval to operate the system at CMS

  • System Authorization

    Information about the testing and documenting of security compliance requirements for FISMA systems at CMS, so they can be authorized to operate

  • CMS Cloud Services

    Platform-As-A-Service with tools, security, and support services designed specifically for CMS

  • SaaS Governance (SaaSG)

    Considerations and guidelines for CMS business units wanting to use SaaS applications

  • CMS Security and Privacy Handbooks

    Procedures to help CMS staff and contractors implement federal policies and standards for information security and privacy