CISO Memo 25-02: Mandatory enrollment of all cloud resources into CNAPP

All CMS cloud resources must be enrolled in the enterprise Cloud-Native Application Protection Platform (CNAPP) by June 30, 2026

Published on: 12/4/2025

Purpose and audience

This memorandum is for all Centers for Medicare and Medicaid Services (CMS) Component Information System Security Officers (ISSOs), Cloud Resource Owners, and System Administrators.

This memorandum establishes the requirement that all CMS cloud resources be enrolled in the enterprise Cloud-Native Application Protection Platform (CNAPP) by June 30, 2026. This initiative directly supports CMS’s mission to strengthen cybersecurity readiness, enhance risk visibility, and ensure compliance with federal cloud security mandates.

Background

The expansion of Wiz, CMS’s designated enterprise CNAPP, is an intentional and strategic step to enhance our ability to evaluate and contextualize risk within cloud environments. Wiz provides a unified capability to visualize exposure pathways, reachability, and configuration risks that are not intuitively surfaced through existing toolsets.

Unlike traditional point solutions, Wiz integrates multiple security domains—Cloud Security Posture Management (CSPM), Cloud Workload Protection Platform (CWPP), and Cloud Infrastructure Entitlement Management (CIEM)—into a single platform that improves contextual understanding and prioritization of risk.

Performance impact

We recognize there may be questions regarding potential performance implications. To clarify, Wiz’s scanning model operates fundamentally differently from traditional agent-based tools.

Wiz leverages Cloud Service Provider (CSP) Application Programming Interfaces (APIs) (for example, Amazon Web Services (AWS) APIs) that execute under a separate principal. These API calls do not consume or compete with system resources such as compute, storage, or network input/output (I/O). Key points to note:

  • Wiz runs under its own Identity and Access Management (IAM) role, independent of the system’s API quotas.
  • Workload scans rely on immutable, read-only snapshots that exist for less than five minutes, ensuring no measurable performance impact on active assets.
  • Scanning occurs once every 24 hours, not continuously.
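The three points above are auditable from the account's own CloudTrail records, because a scanner that runs under its own IAM role leaves its API calls attributed to that role rather than to the workload. The following is an added illustration, not code from the memo or from Wiz: it takes a handful of constructed CloudTrail events and checks that the scanner principal only issued read-style and snapshot calls, and that every snapshot it created was deleted within five minutes. The role name "ScannerRole", the account id and the resource ids are placeholders; the assumption that the scanner role itself issues CreateSnapshot/DeleteSnapshot in the monitored account is mine, not a statement from the memo.

```python
"""Audit constructed CloudTrail records for a scanner's separate-principal footprint."""
from collections import defaultdict
from datetime import datetime, timezone

# Assumed name of the scanner's IAM role (placeholder, not Wiz's real role name).
SCANNER_ROLE = "ScannerRole"

# Constructed CloudTrail records for the illustration; account id, role names
# and resource ids are placeholders, not real CMS data.
SAMPLE_EVENTS = [
    {"eventTime": "2025-12-04T02:00:00Z", "eventName": "DescribeInstances",
     "userIdentity": {"arn": "arn:aws:sts::111111111111:assumed-role/ScannerRole/scan-1"},
     "requestParameters": {}, "responseElements": None},
    {"eventTime": "2025-12-04T02:00:05Z", "eventName": "CreateSnapshot",
     "userIdentity": {"arn": "arn:aws:sts::111111111111:assumed-role/ScannerRole/scan-1"},
     "requestParameters": {"volumeId": "vol-0aaa"},
     "responseElements": {"snapshotId": "snap-0111"}},
    {"eventTime": "2025-12-04T02:04:15Z", "eventName": "DeleteSnapshot",
     "userIdentity": {"arn": "arn:aws:sts::111111111111:assumed-role/ScannerRole/scan-1"},
     "requestParameters": {"snapshotId": "snap-0111"}, "responseElements": None},
    # A workload principal writing data in the same window: a different role,
    # so its activity must not be attributed to the scanner.
    {"eventTime": "2025-12-04T02:01:00Z", "eventName": "PutObject",
     "userIdentity": {"arn": "arn:aws:sts::111111111111:assumed-role/AppServerRole/i-0abc"},
     "requestParameters": {"bucketName": "app-data"}, "responseElements": None},
]


def _ts(event):
    """Parse CloudTrail's ISO-8601 eventTime into an aware UTC datetime."""
    return datetime.strptime(event["eventTime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def role_name(arn):
    """Extract RoleName from arn:aws:sts::acct:assumed-role/RoleName/SessionName."""
    parts = arn.split(":")[-1].split("/")
    if parts[0] == "assumed-role" and len(parts) >= 2:
        return parts[1]
    return parts[-1]


def calls_by_role(events):
    """Group API call names by the IAM role that made them, in time order."""
    calls = defaultdict(list)
    for e in sorted(events, key=_ts):
        calls[role_name(e["userIdentity"]["arn"])].append(e["eventName"])
    return dict(calls)


def snapshot_lifetimes(events, role=SCANNER_ROLE):
    """Seconds between CreateSnapshot and DeleteSnapshot per snapshot id.

    A snapshot the role created but never deleted maps to None so the
    caller can flag it instead of silently ignoring it.
    """
    created, lifetimes = {}, {}
    for e in sorted(events, key=_ts):
        if role_name(e["userIdentity"]["arn"]) != role:
            continue
        if e["eventName"] == "CreateSnapshot" and e.get("responseElements"):
            created[e["responseElements"]["snapshotId"]] = _ts(e)
        elif e["eventName"] == "DeleteSnapshot":
            sid = e["requestParameters"]["snapshotId"]
            if sid in created:
                lifetimes[sid] = (_ts(e) - created.pop(sid)).total_seconds()
    for sid in created:
        lifetimes[sid] = None  # created, never deleted: a leftover to investigate
    return lifetimes


def long_lived_snapshots(events, max_seconds=300, role=SCANNER_ROLE):
    """Snapshot ids that outlived the stated five-minute window or were never deleted."""
    return sorted(sid for sid, secs in snapshot_lifetimes(events, role).items()
                  if secs is None or secs > max_seconds)


def scanner_is_read_only(events, role=SCANNER_ROLE):
    """True if the scanner role only issued Describe*/Get*/List* calls plus snapshot lifecycle calls."""
    allowed_exact = {"CreateSnapshot", "DeleteSnapshot"}
    for name in calls_by_role(events).get(role, []):
        if name not in allowed_exact and not name.startswith(("Describe", "Get", "List")):
            return False
    return True


if __name__ == "__main__":
    print("calls by role:", calls_by_role(SAMPLE_EVENTS))
    print("snapshot lifetimes (s):", snapshot_lifetimes(SAMPLE_EVENTS))
    print("snapshots over 5 min or orphaned:", long_lived_snapshots(SAMPLE_EVENTS))
    print("scanner read-only:", scanner_is_read_only(SAMPLE_EVENTS))
```

In practice the same functions run over an Athena or `lookup-events` export filtered to the scanner's role; an orphaned snapshot (lifetime `None`) or a non-read call from the scanner role is exactly the kind of finding an ISSO would raise with the platform owner.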

Communication and governance

The Information Security and Privacy Group (ISPG) Front Office will oversee governance and communication for Wiz operations. A formal outreach plan is being finalized to ensure consistent engagement with key security stakeholders and operational partners.

At a high level, ISPG will:

  • Provide governance and oversight of Wiz deployment and operations.
  • Ensure that contextualized risk insights are surfaced to ISSOs, Security Operations Center (SOC) analysts, and engineering teams for awareness and appropriate action.
  • Coordinate with relevant components to support remediation activities and risk reporting.

Integration

Integration with existing tools such as AWS Security Hub is not in scope for this rollout. Wiz will be used by ISPG to identify and report critical and high-risk findings that may not be detected through other tools. Active monitoring responsibilities are not expected from ADO teams.

For awareness, Wiz differs significantly from AWS Security Hub. The latter functions as a Cloud Security Posture Management (CSPM) solution, while Wiz is a Cloud-Native Application Protection Platform (CNAPP) with broader integration capabilities spanning GitHub, Software-as-a-Service (SaaS), Google Cloud Platform (GCP), Microsoft Azure, and AWS.

If some stakeholders are interested in obtaining direct access to Wiz for transparency or familiarization, they are encouraged to contact the ISPG Front Office.

Conclusion

CMS’s adoption of Wiz is not intended to add complexity or redundant tools to existing processes. Rather, it strengthens our collective ability to detect and mitigate vulnerabilities before they escalate into security incidents.

Through continued collaboration between ISSOs, SOC analysts, ADO teams, and ISPG, we will continue to safeguard CMS’s cloud assets and uphold the confidentiality, integrity, and availability of federal information systems.

Contact

If there are additional concerns or topics that require further discussion, please contact the ISPG Front Office at ciso@cms.hhs.gov to schedule a joint discussion.

Report any security incidents immediately to the CMS IT Service Desk at 1-800-562-1963 or via email at cms_it_service_desk@cms.hhs.gov.

Thank you for your attention to and compliance with these requirements as we work to maintain a secure environment.


About the publisher

The Information Security and Privacy Policy Team (also known as CMS CISO Team) manages the policies, standards, and guidance that keep information and systems safe at CMS. Our goal is to help you understand requirements and apply them effectively in your project environments – so you can focus on delivering value to CMS beneficiaries and customers.