Skip to main content

CMS ATO Notice

CMS ATO information can now be found at, along with other security and privacy resources.

This website will be retired. You will be redirected in a moment.

Tools & Services

Security Automation Framework (SAF)

The CMS Security Automation Framework (SAF) unites applications, techniques, libraries, and tools from the CMS Information Security and Privacy Group (ISPG) and the security community.  It streamlines security automation for systems and DevOps pipelines, and the benefits of using this framework include:

  • Providing security data to the ACT (Adaptive Capabilities Testing) team. 

See the SAF FAQs for more on the ACT program.

  • Helping developers minimize security defects by running validation security test early and often. It allows them to use orchestration, functional, and unit testing systems in their environments. 

For more information about SAF visit

CMS Cloud Services

CMS Cloud Services provide your team with the tools, support, and services to let you focus on your mission, power our healthcare system, and serve our providers and beneficiaries.

With CMS Cloud, you get access to a powerful combination of offerings, including: 

  • Platform choice
  • Cloud services
  • Security
  • Support

For more information about CMS Cloud visit


When compliance is painful, it disincentivizes innovation and modernization. By removing redundant, burdensome tasks, the CMS BatCave initiative aims to make security and compliance easier and more accessible for end users. 

Modeled after the Air Force’s Platform One initiative, BatCave incorporates enterprise kubernetes and continuous integration to take software from ideation to production faster. By decreasing the time dedicated to audits and the fears associated with updating production code, BatCave will incentivize faster innovation at CMS.

BatCave is determined to flip the script on security—measure positive security activities instead of negative security outcomes—to incentivize people to do more positive activities that ultimately result in better security outcomes at CMS.

Key aspects of the BatCave initiative:

  • Reduce burden and obligations to users 
  • Give users the knowledge they need make better security decisions
  • Incentivize behavior that strengthens the security posture of applications and CMS as a whole
  • Increase transparency and empower distributed decision-making
  • Measure, report and champion the positive behavior rather than punish negative actions

Video Resources