The Centers for Medicare and Medicaid Services (CMS) is accelerating its transition to a zero trust architecture, replacing what one agency official described as a “flat” network environment that posed a “huge security vulnerability.”

Speaking Tuesday at the Zscaler Public Sector Summit in Washington, Wade Zarriello, director of CMS’s Infrastructure and User Services Group, detailed the agency’s ongoing modernization effort and its partnership with Zscaler to redesign network access around identity, data, and devices rather than traditional perimeter defenses.

“CMS has some of the most important data in the world, right? We have a lot of it, and a lot of people want access to that,” Zarriello said. “So, for us, making sure that we can make that modernization journey in a fast, quick, and efficient way while continuing to provide reliable, stable access to our data … was critical.”

Zarriello said CMS anchored its strategy in what he termed an “identity, data, and device-driven policy,” or IDD, approach. The model shifts the agency away from traditional perimeter-based defenses toward continuous verification of users and devices.

CMS’s approach aligns with the Office of Management and Budget’s 2022 zero trust strategy, which directed agencies to adopt zero trust architectures and leverage built-in cloud security capabilities.

Zarriello noted that while CMS has addressed many foundational elements – the “low-hanging fruit” of its zero trust journey – work remains to migrate all of its cloud-based applications to a zero trust model.

Working with Zscaler, CMS is designing segmentation that provides access “directly to the applications without having to inject any type of friction,” such as traffic backhauling that can slow deployment.

“Every time my team gets a cloud onboarding request, they need it yesterday,” Zarriello said. “And so, us being able to facilitate quick onboarding to cloud and multicloud, but then also to reduce the choke points and barriers to achieve a faster deploy in those hybrid cloud environments is critical.”

Adam Geller, chief product officer at Zscaler, said the company has been a leader in FedRAMP cloud security, and that “will continue to be our main focus.”

“This commitment from Zscaler isn’t going to change. It’s certainly not going to waver,” Geller said. “And I’d just really like to thank you all again for continuing to be an incredible partner for us on this zero trust journey as we forge this cyber-strong nation together.”