The Centers for Medicare & Medicaid Services (CMS) Hybrid Cloud Team announces the following CMS Gold Image (GI) updates for September 2025:
September 2025 GI Updates
Transition from Windows 2016 (WIN2016) to Windows 2022 (WIN2022) before May 1, 2026
-
Please work with your CMS Hosting Coordinator to schedule, track, and decommission all WIN2016 instances and migrate to WIN2022 before Friday, May 1, 2026.
- CMS Cloud Customers with active WIN2016 instances received dedicated Cloud Support (CLDSPT) support tickets notifying them to decommission. If your team has not received the CLDSPT ticket, please contact your assigned Hosting Coordinator.
- Microsoft ended mainstream support of WIN2016 in January 2022, and extended support is scheduled to end in January 2027.
- Microsoft ended Windows 2019 (WIN2019) mainstream support in 2024, with extended support ending in January 2029.
-
The Defense Information System Agency (DISA) has not yet released a security technical implementation guide (STIG) for Windows 2025 (WIN25), or shared a timeline for the DISA WIN25 STIG. There is no current timeline for the creation or release of the CMS GI for WIN25. The most current Windows operating system available through CMS GI is WIN2022.
Instance Metadata Service Version 2 (IMDSv2) Required by Default in September 2025
- Starting in September 2025, all Amazon Web Services (AWS) GIs are now required with IMDSv2 by default to further increase the CMS security posture.
- Instance Metadata Service is an endpoint (169.254.169.254) that allows instances to retrieve information about themselves. IMDSv2 adds additional protections over IMDSv1.
- For more details about IMDSv2, including how to check if you are using IMDSv1, refer to this AWS Security Blog article.
-
Please note: Instances running Splunk Universal Forwarder versions before version 9.4.2 will report the usage of IMDSv1. We recommended that you upgrade your Splunk versions if you are unsure if your application is using IMDSv1 in other ways.
Final Amazon Linux 2023 (AL2023) Transition Plans Are Under Review
- The final CMS Amazon Linux 2 (AL2) GI was released on June 13, 2025.
- We are reviewing any outstanding AL2023 transition plans and will reach out directly with any concerns.
Gold Image Accessibility
CMS GI availability is based on each team's details in the Hybrid Cloud Customer Relationship Management Database (HC CRM DB), which will replace the Customer Automation and Management Platform (CAMP). If your team wants to request a new CMS GI, please open a Hybrid Cloud Support Ticket and contact your assigned Hosting Coordinator.
For more information about CMS GIs, please review the available Gold Image documentation.
Questions or Concerns
For questions or concerns, please contact your assigned Hosting Coordinator or submit a Hybrid Cloud support ticket.
|
