The Centers for Medicare & Medicaid Services (CMS) Hybrid Cloud Team announces the following CMS Gold Image (GI) updates for December 2025:
December 2025 GI Updates
Aging GI Clean-Up beginning February 28, 2026
- To improve cost savings and security postures, the GI Team will delete any Amazon Machine Image (AMI) greater than 1 year old, starting on February 28, 2026.
- Customers should review any deployment configurations deploying existing AMIs that are a year old or older to prevent deployment disruptions.
- Customers should accept the newest CMS GIs, updated monthly, as a rule of thumb.
Transition from Windows 2016 (WIN2016) to Windows 2022 (WIN2022) before May 1, 2026
- Please work with your CMS Hosting Coordinator to schedule, track, and decommission all WIN2016 instances and migrate to WIN2022 before Friday, May 1, 2026.
- Microsoft ended mainstream support of WIN2016 in January 2022, and extended support is scheduled to end in January 2027.
- Microsoft also ended Windows 2019 (WIN2019) mainstream support in 2024, with extended support ending in January 2029.
- The Defense Information System Agency (DISA) has not yet released a Security Technical Implementation Guide (STIG) for Windows 2025 (WIN25), or shared a timeline for the DISA WIN25 STIG. There is no current timeline for the creation or release of the CMS GI for WIN25.
- The most current Windows operating system available through CMS GI is WIN2022.
Instance Metadata Service Version 2 (IMDSv2) Required by Default
- All Amazon Web Services (AWS) GIs are now required with IMDSv2 by default to further increase the CMS security posture.
- Instance Metadata Service is an endpoint (169.254.169.254) that adds additional protections over IMDSv1 and allows instances to retrieve information about themselves.
- For more details about IMDSv2, including how to check if you are using IMDSv1, refer to this AWS Security Blog article.
-
Please note: Instances running Splunk Universal Forwarder versions before version 9.4.2 will report the usage of IMDSv1. Please upgrade your Splunk version to ensure that your application is not using IMDSv1 in other ways.
Gold Image Accessibility
- CMS GI availability is based on each team's details in the Hybrid Cloud Customer Relationship Management Database (HC CRM DB), which will replace the Customer Automation and Management Platform (CAMP). If your team wants to request a new CMS GI, please open a Hybrid Cloud support ticket and contact your assigned Hosting Coordinator.
- For more information about CMS GIs, please review the available Gold Image documentation.
Questions or Concerns
|
