
The Centers for Medicare & Medicaid Services (CMS) manages one of the largest digital infrastructures in the federal government—spanning hundreds of FISMA systems, cloud workloads, hybrid networks, and compliance environments. To safeguard this complex ecosystem, CMS partnered with ASSYST to implement a forward-thinking solution, a Security Data Lake (SDL). A Platform designed to unify Continuous Diagnostic and Mitigation (CDM) detailed cybersecurity telemetry from across the IT environment, enhancing threat intelligence and empowering real-time decision-making to improve the security posture of mission-critical applications.
It was a transformation driven by data engineering, human-centered design (HCD), and the power of AI infused user experiences.
CMS’s security teams were overwhelmed by volumes of data generated by disparate sources—cloud configurations, vulnerability scans, firewall logs, compliance assessments, and more. Each team operated in silos, using their ingestion tools, dashboards, and data schemas. This fragmentation slowed collaboration, increased storage costs, and made cross-domain analysis nearly impossible.
During zero-day events like Log4J, what should have been a rapid response became a manual process of stitching together insights from different systems—costing critical time and adding risk to operations. CMS needed a unified, governed, and accessible data platform that could provide a view of CDM data to support multiple teams, roles, and missions—without compromising agility or security.
ASSYST collaborated with CMS’s Information Security and Privacy Group (ISPG) to architect and operationalize a federated Security Data Lake platform built on Snowflake’s secure, FedRAMP-authorized Data Cloud. The platform centralized the ingestion of telemetry from AWS Config, Tenable, Snyk, Panther, Archer, and more, from both the cloud and the premise data center. Applying schema-on-read techniques to retain raw fidelity while enabling flexible, on-demand analytics.
We designed the SDL to support a multi-tenant access model featuring row-level security and role-based controls that enable different security units to collaborate securely from a shared source of truth. To support CMS’s modernization and automation goals, we integrated data services for metadata enrichment and cross-domain telemetry linking.
The AI-enabled platform is integrated with large language models (LLMs), predictive analytics, and multi-agent systems, which enhance context-driven decision-making, streamline investigations, and scale compliance readiness.
Recognizing that technology is only as valuable as it is usable, ASSYST adopted a Human-Centered Design (HCD) approach for data visualization of the CDM data. We developed detailed user personas to represent the diverse range of CMS stakeholders—from SOC analysts and vulnerability engineers to executive leadership and audit teams—each persona guided decisions regarding data access, dashboard views, chatbot behavior, and analytics priorities.
To unlock the full value of the SDL, we designed and deployed the Agentic AI App. This conversational, LLM-powered tool enables users to search and retrieve data catalog metadata using natural language queries. The Agentic AI app is capable of leveraging multiple UI patterns (linear, card-based, threaded) and selecting the threaded mode based on feedback from metadata users who require structured exploration paths and layered conversations. The UI integrates interactive components, such as buttons, forms, and menus, providing users with an intuitive, action-driven interface for discovering and utilizing cyber telemetry without requiring SQL knowledge to formulate queries.
Beyond search and metadata exploration, ASSYST focused on making data-driven decisions easier across CMS. Working closely with CMS stakeholders, we redesigned Tableau dashboards with HCD principles—streamlining visual layouts, reducing cognitive load, and improving data navigation across key views such as:
We facilitated user discovery sessions, journey mapping, and dashboard testing to ensure these dashboards not only reflected real-time SDL data but also aligned with user goals, workflows, and remediation processes. Special attention was given to login and landing page usability, with validated UX enhancements enabling faster access to alerts, insights, and reports.
These improvements have directly contributed to higher dashboard adoption across CMS, increased stakeholder satisfaction, and faster time-to-action in response to evolving cyber threats.
The results have been transformative. CMS now operates from a single pane of glass for security telemetry, with unified data access across departments, improved team collaboration, and sharply reduced response times. During major cyber events, queries that previously took days now return results in minutes. Compliance and audit preparation have become more efficient through the use of live telemetry overlays and the contextual mapping of NIST controls via AI Tools.
The Security Data Lake—once envisioned as a data warehouse—is now a living, AI-ready platform where data, design, and intelligence converge to drive mission success.
With the SDL in place, ASSYST is helping CMS prepare for its next leap forward: integrating Agentic AI. Using the Model Context Protocol (MCP), CMS will enable autonomous agents to interact with live data, perform security checks, validate configurations, and generate evidence for audits in real-time.
Through ASSYST’s Green Accelerator Framework, ASSYST is advancing toward a future where security operations are not only data-driven but context-aware, automated, and intelligently designed around the people who rely on them.