Vetting & Credentialing Informational Guide
Last Reviewed: 11/7/2025
Vetting and Credentialing
The Vetting and Credentialing (V&C) program is CMS’s process for ensuring that only properly identified, trustworthy, and authorized individuals can access CMS systems, data, and facilities. It combines identity proofing, background investigations, and credential issuance into a unified framework that protects against unauthorized access and insider threats.
V&C applies to all CMS employees, contractors, affiliates, and partners who need logical access (to systems and data) or physical access (to facilities and restricted spaces). Before anyone can be granted access, their identity must be verified, their suitability must be established through background investigations, and they must be issued secure, federally compliant credentials such as a Personal Identity Verification (PIV) card.
V&C is more than an administrative requirement—it is a critical safeguard that connects people, credentials, and access. By linking Personnel Security (PS) and Identification & Authentication (IA), it ensures:
- Identity is confirmed using strong, federally approved standards.
- Trustworthiness is established through background checks and continuous evaluation (PS).
- Credentials are secured and enforced through technical controls like multi-factor authentication (IA).
By binding trust in people (PS) with trust in credentials (V&C) and trust in access (IA), the program provides CMS with a layered, end-to-end defense that protects its mission, operations, and sensitive beneficiary information.
Why V&C Matters
V&C is a cornerstone of CMS’s security framework because the agency is entrusted with highly sensitive federal systems, mission-critical operations, and the protected health information of millions of beneficiaries. The integrity of CMS operations depends on ensuring that only properly vetted and credentialed personnel are granted access to its systems and facilities.
Without strict adherence to V&C requirements, unauthorized individuals could exploit gaps in access control, potentially infiltrating CMS networks or facilities, compromising the confidentiality of beneficiary data, and disrupting critical program functions. Such failures would not only place CMS operations and the public it serves at risk but could also result in non-compliance with key federal mandates, including the Federal Information Security Modernization Act (FISMA), Homeland Security Presidential Directive 12 (HSPD-12), Federal Information Processing Standards (FIPS) 201-3, OMB Circular A-130, and CMS’s own Acceptable Risk Safeguards (ARS), which follow guidance directly from National Institute of Standards and Technology (NIST) SP 800-53 Rev. 5.
To prevent these risks, CMS enforces rigorous identity proofing, background investigations, and credential lifecycle management. Failure to comply with these requirements carries serious consequences: individuals may lose access privileges, staff and contractors may face disciplinary or contractual action, and any misuse or fraudulent use of credentials may result in legal penalties under federal law. These enforcement measures ensure that V&C remains a reliable safeguard for CMS systems, facilities, and the sensitive information they protect.
V&C is essential because CMS manages sensitive federal systems and data. Without strict vetting and credentialing:
- Unauthorized individuals could gain access to CMS facilities and systems
- Beneficiary privacy and critical operations could be compromised
- CMS could face compliance failures under FISMA, HSPD-12, and other federal mandates
Non-compliance with V&C requirements may result in:
- Loss of access privileges
- Disciplinary or contract actions
- Legal consequences for credential fraud or misuse
How V&C Works
CMS protects its systems and facilities by making sure the right people have the right access. The V&C process is how we confirm who someone is, check their background, and give them secure credentials like PIV cards. These credentials are then used to control both system login and building entry. The process follows federal security standards, including background checks, multi-factor authentication, and regular reviews of who has access. Each step is designed to build trust—first in the person, then in the credential they use, and finally in the way that credential is used to access CMS resources.
Step 1: Identity Proofing
- Requires two forms of government-issued ID
- Identity verification follows NIST SP 800-63 standards
Step 2: Background Investigations
- Required by HSPD-12 and following OMB M-19-17
- At least a Tier 1 Public Trust investigation for all personnel
- Roles of higher sensitivity require more rigorous investigations
- Periodic reinvestigations ensure ongoing suitability
Step 3: Credential Issuance
- CMS issues PIV cards as the primary credential in accordance with FIPS 201-3
- Alternatives include Alternate Logon Tokens (ALTs), Restricted Local Access (RLA), or hardware tokens
- No credentials are issued until background investigations are completed and eligibility is confirmed
Step 4: Logical Access (Systems & Data)
- Multi-Factor Authentication (MFA) is mandatory
- Least privilege ensures access is restricted to role-based needs
- Privileged accounts require enhanced monitoring
- All CMS systems must encrypt data in transit and at rest
- Remote access is only allowed through CMS-approved secure channels (VPN/VDI)
Step 5: Physical Access (Facilities)
- A valid PIV card is required for unescorted access
- Visitors must be processed through the Physical Access Management (PAM) system
- Badges must be worn visibly and never left unattended
- Access is role- and clearance-based, with added restrictions for secure areas
Step 6: Ongoing Monitoring and Revocation
- Access rights are reviewed on a regular schedule
- Activity logs are continuously monitored for anomalies
- PIV credentials expire after five (5) years and require reissuance in accordance with FIPS 201-3
- Transfers or terminations: credentials are updated or revoked immediately, in coordination with multiple departments, and defined personnel or roles are notified within twenty-four (24) hours
Roles and Responsibilities
- Individuals (Employees & Contractors): Confirm individual roster information, complete V&C steps, safeguard credentials, follow CMS access policies
- Contractor Representatives: Maintain contractor rosters, notify CMS of changes, support timely onboarding and offboarding
- Contracting Officer Representatives (CORs): Initiate Identity and Credentialing Tool (ICT) applications, approve requests, ensure offboarding steps are completed
- Office of Information Technology (OIT): Grants logical access, manages accounts, oversees CBT training
- Office of Security, Facilities, and Logistics Operations (OSFLO): Coordinates fingerprinting, manages physical access
- Division of Personnel Security (DPS): Makes suitability determinations that drive credential eligibility, adjudicates investigations
- Defense Counterintelligence and Security Agency (DCSA): Conducts background investigations
Personnel Security (PS) and Its Relationship to V&C
The Personnel Security program ensures individuals are trustworthy before V&C credentials are issued.
PS contributions to V&C include:
- Position Risk Designation: Determines sensitivity levels for roles, which drive the type of investigation required before credentials are issued
- Background Investigations: Conducted through DCSA, with adjudication by the Division of Personnel Security (DPS). These investigations determine if someone is eligible for a PIV card
- Continuous Evaluation: Ongoing checks to detect new risks that might affect credential status
- Lifecycle Alignment: Ensures credentials are updated or revoked when individuals transfer or terminate employment
How PS and V&C overlap:
- PS establishes trust in the person through suitability determinations
- V&C relies on those determinations to issue and manage credentials
- Together, they ensure only vetted, trustworthy individuals receive and maintain CMS credentials
Identification & Authentication (IA) and Its Relationship with V&C
The Identification & Authentication program ensures that credentials issued through V&C are used securely to access CMS resources.
IA contributions to V&C include:
- Multi-Factor Authentication (MFA): Credentials like PIV cards must be used with PINs or tokens for secure logins
- Unique Identifiers: Every CMS account is tied to a distinct, vetted identity
- Device Authentication: CMS-issued devices are verified through certificates, encryption, and MAC/IP filtering
- Account Management: Inactive accounts are automatically disabled; identifiers cannot be reused for at least three years
- Replay Resistance & Cryptography: TLS, tokens, and encryption protect against credential theft or misuse
How IA and V&C overlap:
- V&C issues credentials (PIV, ALT, RLA)
- IA enforces use of those credentials for both logical and physical access
- Together, they ensure credentials are not just issued, but also actively and securely used to protect CMS resources
Summary
The CMS V&C program safeguards systems, data, and facilities by verifying identity, conducting background investigations, and issuing secure credentials. It is tightly linked to Personnel Security (PS), which establishes trust in people through position risk designations, adjudicated investigations, and continuous evaluation, and to Identification & Authentication (IA), which enforces secure use of credentials through multi-factor authentication, unique identifiers, cryptography, and account management. Together, these three controls form a continuous cycle of protection—PS determines who is trustworthy, V&C binds that trust to a credential, and IA ensures that credential is used securely—ensuring that only the right individuals, with valid credentials, and appropriate authorization, can access CMS resources.
- PS ensures trust in people.
- V&C ensures trust in credentials.
- IA ensures trust in access.
Together, they safeguard CMS systems, data, and facilities from unauthorized access and insider threats.