Skip to main content

Identity Management

Date signed: 9/17/2025

PIA information for the Identity Management system
OPDIV:CMS
PIA Unique Identifier:P-5127102-673341
Name:Identity Management
The subject of this PIA is which of the following?Major Application
Identify the Enterprise Performance Lifecycle Phase of the system.Operate
Is this a FISMA-Reportable system?Yes
Does the system include a Website or online application available to and for the use of the general public?Yes
Identify the operator:Agency
Is this a new or existing system?Existing
Does the system have Security Authorization (SA)?Yes
Date of Security Authorization2/4/2026
Indicate the following reason(s) for updating this PIA. Choose from the following options.
  • PIA Validation (PIA Refresh/Annual Review)
  • Other - PIA renewal and added PII field Mailing address
Describe in further detail any changes to the system that have occurred since the last PIA.The changes performed on the system since the last PIA approval include Okta upgrade from Classic to Okta Identity Engine (OIE), Deprovisioning of inactive accounts, Migration of Amazon Web Services (AWS) Legacy to Greenfield (v3 to v4), Launch of the CMS Identity Store, Non-expiry password, and Risk Based Authentication (RBA) Remote Identity Proofing (RIDP) solution.
Describe the purpose of the system

In support of the American Recovery and Reinvestment Act (ARRA), the Health Information Technology for Economic and Clinical Health Act (HITECH), and the Patient Protection and Affordable Care Act of 2010, also known as Affordable Care Act (ACA), Centers for Medicare & Medicaid Services (CMS) has implemented an Identity Management (IDM) system. Identity Management (IDM) is an Identity and Access Management (IAM) system that provides application program interface (API) and user interface services as a means for users needing access to CMS applications to self-identify, apply for and receive credentials in the form of a single-factor authentication, User Identifier (UserID) and Password and/or Multi-Factor Authentication (MFA). IDM manages the lifecycle of user IDs, passwords, and the supporting data collected from the users from issuance through deprovisioning and archival.

IDM services are grouped into a few main areas:

Registration Service – This function allows new users to register with IDM and obtain a single digital identity that can be used across CMS applications that are integrated with IDM. 

Authentication Service – This function confirms the user’s identity attributes and access privileges. It is available only to users who have completed the registration process and have a valid credential. The Authentication Service validates that users have a valid credential issued to them by providing something they know (e.g., a password), something they have (e.g., a security token), or a combination of those factors.

Authorization Service – provides for integrating applications that support multi-level approval for system access. It tracks and manages the assignments of IDM Solution roles to individual users and provides role detail information to participating applications. It also provides the ability to check the authorization against an authoritative data source and provision user information to various CMS repositories.

Identity Proofing- Remote Identity Proofing (RIDP) is integrated with Experian, using credit and demographic data to verify users at NIST IAL2 standards.

Identity Lifecycle Management (IDLM) Service – This function allows user information to change over time in a controlled and auditable manner within IDM. User information can be managed by the user through self-service or by an Authorized Help Desk user.

Reporting- Integrates with AWS QuickSight to provide dashboards and reports with:

Role-based access

Operational and monitoring metrics

Filtering, exporting, and printing features

User Interfaces

Accessible via: 

IDM UI (IDM Apps)

CMS Enterprise Portal (My Enterprise Portal)

Okta Dashboard

Custom application-built UIs

All interfaces are 508 compliant and browser compatible.

Help Desk Support 

Tier 1 (Application Help Desks): Initial user support

Tier 2 (IDM Team): Escalation support for IDM-specific issues

Key functions include account unlock, temporary passwords, and identity record updates

Describe the type of information the system will collect, maintain (store), or share. (Subsequent questions will identify if this information is PII and ask about the specific data elements)

IDM collects, maintains and stores the following information on external and internal CMS system users: First Name, Last Name, Date of Birth, E-mail Address, Mailing address, Phone Number, Social Security Number, User Identifier (User ID) and Password and Organization Name.

The Social Security Number is used to check for registrant uniqueness within the system. The Username and Password are stored and are created by the user. Under some circumstances, the password may be reset to a temporary value by a helpdesk technician.

The User Identifier (User ID) and Password are used to grant access to applications that users have been authorized to access.

Provide an overview of the system and describe the information it will collect, maintain (store), or share, either permanently or temporarily.

Identity Management (IDM) is an Identity and Access Management (IAM) system that provides application program interface (API) and user interface services as a means for users needing access to CMS applications to self-identify, apply for and receive credentials in the form of a single-factor authentication, Username and Password and/or Multi-Factor Authentication (MFA). IDM manages the lifecycle of user IDs, passwords, and the supporting data collected from the users from issuance through deprovisioning and archival.

IDM collects, stores and maintains the following information: First Name, Last Name, Date of Birth, E-mail Address, Mailing address, Phone Number, Social Security Number, User Identifier (User ID) and Password and Organization Name.

The Social Security Number is used to check for registrant uniqueness within the system. The First Name, Last Name, Date of Birth, Phone Number, and Organization Name are used by the approver to approve the user’s request for access.

The Username and Password are used to grant access to application that users have been authorized to access.

Application tier 1 and tier 2 helpdesk (HD) users and approvers of the tier 1 /vertical applications will verify the end-user's PII before assisting users. This retrieval is normally done by leveraging the user's username, Date of birth and/or last four of SSN in the search section of the HD user interface.

Does the system collect, maintain, use or share PII?Yes
Indicate the type of PII that the system will collect or maintain.
  • Social Security Number
  • Name
  • Date of Birth
  • E-Mail Address
  • Mailing Address
  • Phone Numbers
  • Other - Organization Name, Username and Password
Indicate the categories of individuals about whom PII is collected, maintained or shared.
  • Employees
  • Public Citizens
  • Business Partners/Contacts (Federal, state, local agencies)
  • Vendors/Suppliers/Contractors
How many individuals' PII in the system?100,000-999,999
For what primary purpose is the PII used?The primary purpose of the system is to collect and maintain individually identifiable information to assign, control, track, and report authorized access to and use of CMS’ computerized information and resources, for those individuals who apply for and are granted access across multiple CMS systems and business contexts. Information in this system is also used to: (1) Support regulatory and policy functions performed within the Agency or by a direct contractor, consultant, or CMS grantee; and (2) Support litigation involving the Agency related to this system. The Social Security Number is used to check for registrant uniqueness within the system. The First Name, Last Name, Date of Birth, and Phone Number are used by the approvers to approve the user’s request for access.
Describe the secondary uses for which the PII will be used (e.g. testing, training or research)Not Applicable.
Describe the function of the SSN.The main purpose of the Social Security Number (SSN) is for Remote Identity Proofing (RIDP). Identity Assurance Level (IAL) 2  users will provide SSN for RIDP.   The Social Security Number is also used to check for registrant uniqueness within the system.
Cite the legal authority to use the SSN.Executive Order 9397, the Debt Collection Improvement Act (PUBLIC LAW 104–134—APR. 26, 1996), 31 United States Code (U.S.C.) § 7701(c)(1), and 5 U.S.C. 552a(b)(1)
Identify legal authorities​ governing information use and disclosure specific to the system and program.

U.S.C. § 7701(c)(1), Appellate procedures
U.S.C. 552a(b)(1), Records Maintained on Individuals
5 U.S.C. Section 301, Departmental Regulations

Executive Order 9397, the Debt Collection Improvement Act (PUBLIC LAW 104–134—APR. 26, 1996), 31 United States Code (U.S.C.) § 7701(c)(1), and 5 U.S.C. 552a(b)(1)

Are records on the system retrieved by one or more PII data elements?Yes
Identify the number and title of the Privacy Act System of Records (SORN) that is being used to cover the system or identify if a SORN is being developed.Published: SORN 09-70-0538, Individuals Authorized Access to CMS Computer Services
Identify the sources of PII in the system: Directly from an individual about whom the information pertains
  • Online
  • Email
Identify the sources of PII in the system: Government Sources
  • Within the OPDIV
Identify the sources of PII in the system: Non-Government Sources
  • Members of the Public
  • Private Sector
Identify the OMB information collection approval number and expiration dateOMB No.0938-1236 | Expiration Date: 08/31/2025 |
Is the PII shared with other organizations?Yes
Identify with whom the PII is shared or disclosed and for what purpose.
  • Private Sector: Experian Information Solutions, Inc. provides Remote Identity Proofing (RIDP) services. PII is sent to Experian over a secure channel using Federal Information Processing Standards (FIPS) 140-2 compliant encryption. Experian enables IDM to prove the identity of users.
Describe any agreements in place that authorizes the information sharing or disclosure (e.g. Computer Matching Agreement, Memorandum of Understanding (MOU), or Information Sharing Agreement (ISA)).Information Sharing Agreement (ISA) with Experian, reviewed on January 3, 2023: Experian provides Remote Identity Proofing (RIDP) web services for IDM to remotely identity proof its users.
Describe the procedures for accounting for disclosures

The disclosure of any Personally Identifiable Information (PII) within the Identity Management (IDM) system is formally documented and accounted for through multiple mechanisms to ensure transparency, accountability, and compliance with the ARS and federal regulations.

Disclosures are logged through:

Interconnection Security Agreements (ISA) – All third-party data exchanges involving PII, such as with Experian for Remote Identity Proofing (RIDP), are governed and documented via active ISAs that clearly define permissible use and safeguards.

CMS Incident Management Process – Any unauthorized or unintended disclosure of PII triggers the formal incident response protocol:

A ServiceNow ticket is immediately generated to capture all relevant incident details, including what was disclosed, when, how, and by whom.

A structured incident investigation is conducted to assess impact, identify root causes, and determine corrective actions.

Findings from the investigation are fully documented within the ServiceNow ticket and a formal incident report is provided to the data owner(s) of the affected system(s).

Remediation actions are implemented based on the severity and nature of the incident, in alignment with CMS security and privacy policies.

Additionally, all disclosure incidents and related actions are tracked to support audit readiness, risk mitigation, and compliance reporting to CMS leadership and oversight bodies as needed.

Describe the process in place to notify individuals that their personal information will be collected. If no prior notice is given, explain the reason.

Individuals are notified that their personal information will be collected through a Privacy Act Statement, which is presented during the initial registration process and again on a recurring basis (e.g., annually or at login). This statement is included as part of the Terms and Conditions, which users must affirmatively accept in order to proceed.

The Privacy Act Statement informs users that the Identity Management (IDM) system will collect their Personally Identifiable Information (PII) for the purpose of identity proofing, authentication, and access management. It explains how the information will be used, maintained, and shared in accordance with federal privacy laws, including the Fair Credit Reporting Act (FCRA), and states that explicit consent is required to use identity verification services.

This process ensures individuals receive prior notice and provide informed consent before any PII is collected or processed.

Is the submission of the PII by individuals voluntary or mandatory?Voluntary
Describe the method for individuals to opt-out of the collection or use of their PII. If there is no option to object to the information collection, provide a reason.Individuals are presented with a Privacy Act Statement as part of the Terms and Conditions during the initial registration process and at each login. Users have the option to decline to provide their personal identifiable information (PII) by choosing not to accept the Terms and Conditions. However, if a user opts not to provide the required information or declines the Terms and Conditions, a user account cannot be created. As a result, the individual will be unable to access CMS applications that require authentication. This limitation is necessary to ensure the security and integrity of CMS systems and the protection of user data.
Describe the process to notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changes since the notice at the time of original collection). Alternatively, describe why they cannot be notified or have their consent obtained.

Users are presented with a Privacy Act Statement that outlines the purposes for which their Personally Identifiable Information (PII) is collected and how it will be used. This statement is included in the Terms and Conditions during the initial registration process and is reaffirmed at each login. Additionally, a warning banner is displayed on the login page indicating that the system is a government-operated system and subject to monitoring.

In the event of major changes to the system that impact the disclosure or use of PII, users will be notified through updates to the Terms and Conditions and Privacy Act Statement. Continued use of the system after such changes constitutes acknowledgment and acceptance of the revised terms. Users have the option to discontinue use of the system at any time, thereby opting out of the use of their PII in IDM.

Describe the process in place to resolve an individual's concerns when they believe their PII has been inappropriately obtained, used, or disclosed, or that the PII is inaccurate. If no process exists, explain why not.Any concerns of inappropriate gathering or use of an individual's PII should be directed to the IDM Help Desk or sent in writing to Medicare following the complaint process outlined in Medicare’s Notice of Privacy Practices. A Service Now ticket will be created to record the incident and all relevant information about the incident (i.e. What was disclosed, when, how, by whom). An incident investigation will be initiated, and the results documented in the Service Now ticket and a report provided to the data owner for all the systems involved. Appropriate remediation actions will be taken based on the nature of the incident.
Describe the process in place for periodic reviews of PII contained in the system to ensure the data's integrity, availability, accuracy and relevancy. If no processes are in place, explain why not.

IDM ensures the periodic review of PII to maintain its integrity, accuracy, relevance, and availability in accordance with CMS policy and federal guidelines. While individual CMS applications are responsible for the initial collection and validation of PII, IDM conducts annual reviews as part of its Cybersecurity and Risk Assessment Program (CSRAP) to validate the appropriateness of retained PII, ensure it remains necessary for business purposes, and complies with CMS Acceptable Risk Safeguards (ARS).

These reviews include verification of data integrity checks, evaluation of data retention practices, and audits of user access and activity logs. IDM enforces role-based access control (RBAC) and the least privilege principles, ensuring only authorized personnel can access PII. All PII is encrypted in transit and at rest using FIPS 140-2 validated cryptographic modules. Data accuracy and relevancy are further supported through integration with authoritative data sources where feasible. Findings from these reviews are documented and used to inform remediation activities, if required.

Identify who will have access to the PII in the system and the reason why they require access.
  • Users: IDM account users have access to only their PII. This information is used to identify the user and allow them to manage their IDM user account.
  • Administrators: Administrators and direct Contractors have access to PII to facilitate the process of managing user accounts, creating new user accounts and disabling inactive user accounts. Administrators also have access to PII to maintain and test IDM.
  • Contractors: Administrators and direct Contractors have access to PII to facilitate the process of managing user accounts, creating new user accounts and disabling inactive user accounts. Administrators also have access to PII in order to maintain and test IDM.
Describe the procedures in place to determine which system users (administrators, developers, contractors, etc.) may access PII.

IDM employs role-based access controls (RBAC) to ensure that access to Personally Identifiable Information (PII) is restricted to authorized users based on the principle of least privilege. Access is granted only to individuals whose roles require it to perform their official duties. System users—such as administrators, developers, and contractors—must submit access requests that specify the required level of access.

Each access request undergoes a formal review and approval process, which includes verification and approval by the designated business owner or their representative (e.g., Contracting Officer’s Representative). Access decisions are documented and reviewed periodically to ensure ongoing needs and appropriateness. Additionally, all access to PII is logged and monitored, and users are required to complete appropriate security and privacy training before being granted access.

Describe the methods in place to allow those with access to PII to only access the minimum amount of information necessary to perform their job.

IDM uses the principle of the least privilege and role-based access controls (RBAC) to ensure that individuals, including system administrators, developers, and contractors, are only granted access to the minimum amount of Personally Identifiable Information (PII) necessary to perform their job functions. Access is based on assigned roles that are approved by the business owner or their delegate, and all access requests must specify the level and purpose of access required.

Additionally, IDM enforces periodic access reviews and account recertifications to validate that access remains appropriate. Technical safeguards, such as attribute-based access controls (ABAC), data masking, and system auditing, are used to prevent unauthorized access and to ensure that users cannot access more data than is necessary for their official duties.

Identify training and awareness provided to personnel (system owners, managers, operators, contractors and/or program managers) using the system to make them aware of their responsibilities for protecting the information being collected and maintained.

All personnel with access to the Identity Management (IDM) system, including system owners, program managers, developers, operators, and contractors—are required to complete the CMS Information Systems Security and Privacy Awareness (ISSPA) Training. This training is mandatory when users are initially issued their CMS User ID and must be retaken on an annual basis.

The ISSPA Training covers responsibilities related to the handling of Personally Identifiable Information (PII), applicable federal privacy and security requirements, and CMS policies. Role-based training is also provided to individuals with elevated privileges or responsibilities related to system operations and data protection.

CMS tracks training compliance through its Learning Management System (LMS), and system access is contingent upon completion. 

Describe training system users receive (above and beyond general security and privacy awareness training)System administrators and users are required to complete role-based training and meet continuing education requirements commensurate with their role. Other training avenues such as conferences, seminars and classroom training provided by CMS/HHS are available apart from the regular annual training.
Do contracts include Federal Acquisition Regulation and other appropriate clauses ensuring adherence to privacy provisions and practices?Yes
Describe the process and guidelines in place with regard to the retention and destruction of PII. Cite specific records retention schedules.

National Archives and Records Administration (NARA), General Records Schedule (GRS) 3.1, 3.2, 4.3 states that IDM will destroy/delete all records that are 7 years 6 months, 10 years 6 months, or 20 years 6 months old, based on the maximum level of operation of the Certification Authority, or when no longer needed for business, whichever is later. IDM will delete/destroy all records when the agency determines they are no longer needed for administrative, legal, audit or other operational purposes. The following are all NARA approved records schedules for IDM:

   

  1. Master Files

    1. Registration - username/password and challenge question/answers, allows users to prove their identity by associating federate credentials as well as using these credentials for subsequent authentication

      DISPOSITION: Destroy/delete when 7 years 6 months - 20 years 6 months old, based on the maximum level of operation of the Certification Authority, or when no longer needed for business, whichever is later.

      (Disposition Authority, N1-GRS-07-003, item 13a1)

  2. Authorization - manages applications as well as entitlements within applications as requested items to end users; integration of CMS applications into IDM; connects with application stores specific to Federal Exchange using the database connector.

    Regarding GRS:5.1/5.2
    Where applicable IDM will follow disposition instructions. IDM does not maintain any agency office record storage, non-recordkeeping electronic records, non-mission related committee records nor does IDM maintain any transitory/intermediary records. In the event of such a record IDM will follow the disposition requirements as set forth.

Describe, briefly but with specificity, how the PII will be secured in the system using administrative, technical, and physical controls.

The Identity Management (IDM) system secures Personally Identifiable Information (PII) through a combination of administrative, technical, and physical controls in accordance with CMS policies and federal security standards.

Administrative: IDM enforces the principle of least privilege and role-based access control (RBAC) to ensure users and administrators are only granted access to the minimum PII necessary for their official duties. Access requests must be formally submitted, specifying the required access level, and are subject to review and approval by designated business owners or their representatives. All users must complete the CMS Information Systems Security and Privacy Awareness (ISSPA) training upon account issuance and annually thereafter.

Technical: IDM is hosted in a secure Amazon Web Services (AWS) environment and is designed using industry best practices, including secure coding standards, encryption of data in transit and at rest, multi-factor authentication (MFA), audit logging, and continuous monitoring. The system is assessed against applicable Federal Information Security Modernization Act (FISMA) requirements and implements NIST 800-53 controls to ensure the confidentiality, integrity, and availability of PII.

Physical: IDM is hosted within AWS Federal Risk and Authorization Management Program (FedRAMP) authorized data centers that implement layered physical security measures. These include on-site security personnel, surveillance, badge access, and biometric screening to restrict access to authorized personnel only.

Identify the publicly-available URL:

My Enterprise Portal

IDM Self Service

IDM Apps

Does the website have a posted privacy notice?Yes
Is the privacy policy available in a machine-readable format?Yes
Does the website use web measurement and customization technology?Yes
Select the type of website measurement and customization technologies is in use and if is used to collect PII. (Select all that apply)
  • Session Cookies - Collects PII?: No
  • Persistent Cookies - Collects PII?: No
Does the website have any information or pages directed at children under the age of thirteen?No
Does the website contain links to non-federal government website external to HHS?Yes
Is a disclaimer notice provided to users that follow external links to websites not owned or operated by HHS?Yes

Privacy Impact Assessment (PIA) published by CMS as an Operating Division of the U.S. Department of Health and Human Services

View all CMS PIAs