Skip to main content

CISO Memo 26-05: Authentication Requirements for Phishing-Resistant Access

Establishes CMS authentication requirements for implementing PIV and phishing-resistant authentication and the process for systems requiring risk acceptance.

Published on: 7/7/2026

5 minute read

Summary

To align with HHS and federal Identity, Credential and Access Management (ICAM) directives, all CMS systems and business applications must adopt Personal Identity Verification (PIV)-based or phishing-resistant authentication methods for logical access to systems and applications. 

FISMA systems that cannot meet these requirements, including due to dependencies on existing identity system or capability availability, by March 31, 2027, will be required to be documented and approved by the CISO. Risk acceptance must be time-bound and include a migration plan to meet requirements. 

Purpose

The March 15, 2024, HHS Memorandum, HHS Approved Physical Access and Logical Access Authentication Mechanisms, reiterated HHS’ commitment to maintaining Homeland Security Presidential Directive-12 compliant credentials as the preferred method of logical access authentication and listed other acceptable forms of authentication. CMS systems not meeting this requirement will complete the CMS risk acceptance process. 

This memo establishes CMS expectations for implementing those requirements and aligning CMS authentication practices with current federal ICAM guidance, including updated guidance from NIST SP 800-63 r4.

Background

PIV cards and certificates remain the preferred authentication mechanism for logical access to enterprise systems. Federal guidance emphasizes the use of phishing-resistant authentication methods to reduce the risk of unauthorized account access. 

CMS is expanding the use of PIV to include the use of Multi-Factor Authentication (MFA) tokens containing certificates issued through the U.S. Federal PKI Common Policy Framework.  Where PIV is not available, FIPS-validated phishing-resistant authenticators (e.g., passwordless options such as FIDO2, passkey, or WebAuthn) are expected over legacy one-time password (OTP) MFA.CM

The use of PIV and Phishing-resistant MFA will be required for employees and contractors using  CMS authorized systems.  For systems serving public users (e.g., beneficiaries or consumers), MFA options may be offered where appropriate, including phishing-resistant MFA, keeping in mind accessibility, usability and program constraints. For other external users, including but not limited to providers and Marketplace partners, MFA is required and systems must offer phishing-resistant MFA.

CMS system owners will be responsible for aligning existing identity and authentication mechanisms with enterprise identity services and ensuring systems meet ICAM requirements. If a FISMA System is integrated with Enterprise IDM, the impacts of these changes should be minimal. There may be larger changes needed for systems running on the mainframes or those that currently interface directly with LDAP for authentication.

CMS is working to expand the availability and adoption of phishing-resistant authentication across CMS systems and reduce reliance on authentication mechanisms that are vulnerable to phishing.

Objectives

To support enterprise ICAM and strengthen CMS defenses against unauthorized account access, CMS is pursuing the following strategic objectives through the end of FY2027:

  1. Bring existing CMS Identity systems into alignment with the HHS memo on approved authentication mechanisms and applicable OMB and NIST guidance. 
  2. Expand the availability and adoption of phishing-resistant MFA across CMS system. 
  3. Consolidate use of existing CMS Identity systems for employees and contractors.

To support these objectives, CMS will continue working with identity system providers and program teams to expand the availability of phishing-resistant authentication methods across CMS systems. These efforts include enabling the use of FIPS-validated phishing-resistant authenticators like FIDO2 where appropriate, improving authentication options available to employees, contractors and external users and increasing interoperability among CMS identity services to support future enterprise identity capabilities. Where applicable CMS may also work with program and acquisition teams to update relevant contract language to support the use of phishing-resistant authentication technologies. 

Authentication Requirements

CMS recognizes and accepts the following authentication mechanisms for MFA3 and logical access in order of preference:

  1. PIV, including derived credentials or equivalent phishing-resistant MFA with certificates issued through the U.S. Federal PKI Common Policy Framework
  2. Phishing-resistant public-key authenticators such as FIDO2, WebAuthn or passkeys
  3. Multi-factor One-Time Password (OTP) authenticators, including app-based or hardware-based tokens
  4. Single-factor One-Time Password (OTP) authenticators
  5. Out-of-band authentication mechanisms (including codes delivered via email, SMS, or voice). Please note: One-Time Password (OTP) authenticators and out-of-band authentication mechanisms (email, SMS, or voice), are not phishing-resistant and may be used only where phishing-resistant options are not feasible, with documented risk acceptance by the CISO and migration planning.

Not all options may be available at the time of this memo. The CMS Information Security and Privacy Group (ISPG) is working with CMS identity system providers to enable enterprise authentication methods and increase the availability of phishing-resistant MFA across CMS enterprise and public-facing systems. 

FISMA systems that cannot implement these changes by March 31, 2027 will be required to work with their ISPG Cyber Risk Advisor (CRA) to submit a Plan of Action and Milestones (POA&M) and/or Risk Based Decision Request through the CFACTS process. Risk acceptance decisions will be reviewed periodically and will be subject to non-renewal.

This memorandum, including the risk acceptance process, will be incorporated into CMS Identity and Authorization Policy. 

Contact

For any questions regarding this memorandum, please contact the Information Security and Privacy Group (ISPG) at ciso@cms.hhs.gov.

Report any security incidents immediately to the CMS IT Service Desk at 1-800-562-1963 or via email at cms_it_service_desk@cms.hhs.gov.

Thank you for your attention to and compliance with these requirements as we work to maintain a secure environment.


See all blog posts