
Identification & Authentication RMH Retirement and Implementation of the Info Guide

We're retiring all the ARS control family handbooks and replacing them with informational guides.

Published on: 9/26/2025

How Identification and Authentication Keep Our Data Secure

In today’s digital environment, where cyber threats are constant, safeguarding sensitive health information is a top priority. At the Centers for Medicare & Medicaid Services (CMS), strong identification and authentication (IA) practices form the foundation of our security program. These measures help ensure that only the right people—and devices—can access our systems, while keeping our data secure and compliant with federal standards.

Identity and Access at CMS

CMS manages a vast network of users and systems. To protect this environment, we rely on Identity and Access Management (IAM), which ensures that every individual has a unique digital identity and that access to information is tightly controlled.

  • Unique Accounts: Every CMS user has their own account, which acts as an electronic signature. Sharing credentials is prohibited, and accounts are monitored for unusual activity.
  • Identity Proofing: Before granting access to sensitive applications, CMS verifies user identity using Remote Identity Proofing (RIDP). This process may occur online, by phone, or in person, and follows federal standards (NIST SP 800-63).

Authentication: Verifying Identity

Authentication means confirming that someone really is who they claim to be before they gain access. CMS uses multiple methods:

  • Passwords: Strong password rules apply across CMS. For privileged accounts, such as system administrators, longer and more complex passwords are required.
  • Multi-Factor Authentication (MFA): MFA is mandatory for accessing CMS systems. Users combine something they know (like a password) with something they have (such as a Personal Identity Verification (PIV) card or a Symantec VIP code).
  • PIV Credentials: In line with Homeland Security Presidential Directive 12 (HSPD-12), CMS requires federal employees and contractors to use government-issued PIV cards to log into systems and facilities securely.
  • Device Authentication: CMS also validates the devices connecting to its network, requiring secure VPN or Virtual Desktop Infrastructure (VDI), up-to-date security patches, and FIPS 140-3 compliant encryption.

Authorization: Controlling Access

Once a user’s identity is confirmed, authorization policies determine what they can do:

  • Least Privilege: Users are given only the access they need to do their jobs.
  • Role-Based Access Control (RBAC): Access is based on roles and responsibilities, ensuring only approved individuals can reach sensitive systems or Controlled Unclassified Information (CUI).

Additional Safeguards

Beyond login credentials, CMS employs layered protections to keep systems secure:

  • Replay Resistance: Authentication processes use encryption and challenge-response methods (like TLS and one-time codes) to block attackers from “replaying” stolen credentials.
  • Re-Authentication: CMS systems require users to re-enter credentials after inactivity, role changes, or suspicious activity, adding another layer of assurance.
  • Cryptographic Protections: CMS uses federally validated (FIPS 140-3) encryption modules and Public Key Infrastructure (PKI) certificates to secure communications and verify identities.
  • External Authenticators: When CMS uses external verification services such as Experian, these must meet NIST standards to ensure consistency and reliability.

Continuous Monitoring and Compliance

Security at CMS is not a one-time event. Ongoing monitoring and reviews ensure accounts remain appropriate and secure:

  • Account Reviews: CMS users must annually certify their access needs and complete required training. Inactive accounts are disabled automatically.
  • Monitoring for Misuse: Security teams continuously track accounts for unusual patterns or unauthorized attempts.
  • Contractor and Public Access: Non-CMS users (such as providers or researchers) must also meet strict identity verification and authentication requirements before being granted access.

Protecting Health Data and Public Trust

By enforcing these IA policies, CMS not only protects sensitive information like Personally Identifiable Information (PII) and Protected Health Information (PHI) but also upholds public trust. Our program is designed to align with federal standards including NIST SP 800-53, NIST SP 800-63, HSPD-12, and FIPS 201-3—ensuring that CMS remains a leader in safeguarding healthcare data.

https://security.cms.gov/policy-guidance/identification-and-authentication-ia



About the publisher

The Information Security and Privacy Policy Team (also known as CMS CISO Team) manages the policies, standards, and guidance that keep information and systems safe at CMS. Our goal is to help you understand requirements and apply them effectively in your project environments – so you can focus on delivering value to CMS beneficiaries and customers.
