New policy guidance: Identification and Authentication (IA)

A new informational guide is published for the IA control family, provided by the CMS Information Security and Privacy Program.

Published on: 9/26/2025

New guidance for IA

A new guidance page is published for the Identification and Authentication (IA) control family, to help system teams at the Centers for Medicare & Medicaid Services (CMS) meet requirements from the CMS Acceptable Risk Safeguards (ARS). The IA control family from NIST SP 800-53 helps organizations prevent unauthorized access to information systems by verifying the identity of users, processes, and devices before access is granted.

Read the informational guide for Identification and Authentication (IA).

This new page joins the growing collection of policy guidance provided by CMS to help everyone follow the requirements of the ARS. The former Risk Management Handbook (RMH) chapters are being replaced by informational guides from the Policy team.

Why IA matters at CMS

In today’s digital environment where cyber threats are constant, safeguarding sensitive health information is a top priority. At CMS, strong identification and authentication (IA) practices are the foundation of our security program. These measures help ensure that only the right people—and devices—can access our systems, while keeping our data secure and compliant with federal standards.

By enforcing these IA policies, CMS protects sensitive data such as Personally Identifiable Information (PII) and Protected Health Information (PHI) and upholds public trust. The program is designed to align with federal standards, including NIST SP 800-53, NIST SP 800-63, HSPD-12, and FIPS 201-3, so that CMS remains a leader in safeguarding healthcare data.

What you’ll find in the IA guide

The new guidance page for Identification and Authentication includes CMS-specific practices for IA. Topics include:

Identity and access

CMS manages a vast network of users and systems. To protect this environment, we rely on Identity and Access Management (IAM), which ensures that every individual has a unique digital identity and that access to information is tightly controlled.

Authentication

Authentication means confirming that someone really is who they claim to be before they gain access. CMS uses strong passwords, multi-factor authentication, Personal Identity Verification (PIV) credentials, and device authentication as part of its authentication practices.

Authorization

Once a user’s identity is confirmed, authorization policies determine what they can do. CMS uses strategies like Least Privilege and Role-Based Access Control (RBAC) to ensure that the right people have access to the right amount of information. Learn more about these strategies on the IA guidance page.

Additional safeguards

Beyond login credentials, CMS employs layered protections to keep systems secure, including replay resistance, re-authentication, cryptographic protections, and external authenticators. Learn more about all of these tactics on the IA guidance page.

Continuous monitoring

Security at CMS is not a one-time event. Ongoing monitoring and reviews ensure accounts remain appropriate and secure.

Questions?

If you have questions or need help regarding policy or guidance information, you can contact the Policy team:

Give feedback

We welcome your feedback on the security guidance provided by the CMS Information Security and Privacy Program. Use our feedback form if you have suggestions or comments about the new IA page.


About the publisher

The Information Security and Privacy Policy Team (also known as CMS CISO Team) manages the policies, standards, and guidance that keep information and systems safe at CMS. Our goal is to help you understand requirements and apply them effectively in your project environments – so you can focus on delivering value to CMS beneficiaries and customers.
