IDM Password Policy Update

IDM Password Policy Change

IDM has begun the process of updating our password policy across all environments.  This is being done in order to comply with CMS’ ARS 5.0 requirements.  The updates consist of the following changes, which are being implemented in two parts:

1. Phase 1: Password minimum length will be set to 15 characters, the use of special characters will be optional, users will be prevented from reusing any of their 6 previous passwords
2. Phase 2: Passwords will become permanent and non-expiring. As long as the account remains active the user will never have to reset their password ever again

Active Accounts in IDM

Please note that applications should mindful that CMS ARS AC-02(03)(b) requires inactive accounts be disabled within 60 days for moderate systems.  IDM is a Moderate system and so we must comply with this requirement.

IDM provides this inheritable control to all of our downstream applications by expiring the passwords of all accounts after 60 days without any login activity from the user.  IDM does provide users with a self-service procedure to reenable their account by resetting their password themselves.  Additionally, users can contact their T1 Help Desk to request a password reset.  Once a user whose account has been disabled due to inactivity resets their password, their account will automatically be reenabled. 

As long as a user logs into IDM once every 60 days their password will never expire once Phase 2 is deployed to IDM Production.  The only way that a user’s password will expire is if they do not log into IDM for more than 60 days.  If that scenario occurs, the user will be prompted to reset their password the next time they login.  The user can do that themselves via IDM’s self-service password reset functionality, or they can contact their Tier 1 Help Desk to have a Help Desk representative reset their password for them.  Either way, once the password has been reset the user will regain access to their account.  Application teams should be mindful of this as they may see a spike in users contacting their T1 Help Desk once we begin the deployment of these changes.

Password Policy Communications

The IDM Team will be communicating these changes to Business Owners and System Maintainers through email and GovDelivery. Additionally, onscreen notifications are live in all IDM environments to educate end users of the coming changes.

IDM Password Requirements

Once the updated password policy is implemented, all IDM passwords:

• Must be 15 characters long
• Cannot be longer than 60 characters
• Must contain 1 uppercase letter
• Must contain 1 lowercase letter
• Must contain 1 number
• Can include special characters, however usage is optional
  • The following special characters are acceptable: " ! # $ % & ’ ( ) * + , - . / \ : ; < = > ? @ [ ] ^ _ ` { | } ~
• Cannot contain parts of the User ID
• Cannot contain the user’s First or Last Name that they used to register their account
• Can only be changed by the user once per 24 hours
  • If a user requires a second password change within a 24-hour period, then they must contact their Tier 1 Help Desk for assistance
• Must be different from the last 6 passwords used

IDM Password Change Timeline

These changes are being implemented in two phases.  IDM’s deployment strategy is to set the minimum length to 15 characters, make special characters optional, and disallow the use of the previously used six passwords in Phase 1.  Then, build-in a 60-day window for passwords to expire naturally before we make passwords permanent and non-expiring in Phase 2.

Our goal is for users to trigger the current 60-day password threshold once so that they’re only required to reset their password to meet the new requirements one time.  Then, IDM will institute the Phase 2 change to make passwords non-expiring and permanent.

Phase 1 changes will be deployed to IDM on Monday, April 24^th.  The first time that users will experience this change in IDM’s Production environment will be on Tuesday, April 25^th. Phase 2 will be deployed on or around the end of June, 2023.