March of DIMES: Keeping IDM a Step Ahead
It never hurts to be ahead of the curve. That was the case for the Division of Identity Management Enterprise Systems (DIMES), which ushered the Identity Management system (IDM) through its first Authorization to Operate (ATO) under the latest Acceptable Risk Safeguards (ARS).
This achievement marks a milestone in CMS's quest to enhance the security, access, and management of digital identities. Doing so is a critical precondition for the agency to fulfill its mission essential functions of providing consistent access to quality care for beneficiaries and ensuring timely payment of claims.
The CMS ARS is based on several sources of federal guidance, including the National Institute of Standards and Technology’s (NIST) Digital Identity Guidelines (Special Publication 800-63) and the federal directives that mandate Zero Trust principles.
Because IDM migrated to a new control set in September 2022, DIMES, which is part of the Enterprise Systems Solutions Group (ESSG), had a head start on building an ATO package for a reauthorization assessment in January 2023. But DIMES was already way out in front of federal mandates, having implemented multifactor authentication (MFA) for all CMS IDM-integrated applications by May 2022.
IDM is an enterprise shared service with business owners in every CMS office. It supports over 400 integrated CMS applications, offering a suite of core services that include authentication, MFA, authorization, identity proofing, help desk services, and reporting, along with multiple user interfaces. Users of the IDM system include over 800,000 healthcare providers and millions of Health Insurance Marketplace consumers.
“Migrating over to the new control set was the biggest challenge,” says DIMES ISSO Robert Martell. “It required significant effort from the ISPG CFACTS (CMS FISMA Continuous Tracking System) team.
“Once we migrated controls, we needed to make sure they were marked appropriately – that they were consistent with all security and privacy standards. When that was done, DIMES crafted implementation details like new security documents.”
Martell credits human-centered design specialists with mocking up, testing, and iterating user interfaces to integrate updates as seamlessly as possible.
Among the IDM changes that users will notice are the new password guidelines, which follow the NIST Digital Identity Guidelines. Passwords no longer expire and no longer require special characters, but the minimum length rises to 15 characters.
Forced periodic rotation tends to produce weaker, predictable passwords (small variations on the previous one), so dropping it and raising the minimum length is a net gain. A 15-character password of only lower-case letters has 26^15, roughly 1.7 × 10^21, possible values. Exhausting that space at about two trillion guesses per second, the rate an attacker might reach offline against a stolen database of fast-hashed passwords, would take about 25 years; against an online login, which IDM additionally protects with MFA, the attacker's rate is orders of magnitude lower. That estimate covers exhaustive search only: a dictionary word or common phrase of the same length falls much faster, which is why the extra length should come from something genuinely unpredictable.
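The following is an added example, not CMS or IDM code, showing a password check in the style the article describes (15-character minimum, no composition rules, no forced expiry) alongside the keyspace arithmetic behind the "25 years" figure. The 64-character maximum, the guess rate of two trillion per second, and the tiny blocklist are assumptions for illustration; a real deployment would screen against a large breached-password list and tune the rate to its own threat model.

```python
import math

# Added example (not CMS/IDM code). Policy values: MIN_LENGTH comes from the
# article; MAX_LENGTH is an assumption (NIST SP 800-63B asks verifiers to
# accept at least 64 characters).
MIN_LENGTH = 15
MAX_LENGTH = 64

# Assumption: a production deployment screens candidates against a large list of
# breached or commonly used passwords; this constructed list only shows the check.
BLOCKLIST = {"password", "passwordpassword", "qwertyuiopasdfg"}

# Assumption: roughly the offline guess rate implied by the article's figure
# (a stolen database of fast, unsalted hashes attacked with many GPUs).
OFFLINE_GUESSES_PER_SECOND = 2e12

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def check_password(candidate: str) -> list[str]:
    """Return the list of policy violations; an empty list means acceptable.

    Deliberately has no 'must contain a digit or special character' rule and
    no expiry date, matching the length-over-complexity approach described.
    """
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(candidate) > MAX_LENGTH:
        problems.append(f"longer than {MAX_LENGTH} characters")
    # Long passwords can still be terrible: a known-bad value passes the
    # length rule but is rejected here.
    if candidate.lower() in BLOCKLIST:
        problems.append("appears in the blocklist of known-bad passwords")
    return problems


def keyspace(length: int, alphabet_size: int) -> int:
    """Number of distinct passwords of exactly `length` symbols drawn from an
    alphabet of `alphabet_size` symbols (exact integer arithmetic)."""
    return alphabet_size ** length


def years_to_exhaust(length: int, alphabet_size: int,
                     guesses_per_second: float) -> float:
    """Worst-case years to try every password in the keyspace at the given rate.
    Covers exhaustive search only; dictionary attacks ignore this bound."""
    seconds = keyspace(length, alphabet_size) / guesses_per_second
    return seconds / SECONDS_PER_YEAR


def compare_policies(guesses_per_second: float = OFFLINE_GUESSES_PER_SECOND) -> dict:
    """Old-style 8-character password with all 95 printable ASCII symbols versus
    the new 15-character minimum using only the 26 lower-case letters."""
    return {
        "old_8_char_full_charset_years": years_to_exhaust(8, 95, guesses_per_second),
        "new_15_char_lowercase_years": years_to_exhaust(15, 26, guesses_per_second),
        "bits_old": math.log2(keyspace(8, 95)),
        "bits_new": math.log2(keyspace(15, 26)),
    }


if __name__ == "__main__":
    for pw in ("Tr0ub4dor&3", "passwordpassword", "correct horse battery"):
        print(f"{pw!r}: {check_password(pw) or 'OK'}")
    for name, value in compare_policies().items():
        print(f"{name}: {value:,.2f}")
```

Running the script shows why the policy trades complexity for length: the 8-character mixed-symbol space (about 52.6 bits) is exhausted in under an hour at the assumed rate, while the 15-lower-case-letter space (about 70.5 bits) takes a little over 25 years.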
As is always the case with cybersecurity, there’s no rest for the weary. Even newer standards are already coming down the pike, but DIMES, along with other divisions across OIT, is proactively helping to shape them.
“ESSG teamed with IUSG, the Office of Communications, and ISPG to respond as an agency during the public comment period for NIST’s new Digital Identity Guidelines (Special Publication 800-63-4),” says DIMES Director Kristen Bruscha. “That collaboration was crucial because it’s very important for us to speak with one voice when responding to federal agencies that develop standards that impact our products and services.”
DIMES has already developed, and received approval from the CMS CISO and CIO for, a Risk Based Alternative remote identity proofing solution based on NIST guidelines. Those guidelines are phasing out knowledge-based verification, commonly called knowledge-based authentication or “out of wallet” questions (e.g., “What year did you purchase your home?”), because the answers are often available to attackers from data breaches and public records.
Martell and Bruscha both credit the DIMES Agile teams with facilitating collaboration and delivery.
“Changes that used to take months to get to end users, we can now get out in a couple weeks,” Martell says.
“That level of efficiency,” adds Bruscha, “allows us to anticipate and not just react because we made this a priority within our IDM Strategic Plan.”