We previously published a blog post discussing the new multi-factor authentication (MFA) process for the Medicare Secondary Payer Recovery Portal (MSPRP). For our prior post, please click here. Last week, the Centers for Medicare & Medicaid Services (CMS) issued a document providing additional guidance and background on the Remote Identity Proofing (RIDP) and MFA services. The document can be found here; a summary follows below.
RIDP is the process of validating the information that identifies a user. For RIDP on the MSPRP, CMS uses Experian to verify the user's identity. Experian uses the user's core credentials (the identifying details the user supplies) to locate the user's personal information and to generate a set of verification questions. CMS further states that no personal information provided as part of RIDP is provided to or stored by CMS or the MSPRP; all personal information remains with Experian, which is required by law to retain the data for seven years. Additionally, Experian runs only a "soft check" of the user's credit history, which does not affect the user's credit score. Additional Q&A on the Experian credit-check process is provided in the CMS document.
CMS then explains the MFA process. MFA is an authentication approach that requires the user to present more than one form of credential in order to prove his or her identity. CMS policy specifies that all users who request access to a CMS application with a Level of Assurance (LOA) 3 security rating must be identity proofed to the corresponding LOA 3 standards, which includes the requirement that users be authenticated using MFA. CMS uses Symantec's Validation and Identity Protection (VIP) service to add a layer of protection to the user's online identity; according to CMS, Symantec's VIP uses government-certified technology and techniques to provide the multi-factor authentication. Additional Q&A on the MFA process is also provided in the CMS document.
Franco Signor Commentary: We applaud the implementation of the MFA and RIDP process, because CMS is responsible for protecting the sensitive data housed in its systems, and this process is extremely reasonable considering the alternatives. Many new users of the MFA process were initially surprised to have to provide credit and personal information to log on to the MSPRP. This additional information and guidance from CMS provides insight into the process that was not previously available. However, we remain hopeful that CMS will provide the option for corporate users of the MSPRP to have a corporate user ID rather than an individual user ID, so that entities do not have to require their employees to provide personal and credit information before accessing the MSPRP. There are still many issues and questions to be answered: What happens if a user loses or forgets the PIN provided as part of the MFA process? Would the user have to undergo the process a second time? What is an employer's responsibility to terminate an employee's MSPRP access after the employee separates, and is there a process for this? Lastly, what happens if the employee becomes disabled or dies? We will continue to raise these RIDP and MFA questions with CMS through the MARC organization.
Heather Schwartz Sanderson, Esq., MSCC, CHPE, CLMP, CMSP
Chief Legal Officer