IDM Password Policy Update

IDM Password Policy

Active Accounts in IDM

CMS' Acceptable Risk Safeguard (ARS) AC-02(03)(b) requires that inactive accounts be disabled within 60 days for Moderate systems. Since IDM is a Moderate system, we must comply with this requirement.

IDM provides this inheritable control to all of our downstream applications by expiring the password of any individual account that has had no login activity from the user for 60 days. IDM provides users with a self-service procedure to re-enable their account by resetting their password themselves. Alternatively, users can contact their Tier 1 Help Desk to request a password reset. Once a user whose account has been disabled due to inactivity resets their password, their account is automatically re-enabled.

As long as a user logs into IDM once every 60 days, their password will never expire in IDM Production. The only way that a user's password will expire is if they do not log into IDM for more than 60 days. If that scenario occurs, the user will be prompted to reset their password the next time they log in. The user can do that themselves via IDM's self-service password reset functionality, or they can contact their Tier 1 Help Desk to have a Help Desk representative reset their password for them. Either way, once the password has been reset the user will regain access to their account.
IDM Password Requirements

All IDM passwords:

  • Must be at least 15 characters long
  • Cannot be longer than 60 characters
  • Must contain at least 1 uppercase letter
  • Must contain at least 1 lowercase letter
  • Must contain at least 1 number
  • Can include special characters, however their use is optional
    • The following special characters are acceptable: " ! # $ % & ' ( ) * + , - . / \ : ; < = > ? @ [ ] ^ _ ` { | } ~
  • Cannot contain parts of the User ID
  • Cannot contain the First or Last Name the user registered their account with
  • Can only be changed by the user once per 24 hours
    • If a user requires a second password change within a 24-hour period, they must contact their Tier 1 Help Desk for assistance
  • Must be different from the last 6 passwords used
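
The following validator is an added example, not IDM's or CMS' own code, that enforces the rules in the list above as a single check so the interplay between them (length, character classes, allowed specials, User ID and name exclusion, 6-password history, and the 24-hour change interval) can be tested on realistic input. It makes three assumptions the page does not spell out: "parts of the User ID" is read as any run of 3 or more characters from the User ID, characters outside letters, digits and the listed specials are rejected, and the password history is stored as salted PBKDF2 hashes rather than plaintext.

```python
"""Validator for the IDM password rules listed above (added example, assumptions noted)."""
import hashlib
import hmac
import os
from datetime import datetime, timedelta, timezone

MIN_LEN, MAX_LEN = 15, 60
HISTORY_DEPTH = 6                      # "different from the last 6 passwords used"
CHANGE_INTERVAL = timedelta(hours=24)  # "once per 24 hours"
USER_ID_FRAGMENT = 3                   # assumption: "parts of the User ID" = any 3+ char run
# Special characters the page lists as acceptable (ASCII apostrophe, not a curly one).
ALLOWED_SPECIALS = set("\"!#$%&'()*+,-./\\:;<=>?@[]^_`{|}~")


def hash_password(password: str, salt: bytes = b"") -> tuple:
    """Salted PBKDF2-SHA256 so the password history never holds plaintext (assumed scheme)."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)
    return salt, digest


def in_history(password: str, history: list) -> bool:
    """True if the password equals any of the last HISTORY_DEPTH stored (salt, digest) entries."""
    for salt, digest in history[-HISTORY_DEPTH:]:
        if hmac.compare_digest(hash_password(password, salt)[1], digest):
            return True
    return False


def user_id_fragments(user_id: str) -> set:
    """Case-folded substrings of the User ID that a password must not contain."""
    uid = user_id.casefold()
    return {uid[i:i + USER_ID_FRAGMENT] for i in range(len(uid) - USER_ID_FRAGMENT + 1)}


def validate_password(password, user_id, first_name, last_name,
                      history=(), last_changed=None, now=None):
    """Return the list of rule violations; an empty list means the password is acceptable."""
    now = now or datetime.now(timezone.utc)
    errors = []
    if not MIN_LEN <= len(password) <= MAX_LEN:
        errors.append(f"length must be between {MIN_LEN} and {MAX_LEN} characters")
    if not any(c.isupper() for c in password):
        errors.append("needs at least one uppercase letter")
    if not any(c.islower() for c in password):
        errors.append("needs at least one lowercase letter")
    if not any(c.isdigit() for c in password):
        errors.append("needs at least one number")
    # Assumption: anything that is not an ASCII letter/digit or a listed special is rejected.
    bad = {c for c in password if not (c.isascii() and c.isalnum()) and c not in ALLOWED_SPECIALS}
    if bad:
        errors.append("contains characters outside the allowed set: " + "".join(sorted(bad)))
    folded = password.casefold()
    if any(frag in folded for frag in user_id_fragments(user_id)):
        errors.append("contains part of the User ID")
    for label, name in (("first", first_name), ("last", last_name)):
        if name and name.casefold() in folded:
            errors.append(f"contains the user's {label} name")
    if in_history(password, list(history)):
        errors.append(f"matches one of the last {HISTORY_DEPTH} passwords")
    if last_changed is not None and now - last_changed < CHANGE_INTERVAL:
        errors.append("password was already changed within the last 24 hours")
    return errors


if __name__ == "__main__":
    # Constructed sample account: two prior passwords in the hashed history.
    history = [hash_password("Old-Password-Number1"), hash_password("Old-Password-Number2")]
    for candidate in ("Correct-Horse-Battery-9", "Short1A", "Old-Password-Number2",
                      "MyLoginIsjdoe42!!", "Correct Horse Battery 9"):
        print(repr(candidate), "->", validate_password(candidate, "jdoe42", "Jane", "Doe", history) or "OK")
```

Returning every violated rule at once, rather than stopping at the first, matches what a user or Help Desk representative needs to see; the history comparison uses a constant-time digest check so the stored hashes are the only thing the validator ever compares against.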

Page Last Modified: 09/19/2024 11:51 AM