| # |
Form |
Change |
Current Location |
Reason |
| 1 |
Supporting Statement - Part A |
Title updated from "CMS Enterprise Identity Management System (EIDM)" to "CMS Identity Management (IDM) System" |
All sections of application |
New system name |
| 2 |
Supporting Statement - Part A |
Added CMS "on-premise model" to "cloud-based" model language directly after the introduction and explanation of EIDM and what its functions were. |
p. 1 - Second paragraph |
Provides reasoning for the migration to IDM and the intent to provide similar identity management services to EIDM. |
| 3 |
Supporting Statement - Part A |
Changed ""EIDM service provides the following functions", IDM service will provide the following functions" |
p. 1 - Third paragraph |
Document discusses what IDM intends to do once fully migrated from EIDM. |
| 4 |
Supporting Statement - Part A |
Under "IDM service will provide the following functions" and "Authentication Service", language regarding the use of Symantec for MFA is replaced with Okta’s cloud Identity as a Service (IDaaS) |
p. 1 - §A2 |
Change of service provider within the contract |
| 5 |
Supporting Statement - Part A |
Under "IDM service will provide the following functions", "Authorization Service" is changed to "Identity Governance and Administration Services" |
p. 1 - §A3 |
Indicates the implementation of Identity Governance and Administration (IGA) services within the new contract. |
| 6 |
Supporting Statement - Part A |
Under "IDM service will provide the following functions", "Identity Governance and Administration Services" (formerly "Authorization Service"), language is added to speak to the leveraging of Saviynt for their cloud Identity Governance and Administration as a Service (IGAaaS). |
p. 1 - §A4 |
Change of service provider within the contract. |
| 7 |
Supporting Statement - Part A |
Added language to indicate the system's projected go-live date and reason for non-substantive change request. |
p. 2 |
Technical detail |
| 8 |
Supporting Statement - Part A |
Changed "Experian RIDP services" to "Experian Precise ID RIDP services" |
§B2: Information Users, p. 4 |
Specific service name |
| 9 |
Supporting Statement - Part A |
Changed "The user will also be required to select three knowledge based authentication questions and provide a corresponding answer to the question" to "The user will also be required to select one (1) knowledge based authentication question and provide a corresponding answer to the question" |
§B2, Phase 1: Information Users, p. 5 |
Process change |
| 10 |
Supporting Statement - Part A |
Added "Additionally, the user’s full SSN will ne collected at this time." |
§B2, Phase 3: Information Users, p. 5 |
Process change |
| 11 |
Supporting Statement - Part A |
Changed "The CMS EIDM system will prompt the user to register an MFA device type from the list provided (e.g., phone, computer, email, SMS) and then the user will need to input the Credential ID they receive in order to complete MFA device registration." to "Email is automatically setup as the default MFA Factor for all users required to login with MFA. No further action is necessary by users to setup email as their MFA Factor. Users may add other MFA Factors by selecting Manage/View MFA from the My Profile menu page." |
§B2, Phase 4: Information Users, p. 5 |
Process change |
| 12 |
Supporting Statement - Part A |
Deleted "CMS identified twenty (20) potential shared services that could save up to $2.3 billion in development and operational costs over a 5-year period. EIDM was identified as one of the initial shared services to be implemented by CMS. EIDM is a suite of web-based services that supports organizational and non-organizational users. The user identification and authentication process requires the electronic submission of responses, and the data collected resides in a protected environment to mitigate or avoid the risk of data leakage in the event of a security breach. " |
§B3: Use of Information Technology, p. 5 |
Not relevant or applicable to this package |
| 13 |
Supporting Statement - Part A |
Under "IDM will save money and reduce operational burden by creating a single centralized identity and access management system that will be used by the entire agency. IDM should:", deleted "7. Reduce cost by becoming a relying party of FICAM certified credential providers;' |
§B3: Use of Information Technology, p. 6 |
Not relevant or applicable to this package |
| 14 |
Supporting Statement - Part A |
Under "Duplication of Efforts", deleted "Similar systems in CMS were examined in effort to determine whether information already being collected could be used for IDM. These other systems did not identity proof users to meet National Institute of Standards and Technology (NIST) standards and did not collect sufficient information that would support identity proofing to those standards. Information from other Identity and Access Management (I&AM) systems will be migrated into IDM, as appropriate." |
§B4: Duplication of Efforts, p. 6 |
Not relevant or applicable to this package |
| 15 |
Supporting Statement - Part A |
Under "Burden Estimates," average response time was changed to 20 minutes and the number of users who respond to the information collection was changed to 560,000. Additionally, the hourly wages of respondents were adjusted to reflect the updated Bureau of Labor and Statistics Occupational and Employment Datafor 2018. |
§B12: Burden and Estimates (Hours & Wages), p. 11 |
Increase in hourly wage means and an error in previous estimates for respondents and average response time. Provided justification for the changes made within Burden Estimates section. |
| 16 |
Supporting Statement - Part A |
Under "Cost to Federal Government", amounts and services were updated to reflect the current contracts within IDM. |
§B14: Cost to Federal Government, p. 11 |
Updated contract options |
| 17 |
Supporting Statement - Part A |
Under "Changes to Burden", added "In transitioning from EIDM to IDM, we estimate the total burden for end-user account registration in IDM to be 186,000 hours annually (560,000 respondents x 20 min. per response / 60 min.). There is, however, an increase to the annual cost burden, due to the increase in the mean hourly wages of our anticipated users. Based on the most recent Bureau of Labor and Statistics Occupational and Employment Data May 2018 (updated on 4/2/2019) for Category 43-0000 (Office and Administrative Support Occupations), the mean hourly wage for an administrative staff increased from $18.83 to $19.93, and for Category 29-0000 (Healthcare Practitioners and Technical Occupations), the mean hourly wage for a healthcare practitioner increased from $40.18 to $42.55. This has caused an overall total annual cost increase of 7.91% from $7,676,941 to $8,284,281." |
§B15: Changes to Burden, p. 12 |
Provided justification for the changes made within Burden Estimatessection. |
| 18 |
Supporting Statement - Part A |
Under "Expiration Date", added "The approved OMB Control No. (0938-1236) for this package is listed on the CMS.gov Enterprise Portal Terms and Conditions link, with an expiration date of 3/31/2021." |
§B17: Expiration Date, p. 13 |
Provided information regarding the status of the currently approved PRA package. |
| 19 |
Supporting Statement - Part A |
Under "Certification Statement", added "This ICR does not contain surveys, censuses, or employ statistical methods; is not intended to be a Privacy Impact Assessment (PIA) required by the E-Government Act of 2002; and is not related to the Dodd-Frank Act (Dodd-Frank Wall Street Reform and Consumer Protection Act, P.L. 111-203), as referenced in the certification statement identified in Item 19, "Certification for Paperwork Reduction Act Submissions," of OMB Form 83-I. This ICR is however related to the American Recovery and Reinvestment Act of 2009 (ARRA) and the Affordable Care Act [PPACA, P.L. 111-148 & 111-152] (Healthcare Reform), as described in Section A of this document." |
§B18: Expiration Date, p. 13 |
Provided information to comply with PRA guidance language for this section |