Accessing Your RDS Secure Website User Account

Maintaining access to your RDS Secure Website user account is critical to ensuring your Plan Sponsor meets its Application and Reconciliation Deadlines and experiences all the benefits of participating in RDS. Consequently, it’s important to understand scenarios related to accessing your account. Review the following information to learn about some of the most common user access scenarios reported to CMS’ RDS Center.

• Scenario 1: I just completed registration. However, when I try to log in, I receive a message that my Login ID is not active.
• Scenario 2: I locked my account and changed my password to unlock it. The system is still telling me my credentials aren’t valid. What do I do so I don’t lock my account again?
• Scenario 3: I changed my password today, but I’ve forgotten it and locked my user account.
• Scenario 4: I’m trying to reset my password, but I’m receiving a message that the information I entered doesn’t match CMS’ RDS Center’s records.
• Scenario 5: I’m trying to enable my user account and can’t find my “RDS Secure Website User Account Disabled” email. I’ve clicked the link to re-send the email, but I haven’t received it.
• Scenario 6: A Plan Sponsor is attempting to invite me to a new user role but is receiving a message that I can’t be assigned because I’m already assigned a different role.
• Scenario 7: I’ve been assigned a new RDS Secure Website user role, but I can’t log in with the Login ID and password I created for my previous role.
• Contacting CMS' RDS Center About Access Issues

Scenario 1: I just completed registration. However, when I try to log in, I receive a message that my Login ID is not active.

When a user completes registration in the RDS Secure Website, the information supplied must be validated by CMS’ RDS Center. Login ID activation is not immediate. It can take up to 48 hours for registration information to be verified. Once the information is verified, the user receives an email that he/she has been approved and may activate Multi-Factor Authentication (MFA). Once MFA has been activated, the user may log in to the RDS Secure Website immediately.

Note: A text-enabled device is any device that has the capability to receive text (SMS) messages for user account management purposes, such as one-time tokens for Multi-Factor Authentication (MFA) and notifications for request forgotten Login ID, reset password, and enable account.

Scenario 2: I locked my account and changed my password to unlock it. The system is still telling me my credentials aren’t valid. What do I do so I don’t lock my account again?

Ensure you are carefully typing your new password exactly as it was created. Ensure your caps lock is not enabled. 

Pay close attention to which MFA code you are entering. If you have multiple MFA entries in your Google Authenticator app used for other websites, ensure you are entering the code associated with your RDS Secure Website account.

When a user enters Login information incorrectly (i.e., invalid Login ID, Password, and/or MFA token), CMS’ RDS Center is prohibited by Federal Security Regulations to identify which login requirements were entered incorrectly. If your user account becomes locked after three consecutive failed login attempts, you will be forced to change your password. 

Reminder: Passwords can be changed five (5) times in a 24-hour period. If a user changes their password the maximum five (5) times and then locks their account again on the same day, the user cannot change their password to unlock their account until 24 hours have passed. CMS' RDS Center cannot unlock user accounts.  

CMS’ RDS Center recommends resetting MFA for your mobile device before attempting to log in with a new password and before using all three of your login attempts. CMS’ RDS Center cannot circumvent the Federal Security Regulations enforcing password requirements.

Due to these security restrictions, the 24 hours IMMEDIATELY PRECEDING a deadline can be very difficult to obtain remediation regarding account login issues, potentially resulting in a missed deadline and possible loss of subsidy. CMS’ RDS Center strongly encourages all Plan Sponsors to complete your application submissions in advance of your Application Deadlines and Reconciliation Deadlines. Please don’t wait until the last minute to submit your applications! 

CMS’ RDS Center’s official means of communication with the Plan Sponsor community is through email at RDS@cms.hhs.gov. Registered Secure Website users may use the Support Request feature to receive guidance on frequently asked questions or to submit inquiries to the RDS Center. A response to your inquiry shall be provided within 24 business hours from when it was received by CMS’ RDS Center; support is not guaranteed the same business day. When an inquiry is sent to the RDS Center during weekends or holidays, a response shall be provided within 24 business hours from the start of the next business day following receipt of the inquiry. 

Waiting until the last day of your deadline can put your subsidy at risk! 

Scenario 3: I changed my password today, but I’ve forgotten it and locked my user account.

For security reasons, passwords can be changed five (5) times in a 24-hour period. If a user changes their password the maximum five (5) times and then locks their account again on the same day, the user cannot change their password to unlock their account until 24 hours have passed. CMS' RDS Center cannot unlock user accounts. 

When a user enters Login information incorrectly (i.e., invalid Login ID, Password, and/or MFA token), CMS’ RDS Center is prohibited by Federal Security Regulations to identify which login requirements were entered incorrectly. If your user account becomes locked after three consecutive failed login attempts, you will be forced to change your password. 

Due to these security restrictions, the 24 hours IMMEDIATELY PRECEDING a deadline can be very difficult to obtain remediation regarding account login issues, potentially resulting in a missed deadline and possible loss of subsidy. Contact CMS’ RDS Center as soon as possible to remediate your account issue.

Scenario 4: I’m trying to reset my password, but I’m receiving a message that the information I entered doesn’t match CMS’ RDS Center’s records.  

During the process of resetting your password, you are asked to provide your Social Security Number, date of birth, and email address on the Validate Person Information page in the RDS Secure Website. If you have verified that you entered the correct Social Security Number and date of birth, consider the email address you entered. When supplying this information, ensure that you enter the email address that is on record with CMS’ RDS Center, or the RDS Secure Website will not recognize your information.

If your email address has changed, you are encouraged to update it once you log in. User information such as email address is updated using the Manage User Information link in the RDS Secure Website. If you no longer have access to the email address on record with RDS, send an email to RDS@cms.hhs.gov to request assistance from CMS’ RDS Center. CMS’ RDS Center will flag your account so that you will be prompted to verify and update your email address to your current address when you try to log in.

Scenario 5: I’m trying to enable my user account and can’t find my “RDS Secure Website User Account Disabled” email. I’ve clicked the link to re-send the email, but I haven’t received it.

The “RDS Secure Website User Account Disabled” email is sent to your email address on record with CMS’ RDS Center. Notifications are also sent via text (SMS) message if you provided a text-enabled device number to CMS' RDS Center. If you no longer have access to that email address, send an email to RDS@cms.hhs.gov to request assistance from CMS’ RDS Center. CMS’ RDS Center will flag your account so that you will be prompted to verify and update your email address to your current address when you try to log in. After you have updated your email address, you can proceed with enabling your user account.

Note: Ensure that messages sent from RDS email addresses are not blocked by any SPAM filters or Blocked Senders Lists.

Scenario 6: A Plan Sponsor is attempting to invite me to a new user role but is receiving a message that I can’t be assigned because I’m already assigned a different role.

The RDS Secure Website allows an individual to act in only one role at a time. In order for you to be assigned a different role, you must first be removed as a user from all Plan Sponsor accounts or applications, depending on your role. For an Account Manager or an Authorized Representative to be assigned a different role, that user must be removed from all Plan Sponsor accounts. For a Designee to be assigned a different role, the user must be deleted from all applications. Essentially, you must be expired from that role. After you have been removed from your previous role, the Plan Sponsor should wait one day before attempting to invite you to a new role.

Note: If neither the Account Manager nor the Authorized Representative is available to remove you from a Plan Sponsor account or application, please contact CMS’ RDS Center for assistance.

Scenario 7: I’ve been assigned a new RDS Secure Website user role, but I can’t log in with the Login ID and password I created for my previous role.

When you have been assigned to a new user role, you must once again complete registration in the RDS Secure Website and be approved in your new role. During the registration process, you will create a new Login ID and password and activate MFA for your new account.

Contacting CMS’ RDS Center About Access Issues

When requesting assistance from CMS’ RDS Center regarding account access issues, please keep the following things in mind:

• To best assist users with access issues, CMS’ RDS Center must work directly with that individual. Involving a third party to contact CMS’ RDS Center on behalf of another individual can delay resolving the issue.
• If you receive an error message while attempting to log in, please provide CMS’ RDS Center with the exact text of the error message.
• Do not include sensitive information such as Social Security Number and date of birth in communications to CMS’ RDS Center.
• For security reasons, passwords can be changed five (5) times in a 24-hour period. If a user changes their password the maximum five (5) times and then locks their account again on the same day, the user cannot change their password to unlock their account until 24 hours have passed. CMS' RDS Center cannot unlock user accounts.
• When a user enters Login information incorrectly (i.e., invalid Login ID, Password, and/or MFA token), CMS’ RDS Center is prohibited by Federal Security Regulations to identify which login requirements were entered incorrectly.
• A response to your inquiry shall be provided within 24 business hours from when it was received by CMS’ RDS Center; support is not guaranteed the same business day. When an inquiry is sent to the RDS Center during weekends or holidays, a response shall be provided within 24 business hours from the start of the next business day following receipt of the inquiry. 

Remember: Protect yourself—do not share your login information. It is a violation of Federal law to share or transfer user accounts or login and password information.

If CMS’ RDS Center detects suspicious activity with a user account, the account will be deactivated until the security issue is resolved. This can delay completing important RDS Secure Website tasks and jeopardize deadlines.