Skip to main content

Changes to RDS Secure Website Password Rules

User Roles:





Program Components:

User Management

The Centers for Medicare & Medicaid Services (CMS) Retiree Drug Subsidy (RDS) Program has changed our policy regarding RDS Secure Website user account password resets. To give users more flexibility to manage user accounts and avoid inconvenience caused by locked user accounts, CMS’ RDS Center has increased the number of password resets allowed each day.

What is the new password reset policy?

When a user enters Login information incorrectly (i.e., invalid Login ID, Password, and/or MFA token), CMS’ RDS Center is still prohibited by Federal Security Regulations from identifying which login requirements were entered incorrectly. If you have three (3) consecutive failed login attempts, your account will lock, and you must change your password. This functionality has not changed.

Under the new policy, passwords can be changed five (5) times in a 24-hour period. Previously, only one (1) password change per day was allowed.

Please note however that if a user changes their password the maximum five (5) times and then locks their account again on the same day, the user cannot change their password to unlock their account until 24 hours have passed. CMS' RDS Center cannot unlock user accounts.

Furthermore, RDS policies regarding password format, password reserved words, and Multi-Factor Authentication (MFA) for RDS user accounts have not changed. As such, CMS’ RDS Center recommends resetting MFA on your device before attempting to log in with a new password and before making three (3) login attempts.

Want to learn more?

In addition to this announcement, CMS’ RDS Center has updated the RDS Public Website, Common Questions, Quick Start Guides, RDS User Guide, and Technical Articles to help educate users about the new password reset policy.

Thank you for your continued participation in the RDS Program.  

Page last updated: