Changes to RDS Secure Website Password Rules

User Roles: AM, AR, AC, D

Program Components:

The Centers for Medicare & Medicaid Services (CMS) Retiree Drug Subsidy (RDS) Program has changed its policy regarding RDS Secure Website user account password resets. To give users more flexibility to manage user accounts and avoid inconvenience caused by locked user accounts, CMS’ RDS Center has increased the number of password resets allowed each day.

What is the new password reset policy?

When a user enters Login information incorrectly (i.e., invalid Login ID, Password, and/or MFA token), CMS’ RDS Center is still prohibited by Federal Security Regulations from identifying which login requirements were entered incorrectly. If you have three (3) consecutive failed login attempts, your account will lock, and you must change your password. This functionality has not changed.

Under the new policy, passwords can be changed five (5) times in a 24-hour period. Previously, only one (1) password change per day was allowed.

Please note, however, that if a user changes their password the maximum five (5) times and then locks their account again on the same day, the user cannot change their password to unlock their account until 24 hours have passed. CMS' RDS Center cannot unlock user accounts.

Furthermore, RDS policies regarding password format, password reserved words, and Multi-Factor Authentication (MFA) for RDS user accounts have not changed. As such, CMS’ RDS Center recommends resetting MFA on your device before attempting to log in with a new password and before making three (3) login attempts.

Want to learn more?

In addition to this announcement, CMS’ RDS Center has updated the RDS Public Website, Common Questions, Quick Start Guides, RDS User Guide, and Technical Articles to help educate users about the new password reset policy.

Thank you for your continued participation in the RDS Program.