Program Components:
This section provides an overview of RDS Secure Website user registration.
- Introduction to User Registration
- Security Questions
- Login ID Requirements
- Password Requirements – New and Changed or Forgotten Passwords
- Information for New Users
Introduction to User Registration
All Retiree Drug Subsidy (RDS) participants must complete Registration to access the RDS Secure Website (SWS). The Registration process requires a user to enter personal information and create a Login ID and Password. CMS' RDS Center sends an email confirming the activation of the user's Login ID and Password within 48 hours after the Registration process is completed. Updated Federal security policies also require that each RDS Secure Website account must activate Multi-Factor Authentication (MFA) prior to accessing the RDS Secure Website. Refer to Multi-Factor Authentication for more information, as well as step-by-step instructions to activate MFA.
User Management is the responsibility of the Plan Sponsor. For data integrity and security purposes, CMS’ RDS Center does not alter registered user information on the user’s behalf.
Due to the sensitive nature of this data, the user should contact the RDS Center directly should assistance be required. One individual should not contact the RDS Center on another individual’s behalf. Do not include any Protected Health Information (PHI), as defined in the Health Insurance Portability and Accountability Act (HIPAA), or Personally Identifiable Information (PII) in the correspondence, such as User ID, Password, MBI, SSN, DOB, etc.
Federal Security Regulations require that a user log in to CMS' RDS Secure Website (SWS) at least once every 180 days to maintain an active account. Active user accounts are required to perform many tasks in the RDS Program, such as completing and submitting applications and completing Reconciliation.
Users with disabled accounts should refer to Enable Your User Account for more information about maintaining an active account, as well as step-by-step instructions to enable their user account.
Federal Law Governing User Account Access Information Sharing
Individuals are responsible for maintaining and protecting their RDS Secure Website account access. It is a violation of Federal law to share or transfer user accounts or Login and Password information. Do not share the QR code, Secret Key, Google Authenticator token, one-time token or any other account information with anyone. Activate your MFA configuration with your own personal device, not the device of another person.
If a security violation has been suspected by the RDS Center, the compromised account shall be terminated. If the user requires access to the Secure Website again, they will be required to be invited to each Plan Sponsor account and/or application they will perform work on and complete registration again, including being required to activate a new MFA configuration for the new account.
CMS' RDS Center shall not share your personal information with any third-party, except for disclosures required by law.
Login Warning
In order to access the RDS Secure Website, all users are required to read and accept the Login Warning each time they log in.
Note: CMS’ RDS Center requires users of the RDS SWS to periodically verify their Registered User Information in order to provide consistent, accurate information and uninterrupted access to the system. If you have not already verified your information recently, you will be prompted to do so during RDS SWS login after selecting Accept on the Login Warning page. For more information and step-by-step instructions, refer to Instructions to Access the RDS Secure Website.
Account Manager
The Account Manager Registration takes place during the new Plan Sponsor Registration process. For more information, refer to Create a New Plan Sponsor Account.
Account Manager Reassigned for an Existing Plan Sponsor
A new Account Manager reassigned for an existing Plan Sponsor receives an invitation email to begin Registration within 48 hours after the user role is reassigned. Registration can begin after the email invitation is received.
Authorized Representative, Designee, and Actuary
The Authorized Representative, Actuary, and Designee receive an invitation email to begin Registration within 48 hours after the user role is assigned. Registration can begin after the email invitation is received.
Vendors
Vendors identified by the Plan Sponsor are asked to contact CMS' RDS Center to establish a Vendor ID and Electronic Data Interchange (EDI) requirements.
Security Questions
During Registration, each user selects two Security Questions and enters Answers to those Security Questions.
The Security Questions are used to protect personal information and reset passwords. When the Secure Website prompts a user to answer Security Questions, the user is required to enter their own personal Security Question answers.
Note: Security Questions can only be changed once in a 24-hour period.
Locked Security Questions
The Security Questions will be locked after multiple incorrect Answers are entered to the Security Questions.
To unlock Security Questions, refer to Change Or Reset Security Questions or contact CMS' RDS Center.
Login ID Requirements
Each user creates a Login ID during Registration, which allows access to the RDS Secure Website.
Create a Login ID based on the following requirements:
- Must be 8 to 15 characters
- Can only contain Uppercase letters, Lowercase letters or numbers
Password Requirements – New and Changed or Forgotten Passwords
Each user creates and maintains a Password, which allows access to the RDS Secure Website.
Passwords are based on the following requirements:
- Must be 8 to 14 characters in length
- Must begin with a letter
- Must include each of the following:
- 1 - Lowercase letter
- 1 - Uppercase letter
- 1 - Number
- 1 - Special character
- Must not contain the Login ID
- Must not contain a reserved word. For more information, refer to Reserved Words List
- Must not be a dictionary word or name
- Password cannot match 4 consecutive characters in the most recent Password (applies to changed Passwords only)
- Password cannot match any of the previous 6 Passwords (applies to changed and forgotten Passwords only)
Note: Passwords can be changed five (5) times in a 24-hour period. CMS’ RDS Center cannot unlock user accounts on an individual’s behalf.
Password Expiration
Passwords expire every 180 days and must be changed to access the RDS Secure Website.
Locked User Account
IMPORTANT: When a user account becomes locked after multiple failed login attempts for any reason—invalid Login ID, Password, or MFA code, or any combination of these—
- CMS’ RDS Center is prohibited by Federal Security Regulations to identify which login requirements were entered incorrectly.
- The user is now required to change their password.
- Passwords can be changed five (5) times in a 24-hour period.
- If a user changes their password the maximum five (5) times and then locks their account again on the same day, the user cannot change their password to unlock their account until 24 hours have passed.
Due to security reasons, the RDS Center does not have the authority to unlock accounts for Secure Website users. As a result, the 24 hours IMMEDIATELY PRECEDING a deadline can be very difficult to obtain remediation regarding account login issues, potentially resulting in a missed deadline and possible loss of subsidy.
Refer to Instructions to Access the RDS Secure Website for step-by-step login instructions. Refer to the RDS Secure Website Login Quick Start Guide for support and best practices for logging in and communication with CMS’ RDS Center.
Information for New Users
CMS' RDS Center offers an RDS Welcome Kit to help new Account Managers, Authorized Representatives, Actuaries, and Designees become acquainted with the RDS Program and their role-specific tasks.
The RDS Welcome Kit offers:
- A list of Top 5 Things to Know that compiles important information to always keep in mind while participating in the RDS Program.
- A User Roles Support Tool to help new users understand how their role fits into the various components of the RDS Program.
- Role-based Quick Start Guides to direct new users to the information that will help them get started on their tasks.
Page last updated: