
Identity Management Solution

Solicitation Number: HHS-CMS-OIS-RFI-09-001
Agency: Department of Health and Human Services
Office: Centers for Medicare & Medicaid Services
Location: Office of Acquisition and Grants Management
Special Notice
Added: Mar 11, 2009 3:27 pm

1 Subject

This is a Request for Information (RFI). This is NOT a solicitation for proposals, proposal abstracts, or quotations. The purpose of this RFI is to obtain knowledge and information for project planning purposes. This RFI is to assist the Centers for Medicare & Medicaid Services (CMS) in the identification of potential options and to obtain Identity Management Solution vendor and product information for solutions that are able to support Agency requirements. CMS is seeking potential solutions for creating enterprise-level common services for Identity Proofing; creation of an “assurance” level within a workflow process that can range from a simple 2-tier approval process to a complex multi-tier process using a delegated chain of trust model; and the collection of necessary information for an application (system) to assign role-based access privileges. The solution should provide services that comply with the National Institute of Standards and Technology (NIST) standards for assurance level 2 as stated in Special Publication (SP) 800-63. The solution requires knowledge-based Identity Proofing that is not dependent on the use of an individual’s social security number.

Responses to this RFI are due by 2:00 PM local time at the CMS Headquarters in Baltimore, Maryland on Thursday April 9, 2009.

1.1 Background

CMS is a Department of Health and Human Services (DHHS) Operating Division and is the Federal agency that administers the Medicare program and partners with the States to administer the Medicaid programs throughout the U.S. and Territories. CMS’ mission is to ensure effective, up-to-date health care coverage and to promote quality healthcare for the people covered under its programs.

CMS anticipates the Medicare and Medicaid programs will have increasing business demands for enterprise services supporting requirements for individuals to interact with CMS via some type of online access. The approximate number of potential users of this system is 4 to 6 million individuals. There are approximately an additional 90 million Medicare and Medicaid beneficiaries; however, they are out of scope for the purposes of this RFI.

Currently, CMS uses a custom Identity and Access Control system called “Individuals Authorized Access to CMS Computer Systems” (IACS). CMS has identified a number of major issues with the current implementation, including limitations of the base Commercial off the Shelf (COTS) Identity Management (IDM) product that IACS is built upon, related to:

1. Scalability – the system will not support the expected CMS user base; and

2. Maintainability – Integration of new applications is a costly and lengthy process due to the coding efforts involved.

2 Assumptions

1. It is recognized by CMS that a single solution or service may not meet all critical requirements and that an amalgam of integrated or connected solutions may be necessary to satisfy the requirements;

2. COTS or Government off the Shelf (GOTS) alternatives should facilitate better Federal security compliance through controls and auditing, ease-of-use for CMS customers, easier integration with internal systems and external partners, lower maintenance and upgrade costs over the long-term, etc.;

3. Responders should also include some industry “best practice” solution features that may not be expressly mentioned in this document. These will be considered “value added” features that are above and beyond our baseline expectations;

4. Responders should create a written response to this request for information that addresses each of the requirements set forth in Section 3 of this document.

3 Requirements

Please review the following requirements and describe how your IDM Solution will fulfill these requirements.

3.1 User Provisioning

Req. No Requirements

3.1.1 Support for 4 to 6 million users.

These numbers represent what is necessary for planning purposes to support normal operations.

3.1.2 Workflow driven user lifecycle management for:

1. User provisioning;

2. User de-provisioning;

3.1.3 Provide users with the ability to query the status of the workflow process and escalate in case of delays.

3.1.4 Rules based notifications for events such as user provisioning, user de-provisioning, changes in personal information or roles, etc.

3.1.5 IDM system administration console to monitor workflow processes. Administrative console must provide access based on roles such as Help Desk personnel, supervisors, IDM system administrators, etc.

3.1.6 Provide user provisioning, de-provisioning through IDM system administration console.

3.1.7 Support ability to temporarily suspend/de-activate a user’s account.

3.1.8 Offer ability to perform bulk approvals, provision, and/or de-provision users through IDM System Administration console.

3.1.9 Support Self Registration model for a user through web based interface.

3.1.10 Support integration and synchronization with existing external data repositories: X.500 Directory Services using Lightweight Directory Access Protocol (LDAP), relational databases, mainframe, and Active Directory.

3.1.11 Enable third-party ID proofing. CMS is interested in capabilities in the areas of identity proofing and identity verification.

3.2 Access Control

Req. No Requirements

3.2.1 Self service support for password management (password changes, forgotten password resets).

3.2.2 User profile management.

3.2.3 Enforce Password policies.

3.2.4 Ability for IDM Administrator and Help Desk operators to update user information.

3.2.5 Capable of issuance of two factor credentials out of the box or through integration with third party service providers.

3.2.6 Support for delegation of authority.

3.2.7 Ability to integrate with enterprise resources such as Unix/Linux servers, Windows servers, database servers, mainframe, and Directory Services, using LDAP.

3.2.8 Flexibility to allow tokens, certificate-based authorizations, and challenge/response questions.

3.3 Auditing, Logging and Reporting

Req. No Requirements

3.3.1 Support for audit trailing and logging of configurable key events.

3.3.2 Ability to access logs and view logged activity from a central point.

3.3.3 Allow for rules based comprehensive reporting capabilities (e.g., quarterly reports for managers to review their employees’ system access).

3.4 Service Oriented Architecture Enablement

Req. No Requirements

3.4.1 Support enterprise wide Service Oriented Architecture (SOA) initiative.

3.4.2 Ability to provide authentication interoperability mechanisms such as the Security Assertion Markup Language (SAML).

3.5 Miscellaneous

Open-ended requirements asking for descriptions or lists are denoted by an asterisk (*).

Req. No Requirements

3.5.1 Describe how the solution will enforce common security policies and procedures such as:

1. Principles around anonymous access;

2. Access rights based on least privilege;

3. Enforcement of data classification;

4. Enforcement of password rules; and

5. Implementation of stronger audit trails, etc.

3.5.2 Capability to “scale up” to support surge processing related to the addition of new user types.

3.5.3 Support flexible user certification model. CMS should be able to choose the frequency (monthly, quarterly, or annually) based upon the criticality of data.

3.5.4 Ease of configuration through well-defined user interfaces.

3.5.5 *Describe the workflows that are part of the developed set of capabilities, how the workflows are developed, the level of difficulty and time involved in setting up workflows, and the level of difficulty in ongoing management and maintenance of the capability, including the necessary skill set(s) to sustain the capability*.

3.5.6 *Provide any additional information that you feel would be relevant to this RFI (via a separate attachment)*.

4 Disclaimer and Important Notes

This notice does not obligate the Government to award a contract or otherwise pay for the information provided in response. The Government reserves the right to use information provided by respondents for any purpose deemed necessary and legally appropriate. Any organization responding to this notice should ensure that its response is complete and sufficiently detailed. Information provided will be used to assess tradeoffs and alternatives available for the potential requirement and may lead to the development of a solicitation. Respondents are advised that the Government is under no obligation to acknowledge receipt of the information received or provide feedback to respondents with respect to any information submitted.

Any solicitation resulting from the analysis of information obtained will be announced to the public in Federal Business Opportunities in accordance with the FAR Part 5. However, responses to this notice will not be considered adequate responses to a solicitation.

Confidentiality. No proprietary, classified, confidential, or sensitive information should be included in your response. The Government reserves the right to use any non-proprietary technical information in any resultant solicitation(s).

5 Information Requested

Responders shall provide the following:

A. General Information:

i. Company name

ii. Address

iii. Point of contact

iv. Telephone number, fax number and email address

v. Business size

vi. Corporate entity/structure (Limited Liability Company, Joint Venture, Partnership, Sole Proprietorship, etc.). Any teaming arrangements shall also include the above-cited information for each entity on the proposed team.

B. Specific Information

i. Describe how your existing solution addresses each requirement described in Paragraph 3.

ii. Provide names, descriptions and contacts of entities, in either the Private or Public Sectors, of similar size to CMS for whom services described above were performed in the past five years. Please include the number of users supported and any/all teaming arrangements. Provide a list of data sources used, a metric indicating the percentage of the U.S. population for whom they can provide effective identity proofing/authentication services, and information about existing users of their services in healthcare, government, or equivalent complex and large-scale environments.

iii. CMS is also interested in receiving comments on the following points:

a. Industry Best Practices

• Potential challenges of the above stated requirements

• Industry best practices or lessons learned on projects of similar complexity and magnitude

b. Risk Management

• Potential major risk factors in performing services stated above

• Effective risk mitigation techniques

c. Performance Measures

• Key performance indicators

• Appropriate performance metric and measurements

d. Any additional information that you feel would be relevant to this RFI (via a separate attachment).

C. Submission Requirements

Submissions shall be no more than 50 pages, excluding cover sheet, title page and table of contents, single spaced, 8.5 x 11 paper, 1 inch margin, and no smaller than 12 point type.

Responders must submit four bound hardcopies of the information to:

Attn: Scott Shippy

7500 Security Boulevard

Mailstop: N2-04-27

Baltimore, MD 21244

In addition, an electronic copy in Microsoft Word 2003 must be emailed to: with the Subject line: HHS-CMS-OIS-RFI-09-001

Appendix A: Acronyms

Acronym Definition

CMMI Capability Maturity Model Integration

CMS Centers for Medicare and Medicaid Services

COTS Commercial Off the Shelf

DHHS Department of Health and Human Services

FAR Federal Acquisition Regulations

FIPS Federal Information Processing Standards

GOTS Government Off the Shelf

GSA General Services Administration

GWACS Government Wide Acquisition Contracts

IDM Identity Management

IACS Individuals Authorized Access to CMS Computer Systems

ISO International Organization for Standardization

LDAP Lightweight Directory Access Protocol

NIST National Institute of Standards and Technology

RBAC Role Based Access Control

RFI Request for Information

SOA Service Oriented Architecture

SP Special Publication

7500 Security Blvd.
Baltimore, Maryland 21244-1850
Scott Shippy,
Project Officer
Phone: 410-786-2114