CMS sets the criteria for how often passwords must be reset and which characters a new password must contain. These requirements are part of the Acceptable Risk Safeguards (ARS), which is a component of the National Institute of Standards and Technology (NIST).

Password Requirements:

  • Password is case sensitive.
  • Must be at least 8 characters long.
  • Must be no more than 50 characters long.
  • Must include at least 1 number.
  • Must have at least 1 symbol character (neither a letter nor a number).
  • Must have at least 1 lowercase letter.
  • Must have at least 1 uppercase letter.
  • Can be changed no more often than once per day.
  • New password may not have been used previously.
  • New password must differ from the previous password by at least four characters.


  • CMS requires that passwords be changed every 60 days.
  • Keep a record of your security answers so you can use the self-service reset password/unlock account feature.
  • Be sure to clear your cookies/cache, close all browser windows and open a new one before you log in.
  • Never save your NMP password in your browser.


For questions relating to Multi-Factor Authentication (MFA), visit the MFA page on the Portal Guide.