The contractor shall use the Defense Manpower Data Center (DMDC) Authentication
service to perform authentication for beneficiary web access to
contractor portals or web sites that access beneficiary-specific
TRICARE data. The DMDC Authentication service supports the Department
of Defense (DoD) approved enterprise self-service credential called
the DoD Self-Service Logon (DS Logon) account. Available credentialing
options may be modified due to security enhancements, and will be
made known when available. Contractors may also use authentication
methods that meet National Institute of Standards and Technology
(NIST) Level 2 requirements (NIST publication 800-63) for beneficiaries that
are not eligible to receive DS Logon accounts.
1.0 Access to beneficiary-specific
TRICARE data requires authentication with the approved DoD credential,
or its equivalent. DMDC issues the DS Logon credential; DMDC retains
responsibility for maintaining this credential.
• An authentication service will be provided by DMDC for the DS Logon
credential. For all beneficiaries eligible to obtain a DS Logon,
the contractor shall use the DMDC Authentication service at the
registration point for beneficiary access to the contractor portal
or web site. In addition, the contractor shall use the authentication
service to validate authentication of a beneficiary every time a
contractor portal or web site is accessed.
2.0 When a beneficiary presents the DS Logon credential and
authentication succeeds, the DMDC Authentication service will provide the
following data to the contractor:
• Method of Authentication (e.g., DS Logon)
• Status of the account
• Identity information of the authenticated beneficiary (e.g., DoD Electronic Data Information (EDI) PIN)
• Affiliation information of the authenticated beneficiary to the DoD
• Family member association, including DoD EDI PIN of the sponsor
3.0 The contractor may use the
information returned with a successful authentication to enforce any
application-specific business rules. For example, the contractor
may exclude access by a parent to a family member’s Explanation
of Benefits (EOB) information if the family member is over the age
of 18.
4.0 For those beneficiaries ineligible
for a DS Logon, the contractors shall rely on their own authentication
methodology to authenticate users accessing beneficiary-specific
TRICARE data via a contractor portal or web site.