From 568334df7d5d183632dcf533ae9be49a3799c9d8 Mon Sep 17 00:00:00 2001
From: Greg Pfadenhauer <gregpf@navapbc.com>
Date: Thu, 14 Nov 2024 13:37:05 -0500
Subject: [PATCH 1/3] Update credential management guidelines

---
 _includes/build/bcda_credentials.html | 44 +++++++++++++++------------
 build.html                            |  4 +--
 2 files changed, 27 insertions(+), 21 deletions(-)

diff --git a/_includes/build/bcda_credentials.html b/_includes/build/bcda_credentials.html
index 272130a..cef4357 100644
--- a/_includes/build/bcda_credentials.html
+++ b/_includes/build/bcda_credentials.html
@@ -1,22 +1,28 @@
-<p>
-  In production, BCDA protects its endpoints with OAuth2 access tokens.
-  </p>
+<p>Production credentials authorize your organization's access to the Beneficiary Claims Data API (BCDA). Eligible model entities can manage BCDA credentials by logging into their model-specific system: </p>
+<ul>
+  <li><strong>ACOs in the Medicare Shared Savings Program</strong>: Credential delegates can manage and create credentials from <a href="https://acoms.cms.gov/api-key-mgmt/bcda">ACO Management System (ACO-MS)</a>. </li>
+  <li><strong>REACH ACOs</strong> and <strong>KCEs or KCF practices in the Kidney Care Choices Model</strong>: The following roles can manage and create credentials from <a href="https://4innovation.cms.gov/secure/api-credentials/bcda">4innovation (4i)</a>: <ul>
+      <li>Executive Contact </li>
+      <li>Entity Primary Contact </li>
+      <li>Entity Secondary Contact </li>
+      <li>DUA Requestor </li>
+      <li>DUA Custodian</li>
+    </ul>
+  </li>
+</ul>
+<p>Your registered contact can <a href="https://www.cms.gov/data-research/cms-information-technology/cms-identity-management/help-desk-support">contact the ACO-MS and 4i help desk</a> to assign these roles.</p>
 
-  <div class="ds-c-alert ds-c-alert--hide-icon">
-    <div class="ds-c-alert__body">
-      <h3 class="ds-c-alert__heading">Your credentials are protected data.</h3>
-        <p class="ds-c-alert__text">
-        Please store them safely and securely.	
-      </p>
-	</div>
-  </div>
+<h3 id="create-credentials">Create your credentials</h3>
+<p>BCDA credentials are formatted as a client ID and secret, which your organization will use every time it makes an API request and exports data. Production credentials are <a href="https://www.justice.gov/opcl/privacy-act-1974">Personally Identifiable Information (PII)</a> that must be stored securely. </p>
+<p>Create BCDA credentials by visiting the <em>API Credentials</em> page in your model-specific system. Choose the <em>BCDA Credentials</em> tab, then select <em>Create New API Credentials</em>. You'll need to provide a public, static IP address for every system, including vendors, that will access the API (up to 8 IP addresses). It may take up to an hour for the allow list to be updated. </p>
 
-<h3>
-Model Entities Gain Access to BCDA through ACO-MS or 4i
-</h3>
+<h3 id="rotate-credentials">Rotate your credentials</h3>
+<p>Your organization's credentials will expire and deactivate after a set period of time. You can rotate BCDA credentials in the <em>API Credentials</em> page to generate a new, active client ID and secret. </p>
+<p>You'll need to rotate credentials every <strong>90 days</strong> in 4i or every <strong>12 months</strong> in ACO-MS. Once you choose the <em>BCDA Credentials</em> tab, select the rotate icon under the <em>Actions</em> column. </p>
 
-<p>
- <p><u>ACOs in the Medicare Shared Savings Program:</u> Create and manage your organization's BCDA credentials from the <a href="https://acoms.cms.gov/" rel="noopener">ACO Management System</a>.</p> 
-<p><u>REACH ACOs and KCEs or KCFs in the Kidney Care Choices Model:</u> Create and manage your organization's BCDA credentials from the <a href="https://4innovation.cms.gov/landing" rel="noopener">4i portal</a>.</p>
-<p>When creating new credentials, be prepared to provide the IP address(es) for each system that will make requests to BCDA. It may take up to an hour for the allow list to be updated after the IP address(es) are added.</p>
-</p>
+<h3 id="revoke-credentials">Revoke your credentials</h3>
+<p>You may need to revoke (deactivate) your organization's credentials if they are leaked or compromised. You can create new credentials as a replacement afterward. </p>
+<p>Revoke BCDA credentials in the <em>API Credentials</em> page. Choose the <em>BCDA Credentials</em> tab, then select the delete (x) icon under the <em>Actions</em> column. </p>
+
+<h3 id="credentials-compromised">If your credentials have been compromised</h3>
+<p>Please revoke or rotate your BCDA credentials immediately. Afterward, notify the BCDA team at <a href="mailto:bcapi@cms.hhs.gov">bcapi@cms.hhs.gov</a> to review recent activity. </p>
\ No newline at end of file
diff --git a/build.html b/build.html
index 30e84c8..07685f4 100644
--- a/build.html
+++ b/build.html
@@ -38,7 +38,7 @@
           <ul class="ds-c-vertical-nav__subnav">
             <li class="ds-c-vertical-nav__subnav">
               <a class="ds-c-vertical-nav__label ds-c-vertical-nav__label" href="#bcda-credentials">
-                Obtain your BCDA Credentials
+                Manage your BCDA Credentials
               </a>
             </li>
             <li class="ds-c-vertical-nav__subnav">
@@ -160,7 +160,7 @@ <h1>
           </div>
           <div id="bcda-credentials">
             <h2>
-              Obtain your BCDA Credentials
+              Manage your BCDA Credentials
             </h2>
             <div class="ds-u-font-size--base">
               {% include build/bcda_credentials.html %}

From 7ee9ea8ae9ad7a8207f7b92332cd07e10388a21f Mon Sep 17 00:00:00 2001
From: Greg Pfadenhauer <gregpf@navapbc.com>
Date: Fri, 15 Nov 2024 09:57:36 -0500
Subject: [PATCH 2/3] Announce new credential management guidance

---
 _updates/2024-11-18.html | 14 ++++++++++++++
 1 file changed, 14 insertions(+)
 create mode 100644 _updates/2024-11-18.html

diff --git a/_updates/2024-11-18.html b/_updates/2024-11-18.html
new file mode 100644
index 0000000..fe79413
--- /dev/null
+++ b/_updates/2024-11-18.html
@@ -0,0 +1,14 @@
+---
+---
+<div class="ds-u-padding-y--2">
+  <div class="ds-u-font-size--h3 ds-u-font-weight--bold ds-u-padding-y--2">
+    Updated guidance on managing BCDA credentials
+  </div>
+  <div class="ds-u-font-size--lead">
+    November 18, 2024
+  </div>
+  <div>
+    <p>The BCDA team has updated our guidance for model entities managing their BCDA credentials in 4i and ACO-MS. Please visit <a href="/build.html#bcda-credentials" class="in-text__link">Manage your BCDA Credentials</a> for model specific instructions on how to manage and create BCDA credentials for your organization.</p>
+    <p>No action is required for BCDA users, but we hope the updated guidance is helpful!</p>
+  </div>
+</div>
\ No newline at end of file

From 4f7637eed8439d18609898607e10ab4d8a099300 Mon Sep 17 00:00:00 2001
From: Greg Pfadenhauer <gregpf@navapbc.com>
Date: Tue, 19 Nov 2024 17:12:05 -0500
Subject: [PATCH 3/3] Address PR feedback

---
 _includes/build/bcda_credentials.html | 2 +-
 _updates/2024-11-18.html              | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/_includes/build/bcda_credentials.html b/_includes/build/bcda_credentials.html
index cef4357..a3550df 100644
--- a/_includes/build/bcda_credentials.html
+++ b/_includes/build/bcda_credentials.html
@@ -13,7 +13,7 @@
 <p>Your registered contact can <a href="https://www.cms.gov/data-research/cms-information-technology/cms-identity-management/help-desk-support">contact the ACO-MS and 4i help desk</a> to assign these roles.</p>
 
 <h3 id="create-credentials">Create your credentials</h3>
-<p>BCDA credentials are formatted as a client ID and secret, which your organization will use every time it makes an API request and exports data. Production credentials are <a href="https://www.justice.gov/opcl/privacy-act-1974">Personally Identifiable Information (PII)</a> that must be stored securely. </p>
+<p>BCDA credentials are formatted as a client ID and secret, which your organization will use every time it requests an authentication token. Production credentials are sensitive information and must be stored securely. </p>
 <p>Create BCDA credentials by visiting the <em>API Credentials</em> page in your model-specific system. Choose the <em>BCDA Credentials</em> tab, then select <em>Create New API Credentials</em>. You'll need to provide a public, static IP address for every system, including vendors, that will access the API (up to 8 IP addresses). It may take up to an hour for the allow list to be updated. </p>
 
 <h3 id="rotate-credentials">Rotate your credentials</h3>
diff --git a/_updates/2024-11-18.html b/_updates/2024-11-18.html
index fe79413..022a4e3 100644
--- a/_updates/2024-11-18.html
+++ b/_updates/2024-11-18.html
@@ -5,7 +5,7 @@
     Updated guidance on managing BCDA credentials
   </div>
   <div class="ds-u-font-size--lead">
-    November 18, 2024
+    November 20, 2024
   </div>
   <div>
     <p>The BCDA team has updated our guidance for model entities managing their BCDA credentials in 4i and ACO-MS. Please visit <a href="/build.html#bcda-credentials" class="in-text__link">Manage your BCDA Credentials</a> for model specific instructions on how to manage and create BCDA credentials for your organization.</p>