Skip to Content
Cancer Therapy Evaluation Program (CTEP)
Contact NExT
Show menu
Search this site
Last Updated: 08/03/24

NCI CTEP IAM User Access Update

The U.S. federal government has implemented new IT security requirements to improve data security. This next generation of technology and techniques is required to protect user credentials when accessing systems with confidential information in accordance with the Federal Information Security Management Act (FISMA). This mandate includes integration of Identity Proofing/Verification (IP) and Multi-factor Authentication (MFA) for all government IT applications. To ensure the security and safety of National Cancer Institute (NCI) systems, subjects, research staff, and all associated sensitive information, NCI has now incorporated IP and MFA into systems access. Identity proofing (IP) and multi-factor authentication (MFA) will be required for continued access to NCI systems. The US Government has established a deadline of September 30, 2024, for Federal IT systems, such as the NCI, to comply with this directive. Come this deadline date, users will no longer be able to access NCI systems using their CTEP-IAM login credentials.

NCI has partnered with ID.me, a nationally recognized identity platform that meets the highest federal standards for online identity proofing and authentication, in order to meet the enhanced Federal IT security standards established by NIST SP 800-63-3 Digital Identity Guidelines. ID.me also meets European Union (EU) standards and is now compliant with the General Data Protection Regulation (GDPR). The NCI database includes patient and proprietary information, and therefore requires level 2 IP in accordance to NIST guidelines. Level 2 IP requires the collection of a unique identifier such as a social security number, U.S. tax ID, or passport number; and an additional primary document (ex. Driver's license). However, since partnering with ID.me, NCI has gained insightful data on the reluctance within our research communities to share the type of information necessary for level 2 identity proofing that would potentially jeopardize participation on NCI research trials. With this new understanding, the NCI has secured a ‘waiver’ to the NIST level 2 IP requirements. NCI will still be implementing cybersecurity enhancements but without the stringent NIST requirements previously established.

Important updates for U.S based and international research staff: The NCI has implemented alternative methods to identity verification. The methods of IP and MFA will vary based on a user's resident or citizen country. By implementing alternative IP and MFA options, NCI aims to significantly enhance IT security without causing unnecessary disruption to your continued support of the NCI clinical research program. Please see below for more details on these changes.

  U.S.-Based CTEP USERS Canadian-Based CTEP USERS Other International-Based
CTEP USERS
Identity verification
requirement
New KBA-R workflow allows U.S. based users to complete IP simply verify their identity by providing a phone number to ID.me.

Options to verify identity now include a personal phone number, OR a government-issued photo ID (Driver's License, Passport, Passport Card, or State ID).
Site-based verification will allow Canadian based users to undergo IP with a designated IP/verifier(s) at their site.

New users requesting CTEP access will have their identity verified manually by a designated administrator. Existing users with active CTEP-IAM accounts will be automatically approved. (Existing profiles will be verified without any additional steps required of user. No further information/documentation will be required for IP.)
Site-based verification will allow international based users to undergo IP with a designated IP/verifier(s) at their site.

New users requesting CTEP access will have their identity verified manually by a designated administrator. Existing users with active CTEP-IAM accounts will be automatically approved. (Existing profiles will be verified without any additional steps required of user. No further information/documentation will be required for IP.)
Multi-factor authentication requirement Required to set up MFA with ID.me Required to set up MFA with ID.me Required to set up MFA with ID.me
Deadline September 30, 2024 September 30, 2024 September 30, 2024

International Users

NOW AVAILABLE: An alternative approach to IP and MFA for international-based users is now available. NCI has implemented an update allowing non-U.S. investigators to onboard with ID.me for MFA options only, without the IP requirements. Canadian and International research staff and investigators are no longer required to provide any personal information above and beyond what has traditionally been provided to the NCI (e.g., name, DOB, contact info, etc.). Provision of documentation, such as a passport or driver's license, to ID.me is NOT REQUIRED for identity proofing.

This new workflow has taken the identity verification process from the ID.me pathway to a site-level verification process. Staff outside of the United States are required to have their requests for a CTEP-IAM account verified by a designated international verifier(s) at their site. This process applies to any new international site staff requesting a CTEP-IAM account. Existing CTEP-IAM accounts will be automatically approved. International staff with existing profiles will be verified without any additional steps required of user.

Note that all international staff will still need to onboard ID.me to set up Multi-Factor Authentication. All users, existing and new, MUST establish an account with ID.me by sharing their name, telephone, and email address for MFA. This information will NOT be used for identity proofing purposes. After users establish MFA with ID.me, they must link their ID.me credentials to their CTEP-IAM account by the September 30, 2024, deadline for access to NCI systems.

Where you can find detailed instructions: Existing International users linking their CTEP-IAM account and ID.me credentials International users requesting a new account and linking their CTEP-IAM account and ID.me credentials International verifier SOP
Where you can find a training video: Existing International users onboarding to ID.me New International users onboarding to ID.me International verifier process

NIH Account Holders

Users with NIH accounts are not required to onboard with ID.me. NIH accounts already meet the IP/MFA requirement to access federal systems. For continued access to CTEP applications, users should instead link their NIH credentials/PIV cards to their existing or newly created CTEP-IAM accounts using the below instructions.

Where you can find detailed instructions: Existing CTEP-IAM users linking their CTEP-IAM account and NIH PIV/credentials SOP New users requesting a CTEP-IAM account and linking their new CTEP-IAM account and NIH PIV/ credentials SOP

Background

Identity Proofing (IP) is the process of verifying a user's digital identity using official, secure documentation such as a driver's license or passport. The goal of identity proofing is to ensure that a user's claimed identity matches their actual identity. Digital Authentication is the process of verifying a user or device's identity to enable access to a secure digital service (website, application, etc.). There are multiple ways to verify a user's electronic digital identity. Single-Factor Authentication is the use of a single authenticator, traditionally a password, to verify user identity. MFA is a digital authentication method that requires a user to provide two or more authentication factors to gain access to a protected system. Also known as Two Factor Authentication (2FA), this method ensures that user accounts and system data remain secure even when a user's password becomes compromised.

Affected Systems

Updated authentication requirements apply to all systems utilizing CTEP-IAM, including:

  • NCI systems such as CTEP ESYS, CTSU ESYS, THERADEX, CIRB, and NCORP SYS applications
  • Any other systems, including LPO websites, that use CTEP-IAM for federated authentication purposes

Affected Users

The new authentication requirements apply to all new and currently registered system users (all those with a CTEP-IAM account), including NCI, LPO, contractors, site staff, and international users.

Timeline for Users

July 8, 2022: The ID.me IP/MFA process introduced for all system users. Existing CTEP-IAM account credentials will allow access until users have authenticated using ID.me and linked their credentials.

August 10, 2023: Alternative identity verification methods introduced for CTEP-IAM users.

January 1, 2024: Migration to ID.me IP/MFA is expected to be completed for U.S.-based users.

September 30, 2024: IP/MFA must be established for continued access to Federal IT applications. Come this date, users will no longer be able to access NCI systems using their CTEP-IAM login credentials.

Flowchart illustrating the ID.me IP/MFA workflow

All NCI application users must link their ID.me credentials to their CTEP-IAM accounts. This process must be completed directly through the CTEP-IAM application site. Once an ID.me account has been linked, only ID.me credentials (username and password, plus the selected MFA option) will allow a user to access NCI systems. CTEP-IAM credentials will no longer allow access.

Where you can find detailed instructions: Existing CTEP-IAM user SOP New CTEP-IAM user SOP
Where you can find a training video: Existing CTEP-IAM user creating a new ID.me account- training video and transcript

Existing CTEP-IAM user linking existing ID.me account- training video and transcript
New CTEP-IAM user creating a new ID.me account- training video and transcript

Webinars:

Live webinars on the CTEP-IAM & ID.me implementation will be hosted to provide users with helpful and hands-on information. To view the schedule and register for the specialized webinars for Canadian and International researchers and staff, please click here. The webinar schedule and sign-up page for U.S. based investigators can be found here. We will continue to host these information sessions as they are needed to support the NCI and ID.me integration.

Help/Additional Resources

Additional communication will be provided through various methods to include email broadcasts, newsletters, and training videos. Be sure to return to this page for updates on the NCI and ID.me integration and help resources.

For frequently asked questions, click here

For more information on the NCI and ID.me integration, please visit NCI & ID.me.

For more information on ID.me’s privacy policies please visit ID.me Privacy Policy

For questions about the NCI and ID.me authentication process, please contact the CTEP Help Desk at ctephelpdesk@nih.gov.

For questions about your ID.me account or the ID.me verification process, go to ID.me Help Center.