BCDA-8434 Update credential management guidelines (#217)
## 🎫 Ticket

https://jira.cms.gov/browse/bcda-8434

## 🛠 Changes

Added the updated credential management instructions to build.html and
included a small announcement in updates.html

## ℹ️ Context
This content was originally drafted to be a new subpage in a redesigned
version of the site, but can be dropped into the current site. It will
be helpful for new model entities joining in 2025 and getting started
with BCDA.

<!-- If any of the following security implications apply, this PR must
not be merged without Stephen Walter's approval. Explain in this section
and add @SJWalter11 as a reviewer.
  - Adds a new software dependency or dependencies.
  - Modifies or invalidates one or more of our security controls.
  - Stores or transmits data that was not stored or transmitted before.
- Requires additional review of security implications for other reasons.
-->

## 🧪 Validation

<!-- How were the changes verified? Did you fully test the acceptance
criteria in the ticket? Provide reproducible testing instructions and
screenshots if applicable. -->
1. Published to staging site for review by @phamjennifer
2. Validated links from side navigation and from updates.html work as
intended to /build.html#bcda-credentials
<img width="1247" alt="image"
src="https://github.com/user-attachments/assets/02b33fe9-c241-4eaa-a38c-8553a328c3d3">
<img width="1187" alt="image"
src="https://github.com/user-attachments/assets/70f42ceb-92da-4fcc-b51c-711da4f45c28">
greg-pf authored Nov 20, 2024
1 parent 73d5ec0 commit 4d21de3
Showing 3 changed files with 41 additions and 21 deletions.
44 changes: 25 additions & 19 deletions _includes/build/bcda_credentials.html
@@ -1,22 +1,28 @@
<p>
In production, BCDA protects its endpoints with OAuth2 access tokens.
</p>
<p>Production credentials authorize your organization's access to the Beneficiary Claims Data API (BCDA). Eligible model entities can manage BCDA credentials by logging into their model-specific system: </p>
<ul>
<li><strong>ACOs in the Medicare Shared Savings Program</strong>: Credential delegates can manage and create credentials from <a href="https://acoms.cms.gov/api-key-mgmt/bcda">ACO Management System (ACO-MS)</a>. </li>
<li><strong>REACH ACOs</strong> and <strong>KCEs or KCF practices in the Kidney Care Choices Model</strong>: The following roles can manage and create credentials from <a href="https://4innovation.cms.gov/secure/api-credentials/bcda">4innovation (4i)</a>: <ul>
<li>Executive Contact </li>
<li>Entity Primary Contact </li>
<li>Entity Secondary Contact </li>
<li>DUA Requestor </li>
<li>DUA Custodian</li>
</ul>
</li>
</ul>
<p>Your registered contact can <a href="https://www.cms.gov/data-research/cms-information-technology/cms-identity-management/help-desk-support">contact the ACO-MS and 4i help desk</a> to assign these roles.</p>

<div class="ds-c-alert ds-c-alert--hide-icon">
<div class="ds-c-alert__body">
<h3 class="ds-c-alert__heading">Your credentials are protected data.</h3>
<p class="ds-c-alert__text">
Please store them safely and securely.
</p>
</div>
</div>
<h3 id="create-credentials">Create your credentials</h3>
<p>BCDA credentials are formatted as a client ID and secret, which your organization will use every time it requests an authentication token. Production credentials are sensitive information and must be stored securely. </p>
<p>Create BCDA credentials by visiting the <em>API Credentials</em> page in your model-specific system. Choose the <em>BCDA Credentials</em> tab, then select <em>Create New API Credentials</em>. You'll need to provide a public, static IP address for every system, including vendors, that will access the API (up to 8 IP addresses). It may take up to an hour for the allow list to be updated. </p>

<h3>
Model Entities Gain Access to BCDA through ACO-MS or 4i
</h3>
<h3 id="rotate-credentials">Rotate your credentials</h3>
<p>Your organization's credentials will expire and deactivate after a set period of time. You can rotate BCDA credentials in the <em>API Credentials</em> page to generate a new, active client ID and secret. </p>
<p>You'll need to rotate credentials every <strong>90 days</strong> in 4i or every <strong>12 months</strong> in ACO-MS. Once you choose the <em>BCDA Credentials</em> tab, select the rotate icon under the <em>Actions</em> column. </p>

<p>
<p><u>ACOs in the Medicare Shared Savings Program:</u> Create and manage your organization's BCDA credentials from the <a href="https://acoms.cms.gov/" rel="noopener">ACO Management System</a>.</p>
<p><u>REACH ACOs and KCEs or KCFs in the Kidney Care Choices Model:</u> Create and manage your organization's BCDA credentials from the <a href="https://4innovation.cms.gov/landing" rel="noopener">4i portal</a>.</p>
<p>When creating new credentials, be prepared to provide the IP address(es) for each system that will make requests to BCDA. It may take up to an hour for the allow list to be updated after the IP address(es) are added.</p>
</p>
<h3 id="revoke-credentials">Revoke your credentials</h3>
<p>You may need to revoke (deactivate) your organization's credentials if they are leaked or compromised. You can create new credentials as a replacement afterward. </p>
<p>Revoke BCDA credentials in the <em>API Credentials</em> page. Choose the <em>BCDA Credentials</em> tab, then select the delete (x) icon under the <em>Actions</em> column. </p>

<h3 id="credentials-compromised">If your credentials have been compromised</h3>
<p>Please revoke or rotate your BCDA credentials immediately. Afterward, notify the BCDA team at <a href="mailto:bcapi@cms.hhs.gov">bcapi@cms.hhs.gov</a> to review recent activity. </p>
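Review bot: the outer `<p>` that wraps the three paragraphs starting `<p><u>ACOs in the Medicare Shared Savings Program:</u>` nests block-level `<p>` elements inside a paragraph, which is invalid HTML and renders unpredictably, and the body-less heading "Model Entities Gain Access to BCDA through ACO-MS or 4i" sits stranded between the create and rotate sections; if these are the old lines being replaced by the new intro list at the top of the hunk that is fine, otherwise drop them. In the compromise section the order given (revoke or rotate first, then email bcapi@cms.hhs.gov for an activity review) is the right one; consider linking that paragraph to the `#rotate-credentials` and `#revoke-credentials` anchors already defined above so a reader arriving from the updates post lands directly on the procedure.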
14 changes: 14 additions & 0 deletions _updates/2024-11-18.html
@@ -0,0 +1,14 @@
---
---
<div class="ds-u-padding-y--2">
<div class="ds-u-font-size--h3 ds-u-font-weight--bold ds-u-padding-y--2">
Updated guidance on managing BCDA credentials
</div>
<div class="ds-u-font-size--lead">
November 20, 2024
</div>
<div>
<p>The BCDA team has updated our guidance for model entities managing their BCDA credentials in 4i and ACO-MS. Please visit <a href="/build.html#bcda-credentials" class="in-text__link">Manage your BCDA Credentials</a> for model specific instructions on how to manage and create BCDA credentials for your organization.</p>
<p>No action is required for BCDA users, but we hope the updated guidance is helpful!</p>
</div>
</div>
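Review bot: the new file is named `_updates/2024-11-18.html` but its body displays "November 20, 2024"; if the updates index orders or dates posts from the filename the two will disagree, so either rename the file to match the displayed date or change the displayed date. The `/build.html#bcda-credentials` link matches the `id` that build.html keeps in the next file.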
4 changes: 2 additions & 2 deletions build.html
@@ -38,7 +38,7 @@
<ul class="ds-c-vertical-nav__subnav">
<li class="ds-c-vertical-nav__subnav">
<a class="ds-c-vertical-nav__label ds-c-vertical-nav__label" href="#bcda-credentials">
Obtain your BCDA Credentials
Manage your BCDA Credentials
</a>
</li>
<li class="ds-c-vertical-nav__subnav">
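Review bot: `class="ds-c-vertical-nav__label ds-c-vertical-nav__label"` on the anchor lists the same class twice; it is pre-existing context, but worth removing the duplicate while the label text is being changed from "Obtain" to "Manage".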
@@ -160,7 +160,7 @@ <h1>
</div>
<div id="bcda-credentials">
<h2>
Obtain your BCDA Credentials
Manage your BCDA Credentials
</h2>
<div class="ds-u-font-size--base">
{% include build/bcda_credentials.html %}
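Review bot: only the heading text changes and `id="bcda-credentials"` on the wrapping div is untouched, so the side-navigation link and the update post's `/build.html#bcda-credentials` link keep resolving to this section; no further change needed here.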