  1. BONNIE MAT MADiE Issue Tracker
  2. BONNIEMAT-640

MAT Security Policy does not align with published guidance


    • Question
    • Resolution: Resolved
    • Moderate
    • User Account / Login
    • None
    • MAT
    • AnPhilli1257
    • ALL
    • ALL
    • N/A
      Current security policy for log outs and password resets does not align with documented process
      https://www.emeasuretool.cms.gov/sites/default/files/2020-03/MAT%20User%20Guide.pdf

      MAT 5.6 user guide states "MAT passwords expire every 60 days. The new password must meet the same requirements," on page 14.

      MAT 5.6 user guide states "Users will automatically be logged out of the MAT after 30 minutes of inactivity. After 25 minutes of inactivity, a warning message will display, notifying the user that the session will expire" on page 9.

      I am getting password resets TWICE a month. No documentation supports this.

      MAT logs out automatically after 5 minutes. No documentation supports this and it basically makes the MAT unusable.

       

      There are two issues to address here:

      Automatic log out timing:

      I've attached a screenshot of my MAT expiration message.

      I logged into the MAT at 10:23 AM. I received this message after 10 minutes of inactivity at 10:33 AM.

      You are correct in that the total time is 15 minutes, as the message states I will be logged out at 10:37 AM.  However, this is not practical for users of the application.  There is a mismatch between workflow and policy.

      We need more information on the CMS "guideline" for application inactivity as there is no PHI in the MAT.  We question if the correct security policy is being applied for this application.

       

      Required password reset:

      As for the emails - I am happy to forward them along, but please refer to the screenshots and the text here.

      Sunday 3/15/20  - email states it is time to change my password.  

      Wednesday 3/25/20 - email states password will expire in 5 days.

      This is confusing for users as they feel they must change their password upon the receipt of BOTH emails.  There are no instructions in the second email that indicate that the user should disregard the second email if they responded to the first email.

      Of greater concern is that the second email is generated even if the user has already changed their password in response to the first email.  This means the second email is generated without checking the password reset.  

      Please change the language, or change the process!

      Lastly, the MAT is on version 5.8.  Documentation provided as current does not reflect this, as the only documentation provided for users is version 5.6.


        1. _Your MAT Account _
          7 kB
          Ann Phillips
        2. _Your MAT Account _
          8 kB
          Ann Phillips
        3. image003.png
          0.7 kB
          Ann Phillips
        4. March15email.JPG
          111 kB
          Ann Phillips
        5. March25email.JPG
          123 kB
          Ann Phillips
        6. MATlogoutScreenshot..JPG
          51 kB
          Ann Phillips
        7. MATlogoutScreenshot..JPG
          51 kB
          Ann Phillips

            adongare Ashok Dongare
            phillips@ncqa.org Ann Phillips (Inactive)
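
The reminder behaviour reported in this ticket (a second email sent even after the password was changed) is avoided when each notice is derived from the current password's change date at send time. The sketch below is an added example, not MAT code: the 60-day expiry is the figure quoted from the user guide, while the 15-day and 5-day offsets, the template names and `due_notice` are assumptions inferred from the 3/15 and 3/25 emails.

```python
from datetime import date, timedelta

# Assumptions: 60-day expiry (quoted from the MAT 5.6 user guide); notice
# offsets inferred from the ticket's 3/15 and 3/25 emails; names are hypothetical.
MAX_AGE = timedelta(days=60)
NOTICES = [(15, "time_to_change"), (5, "expires_in_5_days")]  # (days before expiry, template)


def due_notice(changed_at, today, sent):
    """Return the reminder template to send today, or None.

    changed_at: date the *current* password was set, read when the job runs.
    sent: set of (changed_at, template) pairs already delivered, so a notice
          is tied to one password lifetime and never repeated within it.
    """
    days_left = (changed_at + MAX_AGE - today).days
    if days_left < 0:
        return None  # already expired: enforced at login, not by reminder mail
    # Most urgent window first, so a late run does not fall back to the early notice.
    for offset, template in sorted(NOTICES):
        if days_left <= offset:
            return None if (changed_at, template) in sent else template
    return None


if __name__ == "__main__":
    # Constructed timeline matching the ticket: old password set 2020-01-30,
    # so it expires 2020-03-30; the user changes it on 2020-03-16.
    old, new = date(2020, 1, 30), date(2020, 3, 16)
    sent = set()
    first = due_notice(old, date(2020, 3, 15), sent)
    sent.add((old, first))
    print("3/15:", first)                                        # first reminder
    print("3/25, fresh record:", due_notice(new, date(2020, 3, 25), sent))
    print("3/25, stale record:", due_notice(old, date(2020, 3, 25), sent))
```

The last two lines contrast a job that reads the change date when it runs with one that works from a stale record, which reproduces the duplicate email described above.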