Migration from EDE to ARC-AMPE Access Control Controls

This white paper serves as a guide for Direct Enrollment Entities (DEEs) to transition their Enhanced Direct Enrollment (EDE) System Security and Privacy Plans (SSPPs) to the Acceptable Risk Controls for ACA, Medicaid, and Provider Entities (ARC-AMPE). It outlines the purpose of the migration, which is to enhance security and compliance with federal regulations. The document details the components of ARC-AMPE, including the control families and the specific focus on Access Control (AC) controls, which are crucial for limiting IT system access to authorized users and devices. The white paper also provides a background on the Affordable Care Act and the role of the Centers for Medicare & Medicaid Services (CMS) in overseeing DEEs. It emphasizes the importance of compliance with the new ARC-AMPE framework, which includes a significant increase in the number of required controls and a change in the format for the SSPP template. The document includes a control mapping section that compares EDE controls to their ARC-AMPE equivalents.