Coalfire
Migration from EDE to ARC-AMPE Awareness and Training Controls
Pages
11
Time to read
14 mins
Publication
Language
English
This white paper serves as a guide for Direct Enrollment Entities (DEEs) to transition their Enhanced Direct Enrollment (EDE) System Security and Privacy Plans (SSPPs) to the Acceptable Risk Controls for ACA, Medicaid, and Provider Entities (ARC-AMPE). It specifically addresses the Awareness and Training (AT) controls, which are part of a larger framework consisting of 308 controls derived from NIST Special Publication 800-53 Revision 5. The document outlines the purpose of the ARC-AMPE framework, which replaces the previous EDE security and privacy guidelines, and details the compliance requirements for DEEs, including the necessity for rigorous audits and adherence to operational policies. The white paper also discusses the importance of security awareness and training for personnel involved in managing Exchange IT systems, emphasizing the need for ongoing education and compliance with applicable regulations. Furthermore, it highlights the significant changes in control mapping and the format of the SSPP template from EDE to ARC-AMPE.