Migration from EDE to ARC-AMPE Configuration Management Controls

This white paper serves as a guide for Direct Enrollment Entities (DEEs) to transition their Enhanced Direct Enrollment (EDE) System Security and Privacy Plans (SSPPs) to the Acceptable Risk Controls for ACA, Medicaid, and Provider Entities (ARC-AMPE). The document outlines the purpose of the migration, emphasizing the need for compliance with updated security and privacy controls. It details the structure of the ARC-AMPE framework, which includes a significant increase in the number of controls from the previous EDE guidelines, and specifies that the compliance date for DEEs is set for June 2026. The paper also discusses the oversight role of the Centers for Medicare & Medicaid Services (CMS) in ensuring DEEs adhere to federal regulations and maintain data integrity. Additionally, it provides a comparison of control families between EDE and ARC-AMPE, focusing on Configuration Management controls, and highlights the changes in documentation format from Word to Excel. The white paper aims to facilitate a smooth transition for DEEs by clearly delineating the requirements and expectations.