Migration from EDE to ARC-AMPE Identification and Authentication Controls

This white paper serves as a guide for Direct Enrollment Entities (DEEs) to transition their Enhanced Direct Enrollment (EDE) System Security and Privacy Plans (SSPPs) to the Acceptable Risk Controls for ACA, Medicaid, and Provider Entities (ARC-AMPE). The document outlines the purpose of the migration, emphasizing the need for compliance with the new ARC-AMPE framework, which introduces a significant increase in the number of required controls from 295 to 308. It details the structure of the ARC-AMPE, including high-level guidance and minimum-level security controls, along with the compliance date set for June 2026. The paper also discusses the oversight role of the Centers for Medicare & Medicaid Services (CMS) in ensuring DEEs comply with federal regulations and maintain consumer data integrity. Furthermore, it presents control mapping between EDE and ARC-AMPE, specifically focusing on Identification and Authentication controls, which are essential for verifying the identities of users and devices accessing Exchange IT systems.