Coalfire
Migration from EDE to ARC-AMPE Personnel Security Controls
Pages
12
Time to read
16 mins
Publication
Language
English
This white paper serves as a guide for Direct Enrollment Entities (DEEs) to transition their Enhanced Direct Enrollment (EDE) System Security and Privacy Plans (SSPPs) to the Acceptable Risk Controls for ACA, Medicaid, and Provider Entities (ARC-AMPE). It outlines the significant increase in the number of controls required for compliance, which has risen from 295 in EDE to 308 in ARC-AMPE. The document details the framework established by the Centers for Medicare & Medicaid Services (CMS) for DEEs, emphasizing the importance of adhering to security and privacy control requirements. It also discusses the oversight mechanisms implemented by CMS, which include rigorous audit processes and the necessity for DEEs to renew their Authority to Connect (ATC) annually. The paper further explains the control mapping from EDE to ARC-AMPE, highlighting the changes in control formats and the focus on personnel security measures that ensure the protection of organizational information and systems. The compliance date for DEEs is set for June 2026.