Migration from EDE to ARC-AMPE Physical and Environmental Protection Controls

This white paper serves as a guide for Direct Enrollment Entities (DEEs) to transition their Enhanced Direct Enrollment (EDE) System Security and Privacy Plans (SSPPs) to the Acceptable Risk Controls for ACA, Medicaid, and Provider Entities (ARC-AMPE). The document outlines the purpose of the migration, which is to upgrade security and privacy controls in accordance with new CMS requirements. It details the structure of the ARC-AMPE framework, including the number of controls across various families, with a specific focus on Physical and Environmental Protection controls. The paper also discusses the oversight role of the Centers for Medicare & Medicaid Services (CMS) in ensuring DEEs comply with federal regulations and maintain consumer data integrity. Additionally, it highlights the significant changes in control requirements and the new format for SSPP documentation, emphasizing the need for DEEs to adapt to these updates by the compliance date set for June 2026.