Coalfire
Migration from EDE to ARC-AMPE Supply Chain Risk Management Controls
Pages
10
Time to read
11 mins
Publication
Language
English
This white paper serves as a guide for Direct Enrollment Entities (DEEs) to transition their Enhanced Direct Enrollment (EDE) System Security and Privacy Plans (SSPPs) to the Acceptable Risk Controls for ACA, Medicaid, and Provider Entities (ARC-AMPE). It outlines the purpose of the migration, emphasizing the need for DEEs to upgrade their security and privacy measures in compliance with the Affordable Care Act (ACA). The document details the oversight mechanisms established by the Centers for Medicare & Medicaid Services (CMS) to ensure DEEs adhere to federal regulations and maintain the integrity of Health Insurance Marketplaces (HIMs). It also introduces the ARC-AMPE framework, which replaces EDE guidelines and consists of a comprehensive set of controls derived from NIST standards. The white paper specifically addresses the Supply Chain Risk Management controls, providing insights into the new requirements and processes that DEEs must implement to mitigate risks associated with external parties involved in ICT and OT services.