Migration from EDE to ARC-AMPE System and Communications Protection Controls

This white paper serves as a guide for Direct Enrollment Entities (DEEs) to transition their Enhanced Direct Enrollment (EDE) System Security and Privacy Plans (SSPPs) to the Acceptable Risk Controls for ACA, Medicaid, and Provider Entities (ARC-AMPE). It outlines the purpose of the migration, which is to comply with updated security and privacy controls mandated by the Centers for Medicare & Medicaid Services (CMS). The document details the significant increase in the number of controls required for compliance, moving from 295 under EDE to 308 under ARC-AMPE, and highlights the new format for the SSPP template. The paper also includes a section on System and Communications Protection controls, which focus on monitoring, controlling, and protecting communications within Exchange IT systems. Furthermore, it discusses the oversight mechanisms by CMS to ensure that DEEs adhere to federal regulations and maintain the integrity of the Health Insurance Marketplaces. This document is part of a series aimed at facilitating the upgrade process for DEEs.