Migration from EDE to ARC-AMPE System Controls

This white paper serves as a guide for Direct Enrollment Entities (DEEs) to transition their Enhanced Direct Enrollment (EDE) System Security and Privacy Plans (SSPPs) to the Acceptable Risk Controls for ACA, Medicaid, and Provider Entities (ARC-AMPE). It outlines the purpose of the migration, which is to enhance security and compliance with the Affordable Care Act (ACA) by implementing a new framework that includes a significant increase in the number of required controls. The document details the ARC-AMPE control families, including System and Services Acquisition controls, and provides a mapping of controls from the EDE baseline to the new ARC-AMPE framework. Additionally, it discusses the oversight role of the Centers for Medicare & Medicaid Services (CMS) in ensuring compliance and the necessary steps DEEs must take to meet the updated requirements, including the submission of more artifacts during audits and the new format for SSPPs. The compliance deadline for DEEs is set for June 2026.