CMS EDE audit submissions for Year 9 are open now, with the submission window closing July 1, 2026 at 3:00 AM ET. If you haven’t submitted yet, time is critical, entities that submit later in the window have fewer opportunities to correct completeness deficiencies before the deadline closes. The end-to-end review process can take a year or more, and resubmissions are common, making every remaining week count.
The Classic Direct Enrollment pathway ended October 31, 2025. Enhanced Direct Enrollment is now the only permitted pathway for all entities. Navigating CMS audit protocols requires meticulous documentation across business requirements, privacy controls, and operational standards. We’ve compiled this detailed documentation kit to help CMS EDE partners assess their current submission status and close any remaining gaps before the July 1 deadline.
CMS EDE Audit Submission Requirements for 2026
April 1 to July 1 Submission Window Timeline
CMS conducts completeness reviews on all prospective primary EDE entity and prospective phase change EDE entity audits submitted within the April 1, 2026 to July 1, 2026 at 3:00 AM ET window. Your opportunities to correct completeness deficiencies depend, in part, on the time you submit your audit in the submission window. Early submissions allow more resubmission cycles before the window closes. CMS will not review audits until the submission window begins. You must submit a complete audit that CMS designates as complete before the deadline to advance to the next review phase. There is no guarantee that every prospective primary EDE entity or prospective phase change EDE entity that submits a complete audit within the submission window will receive approval prior to the PY 2027 OEP or during the 2026 calendar year.
Primary vs Upstream Entity Documentation Differences
Primary EDE entities must hire independent auditors to perform business requirements and privacy and security audits. You will identify your selected auditors in both the EDE Business Agreement and the Interconnection Security Agreement. Primary entities maintain oversight of upstream EDE entities and downstream agent and broker users of the approved EDE environment. Upstream EDE entities employ a primary EDE entity’s platform with customized branding and must maintain a legal, documented relationship with a primary EDE entity through a signed written agreement. New upstream EDE entities or existing upstream entities adding new functionality should work with their primary EDE entity to notify CMS of the proposed arrangement and submit operational and oversight documentation for review.
Phase 1, 2, and 3 Audit Package Components
Prospective phase change EDE entities submit audits to change end-state eligibility application phases during the same April to July window. The applicable program requirements for prospective phase change entities are listed in Exhibit 11 (Business Audit Phase Change Requirements) of the Guidelines. If you continue to seek approval for the phase indicated in your original audit submission without adding new functionality or systems, you may use a previously submitted complete business requirements audit.
ISA and Business Agreement Submission Deadlines
For primary EDE entities, CMS countersigns the EDE Business Agreement after reviewing and approving both your business requirements audit and annual privacy and security audit. Approved primary EDE entities must submit the ISA for the upcoming open enrollment period by the last business day of June as part of the annual ISCM documentation submission. The ISA contains Appendices that must be completed in full to consider for approval.
Business Requirements Audit Documentation Kit
Independent Auditor Selection and Qualification Standards
You must hire independent third-party auditors to confirm compliance with program requirements. CMS thinks about auditors as downstream and delegated entities and makes you responsible for their performance and compliance. Business requirements audits need key auditor personnel to possess relevant certifications: Certified Internal Auditor (CIA), Certification in Risk Management Assurance (CRMA), Certified Information Systems Auditor (CISA), or Certified Government Auditing Professional (CGAP). You can select one auditor to handle both business and privacy audits or hire separate auditors to handle each component.
API Functional Integration Testing Toolkit
The API Functional Integration Toolkit verifies basic functional integration with EDE application programming interfaces. Your auditor must complete each test case on their own or work with you to verify proper functionality. The toolkit has nine data sets, with test data provided in the “EDE End-to-End Test Data” zip file. You must submit correct results for each test case, complete headers and bodies for API requests and responses, and raw, unmodified JSON and XML files that demonstrate successful OKTA integration.
Eligibility Results and Application UI Toolkits
Your auditor must provide screenshots of the entire application flow for each test case to verify eligibility results, along with correct eligibility results and eligibility determination notices. The Application UI Toolkit requires a clear assessment of Spanish-language applications when applicable. These toolkits must demonstrate complete field-level validation requirements consistent with FFE Application UI Principles.
Communications Toolkit and Section 508 Compliance Evidence
Your communications toolkit must have screenshots that demonstrate compliance in both English and Spanish where applicable. More, your eligibility application UI must meet Section 508 requirements under the Rehabilitation Act of 1973, as amended (29 U.S.C. § 749(d)). Your auditor confirms compliance with these accessibility standards.
Risk Assessment Documentation and Compliance Findings
CMS will not accept incomplete audits. Risks identified during the audit must be documented and explained, even if alleviated later. Your auditor must complete all yellow-shaded compliance findings columns in each toolkit and show compliance status, risk levels, mitigation strategies, and estimated resolution dates.
Privacy and Security Audit Documentation Package
Privacy and security audits are the second critical component of your CMS EDE submission package. Existing EDE entities that submit privacy and security audits must adhere to continuous monitoring reporting requirements in the ISCM Strategy Guide, which has completion of an annual assessment of security and privacy controls by an auditor. Primary EDE entities and hybrid non-issuer upstream EDE entities that are web-brokers may submit one ISCM audit covering both web-broker and EDE privacy and security continuous monitoring requirements.
NIST 800-53 Controls Assessment (294 Controls)
NIST SP 800-53 Rev 5 contains over 1,000 controls hosted in 20 control families. These controls address security and privacy from both functionality and assurance points of view. They protect organizational operations from a variety of threats including hostile attacks, human errors and natural disasters. Your auditor must assess controls at defined frequencies per the ISCM Strategy Guide.
NIST SP 800-63-3 Identity Proofing Documentation
NIST SP 800-63-3 Digital Identity Guidelines address three assurance components: Identity Assurance Level (IAL) for identity proofing, Authenticator Assurance Level (AAL) for authentication, and Federation Assurance Level (FAL) for federated environments. Book a Readiness Call to ensure your identity proofing processes meet federal standards before CMS audit protocols begin.
Infrastructure and Operational Process Evidence
Your Security Assessment Report (SAR) must contain a summary of findings from documentation reviews, control testing, scanning, penetration testing and interviews. The SAR cannot be modified after submission unless CMS finds deficiencies requiring correction.
ISCM Continuous Monitoring Reports
Monthly and quarterly reporting summaries document ongoing security posture. The ISCM Guide describes security and privacy controls action frequencies and the subset of core controls requiring annual testing.
Vulnerability Scan Results and Remediation Plans
Monthly vulnerability scans are mandatory for your IT systems. Submit the three most recent months of vulnerability scans during ISCM activities. Federal regulations require remediation of critical vulnerabilities within 15 days and high vulnerabilities within 30 days of discovery. All findings must combine into your monthly Plan of Action and Milestones (POA&M).
DE Entity Documentation Package Components
Each year before the OEP, CMS contacts prospective EDE entities that have submitted audits and existing entities to submit applicable components of the DE Entity Documentation Package, EDE Business Agreement, and ISA.
Operational and Oversight Information Form (Excel)
You must submit operational and oversight information to use the EDE pathway. Fill out this macro-enabled Excel file in its entirety. Follow the instructions in the Documentation Package to complete the form without enabling macros if you cannot complete the macro-enabled form.
Corporate Relationship Chart Requirements
Submit your entity’s corporate relationship chart suggesting subsidiary, sibling, or parent company relationships. You can provide this information in Microsoft Word or PDF format. This is not a request for an organizational chart of officers and individuals within your organization.
Website Privacy Policy and Terms of Service
Any website collecting consumer data as part of the EDE end-user experience must have its privacy policy and Terms of Service submitted. Submit the URL and text of each privacy policy statement displayed on your website.
Provider Credentials and Licensing Documentation
CMS requires documentation of provider credentials and licensing as part of cms documentation standards for cms ede partners.
Training Completion Records from REGTAP
Complete the required training on REGTAP at https://regtap.cms.gov/. Complete the course conclusion pages at the end of each module. You are not required to submit anything additional to CMS but must retain a copy of the training confirmation webpage to provide to CMS if requested.
ISA Appendix B: Upstream and Downstream Arrangements
Appendix B of the ISA must detail all arrangements with upstream EDE entities, relationship type, and any related data connections or exchanges. It should also include any arrangements with web-brokers and downstream agents and brokers that involve proposed additional functionality or systems. Book a Readiness Call to ensure your ISA Appendix B meets cms audit protocols before submission.
Conclusion
Successful cms ede audit submissions require complete preparation across business requirements, privacy and security controls, and operational documentation. The three-month submission window passes quickly, so early preparation gives you multiple resubmission opportunities if deficiencies arise. We’ve outlined the key documentation components you need for 2026 compliance. Your next step is straightforward: assess your current readiness against these requirements and hire qualified independent auditors well before April 1, 2026 to secure your approval timeline.
Key Takeaways
CMS EDE audit submissions for 2026 have a narrow three-month window from April 1 to July 1, making early preparation essential for success.
• Start audit preparation immediately – The end-to-end process takes over a year, and early submissions allow multiple resubmission cycles before the July deadline.
• Engage qualified independent auditors early – Auditors need specific certifications (CIA, CRMA, CISA, or CGAP) and must assess 294 NIST controls plus complete functional testing toolkits.
• Prepare comprehensive documentation packages – Business requirements, privacy/security audits, and DE entity documentation must all be complete and compliant before submission.
• Understand entity-specific requirements – Primary EDE entities have different obligations than upstream entities, including ISA submissions and continuous monitoring responsibilities.
• Focus on NIST compliance and vulnerability management – Monthly vulnerability scans, remediation within 15-30 days, and annual NIST 800-53 control assessments are mandatory.
The Classic Direct Enrollment pathway ends October 31, 2025, making Enhanced Direct Enrollment the only option moving forward. Success depends on meticulous preparation, qualified auditor selection, and comprehensive documentation that meets all CMS requirements well before the submission window opens.
FAQs
Q1. What documentation is required for a CMS EDE audit submission? A complete CMS EDE audit submission requires three main components: a business requirements audit (including API functional integration testing, eligibility results, application UI toolkits, and communications compliance), a privacy and security audit (covering NIST 800-53 controls assessment, identity proofing documentation, and vulnerability scan results), and a DE Entity Documentation Package (containing operational information forms, corporate relationship charts, privacy policies, and ISA appendices).
Q2. When is the deadline for submitting CMS EDE audit documentation for 2026? The submission window for CMS EDE audits opens on April 1, 2026, and closes on July 1, 2026 at 3:00 AM ET. This three-month window applies to both prospective primary EDE entities and prospective phase change EDE entities. Early submission is recommended as it allows more opportunities to correct any completeness deficiencies before the deadline.
Q3. What qualifications must independent auditors have for CMS EDE business requirements audits? Independent auditors conducting business requirements audits must have key personnel with relevant certifications including Certified Internal Auditor (CIA), Certification in Risk Management Assurance (CRMA), Certified Information Systems Auditor (CISA), or Certified Government Auditing Professional (CGAP). CMS considers these auditors to be downstream and delegated entities, making the primary entity responsible for their performance and compliance.
Q4. How often must vulnerability scans be conducted for CMS EDE compliance? Monthly vulnerability scans are mandatory for all IT systems. During ISCM activities, you must submit the three most recent months of vulnerability scan results. Federal regulations require remediation of critical vulnerabilities within 15 days and high vulnerabilities within 30 days of discovery, with all findings consolidated into a monthly Plan of Action and Milestones (POA&M).
Q5. What is the difference between primary and upstream EDE entity documentation requirements? Primary EDE entities must engage independent auditors to perform both business requirements and privacy and security audits, and they maintain oversight of upstream entities and downstream users. Upstream EDE entities use a primary entity’s platform with customized branding and must maintain a documented legal relationship through a signed written agreement. New upstream entities work with their primary EDE entity to notify CMS and submit operational and oversight documentation for review.