
CMS EDE Readiness: Building Controls and Evidence for Successful Audits

CMS EDE audits need rigorous preparation, complete documentation, and precise control implementation to achieve approval. Organizations face major challenges working through the complex requirements that span privacy controls, security frameworks, and operational protocols. Failing to meet these standards can result in audit delays, resubmissions, or approval denials that affect your marketplace participation.

This guide will help you build audit-ready systems. You’ll learn how to establish privacy and security controls, implement business requirements, and assemble evidence packages. The guide covers CMS audit protocols and program audit requirements. It also provides strategies to address common findings and maintain ongoing compliance as you work through the CMS EDE assessment timeline.

Understanding CMS EDE Audit Requirements and Program Protocols

Prospective entities pursuing the EDE pathway face distinct audit requirements based on their operational model. Primary EDE entities that build their own platform must undergo third-party audits of both their application and privacy/security structure. Upstream EDE entities that use a primary EDE entity’s platform with only minor branding changes are not subject to audits of their application and privacy/security structure. But if an upstream entity wishes to make deviations beyond minor branding from an approved primary platform, that entity may also face audit requirements.

Primary vs. Upstream EDE Entity Audit Scope

Primary EDE entities provide the full application, enrollment, and post-enrollment support experience on their websites and must implement the complete EDE API suite of required services, whatever their chosen application phase. These entities bear full responsibility for developing two distinct audit packages that demonstrate compliance with all program requirements.

Upstream entities using an approved EDE pathway from another entity must indicate this arrangement in their EDE Agreement and ISA. They must be prepared to submit copies of the business requirements audit package, privacy and security audit package, and documentation of the arrangement upon CMS request. An upstream entity that adds functionality or systems beyond the approved pathway must conduct and resubmit the applicable part of the operational readiness review with findings for any added functionality.

Business Requirements Audit vs. Privacy and Security Audit

Each prospective primary EDE entity must hire one or more independent auditors to perform two separate audits. The Business Requirements Audit certifies that the entity’s website and operations comply with applicable program requirements listed in the Business Requirements exhibit. Auditors conducting this audit must complete the Business Requirements Audit Report Template and applicable toolkits provided by CMS. These include API Functional Integration Testing, Eligibility Results, Application User Interface and Communications toolkits.

The Privacy and Security Audit verifies compliance with privacy and security requirements through a Security and Privacy Control Assessment that produces a Security Assessment Report (SAR). This audit certifies that the entity has implemented processes sufficient to meet the privacy and security requirements set forth in the ISA and applicable regulations. Auditors may determine that an entity does not meet one or more requirements. The entity must then create a Plan of Action and Milestones (POA&M) to resolve the deficiency.

Annual Audit Submission Window Timeline

The audit submission window for prospective primary EDE entities and prospective phase change EDE entities runs from April 1 to July 1 at 3:00 AM ET each year. CMS will not review audit submissions received after July 1 at 3:00 AM ET, whether they are submissions or resubmissions to address completeness findings. This timeline applies to all future calendar years unless CMS indicates otherwise.

An EDE environment may take a year or more to develop and audit. The approval process starts once an entity submits a complete audit. It involves multiple resubmissions and may take many months after an audit submission has been deemed complete. The process can extend up to a year or more depending on the selected end-state phase, build quality, audit documentation quality and timeliness of resubmissions. CMS’s experience with prior audits shows that prospective EDE entities submitting complete audits later in the submission window (mid-to-late May through June) have a lower probability of being approved to go live before the Open Enrollment Period. This depends on submission quality and phase selection.

CMS Program Audit Protocols and Review Process

CMS conducts completeness reviews on all prospective primary EDE entity and prospective phase change EDE entity audits submitted within the applicable submission window. The entity must submit a complete audit, and CMS must designate the audit submission as complete, before the deadline at the end of the audit submission window. Only then can the entity advance to the next phase of the review process. An entity’s opportunities to correct completeness deficiencies depend, in part, on the timing of its audit submission within the audit submission window.

CMS will not accept incomplete audits and will require that incomplete audits be resubmitted in their entirety. CMS may request revisions and resubmissions to address non-compliant requirements during its compliance review of the audit submission. The prospective EDE entity may be required to continue working with its auditor after audit submission. If resubmission requires another audit of requirements in a template or toolkit, the entity is expected to work with its auditor to confirm that resubmitted requirements are compliant.

Building Privacy and Security Controls Framework

Privacy and security controls are the foundations of your CMS EDE audit readiness. You need detailed documentation, rigorous testing protocols and ongoing monitoring activities to implement these controls and demonstrate your commitment to protecting consumer data.

NEE SSPP Documentation Requirements

Web-brokers must implement the privacy and security controls set forth in the NEE SSPP consistent with requirements in the Web-broker Agreement. The NEE SSPP contains the complete set of security and privacy controls and implementation standards for all aspects of the EDE program. This documentation describes the annual assessment that entities must conduct. It covers the assessment methodology and the tests and analysis to be performed on an annual basis. Your SSPP provides an accurate, detailed description of your system, its security requirements and the controls in place to protect the system. This living document must therefore be updated with any changes to the system, especially when a significant change occurs.

Identity Proofing and Multi-Factor Authentication Controls

CMS has implemented a risk-based alternative solution provided by Experian to prove identity when completing the Remote Identity Proofing process. Users must provide personally identifiable information that includes full legal name, Social Security number, date of birth, current residential address, personal email and personal phone number. This process works in conjunction with Multi-Factor Authentication services, which use two different factors to verify identity. Available MFA options are SMS text message, Interactive Voice Response phone call, Google Authenticator, Okta Verify and email. A 30-minute inactivity timer begins after connecting FFM account credentials when using an EDE website. The connection times out if the system detects no relevant FFM activity within that timeframe. Book a Readiness Call to ensure your implementation meets all CMS requirements if you’re building controls and need expert guidance.

Risk Assessment and Vulnerability Management

EDE entities must run monthly vulnerability scans of their IT systems. They must submit results from the most recent three months during Information Security Continuous Monitoring activities. Your testing environment used for CMS testing must be secured with user access credentials. Changes deployed to the production environment must be deployed to the test environment mirroring production at the same time. This requires developing a third environment to test new, unapproved changes before production deployment.

Penetration Testing and OWASP Top 10 Compliance

Penetration tests must cover the EDE environment and include tests based on the OWASP Top 10. Testing is performed every 3 years or when there is a significant change to the system, but annually for High or HVA systems. Penetration testing at CMS covers any login page, API endpoint, subdomain, storage bucket or connected asset that is exposed and part of the system’s boundary.

POA&M and Continuous Monitoring Implementation

Entities must submit a POA&M that incorporates all open findings from the SAR when auditors identify privacy and security compliance issues. All weaknesses must be documented in a POA&M after positive identification of security assessment findings. They must be remediated within specific timelines: Critical within 15 calendar days, High within 30 days, Moderate within 90 days and Low within 365 days. Existing EDE entities must adhere to the continuous monitoring reporting requirements in the ISCM Strategy Guide. This includes completion of an annual assessment of security and privacy controls by an auditor.
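The remediation windows above are easy to state and easy to miss once a POA&M has dozens of open items. The following tracker, an added example that is not CMS guidance or any EDE entity’s code, applies the stated severity windows (Critical 15, High 30, Moderate 90, Low 365 calendar days) to SAR findings and flags overdue items on a given review date; finding identifiers and dates are constructed for illustration.

```python
# Added example: POA&M due-date tracking for SAR findings.
# Remediation windows are the calendar-day limits stated in the text;
# the finding data below is constructed, not from a real SAR.
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

REMEDIATION_DAYS = {"Critical": 15, "High": 30, "Moderate": 90, "Low": 365}


@dataclass
class Finding:
    finding_id: str               # auditor-assigned id (constructed here)
    severity: str                 # Critical / High / Moderate / Low
    identified: date              # date the SAR positively identified it
    closed: Optional[date] = None  # date remediation evidence was accepted


def due_date(f: Finding) -> date:
    """Deadline counted in calendar days from the identification date."""
    if f.severity not in REMEDIATION_DAYS:
        raise ValueError(f"unknown severity {f.severity!r} for {f.finding_id}")
    return f.identified + timedelta(days=REMEDIATION_DAYS[f.severity])


def poam_status(f: Finding, as_of: date) -> str:
    """Classify one finding for the POA&M as of a review date."""
    deadline = due_date(f)
    if f.closed is not None:
        # A late closure still needs to be visible in the POA&M history.
        return "closed-on-time" if f.closed <= deadline else "closed-late"
    return "overdue" if as_of > deadline else "open"


def poam_report(findings: List[Finding], as_of: date) -> Tuple[List[dict], List[str]]:
    """Per-finding rows plus the ids that are past their window."""
    rows = [{"id": f.finding_id, "severity": f.severity,
             "due": due_date(f).isoformat(),
             "status": poam_status(f, as_of)} for f in findings]
    escalate = [r["id"] for r in rows if r["status"] == "overdue"]
    return rows, escalate


# Constructed sample findings, all identified on the same date.
SAMPLE_FINDINGS = [
    Finding("F-001", "Critical", date(2024, 5, 1)),
    Finding("F-002", "High", date(2024, 5, 1), closed=date(2024, 5, 20)),
    Finding("F-003", "Moderate", date(2024, 5, 1)),
    Finding("F-004", "Low", date(2024, 5, 1), closed=date(2025, 6, 1)),
]

if __name__ == "__main__":
    rows, escalate = poam_report(SAMPLE_FINDINGS, date(2024, 6, 1))
    for row in rows:
        print(row)
    print("escalate:", escalate)
```

Run with a review date one month after identification and the Critical item is the only one flagged for escalation, while the Low item closed after its 365-day window is recorded as closed late.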

Establishing Business Requirements and Operational Controls

Building an operational EDE pathway requires integrating with more than 20 specific APIs that help with eligibility, enrollment, and post-enrollment experiences. These integrations are the technical foundations that enable secure data transfers between your platform and the Federally-facilitated Exchange.

API Integration and Functional Testing Requirements

The required API suite for Year 8 of EDE includes Store ID Proofing, Person Search, Create App, Create App from Prior Year App, Store Permission, Revoke Permission, Get App, Add Member, Remove Member, Update App, Submit App, Get Data Matching Issue (DMI), Get Special Enrollment Period Verification Issue (SVI), Metadata Search, Notice Retrieval, Submit Enrollment, Document Upload, System and State Reference Data, Get Enrollment, Payment Redirect, Update Policy, and Events Based Processing. Primary EDE entities must implement the complete API suite regardless of the application phase they choose. Testing protocols require you to use the API Functional Integration Testing toolkit during your business requirements audit.

Application Phase Selection and Implementation

CMS offers three implementation phases to host applications. Phase 1 supports simplified scenarios equivalent to App 2.0 implementation and allows entities to use existing proxy DE application logic. Phase 2 expands coverage to include full-time students, pregnant members, non-U.S. citizens, naturalized citizens, members without SSNs, those previously in foster care, and stepchildren. Phase 3 provides complete application support for all scenarios and eliminates the need for consumer redirects. This includes American Indian and Alaskan Native members. Entities that implement Phase 1 or 2 must implement screening questions to redirect consumers whose circumstances cannot be supported.

Consumer and Agent/Broker Pathway Controls

Consumers must now be offered the chance to create a consumer-facing account when an Agent/Broker assists them via the Agent/Broker pathway. A 30-minute inactivity timer begins when agents and brokers connect their FFM account credentials through the CMS Enterprise Portal. The system requires reauthentication if it detects no relevant FFM activity within that timeframe.

Section 508 Compliance and Critical Communications

Auditors must confirm that your application UI and the critical communications associated with the Communications Toolkit are Section 508 compliant. This ensures enrollment services remain available to all consumers regardless of ability.

Post-Enrollment Support and DMI/SVI Management

Consumers can upload documentation to resolve SVIs and DMIs directly on your EDE website. Consumers have 30 days from plan selection to submit documentation that confirms their SEP eligibility for SVIs. Income-related DMIs require resolution within 90 days from the eligibility notice date. Your platform must display statuses for enrollments, SVIs, and DMIs while enabling consumers to download Marketplace notices directly.

Assembling Documentation and Evidence Package

Submitting audit packages requires assembling multiple documentation components that demonstrate your readiness in technical, operational and organizational areas. Each document serves a specific purpose in the CMS evaluation process and must meet precise formatting and content standards.

Required Auditor Documentation and SAP Submission

The Security Assessment Plan describes your auditor’s scope and methodology for the assessment. This document includes an attestation of the auditor’s independence. You must complete it and submit it to CMS for review before you conduct the security and privacy controls assessment. Your Business Audit Package follows specific naming conventions: the zip file should be titled “Business Audit Package_[insert prospective EDE entity name]” with folders for completed toolkits and supplemental documentation organized by test case. Auditors must provide complete documentation in the required columns, with no ambiguous language about potential risks that remain unmitigated.

ISA and EDE Business Agreement Preparation

Primary EDE entities must submit the ISA via the CMS designated file sharing system by the last business day of June. The ISA contains appendices that must be completed in full to be considered for approval. Appendix B must detail all arrangements with upstream EDE entities, relationship types, related data connections or exchanges, and arrangements with downstream agents and brokers. CMS countersigns the ISA after reviewing and approving both your business requirements audit and your annual privacy and security audit.

Operational and Oversight Information Forms

The Operational and Oversight Information Excel Form is a macro-enabled file that you complete and submit through the CMS designated file sharing system. You must fill out this form completely. It provides CMS with details about your organization’s oversight structure.

Corporate Relationship and Privacy Policy Documentation

Submit your corporate relationship chart that indicates subsidiary, sibling, or parent company relationships in Microsoft Word or PDF format. The privacy questionnaire collects information about what your platform collects, how that information is used, and which tracking technologies are used. If your privacy policy and Terms of Service remain unchanged from your last submission, you may submit an attestation on company letterhead with a signature from an officer authorized to bind your entity.

CMS EDE Assessment Timeline and Approval Strategy

Timing your CMS EDE audit submission determines your approval probability before Open Enrollment Period. The approval process has multiple stages where early preparation and quality documentation impact your timeline to go live.

Pre-Audit Notification and Kick-off Requirements

Prospective EDE entities must provide their Notice of Intent to Participate and Auditor Confirmation to DE Support at [email protected] as described in the EDE Guidelines. You cannot initiate an audit until you and your auditor attend an audit kick-off call with CMS and receive written approval to proceed.

Completeness Review and Resubmission Process

CMS conducts completeness reviews on all audits submitted within the April 1 to July 1 window. CMS takes two weeks or more to provide feedback on packages. Because you cannot advance if your package is incomplete or testing is unsuccessful, early feedback (for example, in early May) leaves time to resubmit. Your opportunities to correct completeness deficiencies depend in part on when you submit your audit.

Mini Audit and Final Approval Stages

The approval process involves multiple resubmissions once you submit a complete audit. The process takes many months after completeness designation and may extend up to a year or more depending on phase selection, build quality and audit documentation quality.

Common Audit Findings and Resolution Strategies

Prospective EDE entities submitting complete audits later in the window (mid-to-late May through June) have lower probability of approval before OEP, depending on submission quality and phase. No prospective entity receives approval unless it meets all program requirements. Book a Readiness Call with compliance experts if you need guidance navigating these challenges.

Maintaining Approval Through ISCM Activities

Existing EDE entities must adhere to the continuous monitoring reporting requirements in the ISCM Strategy Guide, which include annual security and privacy control assessments by auditors.

Conclusion

Navigating the CMS EDE audit process requires meticulous preparation on multiple fronts. In this piece, we’ve covered everything you need to build audit-ready systems. This includes privacy and security controls aligned with NEE SSPP requirements and detailed API integration spanning 20+ required services. You’ll also need complete documentation packages that demonstrate operational readiness.

The timeline between submission and approval is extensive. We encourage you to start building your controls and evidence early in the cycle. Prospective entities submitting complete, high-quality audits early in the April-July window improve their approval probability before Open Enrollment Period begins.

Key Takeaways

Successfully navigating CMS EDE audits requires strategic timing, comprehensive controls, and meticulous documentation to achieve marketplace participation approval.

Submit early in the April-July window: Late submissions (mid-May through June) have significantly lower approval probability before Open Enrollment Period begins.

Implement dual audit packages: Primary EDE entities must complete separate Business Requirements and Privacy & Security audits with independent third-party auditors.

Build comprehensive API integration: Your platform must integrate with 20+ required APIs including eligibility, enrollment, and post-enrollment support services.

Establish robust security controls: Implement NEE SSPP requirements including vulnerability scanning, penetration testing, POA&M management, and continuous monitoring protocols.

Prepare complete documentation packages: Assemble ISA agreements, operational forms, corporate relationship charts, and privacy policies with precise formatting standards.

The approval process typically involves multiple resubmissions and can extend up to a year or more after submission, making early preparation and quality documentation critical for success.

FAQs

Q1. What steps should organizations take to prepare for a CMS EDE audit? Organizations should assign a dedicated compliance lead and team, maintain complete and updated documentation, verify data accuracy and resolve any issues, conduct mock audits to identify gaps, train staff regularly on compliance requirements, and establish clear communication protocols throughout the audit process.

Q2. When is the best time to submit a CMS EDE audit to maximize approval chances? Submitting early in the April-July audit window significantly improves approval probability before Open Enrollment Period begins. Late submissions (mid-May through June) have lower chances of approval before OEP, as the review process typically involves multiple resubmissions and can take many months to complete.

Q3. What are the main differences between Primary and Upstream EDE entity audit requirements? Primary EDE entities must undergo extensive third-party audits of both their application and privacy/security structure, as they build their own platform. Upstream EDE entities that leverage a primary entity’s platform with only minor branding changes are generally not subject to these audits, though they must be prepared to submit documentation upon CMS request.

Q4. What are the two separate audits required for CMS EDE compliance? Primary EDE entities must complete a Business Requirements Audit that certifies website and operations comply with program requirements, and a Privacy and Security Audit that ensures compliance through a Security and Privacy Control Assessment producing a Security Assessment Report (SAR).

Q5. How long does the CMS EDE approval process typically take? The approval process typically involves multiple resubmissions and may take many months after an audit submission has been deemed complete, potentially extending up to a year or more. The timeline depends on factors including selected end-state phase, build quality, audit documentation quality, and timeliness of resubmissions.