There are three categories for an upstream EDE Entity:
- White-Label Issuers
- Hybrid Issuers
- Hybrid Non-Issuers
For all upstream arrangements, the following must be observed:
- Must have a legal, documented relationship with a primary EDE Entity, which includes a contract of engagement
- The EDE “end-user experience” will constitute any and all data collected throughout the process, including but not limited to: pre-application, application, plan comparison and purchase, enrollment, and any post-enrollment data
- Must sign an EDE Business Agreement and maintain a unique Partner ID
It’s important to note that all EDE Web Brokers, DE Technology Providers, and Hybrid Entities must meet all CMS requirements for both REMEDIATION and AUDIT. This includes remaining up to date on all requirements applicable to Upstream EDE Entities with a single sign-on (SSO). All Upstream EDE Entities with an SSO are required to retain an independent auditor to conduct a privacy and security audit.
This audit must be completed by the deadline (or prior to approval, for new entities). Failure to submit the required audit could result in CMS suspending the EDE Entity’s access to the EDE production environment.
Summary of audit requirements for a Hybrid Issuer Upstream EDE Entity, by control family:
- Access Controls (AC): 39 controls
- Awareness & Training (AT): 2 controls
- Audit & Accountability (AU): 6 controls
- Security Assessment & Authorization (CA): 5 controls
- Configuration Management (CM): 5 controls
- Identification & Authentication (IA): 19 controls
- Incident Response (IR): 4 controls
- Physical & Environmental Protection (PE): 2 controls
- Planning (PL): 2 controls
- Personnel Security (PS): 4 controls
- Risk Assessment (RA): 2 controls
- System & Services Acquisition (SA): 3 controls
- System & Communication Protection (SC): 9 controls
- System & Information Integrity (SI): 4 controls
- Accountability, Audit, & Risk Management (AR): 2 controls
- Data Minimization & Retention (DM): 3 controls
- Individual Participation & Redress (IP): 3 controls
- Security (SE): 2 controls
- Transparency (TR): 2 controls
The current requirements for an EDE Hybrid Issuer Upstream EDE Entity are as follows:
- Security Privacy Controls (SAP): This report is to be completed by an auditor and submitted to CMS prior to audit commencement.
- Security and Privacy Assessment Report (SAR): CMS prefers that a third-party auditor perform this report, testing all of the required NIST controls (for first-time approval and/or ongoing compliance).
- Plan of Action and Milestones (POA&M): Required document that records findings from the SAR, penetration tests, vulnerability scans, risk assessment, and any other findings related to the environment in scope, along with the planned remediation and milestones for each.
- Privacy Impact Assessment (PIA): This detailed report of the evaluation of controls is not required for submission but must be available if requested during an audit.
- Incident Response Plan and Incident/Breach Notification Plan: Includes details of how incident handling and breach response procedures are implemented. This detailed report of incident response procedures is not required for submission but must be available if requested, including during an audit.
- Network and Components Vulnerability Scans: Vulnerability scans of the internal and external network and of the application components.
- Penetration Testing: Web application and network penetration testing that verifies all CMS requirements are met (e.g., coverage of the OWASP Top 10).
Elevate has extensive audit experience conducting operational, security, and privacy audits, and we can efficiently assess and manage compliance with each CMS program requirement. Elevate can work with your organization to get ready to pass the audit and meet all CMS requirements, and/or perform the audit itself. We have helped EDE Web Brokers and EDE Technology Providers get approved by CMS, and DE Web Brokers meet the requirements.