CMS-10877 Change Notification Form

OMB Control #: 0938-NEW
Expiration Date: XX/XX/20XX

Centers for Medicare & Medicaid Services

Change Notification Form for Enhanced
Direct Enrollment Entities Information
Technology Systems
Version 2.0
October 13, 2022

PRA DISCLOSURE: According to the Paperwork Reduction Act of 1995, no persons are required to respond to a collection of information unless it
displays a valid OMB control number. The valid OMB control number for this information collection is 0938-NEW, expiration date is XX/XX/20XX.
The time required to complete this information collection is estimated to take up to 56,290 hours annually for all direct enrollment entities. If you
have comments concerning the accuracy of the time estimate(s) or suggestions for improving this form, please write to: CMS, 7500 Security
Boulevard, Attn: PRA Reports Clearance Officer, Mail Stop C4-26-05, Baltimore, Maryland 21244-1850. ****CMS Disclosure**** Please do not send
applications, claims, payments, medical records or any documents containing sensitive information to the PRA Reports Clearance Office. Please
note that any correspondence not pertaining to the information collection burden approved under the associated OMB control number listed on this
form will not be reviewed, forwarded, or retained. If you have questions or concerns regarding where to submit your documents, please contact
Brittany Cain at [email protected].

Sensitive and Confidential Information – For Official Use Only
Centers for Medicare & Medicaid Services

Change Notification Form for EDE Entities IT Systems

1. Introduction
As part of the continuing efforts to protect the confidentiality, integrity, and availability (CIA) of
the information collected, used, disclosed, and/or retained by the Enhanced Direct Enrollment
(EDE) Entity’s information technology (IT) systems, EDE entities must implement a
configuration change control process as part of the configuration management control family
described in the EDE system security and privacy plan (SSP). Any system changes that include
new, enhanced, or updated hardware and software capabilities; or that apply patches for
correcting software flows and new security threats; or that execute changes to business functions
and data collection, may cause changes to system configurations as well as the security and
privacy posture of the EDE Entity’s information systems. Consequently, EDE entities must
document system changes and evaluate the scope and nature of the changes in terms of the
potential security and privacy impact as an essential aspect of its own change management and
continuous monitoring activities.
All changes must be tested, validated, and documented before implementing the changes in the
EDE operational environment. If an EDE Entity is planning to make category 1, 2, or 3 changes
to its approved EDE environment, the EDE Entity must notify the Centers for Medicare &
Medicaid Services (CMS) prior to implementing these changes. CMS provides guidance on EDE
Entity-initiated change requests and categorization in the Change Notification Procedures for
Enhanced Direct Enrollment Entity Information Technology Systems (hereinafter CN
Procedures).

1.1

Purpose

The purpose of this document is to provide the EDE System Security and Privacy Change
Notification Form that an EDE Entity completes when making changes to its EDE environments.
It is applicable to any EDE Entity responsible for managing and administering the security and
privacy of the IT systems.

1.2

Instructions

The EDE entities must review and complete the form using the instructions outlined in each
section of this form, and the CN Procedures. The form should be submitted to CMS via the
Entity’s DE/EDE PME Site with an accompanying notification email to the DE Help Desk with
the email subject line starting with “EDE Entity initiated CR – Category [1, 2, or 3] Change”.
The EDE entities must submit additional documentation, as required, through their Entityspecific DE/EDE PME Site.

Change Notification Form for EDE Entities IT Systems
Version 2.0

1
October 13, 2022

Sensitive and Confidential Information – For Official Use Only
Centers for Medicare & Medicaid Services

1.3

Change Notification Form for EDE Entities IT Systems

EDE Entity System Security and Privacy Change Notification Form

Name of EDE Entity:

Entity-Initiated Change Request (EICR) Summary
Entity Type:
EDE Phase:
(If a Primary Entity)

Submission Date:

Planned Implementation Date:

Title of Proposed Change:

Proposed Change Category:
(See EDE Change Procedures, Section 2.2.1)

Description of Proposed Change:

1.
2.

Scope of Proposed Change
Is this proposed change a new upstream arrangement?
If yes, please answer questions 2-3. If no, please move to question 6.

☐Yes

☐No

Indicate the type of upstream Entity.
Select one. For more information, see the EDE Guidelines, Section IV.B.
☐White Label Issuer

☐Hybrid Issuer

☐Hybrid Issuer using
Single Sign-On

☐Hybrid Non-Issuer

3.

Will the proposed upstream Entity conduct identity-proofing?
If yes, please answer question 4. If no, please move to question 5.

4.

Indicate the type(s) of identity-proofing conducted by the proposed upstream Entity.
Check all that apply. For more information, see the EDE Guidelines, Section VI.
☐ Consumer Identity Proofing
Implementation

☐Yes

☐ Agent and Broker Identity Proofing
Verification

5.

Will the proposed upstream Entity conduct any business requirement
functions included in the EDE Business Requirements audit?
If yes, please describe below.

6.

Does the proposed change include an upstream Entity adding functionality or
systems beyond the boundary of the most recent EDE ISCM privacy and
security audit scope?
If yes, please describe below.

7.

Does the proposed change include the exchange of data?
If yes, please answer questions 8-9.

8.

Indicate the type(s) of data exchanged.
Check all that apply.

Change Notification Form for EDE Entities IT Systems
Version 2.0

☐No

☐Consumer-Provided Data

☐Yes

☐No

☐Yes

☐No

☐Yes

☐No

☐Exchange-Provided Data

1
October 13, 2022

Sensitive and Confidential Information – For Official Use Only
Centers for Medicare & Medicaid Services
9.

Change Notification Form for EDE Entities IT Systems

Are the systems receiving/collecting/storing data as part this proposed
change included within the audit boundary of the most recent EDE ISCM
privacy and security audit scope?

☐Yes

☐No

Impact of Proposed Change
10. Business Impact: Summarize the results of the Business Impact Analysis (BIA) below.

11. Security Impact: Summarize the results of the Security Impact Analysis (SIA) below.
Please indicate which security and privacy control families are impacted and provide a copy of the detailed
SIA report. (Note: See Section 2.3 of the EDE Change Notification Procedures)

12. Privacy Impact: Describe how the changes will impact privacy, for example, PII Data Collection, Use,
or Disclosure below.

13. Does the privacy impact require an updated Privacy/TPWA Questionnaire?
If yes, include an updated Privacy/TPWA Questionnaire.

☐Yes

☐No

14. Does the privacy impact require an updated website privacy policy or terms of
service for the Primary and/or Upstream Entity?
If yes, include a Word document or PDF with the proposed changes highlighted.

☐Yes

☐No

Entity-Initiated Change Request Documentation Checklist
Please complete the checklist below to confirm the necessary documentation is included in your EICR
submission. The form should be submitted to CMS via the Entity’s DE/EDE PME Site with an
accompanying notification email to the DE Help Desk with the email subject line starting with “EDE Entity
initiated CR – Category [1, 2, or 3] Change”.
EICR Document

Required?



Entity-Initiated Change Request Form

Yes, for all EICRs



Security Impact Analysis

Yes, for all EICRs



ISA Appendix B

Only proposed upstream arrangements



UI mock-up, screenshots, and/or diagram
compiled in MS PowerPoint

Any EICR that proposes data exchange,
changes to or additional systems, new
functionality, and UI modifications.



Privacy Questionnaire

Only if the Primary Entity identified a
privacy impact (Question 11 above)



Website Privacy Policy or Terms of
Service

Only if the Primary Entity identified a
privacy impact (Question 12 above)

Change Notification Form for EDE Entities IT Systems
Version 2.0

Included
EICR Package

2
October 13, 2022