SW
A Locked In Labs application · Seeded program template

CMS EDE Year 9 audit-readiness engine.

CMS EDE is ControlFrame’s first showcase because it requires source-native toolkit rows, deterministic browser evidence, API payload captures, screenshot metadata, source-row indexes, checksums, and blocker honesty. The same engine expands to PCI, HITRUST, SOC 2, HIPAA, NIST, GDPR, and other frameworks.

CMS EDE Year 9 / PY2026audit-readiness only
Toolkit lanes
9
UI, eligibility, API, comms, IDP, security
UI source rows
283
144 missing in source matrix
Workbook IDs
1155
9 CMS workbooks parsed
Scenarios
30
3 ready / 24 blocked
Screenshot slots
13
9 browser-run slots
Blocked rows
5
CMS UAT, IDM, Okta, credentials
HPS / MarketLink showcase

Production-shaped project for Wipro Health Plan Services

The first project instance is Health Plan Services / MarketLink. Existing MarketLink evidence can appear only as reference examples. Audit proof must come from fresh ControlFrame collector runs or explicit auditor-safe uploads.

Open project dashboardView UI-006 drilldownSource catalogSource reconciliationWorkbook native IDs
CMS EDE lanes
Application UI Toolkit
Phase 3 application flow

Application UI Toolkit UI Questions Item #1-#302, including conditional branches, required text, disclosures, inputs, dropdowns, and applicationAnswers mappings.

Eligibility Results Toolkit
Eligibility result scenarios

Eligibility Results Toolkit Phase 3 test case IDs, determination payloads, plan eligibility, APTC/CSR, Medicaid/CHIP, and SEP outcomes.

Partner Test Case Suite
CMS partner UAT cases

CMS EDE Partner Test Case Suite IDs and Test Case Suite User Guide execution evidence.

API Functional Integration Toolkit
EDE API integration

API Functional Integration Toolkit IDs, EDE API Companion Guide operations, and FFM Hub integration controls.

Communications Toolkit
Required consumer communications

Communications Toolkit requirement numbers, standardized disclaimers, legal notices, language assistance, and consumer-facing content.

Eligibility Determination Notices
Generated notices

Eligibility Determination Notice generation, content, language, distribution, archive, and metadata evidence.

Identity Proofing
RIDP-RBA / GetRecord

Year 9 RIDP-RBA / GetRecord requirements, NIST SP 800-63-3 identity assurance, and acceptable documentation paths.

Registration and Onboarding
Agent/broker gates

Agent/broker registration, onboarding, pending approval, MFA setup, authorization gates, and role-specific access.

Security Controls - ARC-AMPE / MARS-E
SSPP / SAR / POA&M

ARC-AMPE, MARS-E 2.2, NIST SP 800-53 Rev. 5, SSPP, SAR, POA&M, ISA, and privacy/security controls.

Reusable collector model
Browser flow collector

Log in with configured role accounts, follow deterministic route steps, capture full-page screenshots, extract page text, and write sidecar metadata.

API evidence collector

Exercise configured endpoints, capture request/response JSON, redact sensitive fields, hash outputs, and map payloads to source-native IDs.

Document and configuration collector

Index uploaded policies, SSPP/SAR/POA&M packages, configuration exports, and manual auditor artifacts with source-backed mappings.