Understanding MARS-E migration to ARC-AMPE: What You Need to Know

Affordable Care Act
The Affordable Care Act of 2010 (ACA), also known as Obamacare, expanded access to healthcare in the United States by establishing Health Insurance Marketplaces (HIMs). Enhanced Direct Enrollment (EDE) is a CMS pathway under the ACA marketplace that allows approved third-party entities, such as insurers and web-brokers, to offer consumers a complete application and enrollment experience directly on their own platforms rather than on HealthCare.gov. This approach improves access to the marketplace while keeping the third-party platform within federal security and privacy requirements.
CMS oversight
The Centers for Medicare & Medicaid Services (CMS) exercises oversight of Authorized Entities (AEs), the insurers and web-brokers approved to operate EDE platforms that connect to HealthCare.gov. Because an AE handles consumer application data on its own systems, CMS holds it responsible for complying with federal regulations, safeguarding that data, and preserving the integrity of the HIM. Through these oversight mechanisms, CMS ensures that AEs deliver secure, compliant, and usable services, in line with the ACA's goal of expanding access to quality health coverage. Key aspects of CMS's oversight include:
Requiring AEs to undergo rigorous audit processes, including demonstrating compliance with security and privacy control requirements.
Enforcing strict data protection measures in the AE environment to ensure the confidentiality, integrity, and availability of consumer data.
Requiring entities to implement cybersecurity controls, conduct regular risk assessments, and submit independent security audits.
Requiring AEs to adhere to operational policies and procedures, such as providing accurate plan information, maintaining transparent consumer interactions, and facilitating HIM enrollment without bias.
Requiring AEs to report any data breaches or system incidents promptly and to take corrective actions as directed by CMS and the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR).
Requiring AEs to renew their Authority to Connect (ATC) or Authority to Operate (ATO) annually, providing updated documentation and evidence of continued compliance with all requirements.

ARC-AMPE
CMS published the Acceptable Risk Controls for ACA, Medicaid, and Partner Entities (ARC-AMPE) Version 1.02 on April 9, 2025. This framework is slated to replace the Minimum Acceptable Risk Standards for Exchanges (MARS-E) security and privacy guidelines:
402 Controls
The minimum control baseline for ARC-AMPE compliance consists of 402 controls derived from National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53 Revision 5, "Security and Privacy Controls for Information Systems and Organizations."
ARC-AMPE Volume 1 contains high-level guidance; Volume 2 contains the minimum baseline of security and privacy controls.
ARC-AMPE Volume 2 also serves as the new format of the System Security and Privacy Plan (SSPP) for ACA AEs.
AEs must have ARC-AMPE implemented by March 4, 2026.
The number of controls required is a significant increase over the MARS-E baseline. AEs should plan for a higher level of effort to develop the SSPP and to produce more evidence artifacts during audits; in practice this means mapping each existing MARS-E control implementation to its ARC-AMPE counterpart early, so that gaps are identified before the deadline rather than during the audit.
Another major change is the format of the SSPP template. MARS-E uses a Microsoft Word document, whereas the ARC-AMPE SSPP is an Excel spreadsheet, so existing narrative responses cannot simply be carried over and will need to be restructured control by control.
The list below gives the control families of the minimum baseline and the number of controls required in each (only part of the list of 20 families is reproduced here).
Physical and Environmental Protection (19)
Planning (6)
Program Management (28)
Personnel Security (9)
Personally Identifiable Information Processing and Transparency (10)
Risk Assessment (12)
System and Services Acquisition (34)
System and Communications Protection (34)
System and Information Integrity (34)
Supply Chain Risk Management (6)
