CMS
ARC-AMPE: What You Need to Know
Migrating Controls from MARS-E, and EDE

Affordable Care Act
The Affordable Care Act of 2010 (ACA), also known as Obamacare, revolutionized access to healthcare in the United States by establishing Health Insurance Marketplaces (HIMs). Enhanced Direct Enrollment (EDE) is an ACA innovation that allows third-party entities, such as insurers and web-brokers, to offer consumers a seamless application and enrollment experience directly through their platforms. This approach improves accessibility to the marketplace while maintaining compliance with federal regulations.
CMS oversight
The Centers for Medicare & Medicaid Services (CMS) exercises oversight of Authorized Entities (AE), which are responsible for overseeing and managing marketplace operations to ensure compliance with federal regulations, safeguard consumer data, and maintain the integrity of the HIM. Through these oversight mechanisms, CMS ensures that AEs in the healthcare.gov environment deliver secure, compliant, and user-friendly services, aligning with the ACA’s mission to expand access to quality health coverage. Key aspects of CMS’s oversight include:
Requiring AEs to undergo rigorous audit processes, including demonstrating compliance with security and privacy control requirements.
Enforcing strict data protection measures in the AE environment to ensure the confidentiality, integrity, and availability of consumer data.
Requiring entities to implement cybersecurity controls, conduct regular risk assessments, and submit independent security audits.
Requiring AEs to adhere to operational policies and procedures, such as providing accurate plan information, maintaining transparent consumer interactions, and facilitating HIM enrollment without bias.
Requiring AEs to report any data breaches or system incidents promptly and to take corrective actions as directed by CMS and the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR).
Requiring AEs to renew their Authority to Connect (ATC) or Authority to Operate (ATO) annually, providing updated documentation and evidence of continued compliance with all requirements.

ARC-AMPE
- The Acceptable Risk Controls for ACA, Medicaid, and Partner Entities (ARC-AMPE) is the new security and privacy framework published by the Centers for Medicare & Medicaid Services (CMS).
- It incorporates NIST SP 800-53 Revision 5 controls, replacing the older Revision 4 controls used by previous CMS frameworks such as MARS-E and EDE.
- ARC-AMPE aims to modernize security and privacy controls for systems supporting the ACA and Medicaid programs.
- ARC-AMPE impacts the System Security and Privacy Plan (SSPP) for ACA Administering Entities (AEs). It also signifies a shift towards a more comprehensive approach to risk management, including enterprise risk management (ERM).
- ARC-AMPE Volume 1 contains high-level guidance, and Volume 2 has the minimum-level security and privacy controls.
- ARC-AMPE Volume 2 is the new format for the System Security & Privacy Plan (SSPP) for ACA administering entities.
Connect 1:1 with an ARC-AMPE Expert
