
ARC-AMPE: What You Need to Know

Migrating Controls from MARS-E and EDE


Affordable Care Act

The Affordable Care Act of 2010 (ACA), also known as Obamacare, transformed access to healthcare in the United States by establishing Health Insurance Marketplaces (HIMs). Enhanced Direct Enrollment (EDE) is a CMS program for the federal marketplace that allows third-party entities, such as insurers and web-brokers, to offer consumers a complete application and enrollment experience directly through their own platforms. This approach broadens access to the marketplace while holding those third parties to the same federal security and privacy requirements.

CMS oversight

The Centers for Medicare & Medicaid Services (CMS) exercises oversight of Administering Entities (AEs), the organizations responsible for managing marketplace operations in compliance with federal regulations, safeguarding consumer data, and maintaining the integrity of the HIM. Through these oversight mechanisms, CMS ensures that AEs in the HealthCare.gov environment deliver secure, compliant, and user-friendly services, in line with the ACA's goal of expanding access to quality health coverage. Key aspects of CMS's oversight include:

  • Requiring AEs to undergo rigorous audit processes, including demonstrating compliance with security and privacy control requirements.
  • Enforcing strict data protection measures in the AE environment to ensure the confidentiality, integrity, and availability of consumer data.
  • Requiring entities to implement cybersecurity controls, conduct regular risk assessments, and submit independent security audits.
  • Requiring AEs to adhere to operational policies and procedures, such as providing accurate plan information, maintaining transparent consumer interactions, and facilitating HIM enrollment without bias.
  • Requiring AEs to report any data breaches or system incidents promptly and to take corrective actions as directed by CMS and the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR).
  • Requiring AEs to renew their Authority to Connect (ATC) or Authority to Operate (ATO) annually, providing updated documentation and evidence of continued compliance with all requirements.


ARC-AMPE

  • The Acceptable Risk Controls for ACA, Medicaid, and Partner Entities (ARC-AMPE) is the new security and privacy framework published by the Centers for Medicare & Medicaid Services (CMS).
  • It incorporates NIST SP 800-53 Revision 5 controls, replacing the older Revision 4 controls that underpinned the previous CMS requirements, namely MARS-E and the EDE Security and Privacy Audit Standards.
  • ARC-AMPE aims to modernize security and privacy controls for systems supporting the ACA and Medicaid programs.
  • ARC-AMPE impacts the System Security and Privacy Plan (SSPP) for ACA Administering Entities (AEs). It also signifies a shift towards a more comprehensive approach to risk management, including enterprise risk management (ERM).
  • ARC-AMPE Volume 1 contains high-level guidance, and Volume 2 has the minimum-level security and privacy controls.
  • ARC-AMPE Volume 2 is the new format for the System Security & Privacy Plan (SSPP) for ACA administering entities.

Our team members undergo extensive training, participate as industry thought leaders, and have earned industry certifications, including CMS Auditor Regulatory and Compliance Standards, CMS FWA, EDE Security and Privacy Audit Standards, EDE Business Audit Standards, CISSP, HITRUST CCSFP, HCISPP, CCSK, RHIA, CHPS, CIPM, and AWS CCP.