Understanding

MARS-E migration to ARC-AMPE

What You Need to Know


CMS published the Acceptable Risk Controls for ACA, Medicaid, and Provider Entities (ARC-AMPE) Version 1.02 on April 9, 2025. This framework is slated to replace the Minimum Acceptable Risk Standards for Exchange (MARS-E) security and privacy guidelines.

402 Controls

The minimum control baseline for ARC-AMPE compliance consists of 402 controls, which have been derived from the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53 Revision 5, "Security and Privacy Controls for Information Systems and Organizations".

AEs must have ARC-AMPE implemented by March 4, 2026.

The number of controls required represents a significant increase from the MARS-E baseline, and AEs should be prepared for an increased level of effort to develop the System Security and Privacy Plan (SSPP) and to submit more artifacts during audits. Another major change is the format of the SSPP template: MARS-E uses a Microsoft Word format, whereas ARC-AMPE uses an Excel spreadsheet.

Connect 1:1 with an ARC-AMPE Expert


Our team members undergo extensive training, participate as industry thought leaders, and have earned industry certifications, including CMS Auditor Regulatory and Compliance Standards, CMS FWA, EDE Security and Privacy Audit Standards, EDE Business Audit Standards, CISSP, CCSFP, HCISPP, CCSK, RHIA, CHPS, CIPM, AWS CCP, HITRUST CCSFP.