Understanding
MARS-E migration to ARC-AMPE
What You Need to Know

CMS published the Acceptable Risk Controls for ACA, Medicaid, and Provider Entities (ARC-AMPE) Version 1.02 on April 9, 2025. This framework is slated to replace the Minimum Acceptable Risk Standards for Exchange (MARS-E) security and privacy guidelines:
402 Controls
The minimum control baseline for ARC-AMPE compliance consists of 402 controls which have been derived from the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53 Revision 5, “Security and Privacy Controls for Information Systems and Organizations".
AEs must have ARC-AMPE implemented by March 4, 2026.
The number of controls required represents a significant increase from the MARS-E baseline, and AEs should be prepared for an increased level of effort for developing the System Security and Privacy Plan (SSPP) and to submit more artifacts during audits. Another major change is the format of the SSPP template. MARS-E uses a Microsoft Word format whereas ARC-AMPE is an Excel spreadsheet.
The list below provides details of the 20 control families and the number of controls required for the minimum baseline.
Follow the hyperlinks for more details and a guide for migrating from MARS-E to ARC-AMPE.
Download all files >
Physical and Environmental Protection (19)
Planning (6)
Program Management (28)
Personnel Security (9)
Personally Identifiable Information Processing and Transparency (10)
Risk Assessment (12)
System and Services Acquisition (34)
System and Communications Protection (34)
System and Information Integrity (34)
Supply Chain Risk Management (6)
Connect 1:1 with a ARC-AMPE Expert
