
ARC-AMPE Awareness and Training requirements: What’s changed from MARS-E

Ian Walters

Principal, Coalfire

April 29, 2025

ARC-AMPE Introduction

As cyber threats grow more sophisticated and persistent, so do the expectations for safeguarding sensitive healthcare data.

The Affordable Care Act (ACA), commonly referred to as Obamacare, is a comprehensive health care reform law enacted in 2010 to increase health insurance coverage for the uninsured and implement reforms to the health insurance market. Its primary goals are to make health insurance more affordable, expand Medicaid, and support innovative medical care delivery methods to lower healthcare costs.

The Acceptable Risk Controls for ACA, Medicaid, and Provider Entities (ARC-AMPE) was published in March 2025 to replace the Minimum Acceptable Risk Standards for Exchanges (MARS-E) with compliance required by March 2026.

These new controls modernize how organizations manage security and privacy training across systems that support the ACA, Medicaid programs, and provider networks. 

The migration to ARC-AMPE reflects the Centers for Medicare & Medicaid Services (CMS) decision to adopt National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53 Revision 5, "Security and Privacy Controls for Information Systems and Organizations." MARS-E was based on NIST SP 800-53 Revision 4, which NIST withdrew in September 2021 after Revision 5 superseded it.

This post highlights some of the key changes and provides a link to a white paper that maps the MARS-E to ARC-AMPE transition for the Awareness and Training (AT) control requirements.

Policy and Procedures (AT-01)

What’s new:

  • Assign a dedicated official to oversee the training program.
  • Update policies and procedures annually and after significant events.
  • Ensure alignment with laws, regulations, and federal directives.

What the auditor will be looking for:

  • A responsive training governance process, not a set-it-and-forget-it policy. Awareness campaigns should respond to current threats and vulnerabilities, and the policy should show evidence of review after significant events, not only on the annual cycle.

Literacy Training and Awareness (AT-02)

What’s new:

  • Training is now referred to as "literacy" training, emphasizing user understanding rather than attendance.
  • Add interactive elements such as phishing simulations.
  • Include lessons learned from real security incidents.

What the auditor will be looking for:

  • Training must be dynamic, relevant, and tailored to actual threats, not just theoretical knowledge.

Insider Threat (AT-02(02))

What’s new:

  • The new control language is less specific than the previous version and leaves it to the organization to define its own indicators of insider threat.

What the auditor will be looking for:

From a pure audit perspective, the auditor will be looking for policy statements and training on recognizing insider threat indicators. As a best practice (especially during a risk analysis), the indicators listed in NIST SP 800-53 Rev 4 should still be considered, such as inordinate, long-term job dissatisfaction; attempts to gain access to information not required for job performance; unexplained access to financial resources; bullying or sexual harassment of fellow employees; workplace violence; and other serious violations of organizational policies, procedures, directives, rules, or practices. Because ARC-AMPE leaves the indicator set organization-defined, the auditor will expect the chosen indicators to be documented and traceable to the training content.

New AT-02 control enhancements introduced by ARC-AMPE

AT-02(03): Social Engineering and Mining

  • Train users to recognize and respond to phishing, baiting, and similar tactics.

AT-02(04): Suspicious Communications and Anomalous System Behavior

  • Teach users how to identify signs of malware or abnormal activity.

AT-02(05): Advanced Persistent Threat (APT)

  • Raise user awareness of long-term, covert attack strategies.

What the auditor will be looking for:

Evidence that the AT-02 enhancements are implemented, including periodic phishing tests, training on how to recognize anomalous system behavior, and training on how to recognize APT tactics.

Role-Based Training (AT-03)

What’s new:

  • Incorporate lessons learned from internal or external security incidents or breaches into role-based training.

What the auditor will be looking for:

  • Training must be dynamic, relevant, and tailored to the actual roles users hold, with incident lessons learned reflected in the role-specific content.

Processing Personally Identifiable Information (AT-03(05))

A new control enhancement under ARC-AMPE that mandates annual training for anyone handling Personally Identifiable Information (PII), including vendors.

What the auditor will be looking for:

Records of annual training, including vendors and any other entities in the supply chain that use or disclose PII (e.g., contractors). Training records for in-house staff alone will not satisfy this enhancement.

Training Records (AT-04)

What’s new:

  • Adds privacy training to the record-keeping requirement, alongside security training.

What the auditor will be looking for:

  • A sample of security and privacy training records covering the previous 5 years.

Conclusion

ARC-AMPE raises the bar for security and privacy training. These updates are a direct response to the evolving cyber threat landscape and the increasing need for risk-aware users, actionable training, and continuous improvement.

If you’re part of the ACA, Medicaid, or provider ecosystem, now is the time to act:

  • Reevaluate your training policies.
  • Modernize your training content and delivery.
  • Assign clear ownership for policy oversight.

White Paper

Migration from MARS-E to ARC-AMPE Awareness and Training (AT) controls

Information is correct at the time of publication. For updates and latest versions, please visit the CMS Zone portal.

More Information

Please contact Coalfire for more information on migrating to ARC-AMPE, to schedule a gap analysis, or to conduct an audit of your ARC-AMPE-compliant system.