Healthcare GRC
CMS Publishes ARC-AMPE
The Centers for Medicare & Medicaid Services (CMS) published the Acceptable Risk Controls for ACA, Medicaid, and Partner Entities (ARC-AMPE) Version 1.0 on March 4th, 2025. Volume 1 contains high-level guidance, and Volume 2 has the minimum-level security and privacy controls.
ARC-AMPE Volume 2 is the new format for the System Security and Privacy Plan (SSPP) for Affordable Care Act (ACA) Administering Entities (AEs). This framework is slated to replace the Minimum Acceptable Risk Standards for Exchange (MARS-E) security and privacy guidelines.
AEs must have ARC-AMPE implemented by March 4th, 2026.
The implementation date for Enhanced Direct Enrollment (EDE) entities has yet to be announced.
Affordable Care Act
The ACA revolutionized access to healthcare in the United States by establishing Health Insurance Marketplaces (HIMs). EDE is an ACA innovation that allows third-party entities, such as insurers and web-brokers, to offer consumers a seamless application and enrollment experience directly through their platforms. This approach improves accessibility to the marketplace while maintaining compliance with federal regulations.
CMS oversight
CMS exercises oversight of AEs, which are responsible for overseeing and managing marketplace operations to ensure compliance with federal regulations, safeguard consumer data, and maintain the integrity of the HIM. Key aspects of CMS’s oversight include:
- Requiring AEs to undergo rigorous audit processes, including demonstrating compliance with security and privacy control requirements.
- Enforcing strict data protection measures in the AE environment to ensure the confidentiality, integrity, and availability of consumer data and requiring entities to implement cybersecurity controls, conduct regular risk assessments, and submit independent security audits.
- Requiring AEs to adhere to operational policies and procedures such as providing accurate plan information, maintaining transparent consumer interactions, and facilitating HIM enrollment without bias.
- Requiring AEs to report any data breaches or system incidents promptly and to take corrective actions as directed by CMS and the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR).
- Requiring AEs to renew their Authority to Connect (ATC) or Authority to Operate (ATO) annually, providing updated documentation and evidence of continued compliance with all requirements.
Through these oversight mechanisms, CMS ensures that AEs in the healthcare.gov environment deliver secure, compliant, and user-friendly services, aligning with the ACA’s mission to expand access to quality health coverage.
ARC-AMPE
The minimum control baseline for ARC-AMPE compliance consists of 401 controls which have been derived from the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53 Revision 5, “Security and Privacy Controls for Information Systems and Organizations.”
The number of controls required represents a significant increase from the MARS-E baseline, and AEs should be prepared for an increased level of effort for developing the SSPP and to submit more artifacts during audits.
Another major change is the format of the SSPP template contained in Volume 2. MARS-E uses a Microsoft Word format whereas ARC-AMPE’s SSPP is an Excel spreadsheet.
Upgrade from MARS-E to ARC-AMPE
Coalfire has developed a series of white papers (one for each control family) that provides a mapping of the controls found in MARS-E Version 2.2. (based on NIST SP 800-53 Revision 4) to their new locations in ARC-AMPE (based on NIST SP 800-53 Revision 5).
We can also provide advisory services to assist in producing a compliant ARC-AMPE SSPP.