Healthcare GRC

CMS Publishes ARC-AMPE

Ian Walters

Principal, Coalfire

March 21, 2025

The Centers for Medicare & Medicaid Services (CMS) published the Acceptable Risk Controls for ACA, Medicaid, and Partner Entities (ARC-AMPE) Version 1.0 on March 4th, 2025. Volume 1 contains high-level guidance, and Volume 2 has the minimum-level security and privacy controls. 

ARC-AMPE Volume 2 is the new format for the System Security and Privacy Plan (SSPP) for Affordable Care Act (ACA) Administering Entities (AEs) and Direct Enrollment Entities (DEEs). This framework is slated to replace the Minimum Acceptable Risk Standards for Exchange (MARS-E) security and privacy guidelines and the Enhanced Direct Enrollment (EDE) security and privacy control baseline.

AEs must be ARC-AMPE (AE) compliant by March 4th, 2026.

DEEs must be ARC-AMPE (DEE) compliant by the end of June 2026.

Affordable Care Act 

The ACA revolutionized access to healthcare in the United States by establishing Health Insurance Marketplaces (HIMs). EDE is an ACA innovation that allows third-party entities, such as insurers and web brokers, to offer consumers a seamless application and enrollment experience directly through their platforms. This approach improves accessibility to the marketplace while maintaining compliance with federal regulations. 

CMS oversight 

CMS exercises oversight of AEs and DEEs, which are responsible for overseeing and managing marketplace operations to ensure compliance with federal regulations, safeguarding consumer data, and maintaining the integrity of the HIM. Key aspects of CMS’s oversight include: 

  • Requiring AEs and DEEs to undergo rigorous audit processes, including demonstrating compliance with security and privacy control requirements.
  • Enforcing strict data protection measures in the AE and EDE environment to ensure the confidentiality, integrity, and availability of consumer data.
  • Requiring entities to implement cybersecurity controls, conduct regular risk assessments, and submit independent security audits.
  • Requiring AEs and DEEs to adhere to operational policies and procedures, such as providing accurate plan information, maintaining transparent consumer interactions, and facilitating HIM enrollment without bias.
  • Requiring AEs and DEEs to report any data breaches or system incidents promptly and to take corrective actions as directed by CMS and the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR).
  • Requiring AEs and DEEs to renew their Authority to Connect (ATC) or Authority to Operate (ATO) annually, providing updated documentation and evidence of continued compliance with all requirements. 

Through these oversight mechanisms, CMS ensures that AEs and DEEs in the healthcare.gov environment deliver secure, compliant, and user-friendly services, aligning with the ACA’s mission to expand access to quality health coverage. 

ARC-AMPE 

The minimum control baseline for ARC-AMPE compliance consists of 402 controls (AE) and 308 controls (DEE), which have been derived from the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53 Revision 5, “Security and Privacy Controls for Information Systems and Organizations.” 

The minimum number of controls required represents a significant increase from the previous baselines, and AEs and DEEs should be prepared for an increased level of effort in developing the SSPP and submitting more artifacts during audits. 

Another major change is the format of the SSPP template: the current template is a Microsoft Word document, whereas the ARC-AMPE SSPP is an Excel spreadsheet.

Transitioning to ARC-AMPE for AEs

Coalfire has developed a series of white papers (one for each control family) that provide a mapping of the controls found in MARS-E Version 2.2 (based on NIST SP 800-53 Revision 4) to their new locations in ARC-AMPE (based on NIST SP 800-53 Revision 5).

Transitioning to ARC-AMPE for DEEs

Coalfire has developed a second series of white papers to address the transition from the EDE security and privacy baseline to ARC-AMPE for DEEs.