Healthcare GRC
CMS Releases ARC-AMPE (AE) Version 1.03

October 23, 2025

The Centers for Medicare & Medicaid Services (CMS) published the Acceptable Risk Controls for ACA (Affordable Care Act), Medicaid, and Partner Entities (ARC-AMPE) Version 1.0 on March 4th, 2025, with compliance required by March 2026.
A minor version upgrade (1.03) of the ARC-AMPE baseline for Administering Entities (AE) was released on October 23rd, 2025. This article looks at the changes.
ARC-AMPE (AE) Version 1.03
- Column J in the AE Mandatory Baseline has been renamed from “Primary Owner Control Status” to “State/AE System Owner Control Status”
- IR-02(03) Incident Response: Breach.
- This control is now flagged as a new control in the baseline. Its requirement: “Provide incident response training on how to identify and respond to a breach, including the organization’s process for reporting a breach.”
- AC-02(03) Access Control: Disable Accounts
- The control requirement was previously limited to disabling accounts that “have been inactive for sixty (60) days.” It now differentiates between account types:
- 1) sixty (60) days for all non-consumer accounts, or,
- 2) fifteen (15) months for ACA consumer accounts
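The differentiated thresholds in AC-02(03) are straightforward to automate, but the consumer cutoff is expressed in calendar months rather than days, so a naive "months × 30" check drifts. The script below is an added example (not from CMS or the ARC-AMPE documents) that evaluates a constructed set of accounts against a reference date and returns the ones due for disabling. The `Account` record, the `aca_consumer` type label, and the choice to treat inactivity as reaching the threshold on the cutoff date itself are assumptions for illustration; map them to your own identity store and interpretation of the control.

```python
"""Inactive-account check modelled on ARC-AMPE (AE) v1.03 AC-02(03).

Added example, not CMS code. Thresholds: 60 days for all non-consumer
accounts, 15 calendar months for ACA consumer accounts.
"""
import calendar
from dataclasses import dataclass
from datetime import date, timedelta

NON_CONSUMER_INACTIVE_DAYS = 60       # AC-02(03) item 1
ACA_CONSUMER_INACTIVE_MONTHS = 15     # AC-02(03) item 2
ACA_CONSUMER_TYPE = "aca_consumer"    # assumed type label from the identity store


@dataclass(frozen=True)
class Account:
    user_id: str
    account_type: str      # e.g. "staff", "privileged", "service", "aca_consumer"
    last_activity: date    # last successful authentication or session activity
    enabled: bool = True


def months_before(ref: date, months: int) -> date:
    """Calendar date `months` months before `ref`, clamping the day to the
    length of the target month (31 Mar minus 1 month -> 28 Feb, not 3 Mar)."""
    total = ref.year * 12 + (ref.month - 1) - months
    year, month0 = divmod(total, 12)
    month = month0 + 1
    day = min(ref.day, calendar.monthrange(year, month)[1])
    return date(year, month, day)


def cutoff_for(account: Account, ref: date) -> date:
    """Latest last_activity date that still counts as active on `ref`."""
    if account.account_type == ACA_CONSUMER_TYPE:
        return months_before(ref, ACA_CONSUMER_INACTIVE_MONTHS)
    return ref - timedelta(days=NON_CONSUMER_INACTIVE_DAYS)


def is_stale(account: Account, ref: date) -> bool:
    """True once inactivity has reached the threshold (assumption: the
    boundary date itself counts as stale)."""
    return account.last_activity <= cutoff_for(account, ref)


def accounts_to_disable(accounts: list[Account], ref: date) -> list[str]:
    """Enabled accounts whose inactivity meets their type's threshold."""
    return sorted(a.user_id for a in accounts if a.enabled and is_stale(a, ref))


# Constructed sample data: reference date is the v1.03 release date.
REF_DATE = date(2025, 10, 23)
SAMPLE_ACCOUNTS = [
    Account("svc-backup", "service", date(2025, 8, 1)),          # 83 days idle
    Account("jdoe", "staff", date(2025, 9, 15)),                 # 38 days idle
    Account("admin-old", "privileged", date(2025, 8, 24)),       # exactly 60 days
    Account("consumer-1", ACA_CONSUMER_TYPE, date(2025, 8, 1)),  # well inside 15 months
    Account("consumer-2", ACA_CONSUMER_TYPE, date(2024, 6, 30)), # past 15 months
    Account("consumer-3", ACA_CONSUMER_TYPE, date(2024, 7, 23)), # exactly 15 months
    Account("old-disabled", "staff", date(2024, 1, 1), enabled=False),
]

if __name__ == "__main__":
    for uid in accounts_to_disable(SAMPLE_ACCOUNTS, REF_DATE):
        print(f"disable {uid}")
```

Note that the consumer cutoff is computed in calendar months, so a consumer last seen on 23 July 2024 is disabled on 23 October 2025 regardless of how many days that span contains; a day-count approximation would move the boundary by one to two days each cycle. Accounts already disabled are skipped so the job is idempotent and does not re-report them.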
- AC-11 Access Control: Device Lock
- Formatting change only. Requirement (a) has been split into (a) and (b), and the former requirement (b) is now labelled (c)
- Prevent further access to the system by:
- a. initiating a device lock after fifteen (15) minutes of inactivity;
- b. requiring the user to initiate a device lock before leaving the system unattended; and,
- c. retaining the device lock until the user re-establishes access using established identification and authentication procedures.
- IA-12(01) Identification and Authentication: Supervisor Authorization
- Supplemental guidance has been updated to include “Consumer accounts do not require human authorization so long as they pass all account setup and identity proofing requirements.”
- AT-03(01) Awareness and Training: Role-Based Training | Environmental Controls
- This is an example of Entity Specific Tailoring, i.e., controls that have been added to the entity’s control set due to known threats and vulnerabilities that the minimum baseline doesn’t address. Refer to “PL-11 Baseline Tailoring” for more information.
- The new version has added “<This is an example of a NIST SP 800-53 Rev.5 control that does not exist in ARC-AMPE>” to the guidance.
- SA-08(31) System and Services Acquisition: Secure System Modification
- The supplemental guidance has changed from
- V1.02 - “All system changes must be accompanied by a Security Impact Analysis (SIA) and a Privacy Impact Assessment (PIA).”
- V1.03 - “All system changes must be accompanied by a Security Impact Analysis (SIA) (except for regular system patching).”