Healthcare GRC
CMS Releases ARC-AMPE (AE) Version 1.04


The Centers for Medicare & Medicaid Services (CMS) published the Acceptable Risk Controls for ACA (Affordable Care Act), Medicaid, and Partner Entities (ARC-AMPE) Version 1.0 on March 4th, 2025, with compliance required by March 2026.
A minor version (1.04) upgrade of the ARC-AMPE baseline for Administering Entities (AE) was released on November 20th, 2025. This article looks at the changes.
| Control | V1.03 | V1.04 |
|---|---|---|
| AU-04 Audit Log Storage Capacity | Allocate audit log storage capacity to accommodate, at a minimum, storage capacity of ninety (90) days and any other organization-defined audit log retention requirements. | Allocate audit logs to accommodate, at a minimum: a. storage capacity of ninety (90) days online and one (1) year offline for IT audit logs; b. ninety (90) days online and ten (10) years offline for business audit records; and, c. any other organization-defined audit log retention requirements. |
For control AU-04, CMS has introduced prescriptive requirements for the organization-defined parameters. The core of the NIST 800-53 controls includes a degree of interpretation based on the implementing entity’s requirements and circumstances. This change in ARC-AMPE ensures consistency across all Administering Entities (AEs) for long-term audit log storage.
Updated Supplemental Control Requirements and Guidance
AU-04 Audit Log Storage Capacity
Additional guidance: Business audit records are defined in 45 CFR §155.1210.
AU-11 Audit Record Retention
Additional guidance now includes specific requirements:
• Business audit records, as defined in 45 CFR §155.1210, Maintenance of records:
(a) General. The State Exchange must maintain and must ensure its contractors, subcontractors, and agents maintain for 10 years, documents and records (whether paper, electronic, or other media) and other evidence of accounting procedures and practices, which are sufficient to do the following:
(1) Accommodate periodic auditing of the State Exchange's financial records; and
(2) Enable HHS or its designee(s) to inspect facilities, or otherwise evaluate the State Exchange's compliance with Federal standards.
(b) Records. The State Exchange and its contractors, subcontractors, and agents must ensure that the records specified in paragraph (a) of this section include, at a minimum, the following:
(1) Information concerning management and operation of the State Exchange's financial and other record keeping systems;
(2) Financial statements, including cash flow statements, and accounts receivable and matters pertaining to the costs of operations;
(3) Any financial reports filed with other Federal programs or State authorities;
(4) Data and records relating to the State Exchange's eligibility verifications and determinations, enrollment transactions, appeals, and plan variation certifications; and
(5) Qualified health plan contracting (including benefit review) data and consumer outreach and Navigator grant oversight information.
(c) Availability. A State Exchange must make all records and must ensure its contractors, subcontractors, and agents must make all records in paragraph (a) of this section available to HHS, the OIG, the Comptroller General, or their designees, upon request.
ARC-AMPE V1.04 Summary
With these incremental changes, CMS is refining the ARC-AMPE baseline to be more prescriptive than previous versions and continues the adoption of measurable risk and privacy controls.
Implementation of these controls should also take into account other related controls for protecting the audit files, for example, access controls, data integrity, data loss prevention (DLP), backup, disaster recovery, etc.
From a compliance perspective, and to maintain an Authority to Connect (ATC), audits will require more testing of control effectiveness than Administering Entities (AEs) may have been accustomed to under Minimum Acceptable Risk Standards for Exchanges (MARS-E) requirements.