ARC-AMPE Replacing MARS-E for ACA Cybersecurity Compliance
The Centers for Medicare & Medicaid Services (CMS) has introduced a new cybersecurity and privacy framework: Acceptable Risk Controls for ACA, Medicaid, and Partner Entities (ARC-AMPE). This framework, which replaces the previous Minimum Acceptable Risk Standards for Exchanges (MARS-E), represents a comprehensive modernization effort to address today’s evolving threats, compliance requirements, and privacy expectations across the Affordable Care Act (ACA) ecosystem. ACA Administering Entities must implement ARC-AMPE by March 4, 2026.
What Is ARC-AMPE?
ARC-AMPE is a comprehensive set of security and privacy standards designed to safeguard Personally Identifiable Information (PII) and Protected Health Information (PHI) across the Affordable Care Act (ACA) ecosystem. It applies to:
- Health Insurance Exchanges (Federal and State-based)
- Medicaid agencies
- Partner Entities that support ACA-related operations
ARC-AMPE integrates enterprise risk management (ERM) principles and aligns with the latest federal cybersecurity guidance to address the increasingly complex regulatory and technological environment.
Why the Shift from MARS-E to ARC-AMPE?
CMS recognized several key factors driving the need for a new approach:
- Evolving Cyber Threat Landscape: Increasingly sophisticated attacks demand more robust, proactive security controls.
- Privacy as a Core Component: Rising public and regulatory focus on privacy rights requires embedding privacy controls fully into organizational practices.
- Broader Ecosystem Coverage: New business models and third-party dependencies necessitate supply chain and vendor oversight.
- Alignment with Modern Federal Standards: Adoption of the latest NIST guidelines (SP 800-53 Revision 5) to reflect updated best practices.
Key Features and Enhancements in ARC-AMPE
1. Expanded Control Baseline
ARC-AMPE mandates over 400 security and privacy controls spanning classic NIST families—such as Access Control, Incident Response, and Systems and Communications Protection—as well as new SP 800-53 Revision 5 domains including:
- Privacy Controls: Introduction of the Personally Identifiable Information Processing and Transparency (PT) family, focusing on privacy governance, consent, data minimization, transparency, and ongoing accountability.
- Supply Chain Risk Management (SR): Controls to manage risks posed by third-party vendors and service providers, requiring assessments, monitoring, and contractual requirements.
2. Emphasis on Enterprise Risk Management (ERM)
ARC-AMPE calls for organizations to implement continuous risk assessments at the enterprise level—not merely system or program-specific efforts. This includes regularly updating risk registers, analyzing emerging threats, and ensuring senior leadership involvement to drive accountability across all business units.
3. Mandatory U.S.-Based Data Handling
Unlike previous frameworks, ARC-AMPE requires that all sensitive data processing and storage take place within the United States, eliminating offshore hosting options—even for cloud providers. This mandate supports stronger enforcement of U.S. data protection laws and minimizes jurisdictional risks.
4. Universal Applicability Across Environments
Whether organizations operate in public cloud, private cloud, hybrid, or on-premises infrastructures, ARC-AMPE’s controls and compliance expectations remain consistent and rigorous. This universality simplifies audit processes and strengthens defenses across complex IT environments.
5. Enhanced Documentation and Audit Readiness
- The System Security and Privacy Plan (SSPP) now uses a standardized Excel-based template, improving documentation consistency and simplifying updates.
- Detailed rationale for control implementation, consent tracking mechanisms, and privacy program plans are mandatory parts of documentation.
- Organizations must demonstrate continuous monitoring and evidence-based assessments to meet audit requirements.
6. Heightened Training and Awareness Requirements
Organizations must implement role-based, continuous training programs focused on:
- Protecting PII and PHI
- Recognizing modern cyber threats such as Advanced Persistent Threats (APT), suspicious communications, and anomalous system behavior
- Including subcontractors and vendors in annual security awareness initiatives
- Conducting scenario-driven exercises to test incident response capabilities and privacy incident handling
Who Does ARC-AMPE Apply To?
ARC-AMPE applies to a broad range of organizations, including:
- ACA Administering Entities (AEs): Such as State-Based Exchanges (SBEs), Federally Facilitated Exchanges (FFEs), and Medicaid agencies.
- Partner Entities: Including IT vendors, data processors, and service providers that handle Exchange-related data or operations.
If your organization accesses, stores, or transmits Exchange data — such as eligibility information, enrollment records, or plan details — you may be subject to ARC-AMPE compliance requirements.
How CompliancePoint Can Help
At CompliancePoint, we specialize in helping organizations navigate complex regulatory frameworks like ARC-AMPE. Here’s how we support your compliance journey:
- Gap Assessments: We evaluate your current security posture against ARC-AMPE and NIST 800-53 Rev. 5 controls.
- Policy & Procedure Development: We help you build or update documentation to meet new compliance artifact requirements.
- Risk Management Consulting: Our experts guide you through implementing ERM strategies aligned with ARC-AMPE.
- Training & Awareness: We provide tailored training to ensure your team understands their responsibilities under the new framework.
- Audit Readiness: We prepare you for CMS audits and help you maintain continuous compliance.
ARC-AMPE represents a major evolution in how ACA-related entities manage cybersecurity and privacy risks. With its alignment to NIST SP 800-53 Rev. 5 and its broader scope, it’s more important than ever to ensure your organization is prepared.
Need help navigating ARC-AMPE? Contact CompliancePoint today at connect@compliancepoint.com to learn how we can help you take the first step toward confident compliance.
Finding a credible expert with the appropriate background, expertise, and credentials can be difficult. CompliancePoint is here to help.