ARC-AMPE

What is ARC-AMPE?

Acceptable Risk Controls for ACA, Medicaid, and Partner Entities (ARC-AMPE) is a comprehensive set of security and privacy standards designed to safeguard Personally Identifiable Information (PII) and Protected Health Information (PHI). The framework is designed to protect data in the Affordable Care Act (ACA) ecosystem, specifically applying to:

• Health Insurance Exchanges (Federal and State-based)
• Medicaid agencies
• Partner Entities that support ACA-related operations

Organizations that fall under the ARC-AMPE umbrella include:

• ACA Administering Entities (AEs): Such as State-Based Exchanges (SBEs), Federally Facilitated Exchanges (FFEs), and Medicaid agencies.
• Partner Entities: Including IT vendors, data processors, and service providers that handle Exchange-related data or operations.

ARC-AMPE is comprised of more than 400 mandatory security and privacy controls, which are derived from the following NIST 800-53 families:

ARC-AMPE Replaces MARS-E

The Centers for Medicare & Medicaid Services (CMS) announced that ARC-AMPE would replace MARS-E as the ACA security framework. ACA Administering Entities must implement ARC-AMPE by March 4, 2026.

Reasons given by CMS for transitioning to ARC-AMPE include:

• Evolving Cyber Threat Landscape: Increasingly sophisticated attacks demand more robust, proactive security controls.
• Privacy as a Core Component: Rising public and regulatory focus on privacy rights requires embedding privacy controls fully into organizational practices.
• Broader Ecosystem Coverage: New business models and third-party dependencies necessitate supply chain and vendor oversight.
• Alignment with Modern Federal Standards: Adoption of the latest NIST guidelines (SP 800-53 Revision 5) to reflect updated best practices.

Some features that separate ARC-AMPE from MARS-E include:

Emphasis on Enterprise Risk Management: ARC-AMPE calls for organizations to implement continuous risk assessments at the enterprise level, not merely system or program-specific efforts. This includes regularly updating risk registers, analyzing emerging threats, and ensuring senior leadership involvement to drive accountability across all business units.

Mandatory U.S.-Based Data Handling: Unlike previous frameworks, ARC-AMPE requires that all sensitive data processing and storage take place within the United States, eliminating offshore hosting options—even for cloud providers. This mandate supports stronger enforcement of U.S. data protection laws and minimizes jurisdictional risks.

Universal Applicability Across Environments: Whether organizations operate in public cloud, private cloud, hybrid, or on-premises infrastructures, ARC-AMPE’s controls and compliance expectations remain consistent and rigorous. This universality simplifies audit processes and strengthens defenses across complex IT environments.

Enhanced Documentation and Audit Readiness:

• The System Security and Privacy Plan (SSPP) now uses a standardized Excel-based template, improving documentation consistency and simplifying updates.
• Detailed rationale for control implementation, consent tracking mechanisms, and privacy program plans are mandatory parts of documentation.
• Organizations must demonstrate continuous monitoring and evidence-based assessments to meet audit requirements.

Heightened Training and Awareness Requirements: Organizations must implement role-based, continuous training programs focused on:

• Protecting PII and PHI
• Recognizing modern cyber threats such as Advanced Persistent Threats (APT), suspicious communications, and anomalous system behavior
• Including subcontractors and vendors in annual security awareness initiatives
• Scenario-driven exercises to test incident response capabilities and privacy incident handling

How we can Help

At CompliancePoint, we specialize in helping organizations navigate complex regulatory frameworks like ARC-AMPE. We can guide you through the entire journey, including gap assessments, policy and procedure development, and audit readiness. Reach out to us at connect@compliancepoint.com to learn more about our services.