Hosted by JANUS Associates, this resource presents the Centers for Medicare & Medicaid Services (CMS) ARC‑AMPE framework (Acceptable Risk Controls for Affordable Care Act, Medicaid, and Partner Entities) as the next generation of security and privacy standards for ACA Administering Entities and select partners. ARC‑AMPE supersedes and replaces the MARS‑E and NEE GRC frameworks, integrating updated federal laws, ACA regulations, and the latest NIST cybersecurity and privacy guidance into a single, consolidated standard.

ARC‑AMPE provides a harmonized, enterprise risk‑driven framework for protecting consumer and beneficiary Personally Identifiable Information (PII) and Protected Health Information (PHI) across Exchanges, Medicaid/CHIP programs, and partner entities that connect to or work with the CMS Federal Data Services Hub. It incorporates technical controls and governance expectations designed to support adherence to the HIPAA Security, Privacy, and Breach Notification rules while maintaining public trust in ACA and Medicaid operations.

What the ARC‑AMPE framework covers

This harmonized security and privacy framework defines how organizations that administer or support ACA and Medicaid programs must manage security and privacy risks throughout the health coverage eligibility and enrollment lifecycle. ARC‑AMPE is documented in two primary volumes:

Volume I – Guidance, scope, and governance:
High‑level guidance on purpose, authority, key concepts, mandatory vs. non‑mandatory implementation, reporting, and continuous monitoring requirements for ARC‑AMPE users.

Volume II – System Security and Privacy Plan (SSPP) and controls:
An Excel‑based SSPP template that establishes the minimum‑level security and privacy controls (derived from NIST SP 800‑53 Rev. 5 and SP 800‑53B) for the information systems that connect to the CMS Hub or process Exchange‑related PII.

Together, these volumes support ACA Administering Entities, select Partner Entities, and other stakeholders in aligning business operations with a consistent, risk‑based control environment that meets CMS security and privacy expectations.

Mandatory ARC‑AMPE users include:

  • Federally‑facilitated Exchanges (FFEs) operated by CMS
  • State‑based Exchanges (SBEs) and SBEs on the Federal Platform (SBE‑FPs)
  • State Medicaid agencies and CHIP agencies whose systems connect to the CMS Hub
  • State agencies administering Basic Health Programs (BHPs)
  • Classic Direct Enrollment entities and Primary Enhanced Direct Enrollment (EDE) entities
  • Select Hybrid and Service Provider Partner Entities that support ACA functions and connect to the Hub

Non‑mandatory users, such as some Upstream EDE entities, service providers performing non‑ACA functions, state health and human services agencies, and small or medium‑large healthcare organizations, are still strongly encouraged to use ARC‑AMPE as an informative reference to strengthen security and privacy programs and support HIPAA compliance.

Below is an embedded preview of ARC‑AMPE Volume I – Acceptable Risk Controls for ACA, Medicaid, and Partner Entities, as published by CMS (Version 1.02, April 10, 2025). ARC‑AMPE users should review Volume I in full to understand framework scope, authority, mandatory and optional implementation pathways, reporting requirements, and the role of NIST frameworks and ERM in shaping control expectations.

Reporting, authorization, and continuous monitoring

For mandatory ARC‑AMPE users, CMS requires a defined set of evidentiary artifacts to demonstrate implementation of required controls and support authorization decisions for connections to the CMS Federal Data Services Hub. These artifacts typically include:

  • A completed ARC‑AMPE Volume II SSPP
  • Information Security Risk Assessment (ISRA)
  • Penetration test results and vulnerability scans
  • Plan of Actions and Milestones (POA&M)
  • Security Assessment Plan (SAP) and Security Assessment Report (SAR)
  • Privacy Impact Assessment (PIA), Security Impact Assessment (SIA), and applicable legal agreements such as Interconnection Security Agreements (ISA), Data Use Agreements (DUA), and Computer Matching Agreements (CMA)

CMS uses these materials to make risk‑informed decisions on Authority to Connect (ATC) for ACA Administering Entities and Request to Connect (RTC) outcomes for Non‑Exchange Entities, documenting authorization in the ISA. Once authorized, ARC‑AMPE users are required to perform Information Security and Privacy Continuous Monitoring (ISCM), submit defined artifacts on a recurring basis, and update their SSPPs at least annually or when significant changes affect the security or privacy posture of covered systems.

ARC‑AMPE and NIST / HIPAA alignment

ARC‑AMPE is explicitly grounded in federal law, ACA regulations, and CMS policy, including 45 CFR 155.260 and 155.280, the Privacy Act, FISMA, HIPAA, and related HHS and CMS security and privacy policies. The framework leverages:

  • NIST SP 800‑53 Rev. 5 and SP 800‑53B for control baselines and tailoring guidance
  • NIST SP 800‑171 Rev. 3 for protecting controlled unclassified information in non‑federal environments
  • NIST Cybersecurity Framework (CSF) and Privacy Framework for aligning business objectives with prioritized security and privacy outcomes
  • NIST SP 800‑37 Risk Management Framework (RMF) for end‑to‑end governance of system authorization and monitoring

ARC‑AMPE also references recognized security practices under the HITECH Act and healthcare‑specific cybersecurity practices identified under Section 405(d) of the Cybersecurity Act of 2015, helping entities demonstrate mature, risk‑based programs in regulatory and oversight contexts.