ARC-AMPE & MARS-E Compliance

Learn what ACA, Medicaid, and partner organizations need to know about the new compliance framework.
State Health Insurance Exchanges, Medicaid agencies, and partner entities must meet security and privacy requirements established by the Centers for Medicare & Medicaid Services (CMS) to protect sensitive Affordable Care Act (ACA) and Medicaid data.

CMS has introduced the ARC-AMPE (Acceptable Risk Controls for ACA, Medicaid, and Partner Entities) framework to replace the legacy MARS-E standard and align with NIST SP 800-53 Revision 5.

JANUS helps organizations navigate this transition with end-to-end cybersecurity assessment, advanced penetration testing, and ARC-AMPE implementation support so you can meet CMS expectations with confidence.

Comparison Table: MARS-E vs. ARC-AMPE

Feature | MARS-E (Legacy) | ARC-AMPE (New/Current)
Full Name | Minimum Acceptable Risk Standards for Exchanges | Acceptable Risk Controls for ACA, Medicaid, and Partner Entities
Underlying Framework | Based on NIST SP 800-53 Rev. 4 | Based on NIST SP 800-53 Rev. 5
Control Count | Lower baseline (approx. 300+ controls) | Significantly higher (approx. 402 baseline controls)
Privacy Integration | Privacy treated as a separate domain | Integrated PT (PII Processing and Transparency) family
Data Residency | Some offshore flexibility | U.S.-only (no offshore processing or storage)
Infrastructure Scope | Often nuanced by environment (Cloud) | Universal (same for Cloud, On-Prem, and Hybrid)
SSPP Format | Microsoft Word | Microsoft Excel
Mandatory Deadline | Being phased out | Must be implemented by March 4, 2026

Why Choose JANUS

State healthcare exchange and Medicaid cyber assessments, including MARS-E and now ARC-AMPE, are long-standing specialty areas in JANUS’ consulting practice. JANUS has provided security assessments and advisory services to CMS and healthcare clients for more than 20 years, with deep experience interpreting and applying NIST, CMS, and HIPAA requirements in complex environments.

  • Full-time subject matter experts with extensive ACA/Medicaid security, privacy, and penetration testing experience.
  • Proven capability delivering MARS-E and CMS-aligned assessments on schedule, with a strong track record of working collaboratively with CMS on your behalf.
  • Independent, evidence-driven reporting that supports system authorization decisions and audit readiness while reducing rework and delays.
  • Organizations seeking a partner for ARC-AMPE and MARS-E compliance engage JANUS for its combination of technical depth, regulatory insight, and ability to integrate security, privacy, and risk management into one coherent program rather than isolated projects.

Speak with us and find out why 20% of states requiring MARS-E compliance trust JANUS and have awarded us multiple-year contracts.

ARC‑AMPE & MARS‑E services

JANUS provides a structured portfolio of services to support entities through the full ARC-AMPE lifecycle while maintaining continuity with existing MARS-E obligations.

ARC‑AMPE readiness and gap assessments

  • Evaluate current MARS-E-based controls, documentation, and SSPPs against the new ARC-AMPE baseline derived from NIST SP 800-53 Rev. 5.
  • Identify gaps across 20 control families, including access control, incident response, privacy, system and communications protection, and supply chain risk management.

Control mapping and remediation planning

  • Map MARS-E controls, policies, and procedures to ARC-AMPE requirements to preserve prior investments while meeting updated expectations.
  • Develop prioritized remediation plans that balance CMS compliance, risk reduction, and operational reality.

Advanced penetration testing and technical validation

  • Conduct advanced penetration testing to validate that intended controls are correctly implemented and effective, satisfying CMS requirements for both independent assessment and technical testing.
  • Align vulnerability management, configuration management, and monitoring practices with ARC-AMPE and NIST SP 800-53 Rev. 5 control objectives.

SSPP development and documentation support

  • Assist with adopting and populating the Excel-based ARC-AMPE SSPP template, including detailed implementation descriptions and evidence references for each control.
  • Improve supporting documentation such as policies, procedures, system descriptions, data flows, and risk assessments to meet CMS review expectations.

Ongoing compliance and audit preparation

  • Support continuous monitoring programs, periodic control reviews, and artifact collection to ensure organizations remain audit-ready throughout the year rather than only at assessment time.
  • Prepare teams for CMS or third‑party reviews with mock assessments, evidence walkthroughs, and remediation of previously identified findings.

Who Needs to Comply With MARS-E?

How to Comply With MARS-E

The government doesn’t currently have a formal certification process for MARS-E. However, MARS-E aligns closely with the U.S. Federal Risk and Authorization Management Program (FedRAMP). This is because MARS-E and FedRAMP are both aligned with NIST SP 800-53 Rev. 4.

FedRAMP has a standardized authorization process but focuses specifically on cloud services.

A FedRAMP assessment and authorization provide a useful framework for evaluating MARS-E compliance. Because MARS-E draws on the same NIST control catalog, meeting its standards also helps organizations satisfy other data security requirements. Federal requirements that may also apply to healthcare organizations include:

– FISMA
– HIPAA
– HITECH
– Tax Information Safeguarding Requirements

Complying with MARS-E helps ensure you’re in compliance with other regulations.

System Security and Privacy Plan

A System Security and Privacy Plan (SSP) is a requirement for compliance with MARS-E.

An SSP has two main purposes. First, it describes the security and privacy environment for IT systems. Secondly, it documents the implementation of security and privacy controls.

These controls must address all relevant ACA data that a healthcare organization handles, including data that the entity receives, stores, processes, and transmits.

The SSP has three parts:

– System identification
– Implementation of security and privacy controls
– SSP attachments

The system identification describes the IT system and its service environment. The security and privacy control tables show how each control in the SSP has been implemented. Attachments can include:

– Equipment list
– Software list
– Detailed configuration setting standards

A reevaluation of the SSP should occur at least once a year. More frequent reviews may be necessary. For example, IT system modifications could affect your security and privacy processes. This is one reason for an SSP review.

MARS-E Readiness and Compliance Assessment

A readiness assessment evaluates your current security controls and tells you how your processes compare to the MARS-E standards. A comprehensive analysis will also examine your current SSP. A complete audit reviews your full MARS-E compliance.

A MARS-E Compliance Assessment includes:

– Policies and procedures
– Documentation
– System configurations

The audit will identify any gaps in your procedures or documentation. The auditor will work with you to develop a remediation plan to prioritize the necessary changes and get back into compliance more efficiently.


Importance of MARS-E Compliance

Following MARS-E standards is critical to protect users and healthcare organizations. Non-compliance can result in substantial fines and penalties. Maintaining robust cybersecurity practices as found in MARS-E protects user data. It also protects the ACA marketplace or other administering entities. As the number of cyber-attacks continues to grow, a successful cyber-attack can deal a critical blow to an organization, and it ultimately undermines user confidence.

Speak with a JANUS MARS-E Compliance professional today

Find out why 20% of states requiring these assessments trust JANUS.