MARS-E COMPLIANCE

Leading the charge in healthcare compliance and data protection. Cyber security experts you can trust.
JANUS performs MARS-E assessments for 20% of states required to do so.

State Health Exchanges are required to adhere to security requirements published by the U.S. Centers for Medicare & Medicaid Services (CMS). Part of that includes a yearly assessment of exchange security and privacy controls. The number of controls that need to be assessed each year can run from approximately 200 to over 1000.

In prior years, organizations could find a security firm that would simply audit the required environment. However, today, CMS requires both an assessment of the intended controls AND a penetration test to ensure that what is intended by the Exchange is actually in place and working.

The firm that provides your annual MARS-E (Minimum Acceptable Risk Standards for Exchanges) assessment needs to be a specialist not only in healthcare security and privacy auditing but also a highly experienced penetration testing firm capable of advanced penetration testing. JANUS is that firm.

Why Choose JANUS

State Healthcare Exchange cyber assessments of all types, including MARS-E and FISMA assessments, are specialty areas in JANUS’ consulting practice and have been since JANUS began providing security assessments for CMS itself over 20 years ago.

With our full-time subject matter experts, never subcontractors, we undertake multiple assessments each year to meet client-specific schedules in a cost-effective manner. We have a long, well-respected history of producing quality results, working with CMS on your behalf, and walking you through the entire process successfully. CMS has trusted us for our audit, testing results, and accurate reports for over 20 years.

Speak with us and find out why 20% of states requiring MARS-E compliance trust JANUS and have awarded us multiple-year contracts.


What is MARS-E?

The Minimum Acceptable Risk Standards for Exchanges, or MARS-E, is a set of privacy and security standards that applies to federal and state health exchanges under the Affordable Care Act (ACA). ACA administering entities, as well as their contractors and subcontractors, must comply with MARS-E.

When Congress enacted the ACA, it required the Department of Health and Human Services to develop protocols for securely handling sensitive data in healthcare exchanges. No comprehensive federal policy for privacy and security existed yet, so the Centers for Medicare and Medicaid Services (CMS) published MARS-E to fill that gap.

MARS-E provides guidelines for federal and state marketplaces regarding:

– Federal tax information
– Protected health information
– Personally identifiable information of marketplace users

These guidelines define the minimum security standards necessary to protect this data.

MARS-E 2.2

MARS-E 2.2 is the latest version of the healthcare security guidelines. CMS released version 2.0 in 2015. It reflected the updated security guidelines in NIST SP 800-53r4. The changes responded to growing challenges to online security such as:

– Advanced persistent threats
– Insider threats
– Supply chain risks
– Application security
– Cloud and mobile computing security

MARS-E 2.0 included a new catalog of privacy controls. All administering entities must document how they are implementing these privacy controls. MARS-E 2.2 is an interim release. It reflects updates from CMS since 2015.

Who Needs to Comply With MARS-E?

All ACA administering entities must follow MARS-E. This includes:

– Federal and state exchanges and marketplaces
– State Medicaid agencies
– State agencies that administer the Basic Health Program and Children’s Health Insurance Program

Contractors and subcontractors of these agencies and programs must also comply. Essentially, compliance applies to any organization that handles:

– PHI (Protected health information)
– PII (Personally identifiable information)
– Federal tax information

How to Comply With MARS-E

The government doesn’t currently have a formal certification process for MARS-E. However, MARS-E aligns closely with the US Federal Risk and Authorization Management Program (FedRAMP). This is because MARS-E and FedRAMP are both aligned with NIST SP 800-53r4.

FedRAMP has a standardized authorization process but focuses specifically on cloud services.

A FedRAMP assessment and authorization provide a useful framework for evaluating MARS-E compliance. The standards that MARS-E defines should help organizations follow other data security standards. Federal requirements that may also apply to healthcare organizations include:

– FISMA
– HIPAA
– HITECH
– Tax Information Safeguarding Requirements

Complying with MARS-E helps ensure you’re in compliance with other regulations.

System Security and Privacy Plan

A System Security and Privacy Plan (SSP) is a requirement for compliance with MARS-E.

An SSP has two main purposes. First, it describes the security and privacy environment for IT systems. Second, it documents the implementation of security and privacy controls.

These controls must address all relevant ACA data that a healthcare organization handles. It includes data that the entity receives, stores, processes, and transmits.

The SSP has three parts:

– System identification
– Implementation of security and privacy controls
– SSP attachments

The system identification section describes the IT system and its service environment. The security and privacy control tables show how each control has been implemented. Attachments can include:

– Equipment list
– Software list
– Detailed configuration setting standards

The SSP should be reevaluated at least once a year, and more frequent reviews may be necessary. For example, modifications to an IT system can affect your security and privacy processes, which is one reason to review the SSP.


MARS-E Readiness and Compliance Assessment

A readiness assessment evaluates your current privacy and security controls. It tells you how your processes compare to the MARS-E standards. A comprehensive analysis will also examine your current SSP. A complete audit reviews your full MARS-E compliance.

A MARS-E Compliance Assessment includes:

– Policies and procedures
– Documentation
– System configurations

The audit will identify any gaps in your procedures or documentation. The auditor will work with you to develop a remediation plan to prioritize the necessary changes and get back into compliance more efficiently.


Importance of MARS-E Compliance

Following MARS-E standards is critical to protecting users and healthcare organizations. Non-compliance can result in substantial fines and penalties. Maintaining the robust cybersecurity practices set out in MARS-E protects user data, and it also protects the ACA marketplace or other administering entities. As the number of cyber-attacks continues to grow, a successful attack can deal a critical blow to an organization and ultimately undermines user confidence.

Speak with a JANUS MARS-E Compliance professional today

Find out why 20% of states requiring these assessments trust JANUS.
