MARS-E Compliance Assessments
The Minimum Acceptable Risk Standards for Exchanges (MARS-E) is a set of privacy and security standards for Affordable Care Act (ACA) administering entities, as well as their contractors and sub-contractors. Developed by the Centers for Medicare and Medicaid Services (CMS), the standards are based on the National Institute of Standards and Technology (NIST) Special Publication 800-53. This framework establishes the security and privacy requirements required for compliance under MARS-E, ensuring the availability, confidentiality, and integrity of protected health information (PHI), personally identifiable information (PII), and federal tax information (FTI).
Our MARS-E Compliance Services
As a national cybersecurity and compliance firm, 360 Advanced has a deep understanding of federal privacy and security requirements. We work with exchanges, marketplaces, and their vendors, providing:
Readiness (GAP) Assessments
We can evaluate your current privacy and security controls as they compare to MARS-E requirements. We can also review your existing documentation, such as your System Security Plan (SSP), to confirm that it contains the necessary information.
If your readiness assessment identifies areas of non-compliance, we can provide a prioritized action plan to help you efficiently remediate gaps in your information security program.
Compliance Assessments
Upon completion of remediation activities, we can audit your policies and procedures; review your documentation; and examine the necessary system configurations. This can help you determine if your controls are appropriately designed and operating as intended.
After the assessment, we will issue an independent, third-party Security Assessment Report (SAR). This report will include a detailed explanation of your controls, as well as testing procedures and results. This report can be submitted to the CMS when applying for an Authorization to Operate (ATO); it can also be shared with key stakeholders as they work to evaluate your information security program. 360 Advanced will also provide a Letter of Completion that you can use for sales, marketing, and customer relations.
Risk Assessments
MARS-E requires annual risk assessments for ongoing compliance. Leveraging the NIST risk assessment framework, we can help you identify new vulnerabilities, evaluate their potential impact, and develop a mitigation plan.
Preparing for a MARS-E Assessment
New to the Minimum Acceptable Risk Standards for Exchanges? Learn more about MARS-E requirements, controls, and implementation standards.
Who is Required to Comply?
Under the ACA, MARS-E applies to:
- Federal and state marketplaces or exchanges
- State Medicaid agencies
- State agencies that administer the Basic Health Program or Children’s Health Insurance Program
- Contractors and subcontractors of the above organizations
These organizations may handle data from various federal agencies, including the Department of Health and Human Services, the Internal Revenue Service, and the Social Security Administration. As a result, they must demonstrate appropriate controls for protecting sensitive information.
Currently, there is no formal MARS-E certification program. Instead, marketplaces and exchanges must submit annual Security Assessment Reports to the CMS. MARS-E compliance reports are not restricted, and contractors and sub-contractors can provide their reports to customers and prospects as part of the due diligence process.
MARS-E Security Controls
MARS-E outlines security controls across each of the following NIST 800-53 control families:
- Access controls
- Awareness and training
- Audit and accountability
- Configuration management
- Contingency planning
- Identification and authentication
- Incident response
- Maintenance
- Media protection
- Physical and environmental protection
- Planning
- Personnel security
- Risk assessments
- System and services acquisition
- System and communications protection
- System and information integrity
- Program management
Each of these control groups cover multiple individual requirements. For instance, Awareness and Training includes requirements for Security Awareness Training; Insider Threats; Role-Based Security Training; and Security Training Record Keeping. You can find a complete list of sub-requirements here.
MARS-E Privacy Controls
MARS-E outlines privacy controls across each of the following domains:
- Authority and purpose
- Accountability, audit, and risk management
- Data quality and integrity
- Data minimization and retention
- Individual participation and redress
- Security
- Transparency
- Use limitation
As with the security control groups, each privacy control group covers multiple requirements. Detailed control lists can be accessed here.
MARS-E Implementation Standards
MARS-E is based on the National Institute for Standards and Technology (NIST) Special Publication 800-53. NIST provides recommendations and guidance for each control group, but does not mandate specific implementation methods. Instead, organizations can design policies and procedures that reflect the types of data they handle, the products or services they provide, and the other regulations they are required to meet.
MARS-E vs HIPAA
MARS-E was developed to streamline compliance with several federal requirements, including the Health Insurance Portability and Accountability Act (HIPAA). While HIPAA compliance does not always translate to MARS-E compliance, organizations that have already taken steps to meet HIPAA’s privacy, security, and breach notification rules may have a head start. However, a HIPAA compliance report is not enough to satisfy CMS reporting requirements; organizations will still need to complete a MARS-E compliance assessment to meet the additional requirements of the ACA.