MARS-E Compliance Services

Expert MARS-E Compliance and Security Services

Whether you’re new to MARS-E or have been around since version 1.0, we have many services to assist.

MARS-E Compliance Services

NuHarbor Security helps clients in a variety of ways depending on their unique situation and needs. For more information on MARS-E requirements and regulation, see below.

General consulting and training on MARS-E compliance requirements

Whether you’re getting started with MARS-E 2.0 or have more complex compliance hurdles, our team can help.

MARS-E Security Assessments

If you are looking to complete your independent MARS-E security assessment then look no further.  We’ve helped many organizations fulfill this compliance requirement while providing meaningful remediation results.

Development and Documentation of System Security Plans (SSP)

Development of a System Security Plan (SSP) can be daunting. If you don’t know where to start or need some bench strength, contact us for support.

Plan of Action and Milestones (POA&M) Development and Management

Maintaining and managing a Plan of Action and Milestones (POA&M) is an ongoing task.  We’ve helped many organizations develop, manage remediation, and maintain POA&M hygiene.  If you need POA&M support please contact us now.


MARS-E Compliance Overview


The Patient Protection and Affordable Care Act (ACA) of 2010 created the federal and state health insurance exchanges (HIXs or marketplaces). Part of the Affordable Care Act was a requirement for the Department of Health and Human Services (HHS) to develop data security standards. As a result, in 2012, the Centers for Medicare & Medicaid Services (CMS), a part of HHS, published the Minimum Acceptable Risk Standards for Exchanges (MARS-E). This document suite of standards is intended to address the requirement of the ACA related to information security. The original MARS-E controls were largely based on NIST Special Publication 800-53 Revision 3, and in 2015, MARS-E 2.0 was released to coincide with and address changes in NIST Special Publication 800-53 Revision 4.

The MARS-E security control requirements are organized using the 17 control families documented in NIST Special Publication 800-53 rev 4:

  • Access Control (AC)
  • Awareness and Training (AT)
  • Audit and Accountability (AU)
  • Security Assessment and Authorization (CA)
  • Configuration Management (CM)
  • Contingency Planning (CP)
  • Identification and Authentication (IA)
  • Incident Response (IR)
  • Maintenance (MA)
  • Media Protection (MP)
  • Physical and Environmental Protection (PE)
  • Planning (PL)
  • Personnel Security (PS)
  • Risk Assessment (RA)
  • System and Services Acquisition (SA)
  • System and Communications Protection (SC)
  • System and Information Integrity (SI)
  • Program Management (PM)

In addition to the MARS-E standards for Exchanges, more stringent security safeguards may be required if the system also receives, processes, stores, or transmits Federal Tax Information (FTI). These additional requirements are included in IRS Publication 1075 and documented in Table A-1 of MARS-E 2.0 Volume III.

