NuHarbor Security Blog
July 1, 2025

6 Major Changes in ARC-AMPE Your Team Should Be Planning for Now

Aaron Leech

If your organization is governed by CMS privacy and security requirements, ARC-AMPE isn’t just a new acronym. It’s a significant change that redefines how healthcare, ACA, Medicaid, and partner entities must plan, execute, and document their security and privacy programs.

Not familiar with ARC-AMPE or why it’s replacing MARS-E? Start with What Is ARC-AMPE and Why It Matters for ACA and Medicaid Organizations, a quick overview of the framework and who it affects.

Once you’re up to speed, here are six of the most important changes introduced by ARC-AMPE and what your team should be doing now to prepare for the March 4, 2026 deadline.

1. Further integration of privacy controls

ARC-AMPE introduces the Personally Identifiable Information Processing and Transparency (PT) family, which brings privacy directly into the security framework. Under MARS-E v2.2, privacy was handled separately.

Controls like PM-18 require a formal Privacy Program Plan that includes executive approval, role-specific privacy training, and privacy impact assessments (PIAs). There are also new requirements for responding to privacy-related security events and protecting sensitive data like Social Security Numbers.

What to do now: Establish or update your Privacy Program Plan. Align it with your security strategy and ensure governance and accountability are in place at the executive level.


2. Tailor your control baselines, but keep them compliant

ARC-AMPE introduces PL-11, which allows you to tailor your control baseline. But tailoring must maintain or improve the CMS-defined standard. You can adjust any listed parameter as long as the result is more stringent, and you can introduce new controls not found in ARC-AMPE.

One exception: AC-2(8), Dynamic Account Management, from NIST SP 800-53 Rev 5 is specifically prohibited from being added. All tailoring must be documented in the Entity-Specific Tailoring section of your System Security and Privacy Plan (SSPP).

What to do now: Review your current controls and identify any areas where tailoring is necessary. Be prepared to justify those decisions and ensure no reduction in baseline strength.


3. Prepare for two new control families: PT and SR

Two new control families were introduced in ARC-AMPE:

  • Personally Identifiable Information Processing and Transparency (PT) focuses on how PII is handled, trained on, assessed, and documented.
  • Supply Chain Risk Management (SR) requires organizations to formally manage vendor and third-party risk with policies, assessments, and a supply chain risk management (SCRM) team.

Each family requires defined roles, annual reviews, and integration into your risk program.

What to do now: Assign ownership of privacy and supply chain risk management. Update or create the necessary policies, training programs, and plans. Make sure these efforts are documented and auditable.


4. Keep data processing and storage within the U.S.

ARC-AMPE removes the allowance for offshore data processing. All ACA-related data must now be stored and processed within U.S. legal jurisdiction.

What to do now: Review your cloud providers, hosting arrangements, and any third-party data flows. Begin contract and infrastructure updates to ensure full compliance with this requirement.


5. Apply cloud-specific controls across your entire ACA system

ARC-AMPE no longer distinguishes between cloud and on-prem environments. All systems are expected to meet the same security and privacy standards. This includes stronger access controls, automation, and adopting zero trust principles.

What to do now: Assess your ACA system as a whole. Make sure cloud-grade controls are applied consistently across every environment, including hybrid and on-prem.


6. Build security into development and procurement from the start

ARC-AMPE expands System and Services Acquisition (SA) controls. Security is now expected to be part of planning, procurement, and design—not added after deployment.

It requires a security impact assessment (SIA) and a privacy impact assessment (PIA) before any system change, and it mandates that preproduction environments receive the same protections as production.

What to do now: Integrate security earlier in your system lifecycle. Adjust procurement processes and development pipelines to reflect these updated expectations.


What to do next

To meet the March 2026 deadline, your team should begin:

  • Conducting an ARC-AMPE gap assessment
  • Updating your SSPP and Privacy Program Plan
  • Reviewing your architecture, cloud posture, and vendor contracts
  • Training teams across privacy, security, and development


Want the full breakdown?

The full ARC-AMPE Compliance Guide includes more detail on each control family, planning tips, and readiness recommendations.

Download the guide to get:

  • Expanded guidance on PL-11, PM-18, PT, and SR
  • A clear picture of what CMS now expects
  • A starting point for planning your path to compliance

Have questions about how these changes impact your organization? Contact a NuHarbor ARC-AMPE expert to start your compliance planning today.


Included Topics: Compliance, Industry Insights, Advisory and Planning
Aaron Leech is an Information Assurance Team Lead at NuHarbor Security.
