If your organization is governed by CMS privacy and security requirements, ARC-AMPE isn’t just a new acronym. It’s a significant change that redefines how healthcare, ACA, Medicaid, and partner entities must plan, execute, and document their security and privacy programs.
Not familiar with ARC-AMPE or why it’s replacing MARS-E? Start with What Is ARC-AMPE and Why It Matters for ACA and Medicaid Organizations, a quick overview of the framework and who it affects.
Once you’re up to speed, here are six of the most important changes introduced by ARC-AMPE and what your team should be doing now to prepare for the March 4, 2026 deadline.
1. Further integration of privacy controls
ARC-AMPE introduces the Personally Identifiable Information Processing and Transparency (PT) family, which brings privacy directly into the security framework. This was previously handled separately in MARS-E v2.2.
Controls like PM-18 require a formal Privacy Program Plan that includes executive approval, role-specific privacy training, and privacy impact assessments (PIAs). There are also new requirements for responding to privacy-related security events and protecting sensitive data like Social Security Numbers.
What to do now: Establish or update your Privacy Program Plan. Align it with your security strategy and ensure governance and accountability are in place at the executive level.
2. Tailor your control baselines, but keep them compliant
ARC-AMPE introduces PL-11, which allows you to tailor your control baseline. But tailoring must maintain or improve the CMS-defined standard. You can adjust any listed parameters as long as they are made more stringent or introduce new controls not found in ARC-AMPE.
AC-2(8), Dynamic Account Management, from NIST SP 800-53 Rev 5 is specifically prohibited from being added. Tailoring must be documented in the Entity-Specific Tailoring section of your System Security and Privacy Plan (SSPP).
What to do now: Review your current controls and identify any areas where tailoring is necessary. Be prepared to justify those decisions and ensure no reduction in baseline strength.
3. Prepare for two new control families: PT and SR
Two new control families were introduced in ARC-AMPE:
- Personally Identifiable Information Processing and Transparency (PT) focuses on how PII is handled, trained on, assessed, and documented.
- Supply Chain Risk Management (SR) requires organizations to formally manage vendor and third-party risk with policies, assessments, and a supply chain risk management (SCRM) team.
Each family requires defined roles, annual reviews, and integration into your risk program.
What to do now: Assign ownership of privacy and supply chain risk management. Update or create the necessary policies, training programs, and plans. Make sure these efforts are documented and auditable.
4. Keep data processing and storage within the U.S.
ARC-AMPE removes the allowance for offshore data processing. All ACA-related data must now be stored and processed within U.S. legal jurisdiction.
What to do now: Review your cloud providers, hosting arrangements, and any third-party data flows. Begin contract and infrastructure updates to ensure full compliance with this requirement.
5. Apply cloud-specific controls across your entire ACA system
ARC-AMPE no longer distinguishes between cloud and on-prem environments. All systems are expected to meet the same security and privacy standards. This includes stronger access controls, automation, and adopting zero trust principles.
What to do now: Assess your ACA system as a whole. Make sure cloud-grade controls are applied consistently across every environment, including hybrid and on-prem.
6. Build security into development and procurement from the start
ARC-AMPE expands System and Services Acquisition (SA) controls. Security is now expected to be part of planning, procurement, and design—not added after deployment.
It requires security impact assessments (SIA) and privacy impact assessments (PIA) before any system changes and mandates equal protections for preproduction environments.
What to do now: Integrate security earlier in your system lifecycle. Adjust procurement processes and development pipelines to reflect these updated expectations.
What to do next
To meet the March 2026 deadline, your team should begin:
- Conducting an ARC-AMPE gap assessment
- Updating your SSPP and Privacy Program Plan
- Reviewing your architecture, cloud posture, and vendor contracts
- Training teams across privacy, security, and development
Want the full breakdown?
The full ARC-AMPE Compliance Guide includes more detail on each control family, planning tips, and readiness recommendations.
Download the guide to get:
- Expanded guidance on PL-11, PM-18, PT, and SR
- Understand what CMS now expects
- Start planning your path to compliance
Have questions about how these changes impact your organization? Contact a NuHarbor ARC-AMPE expert to start your compliance planning today.
Don't miss another article. Subscribe to our blog now.
Included Topics
