What Is ARC-AMPE and Why It Matters for ACA and Medicaid Organizations

If your organization is a Medicaid Administering Entity (AE), supports Affordable Care Act (ACA) programs, or is a partner entity to either, you’ve probably heard about ARC-AMPE. But what is it, why did Centers for Medicare & Medicaid Services (CMS) update its requirements, and what do you actually need to do?

Here’s a quick, practical breakdown.

What is ARC-AMPE?

In March 2025, the CMS released a new security and privacy framework called ARC-AMPE (Acceptable Risk Controls for ACA, Medicaid, and Partner Entities).

ARC-AMPE replaces MARS-E v2.2, with compliance becoming mandatory by March 4, 2026. If your organization previously needed to comply with MARS-E before, ARC-AMPE now applies to you.

Why did CMS make this change?

This update isn’t just a name change; it reflects the need to modernize the framework in line with today’s privacy expectations and cybersecurity realities. Key reasons include:

Enhanced protection of Personally Identifiable Information (PII): With the increasing sensitivity around personal data, ARC-AMPE more deeply integrates privacy controls to ensure stronger protection.
Stronger privacy and security alignment: The framework improves collaboration across privacy, security, and IT domains by embedding privacy earlier in the control lifecycle.
Better alignment with federal standards: ARC-AMPE incorporates elements from updated frameworks like NIST 800-53 Rev5, making it more consistent with broader federal expectations.

What’s new in ARC-AMPE?

The following are some of the most significant updates, though not an all-encompassing list:

Privacy is part of the core controls: The new PT (Personally Identifiable Information Processing and Transparency) control family integrates privacy and security controls. For example, privacy controls like PM-18 require organizations to have a formal, documented, Privacy Program Plan with executive oversight.
You can tailor—but not weaken—controls: ARC-AMPE allows organizations to tailor some of the control baselines (e.g., PL-11, baseline tailoring), but all tailored controls must meet or exceed CMS-defined requirements. Customized control baselines must strengthen, not relax, your security posture.
Two new control families:
- PT addresses privacy requirements that are specific to PII data.
- Supply Chain Risk Management (SR) ensures vendors are part of your risk strategy. Both require documented policies, training, and oversight.
Data must stay in the U.S.: Offshore storage is no longer allowed. All data processing and storage must happen within U.S. legal jurisdiction.
Same security standards for all types of system environments: Previously cloud-specific Mars-E controls now apply to cloud, on-prem, and hybrid infrastructure. Taking a perimeter-based security approach is no longer enough.
Security must be incorporated early: ARC-AMPE requires secure development practices from the start of a change or project.

Who needs to pay attention?

If you handle ACA or Medicaid systems or data, ARC-AMPE likely applies to you:

ACA administering entities
State-based insurance marketplaces
Medicaid agencies
Partner entities
Vendors supporting these programs

When do you need to be compliant?

By March 4, 2026. But preparation takes time. Here’s a suggested timeline to stay on track:

By June 2025: Review framework and define organization-specific controls
By September 2025: Update System Security and Privacy Plan (SSPP) and security policies
By December 2025: Conduct compliance assessment
By March 2026: Remediate gaps and prepare CMS Plan of Action and Milestones (POA&M) submissions

Why it matters

ARC-AMPE reflects today’s threat landscape and regulatory updates
It shifts from reactive compliance to proactive risk management
Stronger alignment across privacy, security, and IT teams
Staying ahead supports resilience and readiness

How NuHarbor supports compliance

We help ACA and healthcare organizations migrate from MARS-E to comply with ARC-AMPE with:

ARC-AMPE third party assessments
CMS POA&M and Authorization to Connect (ATC) submissions and remediation planning
ARC-AMPE compliant security policies, SSPP, and incident response plans
Third-party web application and infrastructure penetration testing
Center for Internet Security (CIS) baseline configuration and compliance scanning
24/7 monitoring and managed compliance support

Our goal is to make the transition manageable and clear, with services tailored to what’s required.

Want the full breakdown?

Download the ARC-AMPE Compliance Guide for a detailed overview of the framework, what’s changed, and how to plan your next steps.

Have questions about how these changes impact your organization? Contact a NuHarbor ARC-AMPE expert to start your compliance planning today.

Don't miss another article. Subscribe to our blog now.

Subscribe now

Included Topics

Brianna Blanchard

Brianna Blanchard is the Senior Manager of Information Assurance and Advisory Services at NuHarbor Security where she leads a team of professionals. She has over 15 years of experience working in cybersecurity and information technology. Before joining NuHarbor Security, Brianna worked for government organizations helping them build their security compliance and governance programs from the ground up. Brianna currently is involved in co-leading the Women in Cybersecurity Council at Champlain College, with the goal of making cybersecurity more inclusive and Champlain College the best place for women in cyber.