The new Minimum Acceptable Risk Standards for Exchanges (MARS-E) 2.0 framework is out and effective as of September 30, 2015. The new MARS-E 2.0 standard includes significant updates to security and privacy controls of in-scope systems. These updates also impact security governance mechanisms, which include but are not limited to the System Security Plan (SSP).
Updates to the MARS-E 2.0 standard include:
- NIST 800-53 Revision 4, Security and Privacy Controls for Federal Information Systems and Organizations. This was published in 2013.
- 800-53A Revision 4, Assessing Security and Privacy Controls in Federal Information Systems and Organizations. This was published in late 2014.
- Health and Human Services (HHS) Affordable Care Act (ACA) – updates made since 2012.
- Centers for Medicare and Medicaid Services (CMS) Acceptable Risk Standards (ARS) – updates published in late 2013.
- Internal Revenue Services (IRS) – updates to Publication 1075 in early 2014.
MARS-E 2.0 is already here and in some cases requires immediate compliance for any submission made after September 30, 2015. Key dates you should know:
- MARS-E 2.0 went into effect on September 30, 2015.
- All documentation submitted after September 30, 2015, must meet the MARS-E 2.0 standards. This includes the Information Security Risk Assessment (ISRA) if being completed after September 30, 2015.
- All administering entities are required to comply by June 30,2016
There are many changes to the new MARS-E 2.0 standard, including the new privacy controls which must be included within the System Security Plan (SSP). The changes also impact Medicaid/CHIP, which must also conduct a Privacy Impact Assessment (PIA) to conform with new privacy controls. Additionally, the new security continuous monitoring controls need an annual attestation to MARS-E compliance and administering entities must report planned system changes, including changes in data use. Any legal agreements in place should be revisited to ensure compliance with MARS-E 2.0.
