By: Justin Fimlaid
The new Minimum Acceptable Risk Standards for Exchanges (MARS-E) 2.0 framework is out and effective as of September 30, 2015. The MARS-E 2.0 standard includes some significant updates to the security and privacy controls of in-scope systems. These updates also impact security governance mechanisms, which include but are not limited to the System Security Plan (SSP).
Updates to the MARS-E 2.0 standard include:
- NIST 800-53 Revision 4, Security and Privacy Controls for Federal Information Systems and Organizations. This was published in 2013.
- 800-53A Revision 4, Assessing Security and Privacy Controls in Federal Information Systems and Organizations. This was published in late 2014.
- Health and Human Services (HHS) Affordable Care Act (ACA) updates made since 2012.
- Centers for Medicare and Medicaid Services (CMS) Acceptable Risk Standards (ARS) updates published in late 2013.
- Internal Revenue Service (IRS) updates to Publication 1075 in early 2014.
MARS-E 2.0 is already here and in some cases requires immediate compliance for any submission made after September 30, 2015. Key dates you should know:
- MARS-E 2.0 has been published as of September 2015 and is effective as of September 30, 2015.
- All documentation submitted after September 30, 2015 must meet the MARS-E 2.0 standards. This includes the Information Security Risk Assessment (ISRA) if being completed after September 30, 2015.
- All Administering Entities (AEs) are required to comply by June 30, 2016.
The new MARS-E 2.0 standard contains some significant updates. The many changes include the new privacy controls, which must be included within the System Security Plan (SSP). The changes also impact Medicaid/CHIPs, which must also conduct a Privacy Impact Assessment (PIA) to conform with the new privacy controls. Additionally, the new security continuous monitoring controls need an annual attestation to MARS-E compliance, and AEs must report planned system changes, including changes in data use. Any legal agreements in place should be revisited to ensure compliance with MARS-E 2.0.
As of the date of this post, AEs should have enough time to prepare for the June 30, 2016 due date, but should start now to ensure proper time to address all changes required.