MARS-E Compliance Services
Expert MARS-E Compliance and Security Services
General consulting and training on MARS-E compliance requirements
MARS-E Security Assessments
Development and Documentation of System Security Plans (SSP)
Plan of Action and Milestones (POA&M) Development and Management
The Patient Protection and Affordable Care Act (ACA) of 2010 created the federal and state health insurance exchanges (HIXs or marketplaces). Part of the Affordable Care Act was a requirement for Health and Human Services (HHS) to develop data security standards. As a result, in 2012, the Center for Medicare and Medicaid Services (CMS), a part of HHS, published the Minimum Acceptable Risk Standards for Exchange (MARS-E). These standards and the accompanying document suite are intended to address the ACA's requirement related to information security. The original MARS-E controls were largely based on NIST Special Publication 800-53 Revision 3, and in 2015, MARS-E 2.0 was released to coincide with and address changes in NIST Special Publication 800-53 Revision 4.
The MARS-E security control requirements are organized using the 17 control families documented in NIST Special Publication 800-53 rev 4:
- Access Control (AC)
- Awareness and Training (AT)
- Audit and Accountability (AU)
- Security Assessment and Authorization (CA)
- Configuration Management (CM)
- Contingency Planning (CP)
- Identification and Authentication (IA)
- Incident Response (IR)
- Maintenance (MA)
- Media Protection (MP)
- Physical and Environmental Protection (PE)
- Planning (PL)
- Personnel Security (PS)
- Risk Assessment (RA)
- System and Services Acquisition (SA)
- System and Communications Protection (SC)
- System and Information Integrity (SI)
- Program Management (PM)
In addition to the MARS-E standards for Exchanges, more stringent security safeguards may be required if the system also receives, processes, stores, or transmits Federal Tax Information (FTI). These additional requirements are included in IRS Publication 1075 and documented in Table A-1 of MARS-E 2.0 Volume III.
