Managed ARC-AMPE Compliance Services

Prepare for March 2026 with confidence, and build a stronger privacy and security program along the way.

The new ARC-AMPE framework replaces MARS-E and updates how ACA, Medicaid, and partner entities manage security and privacy. It’s more than a compliance update—it’s a chance to modernize, reduce risk, and improve resilience. NuHarbor helps you get there with readiness assessments, compliance support, and ongoing program management aligned to CMS requirements.

Connect with a compliance expert

Key Benefits of NuHarbor’s ARC-AMPE Services

Here’s how we help you meet ARC-AMPE requirements with confidence and clarity.

Stay aligned with CMS deadlines

We help you build and maintain an annual compliance calendar, update artifacts, and avoid missed submissions.

Reduce burden on internal teams

We support organizations that lack the time, staff, or specialized knowledge to meet the full scope of ARC-AMPE compliance.

Clarity and confidence in your program

We bring deep understanding of what’s changed from MARS-E to ARC-AMPE, providing a clear, actionable roadmap for achieving and maintaining compliance.

Tailored support for complex environments

We support hybrid infrastructures, legacy systems, and cloud platforms while helping you manage third-party compliance, privacy obligations, and required documentation.

The NuHarbor advantage

We’ve supported state exchanges and partner entities with CMS compliance frameworks for over a decade. With NuHarbor, you get:

  • A dedicated compliance partner with deep knowledge of CMS frameworks
  • A full suite of services across assessment, remediation, planning, and documentation
  • Proven templates and methodologies to streamline work and reduce rework
  • Privacy, security, and risk professionals who speak the language of both policy and infrastructure
  • Guidance that aligns compliance to your environment, not just to the controls

Suggested timeline to meet the March 4, 2026 ARC-AMPE deadline

To stay on track, we recommend the following milestones:

  1. By June 30, 2025

    Review the ARC-AMPE framework, define organization-specific controls, and map out required deliverables

  2. By September 30, 2025

    Update your SSPP, Privacy Program Plan, policies, and security documentation

  3. By December 31, 2025

    Conduct your annual ARC-AMPE controls assessment

  4. By February 15, 2026 

    Remediate open gaps, finalize POA&M updates, and prepare for CMS review

Not on this schedule? That’s okay. Whether you’re just getting started or need help closing gaps quickly, we can meet you where you are and get your program back on track.

How NuHarbor supports your ARC-AMPE compliance journey

ARC-AMPE introduces major changes to how privacy, risk, and security are integrated across your environment. Whether you’re transitioning from MARS-E or managing ongoing CMS requirements, NuHarbor provides structured, flexible support to help you meet compliance with confidence.

Infrastructure and application penetration testing

Meet annual and change control ARC-AMPE requirements for technical testing using our expert team of penetration testers.

Policy and documentation development

Create or update critical CMS artifacts, including your System Security and Privacy Plan (SSPP), Privacy Program Plan (PPP), Incident Response Plan, Contingency Plan, and related policies and procedures.

Compliance calendar and submission support

Stay aligned with CMS timelines through quarterly POA&M updates, Risk Acceptance Forms (RAFs), ATC submissions, and compliance tracking.

Independent controls assessments and audit preparation

Conduct annual security and privacy assessments (SAP, SAR, SAW) to validate your program and prepare for CMS review.

Third-party and supply chain risk management

Evaluate vendor compliance, develop Partner Information Security Agreements (ISAs), and meet ARC-AMPE’s SR control family requirements.

Privacy and security awareness training

Deliver role-based training aligned to ARC-AMPE using KnowBe4 to meet organizational and CMS-specific training requirements.

IRS Pub 1075 alignment

If applicable, we help integrate Pub 1075 requirements into your ARC-AMPE compliance program for a unified approach.

24/7 Managed security services

Strengthen your compliance posture with continuous monitoring, vulnerability management, and incident detection support that aligns with ARC-AMPE’s requirements for ongoing operational control.

Free Resource: ARC-AMPE Compliance Guide

This guide outlines the six key changes from MARS-E to ARC-AMPE, explains how to adapt your program, and offers practical steps to begin your transition with confidence.


Behind on your ARC-AMPE planning? We’ll help you catch up and get it right.
