MARS-E compliance

For ACA administering entities.

Minimum Acceptable Risk Standards for Exchanges (MARS-E) framework includes requirements for the security of information systems that handle protected health information (PHI), personally identifiable information (PII), and federal tax information (FTI). Whether you’re new to MARS-E compliance or have been around since version 1.0, we’ve got you covered.

Schedule my assessment

Man filling out a document

Types of MARS-E compliance services.

The MARS-E security assessment helps organizations identify and reduce risks to their health information. We offer a variety of services that help our clients achieve compliance.

  • General consulting and training on MARS-E compliance requirements.
  • Independent MARS-E security assessments
    with steps for remediation.
  • Development and documentation of System Security Plans (SSPs).
  • Plan of Action and Milestones (POA&M) development. Learn our methodology for developing and managing your plan.
  • POA&M maintenance. We keep your plan up to date with your business needs.

MARS-E history: What you need to know.

The Patient Protection and Affordable Care Act (ACA) of 2010 created the federal and state health insurance exchanges (HIXs or marketplaces). Part of the Affordable Care Act was a requirement for Health and Human Services (HHS) to develop data security standards. As a result, in 2012, the Center for Medicare and Medicaid Services (CMS), a part of HHS, published the Minimum Acceptable Risk Standards for Exchange (MARS-E). These standards and document suites are intended to address the requirements of the ACA related to information security. The original MARS-E controls were largely based on NIST Special Publication 800-53 Revision 3, and in 2015, MARS-E 2.0 was released to coincide with and address changes in NIST Special Publication 800-53 Revision 4.

The MARS-E security control requirements are organized using the 17 control families documented in NIST Special Publication 800-53 rev 4:

  • Access Control (AC)
  • Awareness and Training (AT)
  • Audit and Accountability (AU)
  • Security Assessment and Authorization (CA)
  • Configuration Management (CM)
  • Contingency Planning (CP)
  • Identification and Authentication (IA)
  • Incident Response (IR)
  • Maintenance (MA)
  • Media Protection (MP)
  • Physical and Environmental Protection (PE)
  • Planning (PL)
  • Personnel Security (PS)
  • Risk Assessment (RA)
  • System and Services Acquisition (SA)
  • System and Communications Protection (SC)
  • System and Information Integrity (SI)
  • Program Management (PM)

In addition to MARS-E, there may also be additional and more stringent security safeguards required if the system also receives, processes, stores, or transmits Federal Tax Information (FTI). These additional requirements are included in IRS Publication 1075, and documented in Table A-1 of MARS-E 2.0 Volume III.

Our Approach

We make it easy to improve and manage your security

We believe great cybersecurity exists at the intersection of exceptional service delivery and purposeful deployment of security solutions.

Learn more about making cybersecurity easier

  • Easy to understand

    Our security experts are trained to support and communicate in ways you can understand. Cybersecurity solutions are created to answer your questions on your terms.

  • Easy to choose

    We have an established reputation as security and technology leaders. With a clear definition of cybersecurity outcomes for your business, you can make the best decisions to secure your organization.

  • Easy to trust

    We deliver clear and consistent communication. Paired with our trusted operations and reporting, your stakeholders can have peace of mind in their cybersecurity decisions.

Our solutions make it easy to progress in your cybersecurity journey.

No matter where you are in your cybersecurity journey, we can help. Whether you're just beginning, looking to improve, or not sure where to go next, our trusted experts are committed to your success and can help you every step of the way.

Strategic partners

We make it easy to tackle whatever comes next. We deliver the most comprehensive set of integrated security services in the market by harnessing the best technology available.

View all of our strategic partners

CrowdStrike logo
CrowdStrike Endpoint
Microsoft Logo
Microsoft Security Analytics & SIEM
Splunk logo
Splunk Security Analytics & SIEM
Tenable logo
Tenable Vulnerability Management
Zscaler logo
Zscaler Cloud Security

Explore comprehensive cybersecurity protection today.

  1. Consult with an expert

    Talk to one of our cybersecurity experts so we can better understand your needs and how we can help.

  2. Agree on a plan

    Based on your objectives we’ll create a tailored plan to meet your cybersecurity needs.

  3. Start maximizing your protection

    Experience peace of mind knowing what matters most is secure.

Consult with an expert