Minimum Acceptable Risk Safeguards for Exchanges (MARS-E) Document Suite Volume I: Harmonized Security and Privacy Framework
Summary:
Hosted by JANUS Associates, CMS developed, assembled, and implemented guidance, requirements, and templates known as the Minimum Acceptable Risk Standards for Exchanges (MARS-E) in accordance with the Agency’s Information Security and Privacy programs.
MARS-E provides guidance on the protection of security and privacy in the ACA program environment and addresses the mandates of the ACA, including regulations 45 CFR §§155.260 and 155.280. It applies to all ACA Administering Entities (AE).
This Harmonized Security and Privacy Framework defines a structure for managing the security and privacy requirements of systems deployed to administer the provisions of the Affordable Care Act (ACA) that ensure affordable healthcare for all Americans. The centerpiece of the framework is the streamlined and tailored selection of security and privacy controls for Exchanges.
The Security and Privacy controls specify applicable policies, standards, and procedures necessary for:
- Administering Entities to manage privacy and security risks in State-Based Exchange and Medicaid/Children’s Health Insurance Program (CHIP) environments
- Administering Entities to manage the responsibility to assure security and privacy for authorized data usage of ACA Personally Identifiable Information (PII)
- The Centers for Medicare & Medicaid Services (CMS) to define its responsibility for compliance oversight and monitoring.
CMS has established this framework based on the ACA; Department of Health and Human Services (HHS) Regulations implementing the ACA; the Privacy Act; Federal Information Security Management Act of 2002, amended by the Federal Information Security Modernization Act of 2014 (FISMA); Office of Management and Budget (OMB) A-130 requirements of the federal government; and security and privacy guidance provided by National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53 Revision 4.