What is ARC-AMPE?
- New CMS security and privacy framework
- Replaces MARS-E v2.2; mandatory by March 4, 2026
- Based on NIST SP 800-53 Rev. 5
- Requires 402 baseline controls — up from MARS-E
- Modernizes to match federal and industry standards
- System Security and Privacy Plan (SSPP) is now in Excel format (previously Word)
Key ARC-AMPE Changes
- Privacy controls integrated: New Personally Identifiable Information Processing and Transparency (PT) control family
- Two new control families:
  - PT (Personally Identifiable Information Processing and Transparency, i.e. Privacy)
  - SR (Supply Chain Risk Management)
- No offshore data storage — U.S. only
- Applies to cloud, on-prem, and hybrid systems
- Promotes early security integration in development
CMS Oversight
- Enforces audits & data protection
- Requires breach reporting & risk assessments
- Ensures fair enrollment & policy compliance
- Annual Authority to Connect (ATC) or Authority to Operate (ATO) renewal
- Supports Affordable Care Act (ACA) goals through secure operations
Timeline to Prepare
- By June 2025: Review & Define Controls
- By Sept 2025: Update SSPP & Policies
- By Dec 2025: Internal Assessment
- By Mar 2026: Finalize POA&M & Remediation
Control Families
Note: ARC-AMPE control families are similar to those in NIST SP 800-53 Rev. 5
Family (baseline control count, where given)
1. Access Control (AC): 51
2. Awareness and Training (AT): 9
3. Audit and Accountability (AU): 19
4. Assessment, Authorization, and Monitoring (CA): 12
5. Configuration Management (CM): 31
6. Contingency Planning (CP): 23
7. Identification and Authentication (IA): 24
8. Incident Response (IR): 16
9. Maintenance (MA): 16
10. Media Protection (MP): 9
11. Physical and Environmental Protection (PE)
12. Planning (PL)
13. Program Management (PM)
14. Personnel Security (PS)
15. Personally Identifiable Information Processing and Transparency (PT)
16. Risk Assessment (RA)
17. System and Services Acquisition (SA)
18. System and Communications Protection (SC)
19. System and Information Integrity (SI)
20. Supply Chain Risk Management (SR)
