The purpose of the Minimum Acceptable Risk Standards for Exchanges (MARS-E) is to provide a starting point for security guidance that Exchanges can use in implementing and operating their IT systems in support of the Affordable Care Act.

The Minimum Acceptable Risk Standards for Exchanges provides guidance to Exchanges and their contractors regarding the minimum level of security controls that must be implemented to protect information and information systems for which CMS has oversight responsibility.

Each Exchange system owner is responsible for incorporating the security controls defined in MARS-E, along with state-appropriate security and privacy requirements, to protect Personally Identifiable Information (PII) against anticipated threats or unlawful use.

Depending on the information processed, an Exchange’s IT system may be required to meet additional security control requirements as mandated by specific federal, state, legal, program, or accounting sources.

MARS-E Compliance

Exchanges must document such requirements and the control implementation details in their System Security Plans (SSP). Exchanges are also required to define system risks in an Information Security (IS) Risk Assessment (RA). The guidance in the MARS-E neither relieves nor waives any other federal, state, or other applicable laws, guidance, policies, or standards.

Section 155.260 (a)(3) of the HHS Final Rule on ACA Exchanges requires each Exchange to establish and implement privacy and security standards consistent with the principles stated in §155.260 of the Rule.

There is no integrated, comprehensive approach to security and privacy that respects applicable federal requirements under FISMA, HIPAA, HITECH, ACA, the Privacy Act, Tax Information Safeguarding Requirements, and state and other federal regulations.

The laws and guidance provided by other federal agencies and the National Institute of Standards and Technology remain the authoritative source. For example, when Exchanges handle PHI, they are subject to HIPAA regulations and standards.

Given all of these nuances, Praetorian Secure LLC drew on its strong history in compliance consulting to develop a service offering that guides organizations through the complex issues of comprehensive compliance using a less complicated approach. Additionally, we designed a program through our managed security services division, Managed Defense LLC, to provide managed security services and software that demonstrate compliance.

Praetorian Secure's MARS-E Services Include

  • Annual Risk Assessment
  • Annual Penetration Testing
  • Application Development Security Review
  • System Engineering
  • Policy and Procedural Review
  • Quarterly Vulnerability Scanning

Looking to Become MARS-E Compliant? Look No More.