MARS-E compliance
For ACA Administration Providers
The Minimum Acceptable Risk Standards for Exchanges (MARS-E) framework outlines requirements for securing information systems that handle protected health information (PHI), personally identifiable information (PII), and federal tax information (FTI). Whether you're new to MARS-E compliance or have been working with it since version 1.0, we’re here to help you navigate the requirements.
Cybersecurity services trusted by 500+ organizations and growing!
GuardsArm Inc. helped us pinpoint the right assets to monitor and optimized our systems for peak performance. Now, we only receive notifications for genuine threats, allowing my team to focus more on their core objectives.
We’ve been working with GuardsArm Inc. for several years to conduct quarterly vulnerability assessments. While we typically change vendors every few years, the exceptional service from GuardsArm has kept us loyal. The reports we receive are thorough and provide clear, prioritized remediation advice.
GuardsArm Inc. performed a web application penetration test on several of our edge applications. They identified numerous configuration weaknesses, including insecure direct object reference (IDOR). They alerted us right away and provided detailed advice on how to resolve the issue. Their expert engineers guided us through the fix step-by-step and retested to ensure the critical vulnerability was fully addressed.
Wi-Fi can be tricky to manage, and we turned to GuardsArm Inc. to test the wireless networks we provide for employees and customers accessing store services. GuardsArm sent a team onsite, equipped with their "toolkit" of antennas. They successfully set up a rogue access point, mimicking ours, and users unknowingly connected to it. They then conducted an evil twin attack to intercept and inject data into the network stream between user devices and other systems. Following this, they delivered detailed findings, helping us educate users and improve behaviors.
GuardsArm Inc. conducted an external penetration test on our networks and flagged critical vulnerabilities. They provided insights into potential responses from the host before attempting any exploitation. We received updates twice daily, which was incredibly helpful for both me and my team. Additionally, their expert remediation guidance allowed us to address the vulnerabilities quickly and effectively.
Our company outsources web development, and we asked GuardsArm Inc. to review the source code and assess for insecure API calls. We were shocked by the vulnerabilities they uncovered. It was unsettling to realize that the web developer we hired had left so many security gaps in our code. I can’t express how reassuring it was to have the GuardsArm team provide us, and our partner, with clear recommendations to secure and fix the source code.
GuardsArm Inc. conducted a phishing campaign targeting our employees by replicating a realistic payroll website we use. Their engineers successfully captured several IT administrators' credentials. With domain administrator access, they compromised our entire domain within just 20 minutes of starting the campaign. This gave us a valuable opportunity to demonstrate to leadership the critical need for stronger user account practices, multi-factor authentication (MFA), improved user security awareness training, and the allocation of funds into our annual IT security budget.
GuardsArm Inc. conducted an internal penetration test using one of our legacy network protocols. They gained administrative access and pushed malicious code into our network. Had this been a real attack, we could have faced a total loss.
GuardsArm Inc. assessments give us crucial visibility into our third-party risk exposure. With over 40 vendors, we don’t have the internal resources to conduct annual assessments. These valuable insights guide our decisions when selecting and managing partnerships.
GuardsArm Inc. has been crucial to our SOC operations. Without their flexibility, expertise, and rapid response, our small SOC team wouldn’t be able to function effectively. GuardsArm consistently engages with us at both the operational and executive levels, always seeking innovative solutions. Not only do they think outside the box, but they also deliver results.

MARS-E Compliance Service Options
A MARS-E security assessment helps organizations identify and mitigate risks to the systems that handle their PHI, PII, and FTI. We offer a range of services designed to help our clients achieve full compliance with MARS-E standards:
- General consulting and training on MARS-E compliance requirements.
- Independent MARS-E security assessments with steps for remediation.
- Development and documentation of System Security Plans (SSPs).
- Plan of Action and Milestones (POA&M) development. Learn our methodology for developing and managing your plan.
- POA&M maintenance. We keep your plan up to date with your business needs.
MARS-E History: Key Information You Need to Know.
The Patient Protection and Affordable Care Act (ACA) of 2010 established federal and state health insurance exchanges (HIXs or marketplaces). One key requirement of the ACA was for the Department of Health and Human Services (HHS) to develop data security standards for these exchanges. In response, in 2012 the Centers for Medicare and Medicaid Services (CMS), a part of HHS, published the Minimum Acceptable Risk Standards for Exchanges (MARS-E) to meet the ACA's information security requirements. The original MARS-E controls were based on NIST Special Publication 800-53 Revision 3; in 2015, MARS-E 2.0 was released to align with NIST Special Publication 800-53 Revision 4.
The MARS-E security control requirements are organized into the 18 control families of NIST Special Publication 800-53 Revision 4 (the 17 security control families plus Program Management):
- Access Control (AC)
- Awareness and Training (AT)
- Audit and Accountability (AU)
- Security Assessment and Authorization (CA)
- Configuration Management (CM)
- Contingency Planning (CP)
- Identification and Authentication (IA)
- Incident Response (IR)
- Maintenance (MA)
- Media Protection (MP)
- Physical and Environmental Protection (PE)
- Planning (PL)
- Personnel Security (PS)
- Risk Assessment (RA)
- System and Services Acquisition (SA)
- System and Communications Protection (SC)
- System and Information Integrity (SI)
- Program Management (PM)
In addition to MARS-E, more stringent security safeguards apply if the system handles Federal Tax Information (FTI). These extra requirements are defined in IRS Publication 1075 and documented in Table A-1 of MARS-E 2.0 Volume III.
We simplify the process of enhancing and managing your security.
We believe that strong cybersecurity is achieved through a combination of exceptional service delivery and the intentional implementation of effective security solutions.
- Easy to understand. Our security experts are trained to communicate in a clear and understandable way. We create cybersecurity solutions that address your concerns on your terms.
- Easy to choose. We have built a strong reputation as leaders in security and technology. With a clear understanding of your business's cybersecurity goals, we help you make the best decisions to protect your organization.
- Easy to trust. We provide clear and consistent communication, supported by reliable operations and reporting. This ensures your stakeholders can make informed cybersecurity decisions with confidence.

Our solutions simplify your cybersecurity journey, making progress easier.
No matter where you are in your cybersecurity journey, we're here to assist. Whether you're just starting, aiming to improve, or unsure of your next steps, our trusted experts are dedicated to your success and will guide you every step of the way.
- Identify Gaps in My Cybersecurity Plan. Develop a new cybersecurity plan or roadmap to make budgeting, hiring, and security outcomes more predictable and manageable.
- Detect and Respond to Threats in My Environment. Our managed services are designed to quickly identify and reduce the risk of threats, all without requiring additional staffing.
- Fulfill Compliance Assessments and Requirements. Showcase the maturity of your security program to build trust with stakeholders and gain a competitive edge.
- Verify Security with Expert-Led Testing. Our engineers use the same tools and techniques as the world's most sophisticated cybercriminals, providing a clear view of vulnerabilities that would otherwise remain hidden.
- Manage Complex Cybersecurity Technologies. Maximize the return on your cybersecurity technology investment. From deployment to 24/7 monitoring, we stay vigilant for new threats, ensuring your technology delivers optimal protection without unnecessary noise or wasted effort.
- Security Monitoring with Guardsarm. The power of Guardsarm lies in its ability to help you build an in-house security operations center (SOC) and access your data whenever you need it. Our Guardsarm MSSP is tailored to your needs and how you use the platform.

Resources
We simplify staying informed and up-to-date with cybersecurity trends. By sharing our deep expertise, knowledge, and tools, we help you protect what matters most.

Discover comprehensive cybersecurity protection today and safeguard your organization from evolving threats.
- Consult with an expert. Speak with one of our cybersecurity experts to help us understand your needs and explore how we can support your security goals.
- Agree on a plan. Based on your objectives, we'll develop a customized plan to address your specific cybersecurity needs and ensure your protection.
- Start maximizing your protection. Enjoy peace of mind, knowing that what matters most is securely protected.