Stay Compliant with the New MARS-E Compliance Changes
It's no surprise that cyber attacks continue to rise. Not only are the numbers growing, but cyber threats are becoming more sophisticated too. 86% of data breaches were financially motivated, and financially motivated attackers will target any type of organization.* Cyber threats can come from external and internal sources. Either way, the fallout from a security breach can be catastrophic, and if you operate in a highly regulated industry, your risks are amplified.
70% of cyber attacks come from external sources, so it is more critical than ever to safeguard your operations.*
As an Affordable Care Act (ACA) administering entity (AE), you are required to implement a minimum set of security controls to protect personally identifiable information (PII) and protected health information (PHI). These controls are defined in the Centers for Medicare & Medicaid Services (CMS) Minimum Acceptable Risk Standards for Exchanges (MARS-E). We'll walk you through the changes and how our Bulletproof team can help you.
Bulletproof has been at the forefront of these MARS-E compliance changes, as one of the first independent assessors to use the new SAR template in recent assessments. We have a good working relationship with CMS and an even stronger track record of thorough, reputable and, importantly, compliant SARs. We have provided MARS-E consulting and independent security assessment services since 2012 and have worked with more than 18 administering entities.
*Source: 2020 Verizon Data Breach Investigations Report (DBIR)
The 2010 Affordable Care Act (ACA) created the federal and state health insurance exchanges, through which consumers can shop online for health insurance coverage. Because personal data is collected online, its privacy and security must be ensured.
As a result, in 2012 the Centers for Medicare & Medicaid Services (CMS), part of the Department of Health and Human Services (HHS), released the Minimum Acceptable Risk Standards for Exchanges (MARS-E): information technology standards that address the requirements of the ACA to ensure that consumer data is protected.
MARS-E continues to evolve and requires regular assessment of your security controls to confirm compliance with the standard. Demonstrated compliance is required for many reasons, including access to additional federal and state funding and an Authority to Connect (ATC) to the Federal Data Services Hub.
The backbone of MARS-E compliance is the Security Assessment Report (SAR), which assesses your System Security Plan (SSP). The SSP is the roadmap of your IT security and privacy environment and the document in which you record how your security and privacy controls are implemented to protect all data received, stored, processed and transmitted by your IT systems and supporting applications. Without demonstrated compliance with MARS-E, important initiatives, programs and system updates can come to a halt, which is frustrating and costly and impedes services to citizens.
MARS-E defines a series of security controls that are largely based on National Institute of Standards and Technology (NIST) Special Publication 800-53.
MARS-E applies to all Affordable Care Act administering entities, including exchanges and marketplaces, federal and state agencies, Medicaid and CHIP agencies, agencies administering the Basic Health Program, and all of their contractors and subcontractors.
The MARS-E security control requirements are organized using the 17 control families from NIST Special Publication 800-53.
The 17 control families are: Access Control (AC), Awareness and Training (AT), Audit and Accountability (AU), Security Assessment and Authorization (CA), Configuration Management (CM), Contingency Planning (CP), Identification and Authentication (IA), Incident Response (IR), Maintenance (MA), Media Protection (MP), Physical and Environmental Protection (PE), Planning (PL), Personnel Security (PS), Risk Assessment (RA), System and Services Acquisition (SA), System and Communications Protection (SC), and System and Information Integrity (SI).
In 2020, CMS released changes to the requirements for MARS-E compliance attestations for the 2021 audit year. The impetus for these changes is that CMS has rejected several attestations because of poor quality. CMS is finding that certain AEs treat MARS-E compliance as a "check box" exercise rather than ensuring that adequate controls are in place and maintained. CMS is raising the bar on verifying that security and privacy controls are actually in place. While CMS continues to accept the baseline, AEs should prepare for more stringent assessments and heightened requirements.
The current version of MARS-E is version 2.2, released in 2021. The underlying standard is NIST SP 800-53 Revision 4. The next version, 3.0, is expected to incorporate NIST SP 800-53 Revision 5.2.
Below are the MARS-E compliance changes you should be aware of before you start your next assessment.
A significant change is the addition of the Security Assessment Plan (SAP). This deliverable is now required when an AE uses an independent assessor for its annual attestation. It documents all testing to be performed to validate the security and privacy controls for the AE's system, and it must be jointly completed and agreed to by both the AE and the assessor before the MARS-E assessment starts.
While the SAP does not require CMS approval, the agency expects to review it 60 days before an assessment starts. This review gives CMS the opportunity to provide guidance where the planned assessment activities may not meet the mark.
Because of the large number of state-level agencies and independent assessment firms, which vary in maturity and capability, the primary driver behind the changes to the SAR template was CMS's need to reset expectations about the level of detail required to approve an Authority to Connect (ATC).
The SAR is CMS's last line of defense in mitigating the risk of permitting state-based Medicaid systems to connect to the federal hub that CMS is responsible for protecting.
The SAR template now requires a greater level of detail. As of 2021, the SAR is intended to stand on its own, with no need for CMS to read through and decipher audit working papers or other reports to understand the assessment results. CMS often lacks the familiarity with the systems and their background that the independent assessors have. The additional detail in the new report format is intended to give CMS the background, context and assessment details it needs to make the authorization decision.
1. Rather than a list of assessment findings, the SAR Detailed Findings section now requires a list of every control that was assessed, along with a rating that is substantiated in the assessment comments.
2. The Detailed Findings section must map applicable MARS-E controls to recognized critical controls, as defined by the Open Web Application Security Project (OWASP) and the Center for Internet Security (CIS), so CMS can easily identify areas of risk or inconsistencies in the control assessment ratings that would raise a red flag.
3. The SAR Technical Testing section has been expanded and now requires a greater level of detail, including metrics tables intended to help CMS quickly identify areas of technical risk.
4. CMS now expects the independent assessor to provide oversight of your vulnerability assessments, focusing on areas such as configuration validation scans, to ensure they are executed correctly so nothing is missed.
5. As part of the technical assessment, CMS expects the independent assessor to highlight gaps and identify opportunities for improvement in areas where you do not meet CMS requirements for this technical testing.
Our comprehensive portfolio of best-in-class solutions includes significant expertise in cybersecurity, enabling us to bolster our existing security services for AEs. At Bulletproof, security is in our DNA. For the past 20 years, we have focused on helping clients navigate the increasingly complicated security landscape. Our security experts have extensive experience helping organizations shape their security operation models, governance structures and frameworks, and aligning their practices and technologies with industry and international best practices.
Our MARS-E experts have supported the consulting and assessment needs of 18 administering entities, developing essential MARS-E documentation, conducting full MARS-E assessments and performing single-year surveillance audits.
Security Assessment Plan (SAP): a documented plan for the annual assessment that CMS expects to review 60 days before the assessment starts, so it can provide guidance where the planned assessment may not meet the mark. Bulletproof can help you develop a plan that meets all requirements.
Threat Risk Assessment (TRA): Bulletproof will conduct a thorough TRA to identify risks early in the system development and delivery life cycle. Risks identified early cost less to address and better secure the organization's systems and data. Bulletproof will provide an assessment of all security weaknesses found and options for how you can strengthen your security.
Plan of Action and Milestones (POA&M): a remedial action plan that identifies and assesses information system security and privacy weaknesses, sets priorities, and monitors progress toward mitigating those weaknesses.
Risk Assessment: an analysis of the risk to organizational operations, organizational assets, individuals, other organizations, and the nation arising from the potential for unauthorized access, use, disclosure, disruption, modification or destruction of information and information systems.
Privacy Impact Assessment (PIA): an assessment of an information system, program or project that collects, uses, maintains or shares personally identifiable information (PII). It can be conducted during development or procurement of a new system, project or program, or against existing systems and programs, to ensure compliance with applicable legal, regulatory and policy requirements.
Our MARS-E services will help you not only document, organize and implement the required security controls, but also identify and remediate risks and vulnerabilities and establish a plan for continuous monitoring.
Don't tie up your resources navigating MARS-E requirements. Let Bulletproof's security experts help you achieve MARS-E compliance and avoid assessment surprises, freeing you to focus on what matters most: delivering innovative programs to the citizens you serve. Book your free consultation today!
Technology is inextricable from the way modern organizations operate, which spells both challenges and opportunities in such a highly regulated industry. We work with top organizations in the United States and across the world. We leverage our extensive industry experience and IT know-how to help organizations reduce risk and improve their processes, systems and business infrastructure.