In 2012, the Centers for Medicare & Medicaid Services (CMS) published the Minimum Acceptable Risk Standards for Exchanges (MARS-E) in accordance with CMS information security and privacy programs. The suite of documents, including guidance, requirements, and templates, was designed to address mandates of the Patient Protection and Affordable Care Act (ACA) and regulations of the Department of Health and Human Services (HHS) that apply to the ACA. The National Institute of Standards and Technology (NIST) SP 800-53 Security and Privacy Controls for Information Systems and Organizations serves as the parent framework that establishes the security and compliance requirements for all systems, interfaces, and connections between ACA-mandated health exchanges and marketplaces.
Following the release of MARS-E, NIST released an update, SP 800-53 Rev. 4, to address growing challenges to online security, including application security; insider and advanced persistent threats; supply chain risks; and the trustworthiness, assurance, and resilience of systems of mobile and cloud computing. CMS then revised the MARS-E framework to align with the updated controls and parameters in NIST 800-53 Rev. 4, publishing MARS-E 2.0 in 2015. For more information, see Minimum Acceptable Risk Standards.
The MARS-E 2.0 updates address the confidentiality, integrity, and availability of protected data in health exchanges, which includes personally identifiable information, protected health information, and federal tax information. The MARS-E 2.0 framework aims to secure this protected data and applies to all ACA administering entities, including exchanges or marketplaces, federal, state, state Medicaid, or Children’s Health Insurance Program (CHIP) agencies, and their supporting contractors.
Azure and MARS-E
There's no formal authorization or certification process for MARS-E. However, the MARS-E framework is aligned with NIST SP 800-53 Rev. 4, which serves as the baseline control set for the US Federal Risk and Authorization Management Program (FedRAMP). Therefore, a FedRAMP assessment and authorization provides a strong foundation for evaluating MARS-E requirements mapped to NIST SP 800-53 controls.
- Microsoft maintains a FedRAMP High authorization for both Azure and Azure Government issued by the FedRAMP Joint Authorization Board (JAB). Although FedRAMP doesn't specifically focus on MARS-E, the MARS-E control requirements and objectives are very closely aligned with FedRAMP and serve to protect the confidentiality, integrity, and availability of data on Azure.
- An accredited third-party assessment organization (3PAO) has attested that both Azure and Azure Government meet the applicable requirements of MARS-E. The attestation was based on an analysis of the security controls defined in the MARS-E catalog to determine Azure and Azure Government compliance status based on existing assessments such as FedRAMP. The result of this analysis was that additional controls that are required as part of the MARS-E catalog were added to assessment scope to demonstrate compliance with the security controls defined in the MARS-E catalog.
- Azure Government
For instructions on how to access attestation documents using the Azure or Azure Government portal, see Audit documentation. The following documents are available:
- Azure Commercial – Attestation of Compliance with MARS-E (available from the Azure portal)
- Azure Government – Attestation of Compliance with MARS-E (available from the Azure Government portal)
An accredited third-party assessment organization (3PAO) has attested that Azure (also known as Azure Commercial) and Azure Government comply with the security controls defined in the CMS MARS-E catalog.
For access to Azure and Azure Government FedRAMP documentation, see FedRAMP attestation documents.
Frequently asked questions
To whom does the standard apply? MARS-E applies to all Affordable Care Act administering entities, including exchanges or marketplaces, federal, state, Medicaid, and CHIP agencies administering the Basic Health Program, as well as all their contractors and subcontractors.
How does Azure demonstrate adherence to this standard? Using the formal FedRAMP assessment and authorization program, Microsoft is able to show how relevant controls in the underlying NIST SP 800-53 control baseline demonstrate Azure alignment with MARS-E security and privacy requirements. Starting with the FedRAMP control baseline, an accredited third-party assessment organization (3PAO) identified additional controls required for Azure and Government to demonstrate compliance with the security controls defined in the MARS-E catalog. After these additional controls were successfully tested, the 3PAO produced attestation letters to confirm that Azure and Azure Government meet the applicable MARS-E requirements.
Where can I get the Azure MARS-E attestation documents? For links to audit documentation, see Attestation documents. You must have an existing subscription or free trial account in Azure or Azure Government to sign in. You can then download audit certificates, assessment reports, and other applicable documents to help you with your own regulatory requirements.
How can I use Microsoft's support for MARS-E in my own assessment? You can review available Azure and Azure Government FedRAMP documentation for evidence of control effectiveness that Microsoft has implemented to maintain the security and privacy of the Azure platform. You may use the audited controls described in FedRAMP documentation as part of your own MARS-E compliance assessment. Microsoft doesn't inspect, approve, or monitor your applications deployed on Azure. You're wholly responsible for ensuring your own compliance with all applicable laws and regulations.
- Azure compliance documentation
- Azure enables a world of compliance
- Microsoft 365 compliance offerings
- Compliance on the Microsoft Trust Center
- Centers for Medicare & Medicaid Services (CMS)
- CMS Minimum Acceptable Risk Standards
- Volume 2 MARS-E v2.0: Minimum Acceptable Risk Standards for Exchanges
- Volume 3 MARS-E v2.0: Catalog of Security and Privacy Controls
- FedRAMP documents and templates
- NIST SP 800-53 Security and Privacy Controls for Information Systems and Organizations
- Microsoft Cloud for healthcare compliance offerings
- Azure for healthcare
- Azure high-performance computing for health and life sciences
- Microsoft Cloud for healthcare
- Healthcare on the Microsoft Trust Center