MARS-E

What is MARS-E ?

Minimum Acceptable Risk Standards for Exchanges (MARS-E) is a set of privacy and security standards for Affordable Care Act (ACA) administering entities. This framework establishes the security and privacy requirements required for compliance under MARS-E, ensuring the availability, confidentiality, and integrity of protected health information (PHI), personally identifiable information (PII), and federal tax information (FTI). All Exchanges and Healthcare organizations implementing ACH are required to have both external and external assessments to validate, identify and remediate gap to maintain compliance.

What is MARS-E based ?

Developed by the Centers for Medicare and Medicaid Services (CMS), the standards are based on the National Institute of Standards and Technology (NIST) Special Publication 800-53.

MARS-E Assessment Scope

MARS-E comprises of 352 controls separated into Security and Privacy Controls as below.

Security Controls

• Access controls
• Awareness and training
• Audit and accountability
• Configuration management
• Contingency planning
• Identification and authentication
• Incident response
• Maintenance
• Media protection
• Physical and environmental protection
• Planning
• Personnel security
• Risk assessments
• System and services acquisition
• System and communications protection
• System and information integrity
• Program management
• Privacy Controls
• Authority and purpose
• Accountability, audit, and risk management
• Data quality and integrity
• Data minimization and retention
• Individual participation and redress
• Security
• Transparency
• Use limitation

MARS-E Assessment Procedure

• Review current system documentation, policies, Implementation and other information to evaluate the implementation of MARS-E controls.
• Conduct Interview with respective personnel responsible for each control to validate and gather evidence
• Create Test cases for all controls to validate the implementation of the control
• Run Test cases on the system to validate and document any gaps identified.
• Document control evaluation notes, interview and test case notes for each control as needed.

Additional

• Create Security Assessment Plan (SAP) with all Applications, Roles, Infrastructure, Databases, Others in scope.
• Identify all infrastructure and software assets in scope
• Perform vulnerability (credentialed) and compliance scans on all systems including database, application, web and more.
• Perform web application OWASP based web security testing, using tools and manual process.
• Perform Active scans reports for all applications in scope
• Perform Application Penetration Testing and capture results
• Perform SAST scans for application code

Delivery and Next Steps

• Identify and filter the false positives from all the scans and reports.
• Create a third-party Security Assessment Report (SAR). This report will include a detailed explanation of your controls, as well as testing procedures and results. This report can be submitted to the CMS when applying for an Authorization to Operate (ATO).