The Security of Health Insurance Exchanges – “MARS-E”

Under the Patient Protection and Affordable Care Act (the “ACA”), health insurance marketplaces have been set up to facilitate the purchase of health insurance in each state. Individuals eligible for federal subsidies use these health insurance exchanges to shop for health insurance policies. In the process, they provide their sensitive, personal information to health plans through the exchange. Have you ever stopped to think what the state and federal health insurance exchanges are required to do to ensure the security of that information?

That’s where “MARS-E” comes into the picture. MARS-E is short for Minimum Acceptable Risk Standards for Exchanges. The ACA required the U.S. Department of Health and Human Services (HHS), in consultation with the Health Information Technology (HIT) Policy Committee and the HIT Standards Committee (the Committees), to develop interoperable and secure standards and protocols. These standards are collected into a Catalog[1]. The Catalog was created using the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53 control families and controls as a starting point.

Those familiar with the Federal Information Security Management Act (FISMA) and the challenges of compliance will recognize NIST SP 800-53. It is a high standard, a collection of best practices, and it is not for the faint of heart. To this base, HHS added the applicable federal requirements under HIPAA, HITECH, the Privacy Act, Tax Information Safeguarding Requirements, and a host of other state and federal regulations. MARS-E is the catalog which health insurance exchanges use to facilitate compliance with the myriad of security requirements.

A health insurance exchange would be required to incorporate the security controls defined in the Catalog with other state-appropriate security and privacy requirements, and document the control implementation details. In order to operate, health insurance exchanges seek an “Authorization to Operate” from the Centers for Medicare & Medicaid Services (CMS). Prior to granting the ATO, CMS would then inspect the exchange’s compliance evidence for completeness. Such compliance evidence would include the following:

  • System Security Plan (SSP) (and all associated attachments)
  • SSP Workbook (and all associated attachments)
  • Information Security Risk Assessment (IS RA) (and all associated attachments)
  • Contingency Plan (CP) (and all associated attachments)
  • CP Test Plan
  • CP Test After Action Report
  • Security Control Assessment Plan (SCA Test Plan)
  • Security Control Assessment Report (SCA Report)
  • Plan of Action and Milestones (POA&M) Report
  • Privacy Impact Assessment (PIA) (signed by the CMS Privacy Officer)
  • Certification Cover Memo (hard copy, soft copy in CFACTS)
  • Security Certification Form (hard copy, soft copy in CFACTS)

The SSP alone is a significant documentation effort. For example, the SSP template for GSA FEDRAMP compliance, which is based on FISMA, is approximately 350 pages in length. It was written in accordance with National Institute of Standards and Technology (NIST) Special Publication (SP) 800-18, Revision 1, Guide for Developing Security Plans for Information Technology Systems.

In summary, MARS-E imposes FISMA, HIPAA, and a number of other requirements on health insurance exchanges and requires that the exchanges meet stringent security and documentation requirements.


[1] CMS Catalog of Minimum Acceptable Risk Controls for Exchanges – Exchange Reference Architecture Supplement, Version 1.0, August 1, 2012. Link: