MARS-E (US)

MARS-E overview

In 2012, the Centers for Medicare & Medicaid Services (CMS) published the Minimum Acceptable Risk Standards for Exchanges (MARS-E) in accordance with CMS information security and privacy programs. The suite of documents, including guidance, requirements, and templates, was designed to address mandates of the Patient Protection and Affordable Care Act (ACA) and regulations of the Department of Health and Human Services (HHS) that apply to the ACA. The National Institute of Standards and Technology (NIST) SP 800-53 Security and Privacy Controls for Information Systems and Organizations serves as the parent framework that establishes the security and compliance requirements for all systems, interfaces, and connections between ACA-mandated health exchanges and marketplaces.

Following the release of MARS-E, NIST released an update, SP 800-53 Rev. 4, to address growing challenges to online security, including application security; insider and advanced persistent threats; supply chain risks; and the trustworthiness, assurance, and resilience of systems of mobile and cloud computing. CMS then revised the MARS-E framework to align with the updated controls and parameters in NIST 800-53 Rev. 4, publishing MARS-E 2.0 in 2015. For more information, see Minimum Acceptable Risk Standards.

The MARS-E 2.0 updates address the confidentiality, integrity, and availability of protected data in health exchanges, which includes personally identifiable information, protected health information, and federal tax information. The MARS-E 2.0 framework aims to secure this protected data and applies to all ACA administering entities, including exchanges or marketplaces, federal, state, state Medicaid, or Children’s Health Insurance Program (CHIP) agencies, and their supporting contractors.

Azure and MARS-E

There's no formal authorization or certification process for MARS-E. However, the MARS-E framework is aligned with NIST SP 800-53 Rev. 4, which serves as the baseline control set for the US Federal Risk and Authorization Management Program (FedRAMP). Therefore, a FedRAMP assessment and authorization provides a strong foundation for evaluating MARS-E requirements mapped to NIST SP 800-53 controls.

  • Microsoft maintains a FedRAMP High authorization for both Azure and Azure Government issued by the FedRAMP Joint Authorization Board (JAB). Although FedRAMP doesn't specifically focus on MARS-E, the MARS-E control requirements and objectives are very closely aligned with FedRAMP and serve to protect the confidentiality, integrity, and availability of data on Azure.
  • An accredited third-party assessment organization (3PAO) has attested that both Azure and Azure Government meet the applicable requirements of MARS-E. The attestation was based on an analysis of the security controls defined in the MARS-E catalog to determine Azure and Azure Government compliance status based on existing assessments such as FedRAMP. The result of this analysis was that additional controls that are required as part of the MARS-E catalog were added to assessment scope to demonstrate compliance with the security controls defined in the MARS-E catalog.

Applicability

  • Azure
  • Azure Government

Attestation documents

For instructions on how to access attestation documents, see Audit documentation. The following attestation letters are available from the Service Trust Portal (STP) United States Government section:

  • Azure Commercial – Attestation of Compliance with MARS-E
  • Azure Government – Attestation of Compliance with MARS-E

An accredited third-party assessment organization (3PAO) has attested that Azure (also known as Azure Commercial) and Azure Government comply with the security controls defined in the CMS MARS-E catalog.

For access to Azure and Azure Government FedRAMP documentation, see FedRAMP attestation documents.

Frequently asked questions

To whom does the standard apply?
MARS-E applies to all Affordable Care Act administering entities, including exchanges or marketplaces, federal, state, Medicaid, and CHIP agencies administering the Basic Health Program, as well as all their contractors and subcontractors.

How does Azure demonstrate adherence to this standard?
Using the formal FedRAMP assessment and authorization program, Microsoft is able to show how relevant controls in the underlying NIST SP 800-53 control baseline demonstrate Azure alignment with MARS-E security and privacy requirements. Starting with the FedRAMP control baseline, an accredited third-party assessment organization (3PAO) identified additional controls required for Azure and Government to demonstrate compliance with the security controls defined in the MARS-E catalog. After these additional controls were successfully tested, the 3PAO produced attestation letters to confirm that Azure and Azure Government meet the applicable MARS-E requirements.

How can I get the Azure MARS-E attestation documents?
For links to audit documentation, see Attestation documents.

How can I use Microsoft's support for MARS-E in my own assessment?
You can review available Azure and Azure Government FedRAMP documentation for evidence of control effectiveness that Microsoft has implemented to maintain the security and privacy of the Azure platform. You may use the audited controls described in FedRAMP documentation as part of your own MARS-E compliance assessment. Microsoft doesn't inspect, approve, or monitor your applications deployed on Azure. You're wholly responsible for ensuring your own compliance with all applicable laws and regulations.

Resources