Minimum Acceptable Risk Standards for Exchanges (MARS-E)


The Centers for Medicare & Medicaid Services (CMS) has assembled a document suite of guidance, requirements, and templates known as the Minimum Acceptable Risk Standards for Exchanges (MARS-E), Version 2.2. These documents address the requirements of the Patient Protection and Affordable Care Act of 2010 (ACA) applicable to all ACA Administering Entities. Specifically, Volume I: Harmonized Security and Privacy Framework presents the security and privacy controls essential for managing ACA systems, data, and privacy successfully.

An accredited third-party assessment organization (3PAO) has attested that Google Cloud meets the applicable requirements of the MARS-E Version 2.2 standard. Though there is no formal authorization and accreditation process for MARS-E, the 3PAO compared the controls in the MARS-E Catalog of Security and Privacy controls with the assessment activities performed in evaluating FedRAMP and found there to be significant coverage. The 3PAO then reviewed the most recent FedRAMP Security Assessment Report for the overlapping controls and performed independent testing of the remaining controls not covered by FedRAMP.
