GRC | MARS-E | Medicare & Medicaid Services. Minimum Acceptable Risk Safeguards for Exchanges MARS-E
This Harmonized Security and Privacy Framework defines a structure for managing the security and privacy requirements of systems deployed to administer the provisions of the Affordable Care Act (ACA) that ensure affordable healthcare for all Americans. The centerpiece of the framework is the streamlined and tailored selection of security and privacy controls for Exchanges. The Security and Privacy controls specify applicable policies, standards, and procedures necessary for: • Administering Entities to manage privacy and security risks in State-Based Exchange and Medicaid/Children’s Health Insurance Program (CHIP) environments • Administering Entities to manage the responsibility to assure security and privacy for authorized data usage of ACA Personally Identifiable Information (PII) • The Centers for Medicare & Medicaid Services (CMS) to define its responsibility for compliance oversight and monitoring.
source
It's a shame AWS config doesn't have PCI DSS v4 policies