Microsoft Azure Information Protection offcial from youtube

Yesterday, Microsoft announced the availability of MARS-E control requirements for Azure and Azure Government. For those unfamiliar, MARS-E stands for Minimum Acceptable Risk Standards for Exchanges.

Published by the Center for Medicare and Medicaid Service in 2012, it contains a suite of documents. The documents include guidance and templates to help users adhere to the Protection and Affordable Care Act.

The suite also addresses growing online security concerns and is regularly updated to adhere to new threats.


It provides information to ACA administering entities on how to protect user data to a good standard.

Which Services Are Covered?

Though Microsoft doesn’t specifically have accreditation for MARS-E, they recently got approved for FedRAMP. FedRAMP is the highest level of security certification available as such covers most of MARS-E.

Microsoft has published a list of services that FedRAMP covers, and therefore MARS-E also:

  • Azure. These services are covered at the FedRAMP Moderate Impact Level: Application Gateway, Azure Active Directory, Cloud Services, Key Vault, Load Balancer, Multi-Factor Authentication, SQL Database, Storage, Traffic Manager, Virtual Machines, Virtual Network, and VPN Gateway.
  • Azure Government. These services are covered at the FedRAMP High Impact Level: App Service: Web Apps, Application Gateway, Azure Active Directory,* Cloud Services, ExpressRoute, Key Vault, Load Balancer, SQL Database, Storage, Traffic Manager, Virtual Machines, Virtual Network, and VPN Gateway.”

The company also states that formal third party FedRAMP reports reveal Azure is capable of meeting the MARS-E security requirements. This means organizations can leverage Microsoft’s compliance and don’t have to audit that aspect manually.

It’s a complex issue, so as usual, you can find extensive guidance on the Trust Center website. You may also want to read the MARS-E guidance for yourself or more about Microsoft’s FedRAMP authorization.