Specifications include, but are not limited to:

• Minimum Acceptable Risk Standards for Exchanges (MARS-E 2.2) and Acceptable Risk Controls for ACA, Medicaid, and Partner Entities (ARC-AMPE) required documents and artifacts:
  o System Security Plan (SSP, under MARS-E 2.2 and ARC-AMPE)
  o Information System Risk Assessment (IRSA)
  o Updated POA&M
  o Interconnection Security Agreement (ISA)
  o Privacy Impact Assessment (PIA) using the new Unified PIA
  o Computer Matching Agreement (CMA)
  o Information Exchange Agreement (IEA)
  o IRS Safeguard Security Report (SSR) Approval Letter
• Project Management Skills/Abilities:
  o Conduct an analysis of system performance
  o Review and make recommendations on risks
  o Communicate and coordinate with stakeholders
  o Provide timely distribution of reports
• Knowledge of Security and Privacy Standards:
  o NIST

V. ADDITIONAL REQUIREMENTS

• Experience with Medical Eligibility Systems and Health Exchanges (FFM)
  o Verification Services
    § Significant experience with industry-standard and best practices regarding quality, quality assurance, and quality control principles and techniques;
    § Appropriate experience with the specified relational database, mainframe, client/server, data capture, and web portal technologies in use on this project; and
    § Experience in healthcare-related concepts, configuration and management, with Medicaid experience a plus.
  o Validation Services
    § Extensive experience in providing MARS-E 2.2 and ARC-AMPE user services;
    § Broad experience with technical writing;
    § Experience with the CMS Certification process.
• Experience completing MARS-E 2.2 and ARC-AMPE Certification for another state.

VI. REQUIRED SERVICES

The contractor shall perform all MARS-E 2.2 or ARC-AMPE Certification responsibilities defined in this Scope of Work throughout the term of the contract. The contractor will follow industry-standard methodologies and approaches, and the work will consist of, at a minimum, the services listed below:

A. Security Assessment Review
  1. The contractor will produce a progress assessment on the MARS-E 2.2 or ARC-AMPE Certification process and identify any strengths and/or weaknesses found within the review.
  2. The contractor will interview and observe the staff in accordance with the MARS-E 2.2 and ARC-AMPE Certification outlined in the CMS MARS-E 2.2 or ARC-AMPE document suite:
    a. Volume I: Harmonized Security and Privacy Framework, Version 2.0
    b. Volume II: Minimum Acceptable Risk Standards for Exchanges, Version 2.0
    c. Volume III: Catalog of Minimum Acceptable Risk Security and Privacy Controls for Exchanges, Version 2.0
    d. Volume IV: ACA Administering Entity System Security Plan, Version 2
  3. The contractor will have access to the required documents.
  4. The contractor will have access to the CMS zONE for uploading required documents.

B. Evaluation
  1. The contractor will evaluate and make recommendations about the State artifacts that are required for the MARS-E 2.2 or ARC-AMPE ACT Certification.