FISMA Compliance for Federal Contractors – Overview and Checklist

FLANK provides comprehensive FISMA compliance services for federal contractors, including reporting, certification and accreditation services for contractors and other entities throughout North America, and abroad.

With years of real-world experience in helping businesses comply with many of today’s demanding federal and industry-specific compliance mandates, we’ve built a successful track record throughout the globe that speaks for itself. With FISMA being one of the largest – and often most complex – federal mandates for businesses to implement, our expertise and knowledge of the Federal Information Security Modernization Act is vast and deep, offering professional guidance, support, and recommendations that are truly second to none. In short, if it’s about FISMA, it’s time to talk to the experts at FLANK.

FISMA Matrix

FISMA Compliance & Certification Essentials

Compliance with the Federal Information Security Management Act (FISMA) – signed into law by President George W. Bush in 2002, amended in 2014, and now known as the Federal Information Security Modernization Act – is not an overnight process. It can take a tremendous amount of time if not properly planned out. That’s why businesses all throughout North America turn to us for expert guidance and assistance, so take note of the following best practices and other essential subject matter you need to know about for conquering FISMA, courtesy of FLANK:

Understand What FISMA is

Knowing what you’re getting into in life goes a long way in understanding what’s expected of you, along with tempering expectations of what the overall process will be. Same can be said for FISMA, for which many businesses fail to truly understand the mandates of the Federal Information Security Modernization Act. We often field phone calls from prospective clients asking for a “certificate” or a quick review of their environment for FISMA. Unfortunately, as one of the largest and most demanding compliance mandates ever put forth, FISMA requires a long term, dedicated, and diligent effort for becoming – and staying – compliant.

Want to truly understand FISMA? Then download a copy of NIST SP 800-53, the defining publication used for performing FISMA assessments for federal contractors. NIST SP 800-53 is an incredibly large and complex document, so pull up a chair and expect to spend a number of hours reading through it.

Technical Remediation is Essential

Many of the prescribed Control Families within the NIST SP 800-53 publication require implementing various hardware and software tools and security solutions for compliance. For example, from two-factor authentication to vulnerability scanning, audit trail logging capabilities – and more – there’s a healthy list of security protocols that need to be acquired for ultimately ensuring FISMA compliance.

The challenge is often determining which vendors to use and then implementing the products into one’s environment – both heavy financial and operational costs that must be addressed. FLANK has extensive experience in helping federal contractors pick and choose the best security tools for FISMA compliance, and we also can assist with technical implementation as necessary.

Documentation is a Must for FISMA Compliance

While much attention is given to the security and technical merits of FISMA compliance – and understandably so – don’t lose sight of the enormous need and task for developing all the necessary information security policies, procedures, and other essential materials. FISMA, like many of today’s demanding compliance requirements, requires extensive policy documentation to be in place, which is often a time-consuming and laborious process indeed.

FISMA Compliance Policies Policy Templates and Toolkit

FLANK offers industry leading security policy templates and other necessary forms and documents for helping federal contractors successfully develop all the necessary materials for FISMA compliance. It’s just another reason why we’re looked upon as North America’s leading provider of FISMA services.

Yes, FISMA Compliance is Attainable – Efficiently and Cost-Effectively

Becoming FISMA compliant is not an overnight process – by now that should be quite clear – but at the same time, try to forget all those nightmarish stories you hear about, as those are often the result of improper planning and execution. Getting FISMA right in terms of cost containment, budgeting, estimation of hours, and other essential elements starts by doing two very important things: (1) finding a reputable, competent firm that’s well versed in FISMA, and (2) performing a FISMA readiness & gap assessment. Get these two things right the first time, and you’ll be able to conquer the FISMA compliance mandates in an efficient, timely, and cost-effective manner.

The World’s Leading Provider of FISMA Compliance

From readiness & gap assessments to policy and procedure writing, along with performing independent FISMA assessments, FLANK has the experience, manpower, and expertise for helping federal contractors become compliant with the Federal Information Security Modernization Act. We get FISMA done for you – plain and simple – so let’s talk today about your compliance needs and how FLANK can help. Contact us today to learn about our FISMA compliance and certification services.

8 Point FISMA Compliance Checklist for Contractors

1. Understand the Origins of FISMA Compliance & Certification: Federal contractors seeking FISMA compliance, reporting, certification and accreditation services need to know the origins of FISMA in order to understand the road ahead. It’s essential, first and foremost, to understand that FISMA is not an overnight, check-the-box process; rather, it is a set of initiatives that results in the mature adoption and implementation of the prescriptive security controls found within NIST SP 800-53. Simply stated, get to know NIST SP 800-53, and you’re in good hands when it comes to understanding FISMA reporting, certification and accreditation.

2. FISMA Compliance & Certification is not a “Check-the-Box” Paperwork Exercise: At FLANK, we’re often asked what it takes to become FISMA compliant – specifically, what does the entire FISMA compliance, certification, and accreditation process entail? We get questions such as “Is it a simple checklist we can do in a few weeks?” and “Is it similar to a SOC or PCI DSS audit?”

The cold hard truth about FISMA compliance is that it requires a true ideological change in how organizations manage security and privacy. It’s about putting in place highly formalized controls and well-written, comprehensive documentation. It’s a process, an evolution and maturity of an organization’s policies, procedures, and processes. And it can take time to fully meet the FISMA reporting requirements. No, it’s not an overnight process. No, it’s not a simple check-the-box process. Becoming compliant requires a true commitment from all participants, so keep that in mind.

Just take a look at NIST SP 800-53 and very quickly you’ll see the need for comprehensive security and privacy controls to be in place, along with well-written policies and procedures to support such controls. FLANK can help. We offer world-class FISMA policy templates and toolkits available for instant download today at flank.org. Contact us today to learn more.

3. Understand the “Certification & Accreditation Process”: We’re often asked what it takes to become FISMA compliant, and we always begin with a deep dive into the FISMA certification & accreditation process. Here’s the simple version: To become FISMA compliant, you’ll need to provide the following three (3) deliverables: (1) System Security Plan (SSP), (2) Security Assessment Report (SAR), and (3) Plan of Action and Milestones (POAM).

Then, once all of these documents are final, they become part of the certification and accreditation process in which a senior agency official provides (hopefully!) the Authority to Operate (ATO) for the in-scope information system. The ATO essentially means the federal agency is now accepting the risk for the information system and it can be used for its intended purpose.

Getting to this point – that is, developing the three (3) deliverables (i.e., the SSP, SAR and POAM) – is not an overnight process. Most FISMA engagements do take time; how much ultimately depends on the maturity of one’s internal controls as they relate to the requirements within NIST SP 800-53. Can it take a few months? Sure. How about six months or even a year? Yes, that’s possible also. Contact us to learn more about the FISMA certification and accreditation process and how FLANK can help.

4. Learn about the New and Improved Risk Management Framework: Becoming FISMA compliant ultimately means following the path of the Risk Management Framework (RMF) as published in NIST SP 800-37. The new six-step process replaces the previous four-step process and is now considered a much more comprehensive roadmap for becoming FISMA compliant.

Here are the steps as published in NIST SP 800-37:

Step 1: Categorize Information System
Step 2: Select Security Controls
Step 3: Implement Security Controls
Step 4: Assess Security Controls
Step 5: Authorize Information System
Step 6: Monitor Security Controls

What’s important to note about the RMF process is that it’s really a fundamental approach to assessing one’s control environment in terms of scope and gaps/deficiencies, and then performing remediation and subsequent assessment procedures for confirming compliance. The actual six-step process is discussed in extreme detail within NIST SP 800-37 – and if you’re up for that type of reading – the publication is available for download from NIST.

A well-informed, competent federal compliance and consulting firm – such as FLANK – can easily distill and clarify these six steps for you quickly. Contact us today to learn more, and visit flank.org to learn more about our industry-leading FISMA services and policy toolkits.

5. Get Acquainted with Essential FISMA Terminology: Of the literally dozens of FISMA compliance terms you need to know about, the critical four consist of the following:

(1) System Security Plan (SSP). The SSP is a document that provides an overview of the security requirements of the system and describes the controls in place, or planned, for meeting those requirements.
(2) Security Assessment Report (SAR). The SAR essentially contains the results of the security tests and evaluations of an organization’s information system.
(3) Plan of Action and Milestones (POAM). Used to document remediation and the related next steps an organization is to take for correcting any noted gaps or deficiencies within its control environment.
(4) Authority to Operate (ATO). The official management decision given by a senior organizational official to authorize operation of an information system and to therefore accept the relevant risk(s) to organizational operations.

6. Learn about the “Security Authorization Package”: For your organization to “truly” be FISMA compliant, you’ll need a senior authorizing official from a federal agency to essentially authorize the information system and take on the relevant risks. This requires YOUR information system to be granted an Authority to Operate (also called Authorization to Operate) – simply known as “ATO”.

7. FISMA was Amended in 2014, and Here’s What You Need to Know: Many of the changes for FISMA in 2014 are generally administrative in nature. Specifically, they affect federal agencies as these government bodies have to adhere to procedural changes. Probably one of the biggest impacts on contractors providing services to such federal agencies is the new importance FISMA now has in the world of regulatory compliance.

If you take the time to read up on the new FISMA legislation, it speaks to the importance of ensuring the safety and security of federal information residing in non-federal information systems. Additionally, it speaks about the strict requirement that federal agencies have for ensuring contractors have in place a robust and well-developed information system architecture for mitigating and hopefully removing today’s growing technology and cyber-related threats.

The federal government is finally – yes, finally – serious about information security, which means if you’re a federal contractor, FISMA may very well be a strict reporting requirement for your business. Need help? Contact the FISMA experts at FLANK today. Additionally, you can learn more about our industry-leading FISMA and NIST SP 800-53 policy templates and toolkits; world-class material that’s available for instant download today.

8. FISMA All-in-One Toolkit Available for Download: FLANK is the world’s leading provider of FISMA compliance policy documentation, including our world-leading toolkit that contains hundreds of pages of FISMA specific information security policies, procedures, forms, checklists, templates – and more – all for helping ensure rapid and complete compliance with FISMA.

There’s no need to spend hundreds of hours and thousands of dollars on FISMA compliance documentation – not at all – just download FLANK’s world-class documentation today and start saving time and money.

Available for instant download, you’ll receive professionally developed NIST SP 800-53 specific information security policies, procedures, forms, checklists, templates, scoping & readiness documents, and more that map directly to all three levels of categorization of controls in accordance with NIST SP 800-53 (LOW, MOD, HIGH). View the FISMA All-in-One Toolkit product data sheet to learn more.

Available for instant download, the FISMA Compliance All-in-One Toolkit comes complete with the following seven (7) sections:

  • NIST SP 800-53 Information Security Policies and Procedures Packet
  • NIST SP 800-53 Policy Packet
  • FISMA System Security Plan (SSP) Template
  • FISMA Scoping & Readiness Assessment Templates
  • Cyber Incident Response and Reporting Program
  • Third-Party Due-Diligence & Vendor Management Program
  • Risk Assessment Program

World Leaders in Providing Proven FISMA Compliance Service

Learn more about the FISMA certification & accreditation process today from FLANK by contacting us to get started. We are the world’s leading provider of information security policy templates and toolkits, and that includes FISMA and NIST SP 800-53 documentation. Whatever your regulatory compliance needs are, turn to the proven and trusted experts today at FLANK. We offer FISMA readiness & gap assessments for helping businesses kick off their compliance initiatives in the right manner, along with numerous other services and solutions. Contact us today to learn more.
