FISMA Assessments

Protecting the integrated systems of the federal government.


The Federal Information Security Management Act (FISMA) is a federal law designed to increase the security posture of government agency federal systems, bureaus, departments and their supporting entities such as vendors and their subcontractors. Since its establishment, an increasing number of federal information systems and databases have been integrated into non-federal agencies, including municipalities, law enforcement, and contractors.

While FISMA outlines valuable controls for protecting these information systems, compliance with the law is complex. Meeting the requirements is time-consuming, and the resulting protection is often still insufficient. With the recent introduction of the Federal Risk and Authorization Management Program (FedRAMP) for Cloud Service Providers, it is important to know the differences between the two programs and which assessment to pursue. Review our FISMA vs. FedRAMP perspective (PDF) for a comparison of their similarities and differences.

Coalfire's team of FISMA experts can help prepare your organization for FISMA audits, system certification and accreditation (C&A), asset classification, risk assessments and ongoing security authorization, whether to obtain an Agency Authority to Operate (ATO) or to maintain an existing Agency ATO. Our processes, tools, and methodologies are based on the core components identified by FISMA and established by NIST, as outlined in the NIST visual model of cloud computing, including Special Publication 800-53 Rev. 3 (Recommended Security Controls for Federal Information Systems), Special Publication 800-30 (Risk Management Guide for Information Technology Systems), and FIPS 199 (Standards for Security Categorization of Federal Information and Information Systems).
