FISMA Services

FISMA assessment and advisory services

The Federal Information Security Management Act (FISMA) is a federal law designed to raise the security posture of federal agency systems, bureaus, departments and their supporting entities, such as vendors and their subcontractors. Vendors and subcontractors that provide information systems to agencies must prove they meet FISMA requirements through an annual assessment.

Protecting Government Systems

The Federal Information Security Management Act (FISMA) of 2002 is legislation passed to ensure that information systems used by the Federal Government meet federal security requirements. Commercial organizations seeking ‘FISMA compliance’ through a ‘FISMA assessment’ must work directly with each specific agency to achieve an authority to operate (ATO) and be assessed against controls based on FIPS 199, FIPS 200 and NIST SP 800-53 Revision 4.

How Coalfire helps

Coalfire has helped organizations achieve FISMA compliance and authorization from agencies such as HHS, CMS, NIH, DHS, DOT and more.

Coalfire provides advisory or assessment services to meet your FISMA authorization needs. From controls mapping of various environments, to documentation development for a system security plan (SSP), to the assessment itself through security testing and POA&M management, Coalfire can do it all. The FISMA assessment process, based on the control selection for the system’s impact level, follows a Risk Management Framework (RMF) approach.

  • FISMA Assessment – FIPS 199 categorization, FIPS 200 and Agency control selection, implementation of applicable security controls, assessment of security controls, authorization recommendation for the system and continuous monitoring.

  • FISMA Advisory – support or create FISMA-required documentation sets, including the System Security Plan (SSP), covering determination of the organization’s system security boundary, architecture and system boundary assessment, configuration management, IT security and controls program development, network design and third-party service provider evaluations, business process recommendations, system contingency planning and additional guidance based on client or Agency requirements.
