September 28, 2023 2 min read

Best Practices for FISMA Compliance

Proper planning and gaining a strong understanding of what constitutes FISMA compliance is essential for federal contractors. With that said, keep these measures in mind:

  • A Scoping & Gap Assessment is Critical: As a federal contractor, if you’re new to the entire FISMA process, then an upfront scoping & gap assessment is absolutely essential. Even LOW impact designated systems for FISMA compliance will have a tremendously large number of controls to comply with, so you need to determine what gaps exist - and how to remediate them - before pressing forward with any other FISMA initiatives.
  • Policies & Procedures will Need to be Developed - and Implemented: Each of the twenty (20) control families within the NIST SP 800-53 publication - the very framework on which FISMA compliance is based - requires a heavy dose of information security and privacy policies and procedures to be developed.
  • Programs & Plans will Need to be Developed - and Implemented: Along with policies and procedures, the NIST SP 800-53 publication also requires numerous ‘programs’ and ‘plans’ to be developed relating to incident response, insider threats, contingency planning, supply chain risk management, and more.
  • Security Tools & Solutions will Need to be Acquired - and Implemented: From two-factor authentication to vulnerability scanning, DLP, FIM, and more, complying with FISMA also means having a healthy set of security tools & solutions in place.
  • A System Security Plan (SSP) will Need to be Written: A well-written System Security Plan (SSP) can take a tremendous amount of time to author, as most FISMA SSPs range from 75 to 100+ pages in length, sometimes even more.
  • A Security Assessment will Need to be Conducted - and Documented in a Security Assessment Report (SAR): If you’re being asked by a federal agency to validate FISMA compliance, then expect to have an independent, third-party assessment performed, with the results documented in a formal SAR.
  • A Continuous Monitoring Program will Need to be Established: Key to maintaining FISMA compliance is developing and implementing a structured, well-documented continuous monitoring (ConMon) program.

From Beginning to End, Complete Project Management for FISMA

With Arlington, we can manage your entire FISMA compliance engagement from beginning to end (i.e., from the initial FISMA scoping & gap assessment to post-Authorization to Operate (ATO) activities), providing the essential services for getting you to the finish line in terms of FISMA compliance. Core services and solutions offered include the following:

  • Scoping & Gap (i.e., Readiness) Assessments
  • Remediation Services (Policy and Procedures writing)
  • Remediation Services (Technical and Operational)
  • System Security Plan (SSP) Development
  • Independent Security Assessment Reports (SAR)
  • Continuous Monitoring (ConMon) Services

About Arlington

We are Arlington, a team of innovative, solution-oriented, highly agile, and well-versed professionals with decades of experience in working with America’s defense industry. From emerging cybersecurity regulations to helping our clients solve complex security & compliance challenges – and so much more – you can trust Arlington, the firm that’s Dedicated to Defense®. Learn more at