November 29, 2023 3 min read

What is the Federal Information Security Modernization Act (FISMA)?

In terms of FISMA “Compliance”, an independent audit, accompanied by a Security Assessment Report (SAR) is used for reporting on FISMA.  Per NIST, a SAR “Provides a disciplined and structured approach for documenting the findings of the assessor and the recommendations for correcting any identified vulnerabilities in the security controls.” 

But that’s not a hard and fast rule. At times, we’ve seen where federal contractors can provide only a System Security Plan (SSP) detailing their control environment against the NIST SP 800-53 controls. Other times, we’ve seen a simple statement of compliance given to federal contractors by a consulting firm.  It all depends on who is asking for FISMA compliance. If it’s a federal agency, then expect to produce both an SSP and a SAR. 

For federal contractors, FISMA compliance typically involves several key steps:

  • Security Control Implementation: Contractors are required to implement a set of security controls outlined in NIST Special Publication 800-53, which provides detailed guidance on security controls across multiple categories, including access control, incident response, and encryption. These controls are tailored to the specific risks and needs of the contractor's systems and processes.
  • Continuous Monitoring:FISMA compliance emphasizes continuous monitoring of information systems to identify and respond to security threats and vulnerabilities promptly. Contractors must establish monitoring processes, conduct security assessments, and report on the status of their security controls regularly.
  • Risk Management Framework (RMF): Federal contractors must follow the RMF, a structured approach to managing security risks. This framework involves categorizing information systems, selecting appropriate security controls, implementing those controls, assessing their effectiveness, and continuously monitoring and managing security risks.
  • Documentation and Reporting: Contractors are required to maintain extensive documentation of their security policies, procedures, and plans, as well as records of security incidents and compliance activities. Regular reporting to government agencies is also a critical component of FISMA compliance.
  • Security Awareness and Training: Ensuring that personnel are aware of and trained in security best practices is essential. Federal contractors should provide security awareness training to employees and contractors who have access to federal information and systems.

Overall, FISMA compliance for federal contractors involves establishing a robust security framework, continuously monitoring for risks and threats, maintaining extensive documentation, and fostering a culture of security awareness. Adherence to FISMA requirements not only helps protect sensitive government data but also ensures federal contractors' eligibility for government contracts and partnerships. It's a critical component of maintaining trust and integrity in the federal contracting ecosystem.

100 + NIST 800-53 Templates Available for Download

The solution for NIST RMF documentation is the Arlington Security Portal (ASP), an online repository of world-class, industry leading security and privacy policies & procedures, programs, plans – and other highly essential documents & templates developed specifically on NIST SP 800-53, Revision 5.

From Beginning to End, Complete Project Management for FISMA

With Arlington, we can manage your entire FISMA compliance engagement from beginning to end (i.e., from the initial FISMA scoping & gap assessment to post-Authorization to Operate (ATO) activities, providing essential services for getting you to the finish line in terms of FISMA compliance.  Core services and solutions offered include the following:

  • Scoping & Gap (i.e., Readiness) Assessments
  • Remediation Services (Policy and Procedures writing)
  • Remediation Services (Technical and Operational)
  • System Security Plan (SSP) Development
  • Independent Security Assessment Reports (SAR)
  • Continuous Monitoring (ConMon) Services

About Arlington

We are Arlington, a team of innovative, solution-oriented, highly agile, and well-versed professionals with decades of experience in working with America’s defense industry. From emerging cybersecurity regulations to helping our clients solve complex security & compliance solutions – and so much more – you can trust Arlington, the firm that’s Dedicated to Defense®.  Learn more at