
As a federal contractor, what constitutes FISMA compliance?


An independent audit, accompanied by a Security Assessment Report (SAR), is used for reporting on FISMA. Per NIST, a SAR “provides a disciplined and structured approach for documenting the findings of the assessor and the recommendations for correcting any identified vulnerabilities in the security controls.”

But that’s not a hard and fast rule. At times, we’ve seen federal contractors provide only a System Security Plan (SSP) detailing their control environment against the NIST SP 800-53 controls. Other times, we’ve seen a consulting firm give a federal contractor a simple statement of compliance. It all depends on who is asking for FISMA compliance. If it’s a federal agency, expect to produce both an SSP and a SAR.

From Beginning to End, Complete Project Management for FISMA

With Arlington, we can manage your entire FISMA compliance engagement from beginning to end (i.e., from the initial FISMA scoping and gap assessment through post-Authorization to Operate (ATO) activities), providing the services needed to reach FISMA compliance. Core services and solutions offered include the following:

  • Scoping & Gap (i.e., Readiness) Assessments
  • Remediation Services (Policy and Procedures writing)
  • Remediation Services (Technical and Operational)
  • System Security Plan (SSP) Development
  • Independent Security Assessment Reports (SAR)
  • Continuous Monitoring (ConMon) Services
