FISMA / NIST SP 800-53

The Federal Information Security Management Act (FISMA) of 2002—updated and now known as the Federal Information Security Modernization Act of 2014—defines a comprehensive framework for protecting government information, operations and assets against natural or man-made threats, including cyber-security threats. It requires every federal agency to understand the security risks posed to its systems and to take appropriate steps to mitigate those risks.

In order to receive an Authority to Operate (ATO), vendors and contractors are required to demonstrate FISMA compliance via the security assessment and authorization process as outlined in the Risk Management Framework (RMF / SP 800-37). FISMA requires the use of National Institute of Standards and Technology Special Publication 800-53 (NIST SP 800-53), “Security and Privacy Controls for Federal Information Systems and Organizations.”

DirectDefense consultants will work closely with your organization or agency to ensure FISMA compliance. Through a full range of offerings, our security experts will evaluate and determine system requirements, build out the components and assess the overall readiness of your systems. Choose from the following FISMA Assessment and Authorization services:

  • FIPS 199 Security Categorization / High Value Asset Determination
  • E-Authentication Workbook
  • Business Impact Analysis (BIA)
  • Contingency Plan (CP)
  • System Security Plan (SSP)
  • Privacy Impact Analysis
  • Interconnection Security Agreement (ISA) / Memorandum of Understanding (MOU)
  • Security & Privacy Control Selection
  • Security Policies and Procedures


FISMA Security Assessment

  • Security Assessment Plan (SAP)
  • Security Assessment Report (SAR)
  • Plan of Action and Milestones (POA&M) Development
  • Penetration Testing
  • Vulnerability / Compliance Scanning
  • Quality Assurance Memorandum
  • Finalize Security Assessment & Authorization Package


Post-Assessment / Ongoing Security

  • Continuous Monitoring Activities
    • Scanning, Security Control Review

  • Plan of Action and Milestones (POA&M) Management
    • Finding Remediation and/or Mitigation Recommendations
    • POA&M Documentation
    • POA&M Maintenance

  • Cybersecurity Strategy and Roadmap Development

FedRAMP

The Federal Risk and Authorization Management Program (FedRAMP) is a government-wide program that provides a standardized approach to security assessment, authorization and continuous monitoring for cloud products and services.

Whether your organization is looking to become a Software as a Service (SaaS), Platform as a Service (PaaS) or Infrastructure as a Service (IaaS) FedRAMP Certified Cloud Service Provider, or you’re transitioning to a FedRAMP Ready Cloud Service Provider, DirectDefense can help. Our team of experienced consultants is well versed in FedRAMP and cloud methodologies and will identify the gaps between your existing security posture and the FedRAMP security mandates, fully preparing you for a FedRAMP Assessment. Our services include:


FedRAMP Consulting Services

  • FedRAMP Education Session
    • FedRAMP Security Assessment Framework
    • Maintaining FedRAMP Authorization

  • Security Documentation Development and/or Updates
    • Information System Policies/Procedures
    • Required FedRAMP Documentation (FedRAMP Templates)

  • Security Control Tailoring and Implementation Support
    • Identification of Applicable Security Controls
    • Designing Compensating Controls
    • Identifying Inherited and Common Controls
    • Developing Justification for Security Control Exceptions and/or Risk Acceptance

  • Audit Preparation: Internal Personnel Assessment Preparation
    • Mock Interviews Prior to Engaging with Auditors


FedRAMP Testing Services

  • Vulnerability Scanning
    • Network Vulnerability Scanning, Application Scanning and Database Scanning

  • Penetration Testing
    • Network, Mobile Application, and Web Application Penetration Testing and Social Engineering to Align with “FedRAMP Penetration Test Guidance”

  • Security Control Assessments for Agency Authorizations
    • Please note: A Third Party Assessment Organization (3PAO) is not required for Agency ATOs; however, some agencies may have an internal requirement to use a 3PAO for all FedRAMP systems. Always verify with the approving agency prior to engaging an auditor.

  • Plan of Action and Milestones (POA&M) Management
    • Finding Remediation and/or Mitigation Recommendations
    • POA&M Documentation
    • POA&M Maintenance


Please note that if your organization is currently working to achieve FedRAMP Certification via a Federal Agency Sponsorship, DirectDefense can perform the assessment. We ask that you confirm with your Sponsoring Agency in case it has additional 3PAO requirements.