FISMA Security Controls Assessment

Meet FISMA requirements and gain Authority to Operate

The National Institute of Standards and Technology, as part of its responsibilities under the Federal Information Security Management Act (FISMA), published a number of documents, standards, and guidelines to help federal organizations define, manage, and assess the security of their information.

McAfee Foundstone, as a security specialist, is focused on helping organizations navigate this vast documentation landscape and on assisting them in establishing, validating, and managing information security programs. The FISMA Security Controls Assessment helps fulfill an organization’s certification and accreditation responsibilities under FISMA, enabling you to achieve Authority to Operate with minimal residual risk.

We are capable of delivering in the federal civilian, DoD, and intelligence community spaces, either leveraging an organization’s predefined process and reporting templates, such as the Centers for Medicare and Medicaid Services (CMS) Acceptable Risk Safeguards, or using our own.

Our team of consultants has undergone background checks and many hold security clearances.

Key Benefits

  • Find security holes in systems and applications before attackers can exploit the vulnerabilities.
  • Evaluate the security of critical servers by analyzing the operating system and application-level security controls.
  • Identify and test potential points of attack, focusing on areas where a compromise would have the greatest impact and risk to the business.
  • Establish a solid security posture.
  • Gain Authority to Operate.


The FISMA Security Controls Assessment follows a structured approach to help organizations obtain Authority to Operate quickly and with little residual risk:

  1. Scoping
    • Review the assessment objectives with the customer.
    • Review relevant documentation such as system security plan, network diagrams, and inventory lists.
    • Select applications, systems, and controls to be tested.
  2. Assessment plan
    • Document roles and responsibilities of team members.
    • Define information to collect.
    • Define testing targets and controls.
    • Define reporting artifacts.
  3. Testing
    • Conduct interviews.
    • Perform documentation review.
    • Observe system demonstrations.
    • Perform network and web application penetration testing.
    • Lead daily out-briefing meetings.
  4. Reporting

Related Services

Foundstone offers the following services and training related to FISMA compliance.