FISMA and SP 800-171 implementation, compliance, monitoring, and audit.

FISMA applies to federal agencies, to state agencies that manage federal programs (e.g., Medicare, Medicaid, unemployment insurance), and to companies under contract to federal agencies. That means private sector companies that do business with federal agencies must adhere to the same information security guidelines.

To be FISMA compliant you need information security controls across your organization based on the guidance in the current versions of FIPS and the applicable NIST Special Publications. For example:

SP 800-171 covers the protection of Controlled Unclassified Information (CUI) in non-federal systems and organizations.

The requirements apply to all components of non-federal systems and organizations that process, store, and/or transmit CUI, or that provide protection for such components.

SP 800-171 provides basic security requirements and derived security requirements, together with the assumptions and the methodology used to develop them.

To be compliant, organizations should describe in a system security plan how each security requirement is met, or how the organization plans to meet it and to address known and anticipated threats. The system security plan describes the system boundary, the operational environment, how the security requirements are implemented, and the relationships with or connections to other systems. For any security requirement that is not yet implemented, you should describe how it will be met and how any planned mitigations will be put in place.

Failure to comply with NIST 800-171 could result in a stop-work order or criminal, civil, administrative, or contract penalties.

These consequences may include:

For both FISMA and SP 800-171 you must also engage in continuous monitoring, which requires regularly reviewing and assessing the security controls and, where needed, changing them.

Compliance and certification are not achieved overnight, but they can be achieved efficiently.

We can help ensure compliance by creating an information security policy, a risk management process, and the procedures, forms, checklists, and readiness documents that map directly to every categorization level of the controls.