FISMA Compliance

Information Technology Company, LLC (ITC) assists federal agencies and their contractors in meeting the requirements of the Federal Information Security Modernization Act (FISMA). Through our Security Test & Evaluation (ST&E) services, ITC supports clients in achieving Certification & Accreditation (C&A) outcomes and prepares them for comprehensive GAO and OIG audits, helping secure federal information systems and maintain regulatory compliance.

Why FISMA Matters

The Federal Information Security Modernization Act (FISMA) requires federal agencies—and the contractors that handle their data—to implement and maintain robust information security programs.

Yet, over 60% of federal agencies struggle with FISMA compliance, with only 26% rated “Effective” in cybersecurity risk management. Incomplete documentation and inadequate control assurance can result in audit findings, funding delays, and reputational harm.

Achieving FISMA compliance means:

  • Meeting strict NIST and DISA standards for information security
  • Demonstrating effective implementation of management, operational, and technical security controls
  • Maintaining readiness for GAO and OIG audits

Our FISMA ST&E Services

ITC delivers end-to-end FISMA ST&E support to verify that security controls are implemented correctly, operate as intended, and provide the expected protection.

Our service includes:

  1. Vulnerability Assessments & Penetration Testing – network, infrastructure, mainframe, server, LAN, and database security
  2. Full Coverage Across FIPS 199 Categories – from Low to High systems
  3. Advanced Testing Tools – Nessus, Core Impact, Web Inspect, AppDetective (98%+ CVE detection rate)
  4. Key Security Areas – authentication, authorization, boundary protections, cryptography, monitoring, physical security
  5. Control Mapping & Documentation – 100% traceability of NIST 800-53 controls via customized SRTMs
  6. POA&M Management – verified closure of findings, linking risks to remediation tasks
  7. Continuous Monitoring – integration with platforms like Xacta for real-time compliance visibility
  8. Risk-Driven Approach – testing that reduces Mean Time to Remediate (MTTR) by 30-40%

Proven Results

Our work consistently strengthens agency security posture and audit readiness.

Key Accomplishments:

  • CBP: Recurring GSS & MA assessments since 2017; validated control effectiveness at Network and Security Operations Centers
  • CFI Group: 192 controls tested, 25 POA&Ms closed, full exploitation testing and threat modeling completed
  • NASWA: Delivered FIPS 199 categorization, SAP, SAR, RAR, SCA, and POA&Ms — creating a clean, auditable record for leadership

By the Numbers:

  • 150+ FISMA/NIST assessments delivered
  • 100% on-time delivery for A&A documentation
  • 30+ federal systems assessed annually
  • Tools and methods capable of detecting and validating 95%+ of known critical vulnerabilities