FISMA, engineered to report itself.

FISMA 2014. OMB A-130 Appendix I. Ongoing authorization under NIST SP 800-37 Rev 2. CIO, IG, and SAOP metrics. Evidence pipelines, not three-ring binders.

FISMA is the federal scoreboard

The Federal Information Security Modernization Act of 2014 (Public Law 113-283) is the statutory backbone of federal civilian cybersecurity. It updated the original FISMA 2002 by codifying continuous monitoring as the operating model, transferring operational authority for federal civilian cybersecurity from OMB to DHS — now CISA — and tightening incident reporting and inventory requirements. The two statutory citations that drive most engineering decisions are 44 USC 3553, which assigns federal information security authority to the Secretary of Homeland Security and OMB, and 44 USC 3554, which sets out federal agency responsibilities including the agency-wide information security program, periodic risk assessment, security training, periodic testing, incident handling, and reporting to OMB and to Congress.

Precision Delivery Federal engineers FISMA programs that produce continuous evidence rather than annual scrambles. Every control we implement is instrumented with telemetry that feeds the agency continuous monitoring program, the CDM dashboard, the CIO and IG FISMA Metrics workflows, and the OIG audit evidence repository. The objective is a FISMA program where the metrics report themselves when called.

OMB Circular A-130 Appendix I

OMB Circular A-130 "Managing Information as a Strategic Resource" — last revised July 2016 — is the executive policy that operationalizes FISMA, the Privacy Act, the Paperwork Reduction Act, the Federal Records Act, and related authorities. Appendix I "Responsibilities for Protecting and Managing Federal Information Resources" is the binding direction on federal information security and privacy. It requires:

  • Agency-wide information security and privacy program with senior officials accountable (CISO, SAOP).
  • System security plans for every federal information system, with categorization per FIPS 199 and control selection per FIPS 200 and NIST SP 800-53.
  • Continuous monitoring as the default state of system security operations.
  • Risk-based authorization decisions by named Authorizing Officials who own and accept system risk.
  • Independent assessment by Inspectors General using OMB-published maturity models.
  • Incident response with defined federal notification timelines and US-CERT coordination.
  • Privacy controls integrated with security controls, including PIA and SORN obligations.
  • Supply chain risk management including SBOM, software supply chain provenance, and vendor risk processes.

Ongoing authorization under NIST RMF

The Risk Management Framework codified in NIST SP 800-37 Rev 2 (December 2018) is the operating model for FISMA. Seven steps: Prepare, Categorize, Select, Implement, Assess, Authorize, Monitor. Step seven — Monitor — is where ongoing authorization lives. Under OA the Authorizing Official receives security state information at a frequency tied to the system's volatility and impact level, with authorization decisions revisited as risk changes rather than on a calendar.

We engineer OA programs around three pillars: a continuous control monitoring strategy that defines which 800-53 controls report which evidence at what frequency through which sensor; an ongoing authorization decision framework that gives the AO the data they need without burying them in raw telemetry; and an evidence repository (eMASS, Telos Xacta 360, RegScale, or a custom repository) that holds the System Security Plan, Security Assessment Report, Plan of Action and Milestones, and the rolling continuous monitoring evidence — all version-controlled and audit-ready.

FISMA Metrics: CIO, IG, and SAOP

OMB and CISA publish annual FISMA Metrics in three categories. We engineer the data pipelines and evidence workflows so each one reports cleanly:

CIO FISMA Metrics

Agency self-assessment of capability across the NIST Cybersecurity Framework functions. Topics include identity and access management, anti-phishing and malware defense, network defense, data protection, and contingency planning. We build the source-of-truth integrations (Okta or Entra ID for IAM metrics, Defender for Office 365 or Proofpoint for anti-phishing, vulnerability management for patch metrics) so the CIO submission is the natural output of the operating systems, not a manual survey.

IG FISMA Metrics

Independent Inspector General assessment using OMB-published maturity models for each of the five FISMA functions: Identify, Protect, Detect, Respond, Recover. Maturity is rated on a five-level scale: Ad Hoc, Defined, Consistently Implemented, Managed and Measurable, Optimized. We engineer for Managed and Measurable as the floor — meaning controls are not only implemented but instrumented with metrics that drive management decisions.

SAOP FISMA Metrics

Senior Agency Official for Privacy reporting on privacy program maturity, PIA coverage, SORN currency, breach response, and PII inventory. We integrate the privacy metrics with the security metrics so the SAOP and CISO are working from the same evidence base rather than competing dashboards.

System inventory and FISMA reporting

FISMA Section 3554 requires every agency to maintain a current inventory of major information systems. CyberScope is the OMB/CISA portal through which agencies report quarterly. We engineer the system inventory as a first-class data product — sourced from the CMDB, validated against the SSP repository, reconciled against the cloud asset inventory in AWS GovCloud, Azure Government, and Google Cloud Assured Workloads — so quarterly CyberScope submission is a one-click extract rather than a six-week reconciliation exercise.

FedRAMP relationship

FedRAMP is the standardized FISMA-based authorization for cloud services. A FedRAMP-authorized cloud service inherits a defined set of NIST SP 800-53 controls; the consuming federal agency inherits those controls into its own ATO and is responsible only for the customer-side controls in the Customer Responsibility Matrix. We engineer agency ATOs that maximize inheritance from FedRAMP and DoD Cloud SRG-authorized providers and minimize duplicated assessment work. See our IL5 Cloud capability for DoD-specific cloud authorization patterns.

How we build

  1. System inventory and categorization. Reconcile the CMDB, the SSP repository, and the cloud asset inventory. Categorize each system per FIPS 199.
  2. Control baseline and tailoring. Select the NIST SP 800-53 baseline (Low/Moderate/High) per FIPS 200, tailor for the system, document inherited controls from FedRAMP CSPs.
  3. Continuous monitoring strategy. Define which controls report which evidence at what frequency through which sensor. Wire to the CDM feed where applicable.
  4. Evidence repository. Stand up eMASS, Xacta 360, or RegScale. Migrate SSP, SAR, POA&M, and continuous monitoring evidence into a single audit-ready store.
  5. Ongoing authorization framework. Define AO decision rules, escalation triggers, and reporting cadence.
  6. FISMA Metrics pipeline. Build CIO, IG, and SAOP metric pipelines from operating systems so quarterly CyberScope is an extract, not a project.
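As an added example (not Precision Delivery Federal's tooling or any agency's data), the inventory reconciliation and FIPS 199 categorization of steps 1 and 2, and the CyberScope-style inventory extract described earlier: three constructed feeds (CMDB, SSP repository, cloud asset export) with hypothetical system ids are reconciled three ways, each system's category is computed as the FIPS 199 high-water mark across its information types, and every gap between the feeds becomes a finding to work off before the quarterly submission.

```python
from collections import defaultdict

LEVELS = {"LOW": 0, "MODERATE": 1, "HIGH": 2}

# Constructed sample feeds (hypothetical system ids, not real agency data).
CMDB = {"SYS-001": "Grants Portal", "SYS-002": "Case Management",
        "SYS-003": "HR Payroll Feed"}
# SSP repository: FIPS 199 impact per information type as (name, C, I, A).
SSPS = {"SYS-001": [("PII", "MODERATE", "MODERATE", "LOW"),
                    ("public content", "LOW", "MODERATE", "MODERATE")],
        "SYS-002": [("case records", "HIGH", "MODERATE", "MODERATE")],
        "SYS-004": [("legacy reports", "LOW", "LOW", "LOW")]}   # no CMDB entry
# Cloud asset export: every resource should carry a system-id tag.
CLOUD_ASSETS = [{"id": "i-0abc", "system": "SYS-001", "cloud": "AWS GovCloud"},
                {"id": "vm-42", "system": "SYS-002", "cloud": "Azure Government"},
                {"id": "i-0fff", "system": None, "cloud": "AWS GovCloud"}]


def fips199_category(info_types):
    """FIPS 199 high-water mark: max per objective, then max across C/I/A."""
    hwm = {"C": "LOW", "I": "LOW", "A": "LOW"}
    for _name, c, i, a in info_types:
        for obj, lvl in zip("CIA", (c, i, a)):
            if LEVELS[lvl] > LEVELS[hwm[obj]]:
                hwm[obj] = lvl
    return max(hwm.values(), key=LEVELS.__getitem__), hwm


def reconcile(cmdb, ssps, cloud_assets):
    """Three-way reconciliation; returns (item, finding_code) pairs."""
    by_system = defaultdict(list)
    for asset in cloud_assets:
        by_system[asset["system"]].append(asset["id"])
    findings = [(s, "NO_SSP") for s in cmdb if s not in ssps]        # unauthorized system
    findings += [(s, "SSP_ORPHAN") for s in ssps if s not in cmdb]   # stale SSP
    findings += [(a, "UNTAGGED_ASSET") for a in by_system.pop(None, [])]
    findings += [(s, "SHADOW_SYSTEM") for s in by_system if s not in cmdb]
    return findings


def build_inventory(cmdb, ssps, cloud_assets):
    """One inventory row per CMDB system: category plus the cloud resources it owns."""
    rows = {}
    for sys_id, name in cmdb.items():
        overall, hwm = fips199_category(ssps[sys_id]) if sys_id in ssps else (None, None)
        rows[sys_id] = {"name": name, "fips199": overall, "objectives": hwm,
                        "assets": sorted(a["id"] for a in cloud_assets
                                         if a["system"] == sys_id)}
    return rows
```

A system with no SSP gets `fips199: None` in the extract rather than a guessed category, so the gap is visible in the submission instead of silently defaulting to Low.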

Federal context and past performance

Bo Peng holds Kaggle Top 200 global ranking and seven cloud certifications spanning AWS, Azure, and GCP. Precision Delivery Federal delivered production data engineering on SAMHSA platforms and is SAM.gov registered (UEI Y2JVCZXT9HP5, CAGE 1AYQ0). We pursue SBIR FISMA modernization topics across DISA, civilian agencies, and OMB-driven cross-agency initiatives. See our CISA playbook, VA playbook, ATO acceleration playbook, and FISMA readiness checklist.

Tooling we work with

  • GRC platforms: eMASS (DoD), Xacta 360 (Telos), RegScale (NIST OSCAL-native), Archer (RSA), ServiceNow GRC.
  • Continuous monitoring: Tenable.sc/Tenable.io, Microsoft Defender for Cloud, AWS Security Hub, Google Security Command Center, Wiz, Prisma Cloud, Lacework.
  • Asset and configuration: Tanium, Forescout, BigFix, ServiceNow CMDB.
  • Evidence and policy as code: Open Policy Agent, OSCAL (NIST), HashiCorp Sentinel.
  • Privacy: Microsoft Purview, OneTrust, BigID for PII inventory.

FISMA, answered.
What does FISMA 2014 require beyond FISMA 2002?

Continuous monitoring as the operating model, CISA operational authority, agency-wide programs, and codified federal incident reporting under 44 USC 3553/3554.

What is ongoing authorization?

NIST SP 800-37 Rev 2 ongoing authorization replaces 3-year ATOs with continuous risk-informed AO decisions based on continuous monitoring evidence.

What are the FISMA Metrics?

CIO Metrics (capability self-assessment), IG Metrics (independent maturity assessment), SAOP Metrics (privacy). Reported quarterly via CyberScope.

How does OMB A-130 fit?

A-130 Appendix I is the binding executive direction operationalizing FISMA, the Privacy Act, and related authorities. Every FISMA program maps to A-130.

FISMA vs FedRAMP vs CMMC?

FISMA = federal systems. FedRAMP = cloud services to federal. CMMC = DIB contractor environments. All trace to NIST SP 800-53 control families.

FISMA. As an operating system.

FISMA 2014. OMB A-130. Ongoing authorization. Metrics that report themselves.

UEI Y2JVCZXT9HP5, CAGE 1AYQ0, NAICS 541512, SAM.gov active.