FISMA Audits - Federal Lawyer

FISMA Audits

Conducting Regular FISMA Audits is Essential for Federal Government Contractors. Our Lawyers and Consultants Guide Contractors Through the Audit Process

Federal government contractors that have access to sensitive data must continuously maintain compliance with the Federal Information Security Modernization Act (FISMA) and its enabling regulations. To ensure that their FISMA compliance programs are working, contractors must audit their System Security Plans (SSPs) and data security protocols on a regular basis.

At Oberheiden P.C., we represent federal government contractors in all FISMA compliance matters. This includes conducting FISMA audits. As former federal government attorneys and investigative agents, our lawyers and consultants are intimately familiar with FISMA’s requirements, and we offer deep investigative insights for conducting internal audits on behalf of federal contractors in all industries.

How We Conduct FISMA Audits for Federal Contractors

We take a comprehensive approach to conducting FISMA audits and use a systematic process to thoroughly assess the effectiveness of our clients’ FISMA compliance programs. When conducting any type of internal audit, comprehensiveness is key—as overlooking even a single issue can frustrate the purpose of the audit entirely. When federal contractors’ government business is on the line, they cannot afford to take chances. They need to rely on experienced counsel, and they need to know without question that their cybersecurity protocols are FISMA-compliant.

Some of the key steps in our process for conducting FISMA audits include:

Reviewing the Contractor’s FISMA Compliance Program

The first step in conducting a FISMA audit involves reviewing the contractor’s FISMA compliance program. In many cases, we will identify deficiencies with the program itself that require remediation at this stage. FISMA and its enabling regulations are extremely complex, and federal contractors must comply with comprehensive National Institute of Standards and Technology (NIST) guidelines. If a contractor’s compliance program fails to address any pertinent requirements, this alone can put the contractor at risk of losing its government business.

Evaluating the Contractor’s System Inventory and Categorization

Under FISMA, federal contractors must inventory their IT systems and data, and they must appropriately categorize all IT systems and data as low-risk, moderate-risk, or high-risk. This categorization has significant implications for what contractors need to do to establish and maintain FISMA compliance. During FISMA audits, we assess whether our clients’ inventories are comprehensive, and we determine whether our clients’ categorizations are correct.

Evaluating the Contractor’s System Security Plan and Cybersecurity Controls

A custom-tailored System Security Plan (SSP) and effective cybersecurity controls are key to FISMA compliance. When conducting FISMA audits, we devote a significant portion of our time to evaluating our clients’ SSPs and cybersecurity controls in light of the applicable statutory and regulatory requirements. Our cybersecurity consultants are heavily involved at this stage of the process.

Reviewing the Contractor’s Certifications and Accreditations

Federal contractors may need to hold various certifications and accreditations to maintain FISMA compliance. During FISMA audits, we review our clients’ certification and accreditation files to determine if they have all necessary certificates and whether their certificates are up-to-date.

Reviewing the Contractor’s Documentation of FISMA Compliance

Federal contractors that are subject to FISMA should be generating and storing documentation of compliance on an ongoing basis. We audit our clients’ compliance documentation to ensure that no compliance failures have gone overlooked, and we assess whether our clients’ documentation efforts are sufficient to comprehensively demonstrate compliance if necessary.

Providing a Summary Report and Corrective Action Plan (CAP)

Once we have comprehensively assessed our client’s FISMA compliance efforts, we prepare a summary report and corrective action plan (CAP). These provide our clients with a detailed look at the health of their FISMA compliance programs and actionable recommendations for addressing any compliance deficiencies.

Assisting with FISMA Compliance Program Updates and Modifications

If desired, we can assist with implementing the recommendations in our corrective action plan. This includes updating compliance program documents, establishing new compliance policies and protocols, and implementing new cybersecurity controls as necessary. Our lawyers and consultants are highly experienced in assisting clients with all aspects of cybersecurity protection and FISMA compliance.

Stress-Testing New Compliance Program Components and Cybersecurity Controls

Finally, once our clients have updated their FISMA compliance programs, we conduct stress testing to assess the efficacy of their new compliance program components and cybersecurity controls. If necessary, we assist our clients with repeating the remediation and testing processes until their FISMA compliance programs are adequate.

Put our highly experienced team on your side

  • Dr. Nick Oberheiden
  • Lynette S. Byrd – Former Department of Justice
  • Brian J. Kuester – Former U.S. Attorney; Former DA
  • John W. Sellers – Former Senior Trial Attorney, U.S. Department of Justice; Local Counsel
  • Joanne Fine DeLena – Former Assistant U.S. Attorney; Local Counsel
  • Joe Brown – Former U.S. Attorney & Former District Attorney; Local Trial & Defense Counsel
  • Amanda Marshall – Former U.S. Attorney; Local Counsel
  • Aaron L. Wiley – Former Federal Prosecutor; Local Counsel
  • Roger Bach – Former Special Agent (OIG)
  • Michael Koslow – Former Supervisory Special Agent (FBI)
  • Chris Quick – Former Special Agent (FBI & IRS-CI)
  • Ray Yuen – Former Supervisory Special Agent (FBI)

Best Practices for FISMA Audits

When conducting FISMA audits with the guidance and oversight of outside counsel, federal contractors need to follow several best practices. This will help ensure that the audit process is as efficient as possible, and it will also help ensure that no issues go overlooked during the audit process. Some examples of best practices for FISMA audits include:

  • Assembling an Effective Audit Team – Assembling a highly effective team is paramount. Working with their outside counsel, federal government contractors should select appropriate internal personnel to assist with executing their FISMA audits. These individuals may include compliance and information security officers, IT specialists, records custodians, and other subject matter experts.
  • Assigning an Internal FISMA Audit Team Leader – Federal contractors should assign an internal FISMA audit team leader who will serve as the primary point of contact between the company’s personnel and its outside counsel. Typically, this team leader will be an executive-level employee, such as a Chief Compliance Officer or Chief Technology Officer.
  • Comprehensively Identifying All IT Systems and Data Storage Facilities – When conducting FISMA audits, outside counsel must necessarily rely on a contractor’s personnel to assist with identifying all IT systems and data storage facilities. Once the contractor’s personnel have compiled comprehensive lists, counsel can then examine each system and facility to determine what compliance measures are needed.
  • Focusing On Accuracy, Not “Confirming” Compliance – Too often, federal contractors approach the FISMA audit process from the perspective of trying to confirm their compliance. A FISMA audit should be a neutral process focused on accurately assessing the realities of the circumstances at hand, and not focused on achieving any particular outcome.
  • Documenting the FISMA Audit Process – Documenting the FISMA audit process is critical as well, as this documentation can be invaluable when a contractor is asked to demonstrate compliance to a contracting agency or other federal authority. At Oberheiden P.C., we thoroughly document our clients’ FISMA audits, mindful that our documentation may later be reviewed by federal agents.

Again, these are just examples. There are several complex and nuanced steps involved in conducting an effective FISMA audit. When we work with federal contractors, we provide the advice and insights our clients need to make informed and strategic decisions, and we help them derive maximum value from their audits.

FAQs: What Federal Government Contractors Need to Know About FISMA Audits

Why Should Federal Government Contractors Conduct FISMA Audits?

For federal government contractors, conducting FISMA audits is critical for ensuring ongoing compliance with their statutory and regulatory cybersecurity obligations. Federal contractors that fail to maintain FISMA compliance can face significant penalties, including (but not limited to) loss of their government business. As a result, conducting FISMA audits is a key element of effective risk management for federal contractors.

When Should Federal Government Contractors Conduct FISMA Audits?

Federal government contractors should conduct FISMA audits at least annually. In addition to conducting regularly scheduled audits, contractors should also conduct ad hoc audits in various circumstances. These include (but are not limited to) experiencing a cybersecurity incident, making changes to their IT systems or data storage facilities (which may also trigger a mandatory cybersecurity risk assessment under FISMA), and learning of updates to the FISMA cybersecurity regulations or NIST guidance.

Can Federal Contractors Conduct FISMA Audits In-House?

We generally advise against conducting FISMA audits in-house for various reasons. Most fundamentally, most federal contractors do not have personnel with the knowledge and experience required to conduct a FISMA audit effectively. At Oberheiden P.C., we have a team of former federal prosecutors and investigative agents who are highly experienced, and they rely heavily on this experience to conduct comprehensive and effective audits that adequately protect our clients’ interests.

What Happens If a Federal Contractor Fails a FISMA Audit?

If a FISMA audit uncovers deficiencies in a federal contractor’s policies and procedures, System Security Plan, or cybersecurity controls, the contractor must address these deficiencies promptly. Depending on the nature of the issue (or issues) involved, voluntary disclosure and/or breach notification may be prudent (or necessary) as well. When we uncover deficiencies during our clients’ FISMA audits, we provide them with actionable guidance for coming into compliance, and we advise them regarding any attendant risks they may need to address proactively.

Speak with a Lawyer or Consultant at Oberheiden P.C. about Conducting a FISMA Audit

If you would like to know more about our FISMA audit services for federal contractors, we invite you to get in touch. One of our senior lawyers or consultants will be happy to discuss your company’s needs in confidence. To arrange a complimentary initial consultation at your convenience, please call 888-680-1745 or tell us how we can contact you online today.

Why Clients Trust Oberheiden P.C.

  • 2,000+ Cases Won
  • Available Nights & Weekends
  • Experienced Trial Attorneys
  • Former Department of Justice Trial Attorney
  • Former Federal Prosecutors, U.S. Attorney’s Office
  • Former Agents from FBI, OIG, DEA
  • Serving Clients Nationwide