Certification & Accreditation



The Federal Information Security Management Act (FISMA) was developed in 2002 in recognition by the United States of the need for organizations to develop an information security program to protect assets and preserve economic and national security interests. The FISMA process draws on a variety of standards and frameworks, including NIST and FIPS. Incorporating the risk methodology of NIST 800-37, FISMA includes the following steps:

  • Categorize
  • Select
  • Implement
  • Assess
  • Authorize
  • Monitor


FISMA Certification & Accreditation is a requirement for each federal agency to develop, document, and implement an agency-wide program while providing information security for the information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or source. Its general purpose is to provide information security.


SecureState's sole focus is on information security, such as Certification & Accreditation consulting services and penetration testing assessments, as well as providing services similar to those requested for organizations such as Boeing, CACI, BAE Systems, WSI, and Stanley (CGI). SecureState’s C&A Project Manager has led C&A efforts for The White House Military Office, Transportation Security Administration (TSA), Federal Bureau of Investigation (FBI) and DOD Tricare. Additionally, our experienced Team Members construct a team of resources from our bench of consultants that specialize in C&A. Each consultant specializes in areas such as documentation, implementation of baselines, and C&A project management. These employees are certified to DoD 8570.2 with certifications such as CISSP, CISA, GIAC, Security+, and Certified Information Privacy Professional (CIPP), which ensures that the project can be completed in such a way that our clients have access to an expert in each area of the C&A process.

Did You Know?

  • FISMA requires a refresh of accreditation to occur every three years
  • FISMA requires ST&E on an annual basis

Our Approach and Methodology

FedRamp Process

Phase 1 – Proposed Methodology (RFP B.1.3.1):

The Federal Government requires any system that impacts the Federal Network to be subject to certification against a government standard such as FISMA, DIACAP, NIACAP, etc. These processes require a great deal of expertise and knowledge of the process itself as well as general security. The following phases are those included in FISMA and the embedded steps of the NIST 800-37 process.

Phase 2 – Initiation/Definition:

The Initiation Phase consists of preparation, notification and resource identification, as well as system security plan development, analysis, update, and acceptance. Some of the tasks that will be performed during this phase include, but are not limited to:

  • A risk assessment in accordance with NIST 800-30
  • Development of Systems Security Plan
  • Review FIPS 199 security categorization (Moderate) and Select Controls leveraging NIST 800-53
  • Review configurations in accordance with FIPS 200 and NIST 800-53
  • Conduct a Privacy Impact Assessment
  • Review ISA and MOA/MOU
  • Review Incident Response Plan in accordance with NIST 800-61

The following steps will be completed during this phase:

Step 1: Categorize the information system and the information processed, stored, and transmitted by that system based on an impact analysis. SecureState will review the FIPS 199 risk assessment to confirm the rating.

Step 2: Select an initial set of baseline security controls for the information system based on the security categorization, tailoring and supplementing the security control baseline as needed based on organizational assessment of risk and local conditions. SecureState leverages the use of NIST 800-53 Recommended Security Controls for Federal Information Systems and Organizations.

Step 3: Implement the security controls and document how the controls are deployed within the information system and environment of operation.

Phase 3 – Certification/Verification:

The Security Certification Phase consists of two tasks: security control assessment and security certification documentation. Some of the tasks that will be performed during this phase include, but are not limited to:

  • Development of Security Test & Evaluation (ST&E)
  • Update of Risk Assessment Report
  • Update of System Security Plan

Step 4: Assess the security controls using appropriate procedures to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements.

Phase 4 – Accreditation/Validation:

The Security Accreditation Phase consists of a security accreditation decision and security accreditation documentation. Some of the tasks that will be performed during this phase include, but are not limited to:

  • Final preparation of the C&A package

The following step will be completed during this phase:

Step 5: Authorize information system operation based upon a determination of the risk to organizational operations and assets, individuals, other organizations and the Nation resulting from the operation of the information system, and the decision that this risk is acceptable.

Phase 5 – Continuous Monitoring:

The Continuous Monitoring Phase consists of configuration management and control, security control monitoring, and status reporting and documentation. The following step will be completed during this stage:

Step 6: Monitor and assess selected security controls in the information system on an ongoing basis, including assessing security control effectiveness, documenting changes to the system or environment of operation, conducting security impact analyses of the associated changes, and reporting the security state of the system to appropriate organizational officials.

What Makes Us Different

  • SecureState’s experienced Team Members carry a bench of DoD 8570-compliant consultants for quick reactions
  • Our team is experienced in building full security programs for organizations leverage
  • We employ sound recruiting practices, which allow us to quickly fill any positions
  • SecureState has strong past performance in FISMA Certification & Accreditation

