FISMA
Federal information security compliance.
Overview
What it is, in plain English.
FISMA requires every federal agency — and every contractor operating systems on their behalf — to develop, document, and implement an information security program based on NIST SP 800-53. Lyra works with civilian agencies, federal contractors, and FedRAMP-pursuing cloud service providers to build the Authority to Operate (ATO) package: categorization, control selection, SSP, assessment, and continuous monitoring.
FISMA compliance and FedRAMP-adjacent readiness for federal agencies and federal contractors — built on NIST 800-53 control families.
Who needs it
Built for organizations that have to get this right.
Federal civilian agencies and their support contractors
Cloud service providers pursuing FedRAMP Low, Moderate, or High
Systems integrators delivering federal information systems
Higher-ed and FFRDCs with federal information system responsibilities
Our approach
How we get you audit-ready and keep you there.
We don't drop policy templates and disappear. We design controls, implement them in your environment, prepare every artifact, and walk with you through the audit — then operate the program after certification so you stay compliant year over year.
- 01 Categorize (FIPS 199): We categorize the system as Low, Moderate, or High based on confidentiality, integrity, and availability impact.
- 02 Select & Tailor (NIST 800-53): We select the baseline control set and tailor it to the system, documenting parameter values and inheritance.
- 03 Implement & Document (SSP): We implement the controls and produce the System Security Plan, the central ATO artifact.
- 04 Assess, Authorize, Monitor: We coordinate the Security Assessment Report, support the Authorizing Official's ATO decision, and run continuous monitoring after authorization.
Key controls
What's actually in scope.
All applicable NIST SP 800-53 Rev. 5 control families
FIPS 199 categorization and FIPS 200 minimum requirements
System Security Plan (SSP), Security Assessment Plan, and Security Assessment Report
Plan of Action & Milestones (POA&M) management
Continuous monitoring strategy and metrics
Privacy controls and Privacy Impact Assessments (PIAs)
Deliverables
What you walk away with.
Complete ATO package: SSP, SAR, POA&M, contingency plan, IRP
FIPS 199 categorization memo
Continuous monitoring plan
Support through Authorizing Official briefings
Annual assessment and re-authorization support
Timeline
Initial ATO: 9–18 months. Annual assessments and re-authorization (every 3 years): 3–6 months.
Questions we hear
Straight answers to the real questions.
- Is FISMA the same as FedRAMP?
- FedRAMP is the cloud-specific implementation of FISMA — same NIST 800-53 backbone, with additional cloud-tailored controls and a centralized PMO. If you are a CSP selling to federal agencies, FedRAMP is the path.
- What changed with NIST 800-53 Rev. 5?
- Rev. 5 integrated privacy and supply chain controls into the main control catalog, restructured several families, and introduced new control overlays. All new ATOs are issued against Rev. 5.
- Can we get an ATO without a sponsor?
- Not really — an ATO is issued by a specific federal Authorizing Official for a specific system. FedRAMP offers an alternative path through the JAB or an Agency sponsor.
Other frameworks we support
SOC 2 (Type 1 and Type 2): AICPA SOC 2
ISO 27001: ISO/IEC 27001 ISMS
CMMC: Cybersecurity Maturity Model Certification
NIST 800-171: Protecting CUI in non-federal systems
NIST CSF (including 2.0): NIST Cybersecurity Framework
HIPAA / HITRUST: Healthcare privacy and security
24 / 7 Recovery
When the worst day hits, every minute matters.
Our breach team is standing by — call, email, or submit a request and we respond within minutes.