A structured checklist for achieving and maintaining FISMA compliance — from system categorisation and risk assessment through to Authorization to Operate and continuous monitoring.
The Federal Information Security Management Act (FISMA) requires federal agencies, contractors, and any organisation handling federal information to establish, document, and implement a comprehensive information security programme. Built on the NIST Risk Management Framework and the SP 800-53 security controls catalogue, FISMA compliance is not a one-time exercise — it requires ongoing risk assessment, continuous monitoring, annual security reviews, and regular reporting to the Office of Management and Budget. This free FISMA compliance checklist gives federal IT security teams and government contractors a structured, trackable framework for every phase of the FISMA lifecycle — from initial system inventory through to maintaining the Authorization to Operate.
The Federal Information Security Management Act (FISMA) is a US federal law enacted in 2002 and substantially updated by the Federal Information Security Modernization Act of 2014. It establishes a comprehensive framework requiring federal agencies to develop, document, and implement information security programmes to protect government information, operations, and assets from natural and man-made threats.
FISMA applies to all federal executive branch agencies and extends to any organisation that processes, stores, or transmits federal information on behalf of the government — including contractors, subcontractors, state agencies administering federal programmes such as Medicaid and unemployment insurance, and private sector organisations operating under federal contracts. Defense contractors handling Controlled Unclassified Information (CUI) are additionally subject to NIST SP 800-171, which implements many of the same principles as FISMA for non-federal systems.
FISMA compliance is built on the NIST Risk Management Framework (NIST SP 800-37) and the NIST SP 800-53 security and privacy controls catalogue, which provides more than 1,000 controls and control enhancements across 20 control families covering access control, incident response, contingency planning, configuration management, and more. The Low, Moderate, and High baselines selected from that catalogue are published separately in NIST SP 800-53B. Non-compliance can result in federal funding reductions, congressional censure, reputational damage, and, for contractors, loss of federal contracts.
What the FISMA Compliance Checklist Covers
This checklist maps to the six key phases of the FISMA compliance lifecycle, aligned with the NIST Risk Management Framework (SP 800-37) and the NIST SP 800-53 controls catalogue.
Phase 1
System Inventory & Impact Categorisation (FIPS 199)
Create and maintain a complete inventory of all information systems — document system name, owner, purpose, data types processed, and interconnections
Identify all federal information and information systems within organisational scope — include cloud systems, contractor systems, and third-party hosted systems
Categorise each system using FIPS 199 standards — assign impact levels (Low, Moderate, or High) for Confidentiality, Integrity, and Availability
Determine the overall system impact level — the highest of the three FIPS 199 ratings determines the baseline control set required
Document system categorisation decisions with supporting rationale
Confirm system categorisations are reviewed and updated when significant changes occur to the system or the information it processes
Identify the system owner, information system security officer (ISSO), and authorising official (AO) for each system
Map system interconnections and data flows — identify all external systems the system exchanges data with
Confirm the system inventory is maintained in the organisation’s GRC tool or equivalent system of record
Submit system categorisation for review and approval as required
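The "high-water mark" rule behind the categorisation steps above is easy to get wrong when a system processes several information types, because FIPS 199 applies the rule twice: once per security objective across all information types, and then once across the three objectives to pick the baseline. The script below is an added example, not part of the original checklist or any NIST publication; the information types and their impact levels are constructed sample data (in practice they come from NIST SP 800-60 and the system owner's analysis). It also handles the one edge case FIPS 199 allows: a "not applicable" confidentiality rating for public information, which never lowers a system below Low.

```python
"""FIPS 199 security categorisation by the high-water mark rule.

Added example (not from the page). Sample information types below are
constructed for illustration; real values come from the agency's analysis.
"""
from enum import IntEnum
from typing import Dict, Optional, Tuple

class Impact(IntEnum):
    LOW = 1
    MODERATE = 2
    HIGH = 3

OBJECTIVES = ("confidentiality", "integrity", "availability")

# Security category of one information type as (C, I, A).
# None means "not applicable", which FIPS 199 permits only for the
# confidentiality of public information; integrity and availability
# always carry an impact level.
SecurityCategory = Tuple[Optional[Impact], Optional[Impact], Optional[Impact]]

def validate_information_type(name: str, sc: SecurityCategory) -> None:
    """Reject categorisations FIPS 199 does not allow."""
    _, integrity, availability = sc
    if integrity is None or availability is None:
        raise ValueError(f"{name}: integrity and availability cannot be N/A")

def categorise_system(information_types: Dict[str, SecurityCategory]) -> Tuple[Dict[str, Impact], Impact]:
    """Return (per-objective system category, overall impact level).

    Step 1: for each objective, take the highest value across every
            information type the system processes (N/A entries ignored,
            with a floor of LOW because a system is never below Low).
    Step 2: the overall level is the highest of the three objective
            values; it selects the SP 800-53B baseline.
    """
    if not information_types:
        raise ValueError("a system must process at least one information type")
    for name, sc in information_types.items():
        validate_information_type(name, sc)

    system_sc: Dict[str, Impact] = {}
    for idx, objective in enumerate(OBJECTIVES):
        rated = [sc[idx] for sc in information_types.values() if sc[idx] is not None]
        system_sc[objective] = max(rated) if rated else Impact.LOW

    overall = max(system_sc.values())
    return system_sc, overall

def fips199_notation(system_sc: Dict[str, Impact]) -> str:
    """Render the category in the SC = {(objective, impact), ...} form FIPS 199 uses."""
    parts = ", ".join(f"({obj}, {lvl.name})" for obj, lvl in system_sc.items())
    return "SC = {" + parts + "}"

# Constructed sample: a grant management system. One High integrity rating on
# the payment data pulls the whole system to the High baseline.
SAMPLE_GRANTS: Dict[str, SecurityCategory] = {
    "press releases (public)": (None, Impact.LOW, Impact.LOW),
    "grant applications": (Impact.MODERATE, Impact.MODERATE, Impact.LOW),
    "payment instructions": (Impact.MODERATE, Impact.HIGH, Impact.MODERATE),
}

# Constructed sample: a public-only website. Confidentiality is N/A for every
# information type, so it is floored to LOW at the system level.
SAMPLE_PUBLIC_SITE: Dict[str, SecurityCategory] = {
    "published reports": (None, Impact.LOW, Impact.LOW),
}

if __name__ == "__main__":
    for label, types in (("grants", SAMPLE_GRANTS), ("public site", SAMPLE_PUBLIC_SITE)):
        sc, overall = categorise_system(types)
        print(f"{label}: {fips199_notation(sc)} -> {overall.name} baseline")
```

The grants example is the case the checklist warns about: two of three information types are Moderate or below, yet a single High integrity rating on payment instructions makes the entire system High, with the larger baseline and assessment burden that follows. If that outcome is unwanted, the remedy is architectural (segment the payment function into its own system boundary), not a lower rating.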
Phase 2
Risk Assessment & System Security Plan (SSP)
Conduct a risk assessment per NIST SP 800-30 — identify threats, vulnerabilities, and potential impacts for the system
Document the risk assessment results — include likelihood and impact ratings for each identified risk
Develop the System Security Plan (SSP) — the primary FISMA compliance document describing the system, its security requirements, and the controls implemented or planned
Confirm the SSP covers all required sections: system description, system environment, system interconnections, applicable laws and regulations, and security control implementation statements
Document the security control baseline selected based on FIPS 199 impact level — Low, Moderate, or High baseline from NIST SP 800-53
Identify and document control tailoring decisions — additional controls applied above baseline, or baseline controls compensated or adjusted with documented justification
Document common controls inherited from the organisation or cloud service provider — confirm inherited controls are formally accepted
Obtain system owner and authorising official review and approval of the SSP
Confirm SSP is updated at least annually and whenever significant changes occur
Establish a process for tracking SSP updates and version control
Phase 3
Security Controls Implementation (NIST SP 800-53)
NIST SP 800-53 contains more than 1,000 controls and control enhancements across 20 control families; the Low, Moderate, and High baselines are defined in NIST SP 800-53B. The tasks below cover the control families most commonly in scope for Moderate impact systems. Confirm the applicable controls from the baseline for your system’s FIPS 199 impact level and your documented tailoring decisions.
Implement Access Control (AC) family controls — account management, least privilege, remote access, and session management
Implement Identification and Authentication (IA) controls — multi-factor authentication, password policies, and authenticator management
Implement Audit and Accountability (AU) controls — audit logging, log review, and audit record retention
Implement Personnel Security (PS) controls — personnel screening, termination procedures, and personnel transfer
Implement Physical and Environmental Protection (PE) controls — physical access authorisations, monitoring, and environmental controls
Implement System and Communications Protection (SC) controls — boundary protection, transmission confidentiality, and network segmentation
Implement System and Information Integrity (SI) controls — malware protection, security alerts, and software patching
Document implementation status for each control in the SSP — Implemented, Partially Implemented, Planned, or Not Applicable
Assign control implementation owners for each control family
Phase 4
Security Assessment & Authorization to Operate (ATO)
Develop the Security Assessment Plan (SAP) — define the scope, methodology, and schedule for the security assessment
Engage an independent security control assessor to conduct the security assessment (for FedRAMP cloud authorisations this must be an accredited third-party assessment organisation, or 3PAO). Confirm the assessor’s independence from the development and operation of the system meets the level of independence the AO requires, which is strictest for High impact systems.
Conduct security control assessments — test each implemented control for correct implementation and operational effectiveness
Document assessment results in the Security Assessment Report (SAR) — include findings, weaknesses, and recommendations for each control tested
Review SAR findings with the system owner and ISSO — confirm accuracy and completeness
Develop or update the Plan of Action & Milestones (POA&M) to address all assessment findings
Compile the Authorization Package — SSP, SAR, POA&M, and supporting documentation
Submit Authorization Package to the Authorising Official (AO) for review
Address any AO questions or requests for additional information
Obtain Authorization to Operate (ATO) decision — document the ATO with authorisation date and expiry
Confirm any conditions of authorisation are documented and assigned to owners
Confirm the ATO expiry date is tracked and reauthorisation is scheduled in advance
Phase 5
Plan of Action & Milestones (POA&M)
Maintain the POA&M as a living document — update it as new weaknesses are identified and existing items are remediated
Ensure each POA&M item includes: weakness description, source of identification, risk level, remediation action, responsible party, scheduled completion date, and current status
Prioritise POA&M items by risk level — High findings require faster remediation timelines than Moderate or Low
Assign POA&M item owners and confirm they have accepted responsibility for remediation
Review POA&M status at defined intervals — confirm overdue items are escalated appropriately
Report POA&M status to the AO and senior agency information security officer (SAISO) as required
Close completed POA&M items with documented evidence of remediation — confirm closure is reviewed and approved
Identify any POA&M items requiring a waiver or risk acceptance decision — document formal risk acceptance with AO approval
Confirm POA&M is submitted to the AO as part of ongoing authorisation monitoring
Integrate POA&M management with the continuous monitoring programme
Phase 6
Continuous Monitoring & Annual Reporting
Implement a continuous monitoring strategy per NIST SP 800-137 — define monitoring frequencies for each control and system component
Deploy automated monitoring tools for real-time visibility into security control status — include vulnerability scanning, log monitoring, and configuration compliance checking
Conduct ongoing vulnerability scans at required frequencies — document findings and confirm timely remediation
Monitor security alerts, advisories, and binding operational directives from CISA (which absorbed US-CERT) and relevant threat intelligence sources
Conduct annual security reviews per FISMA requirements — assess the adequacy and effectiveness of security controls
Update the SSP, SAR, and POA&M to reflect current system state and control status
Prepare and submit the annual FISMA report to the Office of Management and Budget (OMB) — include metrics on security incidents, control effectiveness, and POA&M status
Report security incidents to CISA within the required timeframe (CISA’s Federal Incident Notification Guidelines require agencies to report confirmed incidents within one hour of identification by the agency’s SOC or CSIRT); confirm incident reporting procedures are documented and exercised
Initiate reauthorisation process before ATO expiry — confirm reauthorisation is treated as a planned project with adequate lead time
Brief the AO on significant changes to the system or threat environment that may affect the authorisation decision
This checklist is available as a free, runnable template in CheckFlow — with tasks assigned across IT security, system owners, and the authorising official review process, recurring monitoring activities scheduled automatically, and a complete audit trail for every FISMA reporting cycle.
Every federal information system must be categorised under FIPS 199 as Low, Moderate, or High impact. The impact level determines which NIST SP 800-53 security control baseline applies. Understanding the difference is essential before selecting controls.
Low Impact
Loss of confidentiality, integrity, or availability would have a limited adverse effect on organisational operations, assets, or individuals. Typically applies to publicly available systems processing non-sensitive information.
Controls: NIST SP 800-53B Low baseline, roughly 150 controls and enhancements in Rev. 5 (FedRAMP’s cloud baselines add further controls on top of this).
Moderate Impact
Loss of confidentiality, integrity, or availability would have a serious adverse effect on operations, assets, or individuals. The most common impact level for federal information systems.
Controls: NIST SP 800-53B Moderate baseline, roughly 290 controls and enhancements in Rev. 5.
Examples: Agency business systems, HR systems, grant management systems.
High Impact
Loss of confidentiality, integrity, or availability would have a severe or catastrophic adverse effect on operations, assets, or individuals, up to and including loss of life or serious life-threatening injuries.
Controls: NIST SP 800-53B High baseline, roughly 370 controls and enhancements in Rev. 5. Significant additional scrutiny and independent assessment requirements.
Examples: Critical infrastructure control systems, law enforcement databases, systems supporting emergency and life-safety operations. National security systems are outside FIPS 199 and FISMA scope and are categorised under CNSS instructions instead.
CheckFlow’s template can be tailored to any impact level — add or remove control implementation tasks based on your FIPS 199 categorisation decision.
The NIST Publications That Drive FISMA
FISMA compliance depends heavily on the NIST framework. These are the key publications every FISMA compliance team needs to know.
NIST SP 800-37 Rev. 2
Risk Management Framework for Information Systems and Organisations
The foundational FISMA document — defines the seven-step RMF process: Prepare, Categorise, Select, Implement, Assess, Authorise, and Monitor. The checklist on this page maps directly to this framework.
NIST SP 800-53 Rev. 5
Security and Privacy Controls for Information Systems and Organisations
The comprehensive catalogue of more than 1,000 security and privacy controls and control enhancements across 20 control families. The Low, Moderate, and High baselines drawn from this catalogue are published in the companion document NIST SP 800-53B.
NIST SP 800-171 Rev. 3
Protecting Controlled Unclassified Information in Nonfederal Systems
Applies to defense contractors and other non-federal organisations handling Controlled Unclassified Information (CUI). Rev. 2 contains 110 security requirements derived from NIST SP 800-53; Rev. 3 (2024) consolidates them to 97 and aligns them with SP 800-53 Rev. 5. CMMC Level 2 assessments currently reference the 110 requirements of Rev. 2.
NIST SP 800-137
Information Security Continuous Monitoring for Federal Information Systems
Defines the continuous monitoring strategy that FISMA requires — including monitoring frequencies, metrics, and reporting to the AO and OMB.
FIPS 199
Standards for Security Categorisation of Federal Information and Information Systems
The mandatory standard for categorising federal systems as Low, Moderate, or High impact — the first and most consequential decision in the FISMA compliance process, as it determines the entire control baseline.
Why Manage FISMA Compliance in CheckFlow?
Track hundreds of controls across multiple systems
FISMA Moderate impact systems require implementation of roughly 290 NIST SP 800-53B controls and enhancements, each with an owner, an implementation status, and evidence requirements. CheckFlow’s grid-based dashboard gives security teams a real-time view of control implementation status across all assigned tasks simultaneously, which is far more practical than tracking hundreds of controls in a spreadsheet.
FISMA requires annual security reviews, ongoing vulnerability management, and continuous monitoring activities on defined schedules. CheckFlow’s recurring checklist feature automates these cycles — monthly vulnerability scan reviews, quarterly POA&M updates, and annual security reviews all run on schedule without anyone needing to remember to start them. Every completed activity is logged for the annual OMB report.
The Authorization to Operate package — SSP, SAR, and POA&M — must be complete and current before the AO can authorise. Every task completed in CheckFlow is timestamped and attributed to a named individual, creating a running evidence trail that documents control implementation and testing throughout the authorisation cycle — not reconstructed at the end.
NIST SP 800-53 Personnel Security control PS-4 (Personnel Termination) requires that system access is disabled within an organisation-defined time period when employment ends; most agencies set that period at same-day. CheckFlow’s IT offboarding checklist provides a structured, automated way to ensure every system access, account, and credential is revoked on the leaver’s last day, with a timestamped record that serves as PS-4 evidence. Learn more about CheckFlow for IT offboarding →
NIST SP 800-53 Contingency Planning (CP) controls require documented backup procedures, recovery objectives, and tested contingency plans. CheckFlow’s Disaster Recovery Audit Checklist provides a structured framework for auditing your CP control implementation and testing evidence. See the Disaster Recovery Audit Checklist →
The Federal Information Security Management Act (FISMA) is a US federal law requiring federal agencies and any organisation that processes, stores, or transmits federal information to establish and maintain a comprehensive information security programme. This includes federal executive branch agencies, contractors and subcontractors operating under federal contracts, state agencies administering federal programmes such as Medicaid and unemployment insurance, and private sector organisations with access to federal systems or data. Non-compliance can result in federal funding reductions, loss of contracts, congressional censure, and significant reputational damage. Defense contractors handling Controlled Unclassified Information (CUI) are additionally subject to NIST SP 800-171 and CMMC requirements derived from the same framework.
What is an Authorization to Operate (ATO) and why does it matter?
An Authorization to Operate (ATO) is the formal decision by an Authorising Official (AO) that a federal information system is authorised to operate and that the residual risk to the organisation is acceptable. The ATO is the central outcome of the FISMA compliance process — without it, a system cannot be used to process federal information. Obtaining an ATO requires completing a Security Assessment and submitting an authorisation package comprising the System Security Plan, Security Assessment Report, and Plan of Action & Milestones to the AO for review. ATOs have defined expiry dates and must be renewed through periodic reauthorisation.
What is the difference between FISMA and NIST SP 800-53?
FISMA is the law — it establishes the requirement for federal information security programmes and mandates annual reporting to OMB. NIST SP 800-53 is the technical standard — a comprehensive catalogue of security and privacy controls that FISMA compliance is implemented through. FISMA requires organisations to select and implement security controls appropriate to their system’s impact level; NIST SP 800-53 defines what those controls are. The NIST Risk Management Framework (SP 800-37) defines the process for selecting, implementing, assessing, and authorising those controls. Together, they form the practical FISMA compliance framework.
What is a Plan of Action & Milestones (POA&M) and how is it used?
A Plan of Action & Milestones (POA&M) is a FISMA-required document that tracks every identified security weakness in a system — from initial identification through to remediation or formal risk acceptance. Each POA&M item must include a weakness description, the source of identification, risk level, planned remediation action, responsible party, and scheduled completion date. The POA&M is reviewed by the AO as part of ongoing authorisation monitoring and submitted as part of the annual FISMA reporting cycle. A current, well-maintained POA&M demonstrates active risk management and is one of the key indicators the AO uses to assess whether an ATO should be maintained or revoked.
How does FISMA relate to FedRAMP?
FedRAMP (Federal Risk and Authorization Management Program) is a government-wide programme that standardises the security assessment and authorisation of cloud services for federal agencies. FedRAMP is built on the same FISMA framework and NIST SP 800-53 controls, but applies specifically to cloud service providers (CSPs) seeking to offer services to federal agencies. A FedRAMP authorization allows a CSP’s services to be used by any federal agency without requiring each agency to conduct its own assessment — a “do once, use many times” model. Federal agencies using FedRAMP-authorised services can inherit controls from the CSP’s FedRAMP package, reducing their own FISMA compliance burden for those systems.
How often must FISMA compliance be reassessed?
FISMA requires annual security reviews for all federal information systems — assessing the effectiveness of security controls and reporting results to OMB. In addition, continuous monitoring activities run throughout the year on defined frequencies — vulnerability scans, configuration compliance checks, and log reviews run at intervals ranging from daily to quarterly depending on control type and system risk. ATOs have defined expiry periods (typically three years for standard authorisations) and must be renewed through reauthorisation before expiry. CheckFlow’s recurring checklist feature can automate all of these scheduled activities so nothing is missed between annual reviews.
Is CheckFlow free to use for this template?
You can start a free 14-day trial with no credit card required, giving you full access to all features including this template. The Business plan is $10 per user per month after the trial. Full details at checkflow.io/pricing.
Start Managing Your FISMA Compliance Programme Today
Free trial — no credit card required.