FISMA Compliance & ATO for Federal Health IT System

Engagement Type: FISMA / RMF Authorization Advisory
Client: Federal Agency IT Program Office
Engagement Start: July 2023
ATO Granted: December 2023
Framework: FISMA / NIST RMF (NIST SP 800-37 Rev 2)

A federal agency’s Office of Health IT engaged Krieger Security to support the FISMA authorization of a new cloud-hosted health data integration platform. The platform processed sensitive federal health information and required a full NIST Risk Management Framework (RMF) package, including categorization, control selection, implementation, assessment, and Authorization to Operate (ATO) approval from the Authorizing Official (AO).


Krieger Security’s RMF methodology delivers audit-ready documentation and actionable remediation guidance, enabling federal systems to achieve ATO efficiently and maintain continuous authorization.

THE CHALLENGE

The platform was built by a contractor team with limited FISMA/RMF experience, resulting in an incomplete Security Assessment Plan, a missing Privacy Impact Assessment, and a System Security Plan (SSP) that did not address all NIST SP 800-53 High/Moderate controls applicable to the system’s FIPS 199 categorization.

The agency also faced a hard deadline driven by a Congressional mandate, requiring the system to be operational within six months — leaving limited time for iterative control implementation and requiring a highly structured, milestone-driven approach.

THE STRATEGY

Krieger Security executed a full RMF lifecycle engagement: FIPS 199 system categorization, NIST SP 800-53 control tailoring and implementation, SSP authorship, Privacy Impact Assessment (PIA), and coordination with the agency’s ISSO and AO throughout the authorization process.

Our team managed the Security Assessment Report (SAR) process, resolved all identified vulnerabilities through a structured POA&M, and prepared the Authorization Package for the Authorizing Official. The system received a three-year ATO within five months of engagement start, meeting the Congressional deadline with two weeks to spare.

THE CHALLENGE

Completing a full NIST RMF authorization lifecycle for a complex health data platform within a five-month Congressional deadline.


CLIENT’S TESTIMONIALS

Krieger Security provided dedicated Information System Security Officer (ISSO) support throughout the engagement, maintaining close coordination with the Authorizing Official and supporting the agency’s continuous monitoring program following ATO issuance.

Benjamin Tickle, Project Manager