Why FISMA Compliance Assessments Expose the Same Gaps Year After Year
Every year, federal agencies and their contractors undergo FISMA compliance assessment cycles that are supposed to drive meaningful security improvement. Yet the same control families continue to generate findings, repeat deficiencies, and stalled remediation plans. After working with dozens of federal contractors and agencies, the pattern is unmistakable: the failures are not random. They are structural, and they are preventable.
This post breaks down the controls that assessors flag most often, explains why organizations keep stumbling on them, and gives you concrete remediation steps you can act on before your next assessment cycle begins.
The Regulatory Foundation: What FISMA Actually Requires
FISMA mandates that federal agencies and organizations operating federal information systems maintain a continuous, risk-based security program aligned to NIST SP 800-53. Assessments evaluate whether security controls are implemented correctly, operating as intended, and producing the desired outcomes. The distinction matters: having a policy is not the same as having a functioning control. Assessors are trained to probe that gap, and most organizations underestimate how wide it is.
For federal contractors, the stakes extend beyond compliance scores. A weak FISMA posture can delay contract awards, trigger corrective action plans, and in serious cases invite scrutiny from agency inspectors general. Understanding the differences between NIST SP 800-171 and NIST SP 800-53 is an important first step for contractors operating under both frameworks simultaneously.
The Most Frequently Failed FISMA Control Families
1. Risk Assessment (RA)
Risk assessment controls are the foundation of every FISMA program, and they are among the most commonly deficient. Organizations either conduct assessments on a schedule that is too infrequent, produce documentation that is too generic to be useful, or fail to connect assessment findings to their Plan of Action and Milestones. Assessors look for evidence that risk assessments are current, that threat information has been incorporated, and that identified risks are actively tracked to resolution.
Fix it: Conduct formal risk assessments at least annually and after any significant change to your system boundary. Document threat sources, threat events, vulnerabilities, and likelihood ratings in sufficient detail to justify your risk acceptance decisions. Ensure a direct traceability link between your risk assessment outputs and your POA&M entries.
2. Security Assessment and Authorization (CA)
The CA control family governs how organizations evaluate their own security controls and maintain authorizations to operate. The most common failure here is an Authorization to Operate that has lapsed or was never formally issued. Close behind it are System Security Plans that are outdated, incomplete, or written at a level of abstraction that provides no operational value.
Fix it: Treat your SSP as a living document that is reviewed and updated at least annually and whenever your environment changes. Your SSP and POA&M should tell a coherent, verifiable story about your security posture. If your ATO is expiring, begin the reauthorization process at least 90 days in advance.
3. Configuration Management (CM)
Configuration management failures are pervasive because most organizations treat CM as an IT task rather than a compliance discipline. Common findings include undocumented baseline configurations, unauthorized software on production systems, and change control processes that exist on paper but are not enforced in practice. Assessors will pull configuration records and compare them to stated baselines. Gaps are easy to find.
Fix it: Establish documented, approved baseline configurations for every system type in your environment. Implement automated tools that detect and alert on deviations. Enforce a formal change control process and maintain evidence of approval for every change. Endpoint security controls are closely tied to this family and should be addressed in parallel.
4. Access Control (AC)
Access control is the most universally scrutinized control family in any federal assessment. The failures range from excessive user privileges that violate least privilege principles, to dormant accounts that were never disabled after employee separations, to multi-factor authentication that is implemented inconsistently across systems. Privileged account management is a specific area where assessors almost always find deficiencies.
Fix it: Conduct quarterly access reviews for all privileged and non-privileged accounts. Automate account disablement as part of your offboarding process. Enforce MFA on all remote access and privileged sessions without exception. Document your access control policy and verify that it reflects actual practice, not aspirational practice.
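As an added illustration of what a quarterly access review can check mechanically (this is example code written for this post, not an assessor's tool or any product's code), the script below runs a constructed account export against the three deficiencies named above: accounts still enabled after separation, dormant accounts, and privileged accounts without MFA. The 90-day dormancy window and the field names are assumptions for the example; your own policy and identity export will differ.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

# Dormancy window is an assumption for this example; set it from your access control policy.
DORMANCY_DAYS = 90


@dataclass
class Account:
    user: str
    enabled: bool
    privileged: bool
    mfa_enforced: bool
    last_login: Optional[date]     # None means the account has never logged in
    separated_on: Optional[date]   # HR separation date; None while still employed


def review_accounts(accounts: List[Account], as_of: date) -> List[Tuple[str, str]]:
    """Return (user, finding) pairs a reviewer must act on; an empty list means a clean review."""
    findings = []
    cutoff = as_of - timedelta(days=DORMANCY_DAYS)
    for a in accounts:
        if not a.enabled:
            continue  # already disabled: nothing to remediate for this review
        if a.separated_on is not None and a.separated_on <= as_of:
            findings.append((a.user, "enabled after separation"))
        if a.last_login is None or a.last_login < cutoff:
            findings.append((a.user, f"dormant: no login in {DORMANCY_DAYS} days"))
        if a.privileged and not a.mfa_enforced:
            findings.append((a.user, "privileged account without MFA"))
    return findings


def summarize(findings: List[Tuple[str, str]]) -> dict:
    """Count findings per category for the review record that goes into the evidence file."""
    counts: dict = {}
    for _, finding in findings:
        counts[finding] = counts.get(finding, 0) + 1
    return counts


# Constructed sample export; not real accounts or real dates.
SAMPLE = [
    Account("alice", True, False, True, date(2024, 6, 28), None),
    Account("bob", True, True, False, date(2024, 6, 20), None),
    Account("carol", True, False, True, date(2024, 2, 10), date(2024, 3, 15)),
    Account("dave", False, True, False, date(2023, 12, 1), None),
    Account("erin", True, True, True, None, None),
]

if __name__ == "__main__":
    for user, finding in review_accounts(SAMPLE, date(2024, 6, 30)):
        print(f"{user}: {finding}")
```

Keeping the output of each quarterly run, together with the ticket that disabled each flagged account, is the kind of evidence an assessor will ask for when verifying that the review actually happens.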
5. Audit and Accountability (AU)
Organizations routinely enable logging on their systems and then assume the AU control family is satisfied. Assessors disagree. Common findings include log retention periods that do not meet requirements, audit records that do not capture the events specified in NIST SP 800-53, alert mechanisms that generate notifications that nobody reviews, and a complete absence of log review procedures. The logs exist but the accountability does not.
Fix it: Define exactly which events must be logged across each system type and verify that your logging configuration captures them. Establish and document a log review process with assigned ownership. Set retention periods that meet or exceed the 90-day active and three-year archive standard commonly required for federal systems. Test your alerting mechanisms regularly.
6. Incident Response (IR)
Incident response plans are common. Tested, functional incident response capabilities are not. Assessors ask for evidence of tabletop exercises, after-action reports, and documented lessons learned. Most organizations cannot produce them. Reporting timelines are another recurring failure point, particularly the requirement to notify the agency and US-CERT within mandated windows.
Fix it: Conduct at least one tabletop exercise per year and document the results. Update your incident response plan based on exercise findings. Verify that staff responsible for incident detection and escalation understand their roles. Post incident response contact information where it can be found quickly under pressure.
7. System and Communications Protection (SC)
This control family generates findings related to boundary protection, encryption, and network segmentation. Organizations operating hybrid cloud environments are particularly vulnerable here because the boundaries between on-premises and cloud resources are often poorly defined and inconsistently controlled. Unencrypted data in transit remains a finding in organizations that should know better.
Fix it: Document your system boundary in your SSP with enough specificity that an assessor can verify it matches your actual architecture. Enforce encryption for all data in transit across all network segments. Review your cloud service provider agreements to confirm that the shared responsibility model is understood and that your obligations are being met. Our Federal and SLED Risk Assessment services can help you map your current boundary against FISMA requirements.
The Underlying Problem: Compliance Theater
Most of these failures share a common root cause. Organizations build compliance programs around documentation production rather than control implementation. Policies are written to satisfy a checklist. Procedures describe what should happen rather than what does happen. Assessors are trained to distinguish between the two, and they are very good at it.
A mature FISMA compliance program requires ongoing operational discipline, not a burst of activity before an assessment. The organizations that consistently pass assessments have integrated compliance into their daily operational processes. The ones that fail are still treating it as an annual documentation exercise.
If your organization is struggling with this shift, our Compliance Program Development services are designed to help you build programs that function operationally, not just on paper.
What a Strong Remediation Approach Looks Like
- Start with a gap assessment. Before your next assessment cycle, conduct an independent evaluation of each control family against your actual environment. Do not rely on your last assessment findings as a current-state picture. Security environments change constantly.
- Prioritize by risk, not by ease. Organizations that remediate the easiest findings first often leave the highest-risk gaps open the longest. Map your findings to threat likelihood and impact before sequencing remediation work.
- Assign ownership explicitly. Every POA&M item should have a named owner, a realistic completion date, and scheduled milestone reviews. Vague ownership produces vague progress.
- Build evidence collection into operations. Do not wait until assessment preparation to gather evidence. Log reviews, access certifications, configuration scans, and training records should be documented continuously throughout the year.
- Consider external security leadership. If your organization lacks the internal capacity to manage this continuously, Regulatory vCISO services can provide the ongoing oversight needed to maintain assessment readiness between cycles.
FISMA and the Broader Compliance Landscape for Federal Contractors
Federal contractors operating under FISMA frequently have overlapping obligations under DFARS, CMMC, and NIST SP 800-171. Controls that fail in a FISMA assessment often indicate weaknesses that will surface in those frameworks as well. The access control failures, configuration management gaps, and audit deficiencies described above are equally relevant to CMMC, CUI, and DFARS compliance programs. Treating these as separate compliance silos is inefficient and increases risk.
The federal and defense contractor community faces increasing scrutiny across all of these frameworks simultaneously. Organizations that integrate their compliance programs across FISMA, CMMC, and DFARS requirements reduce assessment burden, eliminate redundant documentation work, and build more resilient security programs.
Take Action Before Your Next Assessment Cycle
FISMA compliance assessment failures are not inevitable. They are the predictable result of programs that prioritize documentation over implementation, and point-in-time effort over continuous operations. The controls discussed here have known remediation paths. The question is whether your organization has the leadership focus, the documented processes, and the operational discipline to execute them before the next assessor arrives.
If you are unsure where your program stands, or if your last assessment produced findings that have not been fully resolved, Cleared Systems can help. Our team works with federal contractors and agencies to build programs that perform under assessment conditions — not just around them. Request a quote to discuss your FISMA compliance posture with our team, or explore our engagement models to find the right level of support for your organization's needs.
