Federal Regulatory Assurance

Companies doing business with the Federal Government face a shifting landscape of IT legislation, regulation and controls – and compliance is mandatory. Navigating this maze can be complicated and time-consuming. But done correctly, it can open the way to significant business for your company. PwC can help you reap those rewards.

More and more, the government is turning to commercial business partners for critical mission and operations support. The opportunity is big, but heightened regulatory and security requirements must be fully understood – and met. And right now, many companies interested in federal business are unfamiliar with these requirements.

Our Federal Regulatory Assurance team includes IT professionals with deep federal regulatory, compliance, and controls experience. As federal compliance is often part of broader compliance challenges, we partner with PwC’s Integrated Compliance team to maximize our value to clients.

We’re ready, today, to help you refine your compliance roadmap so you can pursue and successfully service the public sector.

FISMA and Federal Regulatory Compliance

Compliance with the Federal Information Security Management Act (FISMA) is required of all federal agencies and all commercial entities that provide services to the Federal Government. Companies must have a control environment that meets FISMA requirements, which include required documentation. Additional federal regulations beyond FISMA may also be applicable.

Underscoring the government’s mandate, federal agencies are updating key policy documents to explicitly require FISMA and federal regulatory compliance of their contractors. Bottom line: Your company can’t do business with the Federal Government unless it meets federal control requirements.

We can help. Our professionals can leverage their extensive FISMA and federal regulatory experience to help your company create a step-by-step FISMA and federal compliance roadmap, as we’ve done for many other clients. PwC’s advisors will help you:

  • Define security needs
  • Determine NIST SP 800-53 control requirements
  • Create required documentation
  • Train employees
  • Develop self-assessments
  • Manage remediation
  • Monitor and sustain compliance
  • Develop a federal regulatory roadmap and compliance framework

To trim costs, the current Cloud First mandate requires federal agencies to strongly consider cloud services. In fact, roughly 25% or $20B of federal IT spending is earmarked for cloud computing migration.

Accordingly, Commercial Cloud Service Providers (CSPs) for federal agencies must meet Federal Risk and Authorization Management Program (FedRAMP) requirements. FedRAMP standardizes the approach to cloud-related security assessments, authorizations, and ongoing monitoring. The program uses a “do once, use many times” model, i.e., CSP certification can be applied across multiple potential customers to save time, money and resources.

CSPs must pass a required audit in order to receive FedRAMP certification. PwC is an accredited FedRAMP 3PAO (Third Party Assessment Organization), signifying that our firm has appropriate cloud security expertise and methodology for performing cloud security assessments.

While guidance is still emerging, CSPs are encouraged to prepare now for compliance. CSPs are finding that advance preparation is necessary both to ready their environments for the required audit and to do business with the Federal Government.

And remember – compliance is not optional.

Resources

Our FedRAMP team includes cloud security, federal regulatory, and controls professionals. Partnering with PwC’s Cloud Assurance team, you will be well-prepared to meet federal cloud compliance requirements. Our team offers powerful support to help you:

  • Tailor your offering to FedRAMP requirements
  • Understand the relationship of NIST SP 800-53 control requirements to your environment
  • Perform self-assessments and gap analyses
  • Develop and execute a comprehensive, continuous monitoring program
  • Support remediation
  • Produce documentation to support assessments
  • Generate awareness and develop training programs