Federal Regulatory Assurance

A path towards FISMA and Federal regulatory compliance

Want the Federal Government as one of your clients?

If you are doing business with the Federal Government, the opportunity is huge, but so are the multiple compliance requirements which must be met. Understanding the shifting landscape of Federal IT legislation, including the Federal Information Security Management Act (FISMA), Defense Federal Acquisition Regulation Supplement (DFARS), and the Federal Risk and Authorization Management Program (FedRAMP) is critical. Navigating regulation and controls the first time can be challenging. However, done correctly, it can pave the way to significant business for your company.


Cloud First Mandate: FedRAMP requirements for cloud service providers

Roughly 25%, or about $20B, of federal IT spending is earmarked for cloud computing migration under the Cloud First mandate.

Commercial cloud service providers (CSPs) must meet Federal Risk and Authorization Management Program (FedRAMP) requirements at the appropriate baseline (i.e. low, moderate, high). FedRAMP standardizes the approach to cloud-related security assessments, authorizations, and ongoing monitoring.

Our FedRAMP team includes cloud security, federal regulatory, and controls professionals. Partnering with PwC, you will be well-prepared to meet federal cloud compliance requirements.


  • Tailor your offering to FedRAMP requirements
  • Understand the relationship of NIST SP 800-53 control requirements to your environment
  • Perform diagnostic assessments and gap analyses
  • Develop and execute a comprehensive, continuous monitoring program
  • Support remediation
  • Produce documentation to support authorization efforts
  • Generate awareness and develop training programs

FISMA: You can’t do business with the Federal Government without it

FISMA, enacted in 2002 and updated by the Federal Information Security Modernization Act of 2014, requires all federal agencies and departments to bring their cybersecurity capabilities up to standard, and those requirements extend to contractors that operate systems on an agency's behalf. Compliance deadlines have come and gone, yet many organizations both inside and outside the federal government still do not meet the requirements they are expected to meet.

Our team has deep experience with the NIST SP 800-53 control catalog, the SP 800-53A assessment procedures, the Risk Management Framework (SP 800-37), and the SP 800-30 risk assessment guidance.


  • Define security needs
  • Determine NIST SP 800-53 control requirements
  • Create required documentation
  • Train employees
  • Develop and conduct regular self-assessments
  • Manage and track remediation
  • Monitor and sustain compliance
  • Develop a federal regulatory roadmap and compliance framework

DFARS, NIST 800-171, and PwC’s Approach to Adherence

As with any business, there are barriers to entry and minimum requirements to contract with the Department of Defense (DoD). In recent years, the list of these requirements has grown, with additional scrutiny placed on cybersecurity, specifically on securing systems that process, store, and/or transmit Controlled Unclassified Information (CUI), namely the Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204-7012 and NIST SP 800-171.

These flow-down requirements can be complicated and convoluted, but our cybersecurity practitioners have the technical and procedural capabilities to sort through the compliance requirements, help you define your accreditation boundary, document your level of adherence to the controls, and help take the guesswork out of implementing NIST 800-171.

Our 800-171 team includes cybersecurity specialists with a wealth of experience in aerospace and defense (A&D), our leading Third Party Risk Management team to help you get a handle on your supply chain, and our Governance Contracting group to sort through all of the necessary requirements.

DFARS & NIST 800-171

  • Define and develop a NIST 800-171 assessment program/approach
  • NIST 800-171/DFARS readiness assessment
  • Assessments of compliance with requirements
  • System Security Plan (SSP) and Plan of Action and Milestones (POA&M) development and guidance
  • Roadmap development to meet compliance requirements
  • Aid in managing your overall vendor/supplier supply chain, and the flow-down support to your subcontractors
  • Develop a NIST 800-171 Compliance Governance Program



Contact us

Sloane Menkes

Principal, Cybersecurity & Privacy, PwC US

Zachary Gable

Director, Cybersecurity & Privacy, PwC US

Jessica Martin

Director, Cybersecurity & Privacy, PwC US

Chris VanEvery

Director, Cybersecurity & Privacy, PwC US