Does SD Elements cover FedRAMP or FISMA compliance controls?

Short answer: Yes, through NIST SP 800-53.

What is the difference between FISMA and FedRAMP controls?

FedRAMP and FISMA both use the NIST SP 800-53 security controls. The FedRAMP baseline contains 125 controls for low and 325 controls for moderate impact levels.


FedRAMP is a result of the "Cloud First" policy issued in 2011 and the OMB memo "Security Authorization of Information Systems in Cloud Computing," which requires agencies to use FedRAMP-authorized cloud services in an effort to reduce costs and streamline the IT procurement process. This policy requires that government agencies move IT services to cloud solutions. FedRAMP has been developed as a program for CSPs to receive an independent security assessment conducted by a certification authority (called a 3PAO). Since these assessments are also based on NIST SP 800-53 Rev 4, FedRAMP can be thought of as "FISMA for the cloud": it inherits the NIST baseline of controls and is tailored for cloud computing initiatives.


FISMA is a law enacted in 2002 that mandates a process to strengthen the security posture of the government's information systems. When most agencies (and their vendors) discuss being "FISMA compliant," they are usually referring to meeting the controls identified in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53, "Recommended Security Controls for Federal Information Systems." This is because the law is enforced through various processes (OMB A-130), which establish definitions, processes, and requirements for federal agencies to follow.

FISMA (through A-130) recommends guidance issued by NIST, specifically FIPS 200 for impact-level categorization (Low, Moderate, or High-impact systems), and NIST SP 800-53A Rev 4 (Recommended Security Controls for Federal Information Systems and Organizations) for the selection and implementation of security controls based on the system impact level.
