The Federal Information Security Management Act (FISMA) now reaches into more industries than ever before. No longer is FISMA just a government concern. FISMA regulation is now being implemented in the healthcare, financial and tech industries as government agencies outsource IT and mission needs to third-party providers.

Based on an ever-growing number of National Institute of Standards and Technology (NIST) standards and best practices, it is easy to get lost in the quagmire of requirements. Gone are the days where following a few guidelines would yield a FISMA-compliant system. Standards have evolved to include requirements for insider threat, application security, supply chain risk, security assurance, mobile and cloud computing, advanced persistent threats and a barrage of privacy requirements. There’s also enterprise architecture, security automation, continuous monitoring and enhanced situational awareness in the mix. And that’s not even half of it.

Compliance can be a huge headache. We get it. But we love it. 38North’s FISMA consultants have been dealing with FISMA compliance for years. Ask them to regale you with stories of our past SSPs, ISCPs, ST&Es and ATOs, and you’ll get a taste of how much ground they’ve covered.

What is FISMA?

FISMA stands for the Federal Information Security Management Act, and is part of the US E-Government Act (Public Law 107-347) that became legislation in 2002. It requires federal agencies to develop, implement and manage a risk-based, agency-wide information security program to ensure the ongoing protection of information and critical systems. In doing so, FISMA requires federal agencies (and their third parties) to place increased emphasis on accountability, stringent policy adherence, detailed reporting, performance measurement and ongoing security assessment and improvement.

Here are some of the ways we help you with FISMA:

FISMA Gap Analysis:

Have a new FISMA requirement, but don’t know how to get started? 38North’s FISMA gap analysis educates you on the process while gauging how your information system(s) would fare against FISMA standards. We’ll also let you know how much it will cost to complete a full security authorization, identify any risks and/or challenges, and focus your attention on the most critical items to get you ready for action. This is your first step if you’re completely new to the world of FISMA.

Security Authorization:

This is the whole enchilada. We work with your IT and security personnel to get your system(s) FISMA-compliant. We focus on minimum requirements to get you through the process in the shortest time possible. The result is a complete authorization package with an executive summary detailing all critical risks matched to a recommended remediation strategy. We even provide a continuous monitoring plan, once you’ve been granted an authority to operate (ATO), to extend the life of your authorization.

FISMA Continuous Monitoring:

Security authorization is no longer a paperwork exercise that’s done once every three years. The NIST Risk Management Framework requires system owners to continuously track system changes that may affect security controls, and reassess control effectiveness. Controls need to be maintained, tested and reported on to ensure your system’s security posture is within acceptable levels of risk. Sound like too much overhead and expense? 38North takes the worry out of continuous monitoring by developing an actionable continuous monitoring plan that will keep pace with the ever-changing technology and cyber security landscapes.

Independent Assessment:

Control assessment. Security test and evaluation. NIST 800-53A assessment. Annual assessment. Whatever it is, we can do it. 38North consultants have conducted countless assessments in the government and commercial sectors — from simple, closed systems to complex, multinational operating environments. We don’t just scan and give you a report, either. We analyze all your controls, deploy automated testing and assess the business and security risk to your system and organization. You also receive a prioritized list of recommendations tailored to your business and mission requirements, so you can develop an immediate and meaningful action plan for remediation.

FISMA Training:

Rooted in the belief that an organization should be able to maintain its own compliance efforts, 38North offers tailored FISMA training to match the unique needs and experience of each of our clients. We have half-day, one-day and two-day FISMA training courses on the NIST Risk Management Framework, security authorization and continuous monitoring. Recognizing that security awareness and training is a critical aspect of an effective security program, our courses are an ideal complement to our other FISMA services.

Jeremiah Thompson

Director of Cloud Security Architecture

Jeremiah Thompson is 38North’s Director of Cloud Security Architecture. He leads 38North’s technical teams as they tackle engineering challenges and design secure, compliant cloud security architectures.

For over 18 years Jeremiah has helped clients in the commercial, defense and federal civilian sectors engineer secure solutions to modern cyber challenges. Prior to 38North, he served as a Director at Coalfire, one of the nation’s preeminent Third-Party Assessment Organizations (3PAOs). At Coalfire he led FedRAMP and DoD FedRAMP+ assessments supporting Fortune 500 organizations. He was also a Lead Information Security Compliance Auditor supporting the National Cancer Institute, and an Information Security Compliance Auditor at IBM.

Jeremiah currently holds CISSP, CISM, CAP, C|EH, Security+, Network+, CCSK and MCP certifications.

Andy Davidson

Senior Director of Cloud Security

Andy Davidson is Senior Director of Cloud Security at 38North. He leads 38North Senior Advisors as they prepare IaaS, PaaS and SaaS providers for the rigors of FedRAMP authorization. One of the nation’s most experienced FedRAMP practitioners, Andy has been supporting FedRAMP assessment and consulting efforts since the initial FedRAMP pilot project. He specializes in helping hyperscale Cloud Service Providers (CSPs) navigate FedRAMP requirements and successfully achieve Provisional Authorities to Operate (P-ATO).

Prior to 38North, Andy was Senior Director of FedRAMP and Assessment Services at Coalfire, one of the leading Third-Party Assessment Organizations (3PAOs). At Coalfire, he was responsible for growing the 3PAO practice and managing assessor teams in the execution of high profile assessments for Fortune 500 CSPs. He also helped start Veris Group’s 3PAO practice. Prior to Veris, Andy was an IT security consultant at Booz Allen Hamilton, supporting security assessments and engineering efforts across the federal government.

Linda Morales

Senior Director of Global Compliance

Linda Morales is the Senior Director of Global Compliance at 38North Security. She leads assessments for customers in the healthcare, federal and commercial spaces. She specializes in helping organizations prepare for and complete FISMA, FedRAMP and HIPAA assessments. She is adept at leading teams to deliver efficient, accurate security reviews that withstand scrutiny from federal regulators. Linda is also a recognized expert in healthcare security, helping Health-IT providers secure and defend Protected Health Information (PHI).

Prior to 38North, Linda served as a Director at Endeavor Systems, where she played a key role growing the federal security services practice. She also served as Security Manager for the Federal Aviation Administration’s (FAA) enterprise-wide assessment program, with responsibility for 150+ systems across FAA.

Linda earned a BS in Computer Science and a Master’s in Engineering Management, with a focus in Information Security, both from The George Washington University. She is also a Certified Information Systems Security Professional (CISSP), Project Management Professional (PMP), and a Registered Practitioner with the Cybersecurity Maturity Model Certification Advisory Board (CMMC-AB).

Spence Witten

Senior Advisor and Director of Business Development

Spence Witten is a 38North Senior Advisor and Director of Business Development. He serves as a trusted security advisor to 38North’s clients in the cloud services, healthcare, financial, defense and critical infrastructure communities.

Prior to 38North, Spence was Vice President of Global Sales at Lunarline. Spence led sales and marketing across ten cybersecurity business units, culminating in Lunarline’s acquisition by Motorola Solutions. Prior to becoming VP of Global Sales, Spence ran Lunarline’s US Federal Security Services practice, overseeing Lunarline’s defense, intelligence and federal civilian portfolio. He was also an early employee of Endeavor Systems. He played a key role in Endeavor’s rapid expansion in the federal, civilian, defense, and research and development markets, through to Endeavor’s successful acquisition.

An Adjunct Professor at Cleveland-Marshall College of Law, Spence serves on the Board of Directors for the Center for Cybersecurity and Privacy Protection at Cleveland State University. He is also a member of CyberOhio, the official cybersecurity advisory board for the Governor of Ohio.

Virginia Suazo

Senior Director of Cloud Security Advisory

Virginia Suazo is 38North’s Senior Director of Cloud Security Advisory. She is responsible for leading 38North’s cloud security and compliance efforts, with a speciality in helping global CSPs juggle multiple overlapping regulatory frameworks.

Before joining 38North, Virginia worked at a tech startup supporting the first and only Red Hat OpenStack Platform that is FedRAMP-authorized. She played a vital role in successfully obtaining FedRAMP Moderate and High authorizations for IaaS, PaaS, and SaaS systems, while supporting other certifications including DoD IL4/5, PCI DSS, HIPAA and HITECH. Her 15 years of cybersecurity experience also includes several tours supporting US federal agencies, including State Department, Department of Justice, Health and Human Services, Food and Drug Administration, General Services Administration and Department of Transportation.

Matt Earley

Matt Earley is 38North’s founder and President. He started 38North, the premier cloud security advisory company in the US and internationally, to solve complex security challenges while developing trusted relationships with an elite client base.

For over 20 years Matt Earley has designed and implemented security solutions for the US and Australian federal governments, critical infrastructure, utilities, and for global finance and healthcare organizations. He focuses on lean security architecture design and prioritizing security efforts based on the critical needs of his clients.

Prior to founding 38North, Matt was the director of federal services at Endeavor Systems, where he was responsible for Endeavor’s largest business unit, serving the Federal Aviation Administration, Department of Homeland Security and some of the world’s largest security operations centers. He was also a Senior Manager in the Australian Department of Defense, where he represented Australasia on the Common Criteria Management Board.

Matt has a Bachelor of Engineering in computer engineering from the University of Canberra in Australia, and a Master’s in engineering management from George Washington University. He is also a Certified Information Systems Security Professional (CISSP) and Project Management Professional (PMP).