

Ensure FISMA compliance with Veracode.

The Federal Information Security Management Act of 2002, or FISMA (amended by the Federal Information Security Modernization Act of 2014), is a federal law designed to improve computer and network security within the U.S. federal government and at its affiliates and contractors. To achieve FISMA compliance, agencies and contractors must implement and document specified information security controls and undergo periodic assessments and audits.

As federal agencies move away from paper-based processes to Internet-based service models, FISMA compliance has become both more important and more challenging. To demonstrate FISMA compliance, federal agencies and their partners and vendors must show that their software applications have been tested for the kinds of vulnerabilities an attacker could exploit to breach government systems.

For agencies and contractors seeking an effective and cost-efficient FISMA compliance solution, Veracode offers an on-demand application security testing service that addresses the requirements of FISMA and the supporting guidelines published by the National Institute of Standards and Technology (NIST).


How Veracode’s FISMA compliance solution works

To support FISMA compliance, Veracode provides a cloud-based application security testing service that scans for vulnerabilities such as SQL injection in .NET applications, as well as for backdoors and malicious code. With Veracode, federal agencies and related organizations can more easily provide evidence of policies and controls that meet FISMA requirements in the following areas, which correspond to control families in NIST SP 800-53:

  • Risk assessment. Veracode’s application testing tools find vulnerabilities by analyzing compiled binaries rather than source code, so federal agencies can assess custom and commercially developed applications for flaws even when the source is not available.
  • Certification, accreditation and security assessments. Veracode provides a standard-based rating system that offers proof to auditors that the security of a system has been assessed against government benchmarks.
  • Audit and accountability. With Veracode’s cloud-based service, federal agencies and contractors can easily submit applications for periodic audits.
  • System and communications protection. In addition to scanning for vulnerabilities, Veracode’s testing solutions evaluate applications for the presence of specific security features that FISMA compliance requires.
  • System and services acquisition. Veracode scans government and commercial off-the-shelf applications without requiring access to their source code, which simplifies security assessment during acquisition and makes FISMA compliance easier to demonstrate.

Beyond FISMA compliance: meeting healthcare and financial regulatory requirements

In addition to FISMA compliance, Veracode offers application testing and secure DevOps solutions for HIPAA compliance and for compliance with financial regulations such as PCI DSS Requirement 6.5.

Learn more about FISMA compliance with Veracode, and about Veracode’s solutions for compliance with PCI DSS 6.5.