Abstract Look at FISMA certification as a project-oriented endeavor where the key objective is delivering a Security Package, performing and assessment, and ultimately protecting information assets. From the outset, put together a contact list and interview the participants. A project best practice is to hold a kick-off meeting to introduce the team members and to establish the expectations. Don’t wait for volunteers. Apply a questionnaire or checklist and interview the participants. Borrow from other agencies, but recognize different agencies have different needs. FISMA supports flexibility. Recognize that multiple applications and components can be covered by a single Security Package. This may save time and resources. Trust your contacts, but verify their answers. Retain your ethics—balance the need for authorization with the need for security.