The RSI security blog breaks down the steps in some depth, but in essence the process goes like this: choose a compliance automation software tool to avoid wasting time and money. Pro tip: choose a certified CPA agency that also provides compliance automation software for an all-in-one solution. https://www.nathanlabsadvisory.com/blog/nathan/secure-federal-contracts-with-fisma-compliance/