No. FISMA compliance requires the thoughtful selection and employment of stringent security controls for federal systems using a risk-based approach to protect critical federal missions and business functions. In addition to technology-based controls such as access control, identification and authentication, audit and accountability, encryption, and system and communications protection, there are also management and operational controls that address important security areas such as physical security, personnel security, continuity of operations, awareness and training, incident response, security planning, system integrity, and acquisition. Developing sound security policies and procedures is a critical aspect of building an effective information security program. Security policies, while administrative in nature, demonstrate, in clear and unequivocal terms, senior management’s commitment to information security and protecting the organization’s operations (mission, functions, image, and reputation) and assets, individuals, other organizations, and the Nation. Security procedures provide the necessary details for the organization’s security professionals to effectively implement the security policies. Effective policies and procedures, in conjunction with technology-based security controls, provide a defense-in-depth and holistic approach to information security and managing organizational risk from systems. In addition to the above, there are specific management controls that require an assessment of the controls in organizational systems to determine overall effectiveness. The determination of security control effectiveness provides critical information that senior leaders/executives need to make credible risk-based decisions for the authorization (accreditation) of systems.