Coalfire is an independent, IT Governance, Risk and Compliance (IT-GRC) organization with offices across the U.S., providing IT Security advisory and assessment services to organizations that are required to conduct compliance assessments/audits to meet the requirements of an industry standard or regulation. As a benefit, clients are finding that maintaining compliance accelerates sales discussions with existing customers and new prospects, where compliance is considered a prerequisite for doing business.


  • FedRAMP Advisory and Assessment Services

    Coalfire is an accredited FedRAMP 3PAO, providing advisory services and security assessments of cloud environments and systems being made available for hosting government data. Services include pre-assessment, advisory services for documenting policies and procedures as well as developing a Systems Security Plan (SSP), security assessment services, vulnerability scanning, penetration tests and development of Security Assessment Reports (SARs). In addition, Coalfire is available to conduct 3PAO-required portions of the Continuous Monitoring requirement to maintain the FedRAMP Provisional ATO.

  • FISMA Advisory and Assessment Services

    Government agencies, and their vendors and subcontractors, are required to go through a FISMA assessment to achieve an agency ATO. Coalfire conducts assessments in accordance with NIST SP 800-53 r3 and FIPS 199, 200 that prescribe the minimum framework controls for government information systems. Coalfire's team of FISMA experts assist organizations in preparing for FISMA audits, system accreditation, asset classification, and risk assessments.


    Coalfire provides advisory and assessment services supporting a CSP’s pursuit of DISA ECSB provisional authority to operate (P-ATO) and listing in the DISA enterprise cloud service catalog, and a cloud service consumer request form by which requirements will be submitted to the ECSB. Our services are intended for CSPs seeking authorization for ECSB Impact Levels 1 – 6

  • NERC CIP Advisory and Assessment Services

    Electrical utility companies and organizations involved with the smart grid need to meet the new NERC Critical Infrastructure Program (CIP) requirements. Coalfire offers a complete range of services that meet the nine key areas addressed by NERC CIP - Sabotage, Critical Asset Identification, Security Management Controls, Personnel and Training, Electronic Security Perimeter, Physical Security Protection, Systems Security Management, Incident Reporting, and Response Planning and Recovery Plans.

  • HIPAA/HITECH and HITRUST Advisory and Assessment Services

    Coalfire is a HITRUST certified assessor for healthcare organizations seeking a Common Security Framework (CSF) assessment. The HITRUST CSF consolidates and normalizes the healthcare security requirements for healthcare organizations. For those that don't choose to pursue a HITRUST assessment, Coalfire can assess a healthcare organization, covered entity or business associate for their specific HIPAA or HITECH compliance requirements.

  • GLBA Advisory and Assessment

    Coalfire assists financial services institutions reduce security risk, meet FFIEC and GLBA compliance requirements, mitigate e-authentication risk and increase operational efficiency throughout an organization. Our experience in training NCUA, FDIC and OCC/OTS regulators allows us to provide thorough, cost-effective solutions to complex IT risk management requirements.

  • PCI Compliance Services- PCI QSA, PA-QSA, PA-QSA (P2PE)

    Coalfire has been a leader in conducting PCI assessments for the full range of organizations that make up the payment processing ecosystem. Coalfire carries all the required certifications and credentials to assess compliance to the Payment Card Industry Data Security Standard for ecommerce merchants, retail organizations, payment processors, service providers and payment application developers.

  • ISO Gap Analysis

    Coalfire provides gap analysis and pre-assessment services for organizations that need to meet ISO standards, such as 27001. 

  • Vulnerability Scanning

    Coalfire, through its suite of Navis solutions, provides vulnerability scanning services for both external and internal networks. Scan services are generally a complementary requirement for the security audit and assessment services for industry-specific regulatory requirements (e.g. PCI DSS).

  • Penetration Testing and Forensic Services

    The Coalfire Labs team of professionals conduct penetration testing and ethical hacking scenarios to demonstrate how well an organization's network assets are protected. Penetration testing services are available for corporate networks, data environments, and software applications. In addition, our forensic team assists with incident response issues, data breach analysis and threat mitigation.


GSA Schedule Contracts

GSA Schedule 70

GSA Schedule 70 GSA Schedule No. GS-35F-0119Y Term: December 20, 2011- December 19, 2021

State & Local Contracts

City of Seattle Contract

Contract #0000003265 Term: December 19, 2021


Contract # CMAS 3-12-70-2247E Term: through March 31, 2022

Fairfax County IT Hardware, Software, & Services

Virginia- Fairfax County CONTRACT EXPIRATION: October 4, 2020 (with 5 option years)

Ohio State Contract- 534354

Contract # 534354 Term: December 19, 2021

Orange County National IPA Co-Op

Through May 31, 2019 (with 2 option years)


Contract Number: UVA1482501 Term: May 2, 2014– December 19, 2021


Archived Events


SELECT Resource_ID, Title, Vendor, Vertical, Type, DateAdded, Path, Linktype, InvisibleBit, FeaturedEnd, FeaturedBit, Description, CustomLogo, LegacyLink, Form FROM Resources WHERE Vendor = ? AND InvisibleBit = 0 ORDER BY FeaturedBit DESC, Type ASC


Endless and evolving threats to your network demand the most rigorous security testing possible. Only then can you have the confidence that your data—and your customers’ data is safe and secure. That means probing for vulnerabilities, using the most sophisticated Penetration Test possible....

Coalfire Cloud Assessment and Advisory Credits are a flexible method to procure professional consulting services to augment, outsource, or supplement your IT staff for cloud management. Compliance assessment and advisory services benefit commercial organizations and government agencies adopting the ...

As part of its “cloud first” policy established in 2010, the U.S. government has formalized a set of regulations that Cloud Service Providers (CSP) must meet in order to do business with government agencies. FedRAMP requires CSPs to be independently assessed by an accredited Third Party Asses...

The healthcare industry is adopting the use of electronic health records, and placing a higher priority on the security of electronic protected health information (ePHI). To help ensure the safe exchange of ePHI and other personal information, the Health Information Trust Alliance (HITRUST) has es...

As online banking, the use of ACH transactions and cyber threats expand and evolve, data security and compliance is more important than ever. The consequences of a data breach reach beyond fines and penalties to include significant fraud losses and damaged reputations. Despite this, many banks an...

Since 1996, HIPAA has addressed the privacy and security of electronic protected health information (ePHI) used by healthcare organizations. With the passing of the HITECH Act in 2009, compliance with HIPAA standards is now mandated. But many small- to medium-sized healthcare organizations lack t...

As credit card usage expands and cyber threats evolve, PCI compliance is more important than ever. The consequences of a data breach reach beyond fines and penalties to include significant fraud losses and damaged reputations. Despite this, many organizations ignore the danger and bypass adequate...


Digital Reasoning believes that every organization can transform the way it operates by gaining insights into how its employees and customers communicate. We transform data into actionable knowledge, allowing our customers to see people, interactions and things in a way that they’ve never seen the...

The information technology landscape is continuously evolving, making IT Governance, Risk and Compliance (IT GRC) more critical than ever. You face increasing risk from cyber attacks and data breaches, as well as increasingly demanding regulatory and compliance requirements. Customers and partner...