The RSI Security web site breaks down the actions in some detail, but the process in essence goes like this: Formally attest your compliance. An AOC (attestation of compliance) is the form you employ to signal that you simply’ve achieved PCI DSS compliance. Finishing your questionnaire without having “Completely wrong” https://www.nathanlabsadvisory.com/blog/nathan/secure-federal-contracts-with-fisma-compliance/