The RSI Security blog site breaks down the steps in some element, but the procedure in essence goes similar to this: Formally attest your compliance. An AOC (attestation of compliance) is the shape you use to sign that you’ve obtained PCI DSS compliance. Ending your questionnaire with no “Mistaken” answers https://www.nathanlabsadvisory.com/fisma.html