Responding to CISA Emergency and Binding Operational Directives
FedRAMP actively responds to CISA Binding Operational Directives (BODs) and Emergency Directives (EDs). In cases where a CISA BOD or ED applies to the cloud computing community, FedRAMP will place a reporting requirement on FedRAMP Certified cloud service providers. FedRAMP uses the FedRAMP Security Inbox to communicate about urgent security matters.
FedRAMP collects responses to CISA BODs and EDs on behalf of the federal government and disseminates the responses to federal agencies. Agencies SHOULD NOT reach out individually to FedRAMP Certified cloud service providers as this causes a duplication of efforts and can slow response times.
Federal agencies that use cloud services that are NOT FedRAMP Certified are responsible for collecting their own responses from non-FedRAMP-certified cloud providers. Agencies should determine whether they are using the FedRAMP Certified version of a cloud service offering, as many cloud service providers have separate commercial and federal tenants.
Follow instructions in the CISA BOD or ED
FedRAMP works with CISA during the drafting of a BOD or ED to ensure it includes guidance related to FedRAMP Certified cloud services, and participates in CISA calls announcing these directives. If anything is ever unclear, please reach out to the Agency Liaisons group.
Examples of BOD and ED Responses
FedRAMP notifies cloud service providers directly by email of all applicable new BODs and EDs, including their impact and the expectations for cloud service providers. We also share public notices about these activities. Some examples of recent BOD and ED activities include:
- Public Notice NTC-0014: FedRAMP Response to CISA BOD 26-04 (2026-06-16)
- Public Notice NTC-0010: FedRAMP Response to CISA V1 ED 25-03 (2026-04-23)
- Public Notice NTC-0006: Emergency Directive 26-03 (2026-02-25)