Incident Evaluation and Communication¶
The Incident Evaluation and Communication rules explain how providers must communicate incident information to FedRAMP and to government customers that are affected, or likely to be affected, by an incident.
Subsets
Effective Date(s) & Overall Applicability for 20x
- Required (Consolidated Rules for 2026)
- Optional Adoption: 2026-07-04
- Obtain: 2026-07-04
- Maintain: 2027-01-01
- Grace Ends: On the first FedRAMP independent assessment completed after 2027-01-01
Effective Date(s) & Overall Applicability for Rev5
- Required (Consolidated Rules for 2026)
- Optional Adoption: 2026-07-04
- Obtain: 2027-01-01
- Maintain: 2027-01-01
- Grace Ends: 2027-06-01
Activity Workflow: Incident Evaluation and Communication¶
This workflow illustrates the process for evaluating incidents and persistently notifying all affected parties during the incident if it is a FedRAMP Reportable Incident.
```mermaid
flowchart TD
node_an_incident_is_identified(["An incident is identified."])
node_iec_cso_efr{"IEC-CSO-EFR<br/>Evaluate FedRAMP Reportability"}
node_incident_evaluation_and_reporting_is_complete(["Incident Evaluation and Reporting is complete."])
node_iec_cso_efi{"IEC-CSO-EFI<br/>Estimate Federal Impact"}
node_iec_cso_dpr("IEC-CSO-DPR<br/>Default PAIN Rating")
node_iec_cso_iir("IEC-CSO-IIR<br/>Initial Incident Report")
node_iec_cso_oir("IEC-CSO-OIR<br/>Ongoing Incident Reports")
node_iec_cso_fir("IEC-CSO-FIR<br/>Final Incident Report")
node_incident_evaluation_and_reporting_are_complete(["Incident Evaluation and Reporting are complete."])
node_an_incident_is_identified --> node_iec_cso_efr
node_iec_cso_efr -->|"No"| node_incident_evaluation_and_reporting_is_complete
node_iec_cso_efr -->|"Yes, and the PAIN will be estimated."| node_iec_cso_efi
node_iec_cso_efr -->|"Yes, but the PAIN will not be estimated."| node_iec_cso_dpr
node_iec_cso_dpr -->|"Reporting clock starts, using default PAIN-5 timeframes for reporting."| node_iec_cso_iir
node_iec_cso_efi -->|"Reporting clock starts, using estimated PAIN timeframes for reporting."| node_iec_cso_iir
node_iec_cso_iir -->|"Ongoing persistent reporting until incident is resolved."| node_iec_cso_oir
node_iec_cso_oir -->|"Incident is resolved."| node_iec_cso_fir
node_iec_cso_fir --> node_incident_evaluation_and_reporting_are_complete
click node_iec_cso_efr href "#evaluate-fedramp-reportability" "Jump to IEC-CSO-EFR"
click node_iec_cso_dpr href "#default-pain-rating" "Jump to IEC-CSO-DPR"
click node_iec_cso_iir href "#initial-incident-report" "Jump to IEC-CSO-IIR"
click node_iec_cso_oir href "#ongoing-incident-reports" "Jump to IEC-CSO-OIR"
click node_iec_cso_fir href "#final-incident-report" "Jump to IEC-CSO-FIR"
click node_iec_cso_efi href "#estimate-federal-impact" "Jump to IEC-CSO-EFI"
```
FedRAMP Responsibilities¶
These rules apply to FedRAMP.
Path: Program, Agency
Class: Class B, Class C, Class D
Audience: FedRAMP
Ongoing Review¶
IEC-FRP-ORV
Changelog:
- 2026-06-24: Official launch of the FedRAMP Consolidated Rules for 2026.
FedRAMP MUST periodically review providers' implementation of the FedRAMP Incident Evaluation and Response rules, prompted by a lack of reporting or by other information.
Corrective Actions
- FedRAMP will request a Corrective Action Plan when a provider is unaware of the rules or has failed to implement proper procedures.
- FedRAMP will grant a 3-month grace period to implement proper procedures, pending remediation; failure to remediate may result in revocation of the FedRAMP Certification.
Terms: Incident, Vulnerability Response
General Provider Responsibilities¶
These rules apply to providers with FedRAMP Certifications of any type.
Path: Program, Agency
Class: Class B, Class C, Class D
Audience: Providers
Evaluate FedRAMP Reportability¶
IEC-CSO-EFR
Changelog:
- 2026-06-24: Official launch of the FedRAMP Consolidated Rules for 2026.
Providers MUST promptly evaluate incidents to determine whether they affect, or are likely to affect, the confidentiality or integrity of federal customer data; such incidents are FedRAMP Reportable Incidents and MUST be reported following the FedRAMP Incident Evaluation and Response rules. As written, this definition covers confidentiality and integrity only; an incident that affects only availability does not meet it.
Terms: FedRAMP Reportable Incident, Federal Customer Data, Incident, Likely, Promptly, Vulnerability Response
Default PAIN Rating¶
IEC-CSO-DPR
Changelog:
- 2026-06-24: Official launch of the FedRAMP Consolidated Rules for 2026.
Providers MUST treat FedRAMP Reportable Incidents as if they have a Potential Agency Impact N-rating (PAIN) of 5 UNLESS they promptly estimate the PAIN rating following the rule in IEC-CSO-EFI (Estimate Federal Impact).
Terms: FedRAMP Reportable Incident, Incident, Potential Agency Impact, Promptly
Initial Incident Report¶
IEC-CSO-IIR
Changelog:
- 2026-06-24: Official launch of the FedRAMP Consolidated Rules for 2026.
This FRR includes a notification requirement!
- Notify FedRAMP via email: FedRAMP Security Team.
- Notify Agency Customers via the appropriate recipient-specific method: Follow agency-specific incident reporting procedures (varies by agency).
- Notify All Necessary Parties via an update: Provider's Trust Center or USDA Connect (trust center).
Related JSON Schema: FedRAMP Incident Report (IEC-CSO-IIR / IEC-CSO-OIR / IEC-CSO-FIR)
Providers with Class A Certifications SHOULD responsibly notify all affected parties after identifying FedRAMP Reportable Incidents by providing an Initial Incident Report with as much of the following information as is available at the time of reporting and/or the current relevant status for each item:
- Contact information for the federal incident response coordinator
- Provider's internally assigned tracking identifier
- Description of the incident
- Timeline of the incident, including start time, time and source of detection, time of completed FedRAMP Reportable Incident evaluation, and other major incident milestones determined by the provider
- Historically and currently estimated Potential Agency Impact N-rating (PAIN) of the incident, including an explanation of the evaluation following the requirements in IEC-CSO-EFI (Estimate Federal Impact) (if applicable)
- Functional impact to federal agency customers (include impact to confidentiality and/or integrity and the impacted federal customer data types)
- Estimated recovery plan, milestones, and timelines
- List of likely affected customer agencies
Potential Agency Impact N-rating (PAIN) Timeframes:
| PAIN Rating | Initial Incident Report |
|---|---|
| PAIN-5 | 6 hours |
| PAIN-4 | 6 hours |
| PAIN-3 | 6 hours |
| PAIN-2 | 1 business day |
| PAIN-1 | 1 business day |
Providers with Class B Certifications MUST responsibly notify all affected parties after identifying FedRAMP Reportable Incidents by providing an Initial Incident Report with as much of the following information as is available at the time of reporting and/or the current relevant status for each item:
- Contact information for the federal incident response coordinator
- Provider's internally assigned tracking identifier
- Description of the incident
- Timeline of the incident, including start time, time and source of detection, time of completed FedRAMP Reportable Incident evaluation, and other major incident milestones determined by the provider
- Historically and currently estimated Potential Agency Impact N-rating (PAIN) of the incident, including an explanation of the evaluation following the requirements in IEC-CSO-EFI (Estimate Federal Impact) (if applicable)
- Functional impact to federal agency customers (include impact to confidentiality and/or integrity and the impacted federal customer data types)
- Estimated recovery plan, milestones, and timelines
- List of likely affected customer agencies
Potential Agency Impact N-rating (PAIN) Timeframes:
| PAIN Rating | Initial Incident Report |
|---|---|
| PAIN-5 | 6 hours |
| PAIN-4 | 6 hours |
| PAIN-3 | 6 hours |
| PAIN-2 | 1 business day |
| PAIN-1 | 1 business day |
Providers with Class C Certifications MUST responsibly notify all affected parties after identifying FedRAMP Reportable Incidents by providing an Initial Incident Report with as much of the following information as is available at the time of reporting and/or the current relevant status for each item:
- Contact information for the federal incident response coordinator
- Provider's internally assigned tracking identifier
- Description of the incident
- Timeline of the incident, including start time, time and source of detection, time of completed FedRAMP Reportable Incident evaluation, and other major incident milestones determined by the provider
- Historically and currently estimated Potential Agency Impact N-rating (PAIN) of the incident, including an explanation of the evaluation following the requirements in IEC-CSO-EFI (Estimate Federal Impact) (if applicable)
- Functional impact to federal agency customers (include impact to confidentiality and/or integrity and the impacted federal customer data types)
- Estimated recovery plan, milestones, and timelines
- List of likely affected customer agencies
Potential Agency Impact N-rating (PAIN) Timeframes:
| PAIN Rating | Initial Incident Report |
|---|---|
| PAIN-5 | 1 hour |
| PAIN-4 | 1 hour |
| PAIN-3 | 1 hour |
| PAIN-2 | 24 hours |
| PAIN-1 | 1 business day |
Providers with Class D Certifications MUST responsibly notify all affected parties after identifying FedRAMP Reportable Incidents by providing an Initial Incident Report with as much of the following information as is available at the time of reporting and/or the current relevant status for each item:
- Contact information for the federal incident response coordinator
- Provider's internally assigned tracking identifier
- Description of the incident
- Timeline of the incident, including start time, time and source of detection, time of completed FedRAMP Reportable Incident evaluation, and other major incident milestones determined by the provider
- Historically and currently estimated Potential Agency Impact N-rating (PAIN) of the incident, including an explanation of the evaluation following the requirements in IEC-CSO-EFI (Estimate Federal Impact) (if applicable)
- Functional impact to federal agency customers (include impact to confidentiality and/or integrity and the impacted federal customer data types)
- Estimated recovery plan, milestones, and timelines
- List of likely affected customer agencies
Potential Agency Impact N-rating (PAIN) Timeframes:
| PAIN Rating | Initial Incident Report |
|---|---|
| PAIN-5 | 0.25 hours |
| PAIN-4 | 0.25 hours |
| PAIN-3 | 0.25 hours |
| PAIN-2 | 1 hour |
| PAIN-1 | 1 hour |
Terms: All Affected Parties, FedRAMP Reportable Incident, Incident, Initial Incident Report (IIR), Responsibly
Ongoing Incident Reports¶
IEC-CSO-OIR
Changelog:
- 2026-06-24: Official launch of the FedRAMP Consolidated Rules for 2026.
This FRR includes a notification requirement!
- Notify FedRAMP via email: FedRAMP Security Team.
- Notify Agency Customers via the appropriate recipient-specific method: Follow agency-specific incident reporting procedures (varies by agency).
- Notify All Necessary Parties via an update: Provider's Trust Center or USDA Connect (trust center).
Related JSON Schema: FedRAMP Incident Report (IEC-CSO-IIR / IEC-CSO-OIR / IEC-CSO-FIR)
Providers with Class A Certifications SHOULD responsibly notify all affected parties of ongoing activity as new information becomes available during incident response for FedRAMP Reportable Incidents, including updates (or lack of updates) to all previously reported information and as much of the following additional information as is available and/or the current relevant status for each item:
- Observed incident activity
- Indicators of compromise
- Related Common Vulnerabilities and Exposures (CVE) identifier, if applicable
- Root cause
- Response and recovery activities
Potential Agency Impact N-rating (PAIN) Timeframes:
| PAIN Rating | Ongoing Incident Report |
|---|---|
| PAIN-5 | 1 business day |
| PAIN-4 | 1 business day |
| PAIN-3 | 1 business day |
| PAIN-2 | 1 business day |
| PAIN-1 | 1 business day |
Providers with Class B Certifications MUST responsibly notify all affected parties of ongoing activity as new information becomes available during incident response for FedRAMP Reportable Incidents, including updates (or lack of updates) to all previously reported information and as much of the following additional information as is available and/or the current relevant status for each item:
- Observed incident activity
- Indicators of compromise
- Related Common Vulnerabilities and Exposures (CVE) identifier, if applicable
- Root cause
- Response and recovery activities
Potential Agency Impact N-rating (PAIN) Timeframes:
| PAIN Rating | Ongoing Incident Report |
|---|---|
| PAIN-5 | 1 business day |
| PAIN-4 | 1 business day |
| PAIN-3 | 1 business day |
| PAIN-2 | 1 business day |
| PAIN-1 | 1 business day |
Providers with Class C Certifications MUST responsibly notify all affected parties of ongoing activity as new information becomes available during incident response for FedRAMP Reportable Incidents, including updates (or lack of updates) to all previously reported information and as much of the following additional information as is available and/or the current relevant status for each item:
- Observed incident activity
- Indicators of compromise
- Related Common Vulnerabilities and Exposures (CVE) identifier, if applicable
- Root cause
- Response and recovery activities
Potential Agency Impact N-rating (PAIN) Timeframes:
| PAIN Rating | Ongoing Incident Report |
|---|---|
| PAIN-5 | 6 hours |
| PAIN-4 | 6 hours |
| PAIN-3 | 6 hours |
| PAIN-2 | 24 hours |
| PAIN-1 | 1 business day |
Providers with Class D Certifications MUST responsibly notify all affected parties of ongoing activity as new information becomes available during incident response for FedRAMP Reportable Incidents, including updates (or lack of updates) to all previously reported information and as much of the following additional information as is available and/or the current relevant status for each item:
- Observed incident activity
- Indicators of compromise
- Related Common Vulnerabilities and Exposures (CVE) identifier, if applicable
- Root cause
- Response and recovery activities
Potential Agency Impact N-rating (PAIN) Timeframes:
| PAIN Rating | Ongoing Incident Report |
|---|---|
| PAIN-5 | 3 hours |
| PAIN-4 | 3 hours |
| PAIN-3 | 3 hours |
| PAIN-2 | 6 hours |
| PAIN-1 | 24 hours |
Terms: All Affected Parties, FedRAMP Reportable Incident, Incident, Responsibly, Vulnerability Response
Final Incident Report¶
IEC-CSO-FIR
Changelog:
- 2026-06-24: Official launch of the FedRAMP Consolidated Rules for 2026.
This FRR includes a notification requirement!
- Notify FedRAMP via email: FedRAMP Security Team.
- Notify Agency Customers via the appropriate recipient-specific method: Follow agency-specific incident reporting procedures (varies by agency).
- Notify All Necessary Parties via an update: Provider's Trust Center or USDA Connect (trust center).
Related JSON Schema: FedRAMP Incident Report (IEC-CSO-IIR / IEC-CSO-OIR / IEC-CSO-FIR)
Providers with Class A Certifications MUST responsibly notify all affected parties by providing a Final Incident Report once the incident has been resolved and recovery is complete, including final updates to all previously reported information.
Potential Agency Impact N-rating (PAIN) Timeframes:
| PAIN Rating | Final Incident Report |
|---|---|
| PAIN-5 | 3 business days |
| PAIN-4 | 3 business days |
| PAIN-3 | 3 business days |
| PAIN-2 | 3 business days |
| PAIN-1 | 3 business days |
Providers with Class B Certifications MUST responsibly notify all affected parties by providing a Final Incident Report once the incident has been resolved and recovery is complete, including final updates to all previously reported information.
Potential Agency Impact N-rating (PAIN) Timeframes:
| PAIN Rating | Final Incident Report |
|---|---|
| PAIN-5 | 3 business days |
| PAIN-4 | 3 business days |
| PAIN-3 | 3 business days |
| PAIN-2 | 3 business days |
| PAIN-1 | 3 business days |
Providers with Class C Certifications MUST responsibly notify all affected parties by providing a Final Incident Report once the incident has been resolved and recovery is complete, including final updates to all previously reported information.
Potential Agency Impact N-rating (PAIN) Timeframes:
| PAIN Rating | Final Incident Report |
|---|---|
| PAIN-5 | 6 hours |
| PAIN-4 | 6 hours |
| PAIN-3 | 6 hours |
| PAIN-2 | 1 business day |
| PAIN-1 | 1 business day |
Providers with Class D Certifications MUST responsibly notify all affected parties by providing a Final Incident Report once the incident has been resolved and recovery is complete, including final updates to all previously reported information.
Potential Agency Impact N-rating (PAIN) Timeframes:
| PAIN Rating | Final Incident Report |
|---|---|
| PAIN-5 | 3 hours |
| PAIN-4 | 3 hours |
| PAIN-3 | 3 hours |
| PAIN-2 | 6 hours |
| PAIN-1 | 24 hours |
Terms: All Affected Parties, Final Incident Report (FIR), Incident, Responsibly
Estimate Federal Impact¶
IEC-CSO-EFI
Changelog:
- 2026-06-24: Official launch of the FedRAMP Consolidated Rules for 2026.
Related JSON Schema: FedRAMP Incident Report (IEC-CSO-IIR / IEC-CSO-OIR / IEC-CSO-FIR)
Providers SHOULD promptly estimate the likely adverse impact of an incident on agency customers to assign a Potential Agency Impact N-rating; this step is called Incident Rating.
- N1 for a likely minimal customer effect on 1 or more agencies.
- N2 for a likely narrow customer effect on 1 or more agencies.
- N3 for a likely disruptive customer effect on 1 agency.
- N4 for a likely debilitating customer effect on 1 agency or a likely disruptive customer effect on more than 1 agency.
- N5 for a likely debilitating customer effect on more than 1 agency.
Note: A FedRAMP Reportable Incident is treated as PAIN-5 by default, as required by IEC-CSO-DPR (Default PAIN Rating), if this step is not completed.
Terms: Debilitating Customer Effect, Disruptive Customer Effect, Incident, Likely, Minimal Customer Effect, Narrow Customer Effect, Potential Agency Impact, Promptly
Automated Incident Reporting¶
IEC-CSO-AIR
Changelog:
- 2026-06-24: Official launch of the FedRAMP Consolidated Rules for 2026.
Providers SHOULD use automation to minimize human intervention in the process of reporting FedRAMP Reportable Incidents to all affected parties.
Modern cloud services should not be reporting incidents by hand-crafting emails!
Terms: All Affected Parties, FedRAMP Reportable Incident, Incident
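The following is an added worked example, not FedRAMP's own tooling and not the referenced JSON schema. It encodes the IEC-CSO-EFR reportability test, the IEC-CSO-EFI rating rules, the IEC-CSO-DPR default, and the per-class PAIN timeframe tables from the IIR, OIR and FIR sections above, then computes concrete deadlines from a reporting clock start, which is the kind of logic IEC-CSO-AIR expects to run without a human drafting emails. Assumptions not stated on the page: a "business day" is taken to be Monday to Friday at the same clock time with no holiday calendar, certification classes are keyed by the letters A to D, and the sample clock start time is constructed.

```python
"""Added illustration of the Incident Evaluation and Communication rules.
Not FedRAMP tooling; the timeframe tables are transcribed from this page."""
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Optional


class Effect(Enum):
    """Likely customer effect, as used by the IEC-CSO-EFI rating rules."""
    MINIMAL = "minimal"
    NARROW = "narrow"
    DISRUPTIVE = "disruptive"
    DEBILITATING = "debilitating"


def is_fedramp_reportable(affects_confidentiality: bool, affects_integrity: bool,
                          involves_federal_customer_data: bool) -> bool:
    """IEC-CSO-EFR: reportable when confidentiality or integrity of federal
    customer data is affected or likely affected. The rule names only C and I,
    so an availability-only outage does not meet it."""
    return involves_federal_customer_data and (affects_confidentiality or affects_integrity)


def estimate_pain(effect: Effect, agencies_affected: int) -> int:
    """IEC-CSO-EFI: map (likely effect, number of agencies) to N1..N5."""
    if agencies_affected < 1:
        raise ValueError("an incident with no affected agency is not rated")
    multi = agencies_affected > 1
    if effect is Effect.MINIMAL:
        return 1
    if effect is Effect.NARROW:
        return 2
    if effect is Effect.DISRUPTIVE:
        return 4 if multi else 3
    return 5 if multi else 4          # DEBILITATING


def effective_pain(estimated: Optional[int]) -> int:
    """IEC-CSO-DPR: a reportable incident is PAIN-5 unless promptly estimated."""
    return 5 if estimated is None else estimated


HOURS, BUSINESS_DAYS = "hours", "business_days"
# Timeframes transcribed from the page's tables, listed PAIN-5 first down to PAIN-1.
TIMEFRAMES = {
    "IIR": {"A": [(6, HOURS)] * 3 + [(1, BUSINESS_DAYS)] * 2,
            "B": [(6, HOURS)] * 3 + [(1, BUSINESS_DAYS)] * 2,
            "C": [(1, HOURS)] * 3 + [(24, HOURS), (1, BUSINESS_DAYS)],
            "D": [(0.25, HOURS)] * 3 + [(1, HOURS)] * 2},
    "OIR": {"A": [(1, BUSINESS_DAYS)] * 5,
            "B": [(1, BUSINESS_DAYS)] * 5,
            "C": [(6, HOURS)] * 3 + [(24, HOURS), (1, BUSINESS_DAYS)],
            "D": [(3, HOURS)] * 3 + [(6, HOURS), (24, HOURS)]},
    "FIR": {"A": [(3, BUSINESS_DAYS)] * 5,
            "B": [(3, BUSINESS_DAYS)] * 5,
            "C": [(6, HOURS)] * 3 + [(1, BUSINESS_DAYS)] * 2,
            "D": [(3, HOURS)] * 3 + [(6, HOURS), (24, HOURS)]},
}


def add_business_days(start: datetime, days: int) -> datetime:
    """ASSUMPTION: the page does not define 'business day'; this treats it as
    Monday to Friday, same clock time, with no holiday calendar."""
    current = start
    while days > 0:
        current += timedelta(days=1)
        if current.weekday() < 5:
            days -= 1
    return current


def deadline(report: str, cert_class: str, pain: int, clock_start: datetime) -> datetime:
    """Latest time the given report is due, measured from clock_start. For the
    IIR the clock starts when EFI or DPR completes; for the FIR, at resolution."""
    amount, unit = TIMEFRAMES[report][cert_class][5 - pain]
    if unit == HOURS:
        return clock_start + timedelta(hours=amount)
    return add_business_days(clock_start, amount)


# Constructed sample: evaluation completes at 10:00 UTC on Friday 2026-07-03.
CLOCK_START = datetime(2026, 7, 3, 10, 0, tzinfo=timezone.utc)


def schedule(cert_class: str, pain: int, clock_start: datetime = CLOCK_START) -> dict:
    """IIR and first OIR deadlines as ISO strings for a given class and rating."""
    return {r: deadline(r, cert_class, pain, clock_start).isoformat() for r in ("IIR", "OIR")}


if __name__ == "__main__":
    rating = effective_pain(estimate_pain(Effect.DISRUPTIVE, 2))   # N4
    for cls in "ABCD":
        print(cls, rating, schedule(cls, rating))
```

The sample start time is deliberately a Friday: a Class C PAIN-2 IIR (24 hours) is due on Saturday morning, while a Class B PAIN-2 IIR (1 business day) is not due until Monday, so a pipeline that treats "24 hours" and "1 business day" as interchangeable will miss a Class C deadline over a weekend.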