FedRAMP Security Inbox requirements¶

FedRAMP must have a reliable way to directly contact security and compliance staff operating all FedRAMP Authorized cloud service offerings without tracking individual contacts or maintaining provider-specific logins to customer support portals. These requirements for a FedRAMP Security Inbox apply to all cloud service providers to ensure this direct reliable path remains open, especially in the event of critical security issues.

This set of requirements focus specifically on communication that comes from FedRAMP and includes three categories of communication:

Emergency communications that will only be used during an emergency where response times are critical to protecting the confidentiality, integrity, and availability of federal customer data; this communication path will occasionally be tested by FedRAMP.
Important communications that may require an elevated response due to a sensitive or potentially disruptive situation, typically related to ongoing authorization or other concerns.
General communications that include all other messages from FedRAMP that may be managed by a cloud service provider following their standard operational process.

All Emergency and Important messages sent by FedRAMP will include specific actions, timeframes expected for action, and an explanation of the corrective actions that FedRAMP will take if the timeframes are not met. Failure to take timely action as required by Emergency communications will result in corrective action from FedRAMP.

FedRAMP will conduct strictly controlled tests of response to emergency communications regularly and provide public notice of these tests in advance. The response times for these tests will be tracked by FedRAMP and made publicly available.

This set of requirements and recommendations include explicit requirements that FedRAMP will follow to ensure important communications or those sent during emergencies can be routed by cloud service providers separately from general communications.

Effective Date(s) & Overall Applicability

Release: 25.11A
Published: 2025-11-18
Designator: FSI
Description: Initial Release of the FedRAMP Security Inbox requirements for both 20x and Rev5.

FedRAMP 20x:
- This release is effective 2026-01-05 for 20x.
- These requirements apply after January 5, 2026 to all FedRAMP 20x authorizations.
- Phase One Pilot participants must address all of these requirements by January 5, 2026.
- Phase Two Pilot participants must address all of these requirements prior to submission for authorization review (even if submitted before January 5, 2026).
FedRAMP Rev5:
- This release is effective 2026-01-05 for Rev5.
- These requirements apply after January 5, 2026, to all FedRAMP Rev5 cloud services that are listed in the FedRAMP Marketplace.

Background & Authority

OMB Memorandum M-24-15 on Modernizing FedRAMP section VII (a) (17) states that GSA must "position FedRAMP as a central point of contact to the commercial cloud sector for Government-wide communications or requests for risk management information concerning commercial cloud providers used by Federal agencies."

Requirements & Recommendations¶

These requirements apply ALWAYS to FedRAMP and ALL cloud services listed in the FedRAMP Marketplace based on the current Effective Date(s) and Overall Applicability of this standard.

FRR-FSI-01 Verified Emails¶

FedRAMP MUST send messages to cloud service providers using an official @fedramp.gov or @gsa.gov email address with properly configured Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication Reporting and Conformance (DMARC) email authentication.

Note: Anyone at GSA can send email from @fedramp.gov or @gsa.gov - FedRAMP team members will typically have "FedRAMP" or "Q20B" in their name but this is not universal or enforceable. The nature of government enterprise IT services makes it difficult for FedRAMP to isolate FedRAMP-specific team members with enforceable identifiers.