Emergency Test: FY26 Q4 FedRAMP Security Inbox Test
NTC-0015 published at Tue, 07 Jul 2026 08:00:00 GMT // Markdown Version
This notice is an official Emergency Test from FedRAMP. This quarterly test will confirm the functionality and effectiveness of your FedRAMP Security Inbox.
As a reminder, cloud service providers must route Emergency designated messages to a senior security official for their awareness.
You must complete the required actions by Tuesday, July 14, 2026 at 5:00PM Eastern Time.
FedRAMP Response to CISA BOD 26-04:
CISA BOD 26-04 strongly aligns with FedRAMP’s Vulnerability Detection and Response (VDR) and Vulnerability Evaluation and Reporting (VER) rules. Cloud service providers should be familiar with the VDR and the planned migration of all services from legacy vulnerability scanning to an exposure and threat-based approach. The VER contains the evaluation and reporting rules from the VDR in a separate ruleset for convenience.
Any cloud service provider that follows the Vulnerability Detection and Response and Vulnerability Evaluation and Reporting rules will meet the timelines, prioritization requirements, and approach set out in BOD 26-04.
Unfortunately cloud service providers who are not actively working to transition to the new FedRAMP vulnerability rules will not be able to provide the assurance that agencies will require under BOD 26-04; the legacy monthly vulnerability scanning process that most FedRAMP Rev5 Certified cloud services currently follow is insufficient.
An update to the mandatory continuous monitoring processes is required for all FedRAMP Rev5 customers to ensure federal information is appropriately protected by all FedRAMP Certified cloud service offerings in a way that aligns with this updated Binding Operational Directive for the federal government.
To address BOD 26-04:
1. The Vulnerability Detection and Response rules will be mandatory for all cloud service offerings obtaining or maintaining FedRAMP Certification effective December 7, 2026.
2. The Vulnerability Evaluation and Reporting rules will be mandatory for all cloud service offerings obtaining or maintaining FedRAMP Certification effective December 7, 2026.
3. Additional reporting guidance will be provided for cloud service offerings that are not following the Certification Data Sharing rules yet.
4. FedRAMP will provide a grace period through March 7, 2027 where cloud service offerings may maintain their FedRAMP Certification under a corrective action plan (which will include notice to all agencies). After this date, FedRAMP Certification will be revoked for all cloud service offerings not following these rules.
20x Pilot Updates:
FedRAMP is removing the 12 month certification window for 20x pilot participants. Follow the Maintain timeline for the 20x applicable rules. You must show progress toward adopting the full 20x ruleset at your applicable Class level in your quarterly collaborative continuous monitoring meetings.
FedRAMP will be updating your Marketplace listing to include the pilot designation in your FedRAMP certification class until you complete a final certification package with all applicable rules addressed. The annual assessment dates will be updated to 03/07/2027 to reflect the CR26 adoption grace window.
Failure to show progress or meet CR26 Maintain / Grace period dates will result in revocation of pilot certification and delisting from the FedRAMP Marketplace.
Required Actions:
Provide the following information for your cloud service offering to FedRAMP by completing the Emergency Test Form:
1. Your email.
2. Your FedRAMP ID: @fr_id
3. Your unique code: @unique_code
4. Confirmation that you will adopt the Vulnerability Detection and Response and the Vulnerability Evaluation and Reporting rules by December 7, 2026 to maintain your FedRAMP certification in compliance with NTC-0014.
5. Confirmation of your awareness of the other CR26 important deadlines that went into effect June 24, 2026.
Emergency Test Form:
Providers will receive an email with the link to the Emergency Test Form. Providers MUST complete the Emergency Test Form to receive credit for responding to this test. Email responses will not be accepted.
Corrective Action:
Failure to respond to this FedRAMP Security Inbox test will result in revocation of your FedRAMP certification and removal from the FedRAMP Marketplace in accordance with the Grace Ends milestone.
FedRAMP’s ability to communicate directly with cloud service providers in the FedRAMP Marketplace is a critical component of ongoing authorization. Thank you for ensuring the government’s ongoing access to secure cloud services by maintaining open communication channels with us.
-FedRAMP Security Team