---
title: FedRAMP Response to CISA V1 ED 25-03
tabTitle: FedRAMP Response to CISA V1 ED 25-03
indexTitle: FedRAMP Response to CISA V1 ED 25-03
description: 'FedRAMP has been tasked with ensuring all federal agencies have the information they need from cloud services to respond to this Emergency Directive. This will avoid massive duplicative work for agencies and all cloud services.'
noticeDate: 2026-04-23T14:00:00-04:00
noticeId: NTC-0010
---

This is a real emergency and **action is required** in response to [CISA V1: ED 25-03: Identify and Mitigate Potential Compromise of Cisco Devices](https://www.cisa.gov/news-events/directives/v1-ed-25-03-identify-and-mitigate-potential-compromise-cisco-devices). This is NOT a test.

FedRAMP has been tasked with ensuring all federal agencies have the information they need from cloud services to respond to this Emergency Directive. This will avoid massive duplicative work for agencies and all cloud services.

Providers MUST complete required actions and report status to FedRAMP (Step 8) by **5:00 PM ET April 29, 2026** regardless of impact level.

**PLEASE URGENTLY TAKE THE FOLLOWING REQUIRED ACTIONS IN ORDER!**

1. Providers MUST review [CISA V1: Emergency Directive 25-03](https://www.cisa.gov/news-events/directives/v1-ed-25-03-identify-and-mitigate-potential-compromise-cisco-devices) to understand affected systems.

2. Providers MUST identify all public-facing Cisco Firepower 1000, 2100, 4100, 9300 series and Secure Firewall 200, 1200, 3100, 4200, and 6100 series devices within the FedRAMP boundary for their cloud service offering(s).

   _If no in-scope systems are identified, **skip to step 8.** Steps 3-7 are not required if no in-scope systems are identified. If in-scope systems are identified, proceed to step 3._

3. Providers SHOULD collect logs from affected systems as outlined in the [Supplemental Direction ED 25-03: Core Dump and Hunt Instructions](https://www.cisa.gov/news-events/directives/supplemental-direction-ed-25-03-core-dump-and-hunt-instructions) to assist with hunt activities.

4. Providers MUST evaluate all identified devices for indicators of compromise. If any indication of compromise or anomalous behavior is found or there is any suspected impact to federal systems, providers MUST follow the [FedRAMP Incident Communication Procedures](https://www.fedramp.gov/docs/rev5/playbook/csp/continuous-monitoring/incident-communication/), which includes reporting to CISA and agency customers.

   a. Providers SHOULD use CISA’s [FIRESTARTER Backdoor Malware Analysis Report](https://www.cisa.gov/news-events/analysis-reports/ar26-112a) and/or other available threat intelligence reports to evaluate for indicators of compromise.

   b. Providers MAY submit core dumps of Cisco devices to CISA’s [Malware Next Gen portal](https://www.cisa.gov/resources-tools/services/malware-next-generation-analysis) for evaluation.

5. If no indicators of compromise are present, providers MUST apply Cisco-provided updates for all of the CVEs identified in the Emergency Directive by **11:59 PM EST on April 24, 2026.** This includes:

   a. The software updates to address CVE-2025-20333 and CVE-2025-20362, if not already patched; and,

   b. The recently released patch created for this specific persistence issue (links provided by device type in CISA’s step-by-step [Core Dump and Hunt Instructions](https://www.cisa.gov/news-events/directives/supplemental-direction-ed-25-03-core-dump-and-hunt-instructions)).

6. Providers MUST perform a hard reset of the device(s) no later than **April 29, 2026** by physically unplugging the device’s power supply; a reboot is not sufficient to expunge the malware.

7. Providers MUST upload supplemental information to the Incident Response folder in the FedRAMP repository and notify all agency customer Authorizing Official (or ISSO) POCs of the completed action(s).
   - **File Format**: Files should be compatible with modern spreadsheet applications. Acceptable file formats are Comma Separated Values (csv) or Microsoft Excel (xlsx).

   - **Filename**: ED-25-03-V1-Response-[FRID]

     Note: Replace the [FRID] placeholder with your corresponding information.

   - **Recommended content**:
     - List of the type(s) of affected systems.

     - Summary of actions taken and results, including the collection of artifacts, patching, and hunting actions.

     - Additional information you wish to provide to customers.

8. Complete the FedRAMP V1: Emergency Directive 25-03 Response Form by **5:00 PM ET April 29, 2026**.

   _Please Note: Cloud service providers will have received an email in their FedRAMP Security Inbox with a link to the form. This Public Notice does not include the link!_

**Corrective Action**

Corrective action will include public notification that the provider is not following FedRAMP Security Inbox rules.

**Additional Background**

If any indication of compromise or anomalous behavior is found or there is any suspected impact to federal systems, follow the [FedRAMP Incident Communication Procedures](https://www.fedramp.gov/docs/rev5/playbook/csp/continuous-monitoring/incident-communication/), which includes reporting to CISA and agency customers.

This email has also been posted as a FedRAMP Notification here: [fedramp.gov/notices/0010](http://fedramp.gov/notices/0010)

If you have any questions, please reach out to [info@fedramp.gov](mailto:info@fedramp.gov) and [CyberDirectives@cisa.dhs.gov](mailto:CyberDirectives@cisa.dhs.gov).
