Requests for Comment

RFC-0031 Updated Incident Communications Procedures

Summary & Motivation

FedRAMP’s historical Incident Communications Procedures require cloud service providers to “report any incident (suspected or confirmed) that results in the actual or potential loss of confidentiality, integrity, or availability of the cloud service, including the impact to federal customer data that it stores, processes, or transmits.”

These procedures have not been consistently followed or enforced because they are broad and often unclear. In practice, cloud service providers with FedRAMP Certification rarely notify FedRAMP of an incident. FedRAMP believes that a clear set of reporting requirements must be established in a modern rules-based format so that cloud service providers understand, and can implement, the incident reporting obligations that continue after initial certification. These rules should focus effort on reporting meaningful incidents that an agency customer would not otherwise be aware of, and should align reporting effort with the potential adverse impact to agency operations.

This RFC proposes updates to the Incident Communications Procedures as follows:

  1. Move reporting on incidents causing an impact to availability into public status pages or other notification mechanisms without requiring federal-specific reporting.
  2. Focus incident reporting on likely or confirmed incidents that threaten confidentiality or integrity of federal customer data.
  3. Clearly define the expected incident reporting data for federal reportable incidents.
  4. Modify the expected timeframes for federal reportable incidents to account for the potential adverse impact to the government and the level of commitment the cloud service provider has made to managing agency risk, including much stricter requirements for cloud services that commit to Class D (High) certification, in line with the potential impact of an incident on such systems as used by agencies.

For members of the public that have not followed recent developments in the FedRAMP modernization process, Public Notice NTC-0004 explains FedRAMP Certification and the related classes.

Feedback Requested

In addition to general feedback, FedRAMP would like to understand how we can effectively align these requirements with the existing reporting and informational fields that cloud service providers are creating during typical commercial incident response.

Effective Date(s) & Overall Applicability

The final version of this set of rules will be included in the FedRAMP Consolidated Rules for 2026 by the end of June 2026 after incorporating feedback from public comment. It will apply to both Rev5 and 20x type FedRAMP Certifications (replacing the current Incident Communications Procedures for 20x).

Documentation Guidelines

The capitalized key words “MUST”, “MUST NOT”, “REQUIRED”, “SHALL”, “SHALL NOT”, “SHOULD”, “SHOULD NOT”, “RECOMMENDED”, “MAY”, and “OPTIONAL” in this documentation are to be interpreted as described in IETF RFC 2119.

This document exists within the full context of FedRAMP documentation, including FedRAMP Definitions. It is not intended to be a standalone document and often references terminology or requirements that are explained elsewhere. Members of the public that haven’t followed recent developments in the FedRAMP modernization process may need to review other materials for context.

The following critical terms used in this document are already defined in the FedRAMP Definitions:

New Definitions

This RFC proposes modifying the official FedRAMP Definitions for Rev5 and 20x as follows:

FRD-INT Incident

Has the meaning given in 44 USC § 3552 (b)(2), which is “an occurrence that—(A) actually or imminently jeopardizes, without lawful authority, the integrity, confidentiality, or availability of information or an information system; or (B) constitutes a violation or imminent threat of violation of law, security policies, security procedures, or acceptable use policies.”

Note: The FedRAMP Definition for this term previously scoped incidents only to those affecting federal customer data; this update to terminology removes that scoping to apply the base term “incident” to any such action that affects a cloud service offering.

FRD-IIR Initial Incident Report

An initial report about an incident that is supplied by FedRAMP Certified cloud service providers to FedRAMP and agency customers, aligned to the rules in the FedRAMP Incident Communications Procedures.

FRD-OIR Ongoing Incident Report

A recurring report about an ongoing incident that is supplied by FedRAMP Certified cloud service providers to FedRAMP and agency customers, aligned to the rules in the FedRAMP Incident Communications Procedures.

FRD-FIR Final Incident Report

A final report after recovery from an incident that is supplied by FedRAMP Certified cloud service providers to FedRAMP and agency customers, aligned to the rules in the FedRAMP Incident Communications Procedures.

FRD-RSP Responsibly

In a way that shows that you have good judgment and the ability to act correctly and make decisions on your own.

Note: Refrain from broadcasting any details that might assist adversaries in their endeavors, disclosing vulnerabilities prior to full remediation, or providing overly specific technical information that could potentially facilitate further compromise. In short: use your best judgment, don’t be that guy.

FRD-AAP All Affected Parties

All federal entities whose interests are affected directly or are likely to be affected directly in the event of a vulnerability or incident related to federal customer data. This always includes FedRAMP and the directly impacted federal customer agency.

Incident Communication Procedures

The following requirements and recommendations will apply to Incident Communication Procedures.

ICP-FRP-ORV Ongoing Review

FedRAMP MUST periodically review Incident Communication Procedures with cloud service providers, prompted by a lack of reporting or other information, to ensure cloud service providers are aware of the rules and have properly implemented procedures in alignment with these rules. If a provider is found to be unaware of these rules or to have failed to implement proper procedures, FedRAMP will request a Corrective Action Plan and grant a 3 month grace period to implement proper procedures; if remediation is not complete by the end of that period, the FedRAMP Certification is subject to revocation.

Effective Date: 2027 January 1

Note: Failure to follow proper incident reporting procedures is a critical failure in a service provider’s implementation of FedRAMP Certification controls.

ICP-CSO-PAR Public Availability Reporting

Class C (Moderate) and Class D (High) providers MUST maintain a publicly accessible status service that indicates the current and historical availability of core services within their cloud service offering over at least the past 30 days, including information about any availability incidents, in both human-readable and machine-readable formats; information on how to access and use this service MUST be available to all necessary parties in the authorization data for the cloud service offering.

Class A (Pilot) and Class B (Low) providers SHOULD maintain a publicly accessible status service that indicates the current and historical availability of core services within their cloud service offering over at least the past 30 days, including information about any availability incidents, in both human-readable and machine-readable formats; where such a service is maintained, information on how to access and use it MUST be available to all necessary parties in the authorization data for the cloud service offering.

Notes:

  • This requirement allows considerable flexibility in maintaining this service to encourage providers to optimize for their federal agency customer experience, including flexibility in interval and presentation.
  • Providers are strongly encouraged to create an availability reporting process that allows customers to subscribe to notifications in addition to having a public status service.

ICP-CSO-EFR Evaluate Federal Reportability

Providers MUST promptly evaluate incidents to determine if they affect confidentiality or integrity of federal customer data OR are likely to affect confidentiality or integrity of federal customer data; if true, the incident is a federal reportable incident.

ICP-CSO-EFI Estimate Federal Impact

Providers MUST evaluate federal reportable incidents to estimate adverse impact of the incident on government customers AND assign one of the following potential adverse impact ratings:

  • N1: The incident is expected to have a negligible adverse effect on one or more agencies that use the cloud service offering.

  • N2: The incident is expected to have a limited adverse effect on one or more agencies that use the cloud service offering.

  • N3: The incident is expected to have a serious adverse effect on one agency that uses the cloud service offering.

  • N4: The incident is expected to have a catastrophic adverse effect on one agency that uses the cloud service offering OR a serious adverse effect on more than one federal agency that uses the cloud service offering.

  • N5: The incident is expected to have a catastrophic adverse effect on more than one agency that uses the cloud service offering.

Note: FedRAMP has specific definitions for cloud service providers to follow to determine adverse effects based on the impact to the cloud service provider, rather than the typical NIST definitions that require estimating the impact to government organizations.

ICP-CSO-AAP All Affected Parties

Providers MUST responsibly notify all affected parties after identifying federal reportable incidents by proactively sending an email, push notification, or submitting a form as specified in FedRAMP rules or as specified in agreements with specific agency customers; default requirements unless otherwise agreed to in writing are as follows:

  1. Notify FedRAMP via email to fedramp_security@gsa.gov or fedramp_security@fedramp.gov
  2. Follow specified instructions and contact arrangements provided by the security contact of each agency customer.
  3. Upload notification information to the cloud service offering’s secure portal (typically USDA Connect) or FedRAMP-compatible Trust Center.

ICP-CSO-CSA Notify Cybersecurity and Infrastructure Security Agency

Providers MUST responsibly notify the Cybersecurity and Infrastructure Security Agency (CISA) if an incident affects confidentiality or integrity of federal customer data, following CISA’s Submitting Incident Notifications instructions on CISA’s Federal Incident Notification Guidelines web page.

ICP-CSO-IIR Initial Incident Report

Providers MUST responsibly notify all affected parties after identifying federal reportable incidents, including the available information for at least the following items in the Initial Incident Report:

  1. Contact information for the federal incident response coordinator
  2. Provider’s internally assigned tracking identifier
  3. Description of the incident
  4. Timeline of the incident, including start time, time and source of detection, time of completed federal reportable incident evaluation, and other major incident milestones determined by the provider
  5. Historically and currently estimated potential adverse impact of the incident, including an explanation of the evaluation following the requirements in ICP-CSO-EFI
  6. Functional impact to federal agency customers (include impact to confidentiality and/or integrity and the impacted federal customer data types)
  7. Estimated recovery plan, milestones, and timelines

Note: Provide as many of the information components listed above as possible in the Initial Incident Report within the required ICP-CSO-IRT Incident Report Timeframes, but prioritize prompt notification with potentially incomplete information over delayed reporting with complete information. Additional information can be included in subsequent Ongoing Incident Reports.

ICP-CSO-OIR Ongoing Incident Reports

Providers MUST responsibly notify all affected parties of ongoing activity as new information becomes available during incident response for federal reportable incidents, including updates (or confirmation that there are no updates) to all previously reported information and the following additional information if available:

  1. Attack Vector identified from CISA’s Attack Vectors Taxonomy
  2. Observed incident activity
  3. Indicators of compromise
  4. CERT identifier
  5. Related CVE (if applicable)
  6. Root cause
  7. Response and recovery activities

ICP-CSO-FIR Final Incident Report

Providers MUST responsibly notify all affected parties once the incident has been resolved and recovery is complete, including final updates to all previously reported information.

ICP-CSO-IRT Incident Report Timeframes

Providers MUST notify all affected parties, based on the potential adverse impact rating (N1 through N5, assigned under ICP-CSO-EFI) and the certification class, within the following timeframes:

Class D (High)

Potential Adverse Impact | Initial Incident Report            | Ongoing Incident Reports | Final Incident Report
N5                       | Within 15 min of evaluation        | Every 3 hours            | Within 3 hours of recovery
N4                       | Within 30 min of evaluation        | Every 6 hours            | Within 6 hours of recovery
N3                       | Within 1 hr of evaluation          | Every 6 hours            | Within 6 hours of recovery
N2                       | Within 1 hr of evaluation          | Every 6 hours            | Within 6 hours of recovery
N1                       | Within 1 hr of evaluation          | Every 24 hours           | Within 24 hours of recovery

Class C (Moderate)

Potential Adverse Impact | Initial Incident Report            | Ongoing Incident Reports | Final Incident Report
N5                       | Within 1 hr of evaluation          | Every 6 hours            | Within 6 hours of recovery
N4                       | Within 1 hr of evaluation          | Every 6 hours            | Within 6 hours of recovery
N3                       | Within 6 hrs of evaluation         | Every 24 hours           | Within 1 business day of recovery
N2                       | Within 24 hrs of evaluation        | Every 24 hours           | Within 1 business day of recovery
N1                       | Within 1 business day of evaluation| Every business day       | Within 1 business day of recovery

Class B (Low), Class A (Pilot)

Potential Adverse Impact | Initial Incident Report            | Ongoing Incident Reports | Final Incident Report
N5                       | Within 6 hrs of evaluation         | Every business day       | Within 3 business days of recovery
N4                       | Within 6 hrs of evaluation         | Every business day       | Within 3 business days of recovery
N3                       | Within 12 hrs of evaluation        | Every business day       | Within 3 business days of recovery
N2                       | Within 1 business day of evaluation| Every business day       | Within 3 business days of recovery
N1                       | Within 1 business day of evaluation| Every business day       | Within 3 business days of recovery

Note: Speed is a security factor. Where possible, provide Ongoing Incident Reports as soon as updates are available.

Collaborative Continuous Monitoring

The following updates will be made to the Collaborative Continuous Monitoring rules to align with the updated Incident Communications Procedures.

CCM-OAR-AVL Report Availability

The following required high-level summary items will be added to Ongoing Authorization Reports:

  1. Federal reportable incidents or an attestation that no such incidents occurred
  2. Lessons learned and changes planned or made as a result of federal reportable incidents

Vulnerability Detection and Response

The Vulnerability Detection and Response rules will be updated to change references from “security incidents” to “federal reportable incidents” to ensure consistency and alignment to the updated Incident Communications Procedures.