{"$schema":"https://json-schema.org/draft/2020-12/schema","$id":"https://fedramp.gov/schemas/fedramp-incident-report-schema-2026-06-24.json","$schemaVersion":"0.0.1","type":"object","title":"FedRAMP Incident Report (IEC-CSO-IIR / IEC-CSO-OIR / IEC-CSO-FIR)","description":"Unified schema for the three incident report types in the IEC-CSO lifecycle: Initial (IEC-CSO-IIR), Ongoing (IEC-CSO-OIR), and Final (IEC-CSO-FIR).","required":["certificationPackageOverviewUri","reportType","providerTrackingId"],"properties":{"certificationPackageOverviewUri":{"$ref":"https://fedramp.gov/schemas/fedramp-common-definitions-schema-2026-06-24.json/$defs/certificationPackageOverviewUri"},"reportType":{"type":"string","title":"Report Type","enum":["Initial","Ongoing","Final"],"description":"Initial = IEC-CSO-IIR; Ongoing = IEC-CSO-OIR; Final = IEC-CSO-FIR."},"providerTrackingId":{"type":"string","title":"Provider Tracking ID","description":"Provider's internally assigned identifier for this incident. Must be consistent across IIR, OIR, and FIR reports for the same incident."},"federalIncidentCoordinator":{"type":"string","title":"Federal Incident Response Coordinator","description":"Contact information for the provider's federal incident response coordinator."},"incidentDescription":{"type":"string","title":"Incident Description","description":"Description of the incident."},"timeline":{"type":"object","title":"Timeline","description":"Timeline of the incident per IEC-CSO-IIR field 4.","properties":{"startedAt":{"type":"string","format":"date-time","title":"Started At"},"detectedAt":{"type":"string","format":"date-time","title":"Detected At"},"detectionSource":{"type":"string","title":"Detection Source"},"evaluationCompletedAt":{"type":"string","format":"date-time","title":"FedRAMP Reportable Incident Evaluation Completed At"},"milestones":{"type":"array","title":"Milestones","items":{"$ref":"#/$defs/milestone"}}}},"potentialImpact":{"type":"string","title":"Potential Impact","description":"Describe the current and historical potential impact to your system.","properties":{"historicalRating":{"type":"array","title":"Historical Rating","items":{"$ref":"https://fedramp.gov/schemas/fedramp-common-definitions-schema-2026-06-24.json/$defs/nRating"}},"currentRating":{"$ref":"https://fedramp.gov/schemas/fedramp-common-definitions-schema-2026-06-24.json/$defs/nRating","title":"Current Rating"},"evaluationNotes":{"type":"string","title":"Evaluation Notes","description":"Explanation of the PAIN evaluation per IEC-CSO-EFI. Required if applicable."}}},"functionalImpact":{"type":"string","title":"Functional Impact","description":"Describe the actual or potential impact to federal agency customers."},"recoveryPlan":{"type":"string","title":"Recovery Plan","description":"Estimated recovery plan, milestones, and timelines."},"affectedAgencies":{"type":"array","title":"Likely Affected Customer Agencies","items":{"type":"string"}},"observedActivity":{"type":"string","title":"Observed Incident Activity","description":"Per IEC-CSO-OIR."},"indicatorsOfCompromise":{"type":"array","title":"Indicators of Compromise","description":"Per IEC-CSO-OIR.","items":{"type":"string"}},"relatedCveIds":{"type":"array","title":"Related CVE Identifiers","description":"Per IEC-CSO-OIR. Include if applicable.","items":{"type":"string","pattern":"^CVE-[0-9]{4}-[0-9]+$"}},"rootCause":{"type":"string","title":"Root Cause","description":"Per IEC-CSO-OIR."},"responseAndRecoveryActivities":{"type":"string","title":"Response and Recovery Activities","description":"Per IEC-CSO-OIR."},"resolvedAt":{"type":"string","format":"date-time","title":"Resolved At","description":"When the incident was resolved and recovery completed. Required for Final reports (IEC-CSO-FIR)."}},"$defs":{"milestone":{"type":"object","title":"Incident Milestone","required":["occurredAt","milestoneDescription"],"properties":{"occurredAt":{"type":"string","format":"date-time","title":"Occurred At"},"milestoneDescription":{"type":"string","title":"Description"}}}}}