FedRAMP Issues Updated Guidance Doc on Reporting Information Security Incidents

FedRAMP Incident Communications Procedures Document

The Federal Risk and Authorization Management Program (FedRAMP) has updated a document that details the roles and responsibilities of each stakeholder in the cyber incident communication process.

The updated FedRAMP Incident Communications Procedures document includes a response to the Cybersecurity and Infrastructure Security Agency’s (CISA) Emergency Directives and the appropriate timeframes for reporting information regarding security incidents, according to a blog post published Thursday.

Cloud service providers (CSPs) must report data security incidents to impacted customers, the U.S. Computer Emergency Readiness Team (US-CERT) and FedRAMP points of contact (POCs) within one hour of the incident being identified by the information technology department or computer security incident response team.

CSPs should maintain current contact information for FedRAMP POCs, include the required data elements when reporting to US-CERT, and collaborate with the program’s POCs when using automated mechanisms for incident reporting. The provider is responsible for managing the recovery phase of the incident response life cycle and for providing a post-incident activity report to its FedRAMP POCs.

“Additionally, CSPs are responsible for responding to emergency inquiries from FedRAMP, including those that are the result of the issuance of CISA Emergency Directives,” the document reads.

The guidance document also outlines the actions the Joint Authorization Board reviewers must take upon receipt of notification from a cloud provider.

