The Federal Risk and Authorization Management Program (FedRAMP) has released a request for comments on a FedRAMP Security Inbox, or FSI, a proposed standard for resolving communication breakdowns with cloud service providers (CSPs) during cybersecurity emergencies.
FedRAMP Security Inbox Overview
According to RFC-0018, the FSI outlines clear obligations for CSPs to maintain an open and direct communication path for urgent security notifications from FedRAMP and federal agencies. The RFC opened for comment on Monday and will close on Oct. 29.
Background and Need for FSI
The FSI follows a recent alert tied to the Cybersecurity and Infrastructure Security Agency’s Emergency Directive 25-03, which revealed that many FedRAMP authorized cloud services have neglected to keep updated and accurate emergency contact information. Some CSPs have restricted access through customer portals requiring registration or have severed direct emergency communication channels with FedRAMP.
In addition, the draft standard defines the penalties FedRAMP will impose on providers that block critical communications and details plans for regular assessments of providers' communication capabilities.
Penalties and Compliance Assessments
Once the FSI is finalized, CSPs will be given a limited timeframe to comply and should prepare for FedRAMP-wide quarterly assessments starting in the second quarter of fiscal year 2026.
Cloud services that do not comply with these requirements during quarterly tests or other communications will be suspended from the FedRAMP Marketplace for at least 30 days and publicly listed on a corrective action plan.