The Federal Risk and Authorization Management Program has issued a request for comments to update its incident communications procedures as part of efforts to clarify reporting requirements for cloud service providers, or CSPs.
As FedRAMP seeks public input on updated incident reporting rules, government and industry leaders will continue the conversation on cybersecurity priorities at the 2026 Cyber Summit on May 21. Sign up now for the May 21 event and join experts as they discuss zero trust, post-quantum cryptography, AI in cyber defense and other trends shaping the cyber landscape.
FedRAMP said Wednesday the comment period will run through May 12. Stakeholders can submit feedback through a GitHub RFC thread or via email to FedRAMP.
What Are the Proposed Changes to FedRAMP Incident Communications Procedures?
The RFC outlines several updates intended to establish a rules-based framework for incident reporting. FedRAMP proposes shifting reporting of availability-related incidents to publicly accessible status pages or similar notification mechanisms, rather than requiring federal-specific reporting.
The updated approach would focus federal reporting requirements on incidents that are likely or confirmed to affect the confidentiality or integrity of federal customer data.
The proposal seeks to clearly define the expected reporting data elements for federal reportable incidents and introduces revised reporting timeframes based on the severity of the incident and the provider’s certification level.
What Are the Updated & New FedRAMP Definitions?
RFC-0031 proposes updates to several FedRAMP definitions for Rev5 and 20x, including the definition of “incident.” FedRAMP previously limited the definition of an “incident” to events involving federal customer data. The updated definition broadens the term to cover any event that impacts a cloud service offering, regardless of whether federal data is involved.
New definitions include initial, ongoing and final incident reports.
What Does the ICP-FRP-ORV Ongoing Review Entail?
The request for comment introduces ICP-FRP-ORV, an ongoing review requirement under which FedRAMP will periodically assess whether CSPs are following incident communication procedures.
FedRAMP will initiate reviews based on factors such as lack of reporting or other indicators. If a provider is found to be unaware of the requirements or has not implemented appropriate procedures, FedRAMP will request a corrective action plan.
Providers will have a three-month grace period to address deficiencies. Failure to implement proper procedures may result in remediation actions and potential revocation of FedRAMP certification.
The ongoing review requirement is scheduled to take effect Jan. 1, 2027.
In 2021, FedRAMP issued an update to its Incident Communications Procedures document, detailing the roles and responsibilities of each stakeholder in the cyber incident communication process and the appropriate timeframes for reporting information regarding security incidents.
