FedRAMP Seeks Comment on Updated Incident Communications Procedures

The Federal Risk and Authorization Management Program has issued a request for comments to update its incident communications procedures as part of efforts to clarify reporting requirements for cloud service providers, or CSPs.

FedRAMP said Wednesday the comment period will run through May 12. Stakeholders can submit feedback through a GitHub RFC thread or via email to FedRAMP.

What Are the Proposed Changes to FedRAMP Incident Communications Procedures?

The RFC outlines several updates intended to establish a rules-based framework for incident reporting. FedRAMP proposes shifting reporting of availability-related incidents to publicly accessible status pages or similar notification mechanisms, rather than requiring federal-specific reporting.

The updated approach would focus federal reporting requirements on incidents that are likely or confirmed to affect the confidentiality or integrity of federal customer data.

The proposal seeks to clearly define the expected reporting data elements for federal reportable incidents and introduces revised reporting timeframes based on the severity of the incident and the provider’s certification level.

What Are the Updated & New FedRAMP Definitions?

RFC-0031 proposes updates to several FedRAMP definitions for Rev5 and 20x, including the definition of “incident.” FedRAMP previously limited the definition of an “incident” to events involving federal customer data. The updated definition broadens the term to cover any event that impacts a cloud service offering, regardless of whether federal data is involved.

New definitions include initial, ongoing and final incident reports.

What Does the ICP-FRP-ORV Ongoing Review Entail?

The request for comment introduces ICP-FRP-ORV, an ongoing review requirement under which FedRAMP will periodically assess whether CSPs are following incident communication procedures.

FedRAMP will initiate reviews based on factors such as lack of reporting or other indicators. If a provider is found to be unaware of the requirements or has not implemented appropriate procedures, FedRAMP will request a corrective action plan.

Providers will have a three-month grace period to address deficiencies. Failure to implement proper procedures may result in remediation actions and potential revocation of FedRAMP certification.

The ongoing review requirement is scheduled to take effect Jan. 1, 2027.

In 2021, FedRAMP issued an update to its Incident Communications Procedures document, detailing the roles and responsibilities of each stakeholder in the cyber incident communication process and the appropriate timeframes for reporting information regarding security incidents.