Incident Communications Procedures
This set of requirements and recommendations converts the existing FedRAMP Incident Communications Procedures (https://www.fedramp.gov/resources/documents/Continuous_Monitoring_Playbook.pdf) to the simpler FedRAMP 20x standard style and clarifies the expectations for FedRAMP 20x.
The only notable change from the default Rev5 Incident Communications Procedures for 20x is the addition of a recommendation that incident information be made available in both human-readable and machine-readable formats.
Effective Date(s) & Overall Applicability
- Release: 25.11A
- Published: 2025-11-18
- Designator: ICP
- Description: Initial release of simplified 20x version of this existing FedRAMP policy.
- FedRAMP 20x:
  - This release is effective 2025-11-18 for 20x.
  - This policy applies to all FedRAMP 20x authorizations.
- FedRAMP Rev5:
  - This version does not apply to Rev5; the full Rev5 requirements related to this policy are documented in FedRAMP's Incident Communications Procedures.
Background & Authority
Requirements & Recommendations
These requirements and recommendations apply ALWAYS to ALL FedRAMP Authorized cloud services based on the current Effective Date(s) and Overall Applicability of this standard.
FRR-ICP-01 Incident Reporting to FedRAMP
Providers MUST responsibly report incidents to FedRAMP within 1 hour of identification by sending an email to fedramp_security@fedramp.gov or fedramp_security@gsa.gov.
Applies to: Low, Moderate, High
FRR-ICP-02 Incident Reporting to Agencies
Providers MUST responsibly report incidents to all agency customers within 1 hour of identification using the incident communications points of contact provided by each agency customer.
Applies to: Low, Moderate, High
FRR-ICP-03 Incident Reporting to CISA
Providers MUST responsibly report incidents to CISA within 1 hour of identification if the incident is confirmed or suspected to be the result of an attack vector listed at https://www.cisa.gov/federal-incident-notification-guidelines#attack-vectors-taxonomy, following the CISA Federal Incident Notification Guidelines at https://www.cisa.gov/federal-incident-notification-guidelines, by using the CISA Incident Reporting System at https://myservices.cisa.gov/irf.
Applies to: Low, Moderate, High
FRR-ICP-04 Incident Updates
Providers MUST update all necessary parties, including at least FedRAMP, CISA (if applicable), and all agency customers, at least once per calendar day until the incident is resolved and recovery is complete.
Applies to: Low, Moderate, High
FRR-ICP-05 Incident Report Availability
Providers MUST make incident report information available in their secure FedRAMP repository (such as USDA Connect) or trust center.
Applies to: Low, Moderate, High
FRR-ICP-06 Responsible Disclosure
Providers MUST NOT irresponsibly disclose specific sensitive information about incidents that would likely increase the impact of the incident, but MUST disclose sufficient information for informed risk-based decision-making to all necessary parties.
Applies to: Low, Moderate, High
FRR-ICP-07 Final Incident Report
Providers MUST provide a final report once the incident is resolved and recovery is complete that describes at least:
- What occurred
- Root cause
- Response
- Lessons learned
- Changes needed
Applies to: Low, Moderate, High
FRR-ICP-08 Automated Reporting
Providers SHOULD use automated mechanisms for reporting incidents and providing updates to all necessary parties (including CISA).
Applies to: Low, Moderate, High
FRR-ICP-09 Human-Readable and Machine-Readable Formats
Providers SHOULD make incident report information available in consistent human-readable and machine-readable formats.
Applies to: Low, Moderate, High