U.S. flag

An official website of the United States government

Mountain background

Notice Thumbnail

Notification of Planned FY26 Q2 FedRAMP Security Inbox Test

NTC-0003 published at Wed, 18 Feb 2026 17:03:00 GMT // Markdown Version

FedRAMP recently published a mandatory balance improvement release for all cloud service providers called the FedRAMP Security Inbox. These requirements are mandatory and went into effect on January 5, 2026. The requirements in this policy are designed to ensure that FedRAMP can directly contact the security teams of FedRAMP authorized cloud services during an emergency.

This policy also requires FedRAMP to perform quarterly tests to ensure all cloud service providers are complying with these requirements. FedRAMP is required to share public notice at least 10 business days in advance of such a test to ensure that cloud service providers are not surprised. This message serves as the required public notice (NTC-0003). The public record of this notice is available at https://fedramp.gov/notices/0003.

FY26 Q2 Emergency Test

FedRAMP will trigger the FY26 Q2 Emergency Test during normal business hours (8am-5pm Eastern Time) between March 2 and March 13, 2026.

This Emergency Test email will come from fedramp_security@gsa.gov and will clearly specify the actions that cloud service providers are expected to take in reaction to receiving this message.

The actions FedRAMP will expect cloud services to take for the FY26 Q2 Emergency Test follow:

The email will contain the FedRAMP ID, a unique code for each cloud service offering, and a link to a Google Form. The unique code ensures that the form is submitted in response to the email received from FedRAMP for the correct cloud service offering.

Providers will be required to submit the following information in the Google Form for each cloud service offering:

  • The FedRAMP ID of the cloud service offering
  • The unique three-word code received in the FedRAMP Emergency Test email
  • The name, title, and email of a preferred contact for follow up from FedRAMP if needed
  • Are you aware of the FedRAMP Secure Configuration Guide rules that are mandatory for all cloud service providers as of March 1, 2026?
  • Have you met the requirements and recommendations in the FedRAMP Secure Configuration Guide rules?
  • Where can FedRAMP or federal agencies find your Secure Configuration Guide?

Response times will be tracked and reviewed by FedRAMP; individual response times may be published as a security metric.

FedRAMP Security Team

A Special Email Test

To help cloud service providers ensure they are prepared, FedRAMP will be sending an individual informational notice the FedRAMP Security Inbox email address on file with a copy of this message. If you are a cloud service provider and do not receive an informational notification by Monday, February 23, please contact info@fedramp.gov immediately to begin troubleshooting any possible problems with your FedRAMP Security Inbox.

FedRAMP.gov

official website of the GSA’s Technology Transformation Services

Looking for U.S. government information and services?
Visit USA.gov