
Incident Evaluation and Communication

The Incident Evaluation and Communication rules explain how providers must communicate incident information to FedRAMP and government customers when they are affected by an incident or likely to be affected by an incident.

Subsets

Effective Date(s) & Overall Applicability for 20x

  • Required (Consolidated Rules for 2026)
  • Optional Adoption: 2026-07-04
  • Obtain: 2026-07-04
  • Maintain: 2027-01-01
  • Grace Ends: On the first FedRAMP independent assessment completed after 2027-01-01

Effective Date(s) & Overall Applicability for Rev5

  • Required (Consolidated Rules for 2026)
  • Optional Adoption: 2026-07-04
  • Obtain: 2027-01-01
  • Maintain: 2027-01-01
  • Grace Ends: 2027-06-01
  • Sign-up Form: ADDME

Activity Workflow: Incident Evaluation and Communication

This workflow illustrates the process for evaluating incidents and persistently notifying all affected parties during the incident if it is a FedRAMP Reportable Incident.

flowchart TD
  node_an_incident_is_identified(["An incident is identified."])
  node_iec_cso_efr{"IEC-CSO-EFR<br/>Evaluate FedRAMP Reportability"}
  node_incident_communication_procedures_are_complete(["Incident Communication Procedures are complete."])
  node_iec_cso_efi{"IEC-CSO-EFI<br/>Estimate Federal Impact"}
  node_iec_cso_dpr("IEC-CSO-DPR<br/>Default PAIN Rating")
  node_iec_cso_iir("IEC-CSO-IIR<br/>Initial Incident Report")
  node_iec_cso_oir("IEC-CSO-OIR<br/>Ongoing Incident Reports")
  node_iec_cso_fir("IEC-CSO-FIR<br/>Final Incident Report")
  node_an_incident_is_identified --> node_iec_cso_efr
  node_iec_cso_efr -->|"No"| node_incident_communication_procedures_are_complete
  node_iec_cso_efr -->|"Yes, and the PAIN will be estimated."| node_iec_cso_efi
  node_iec_cso_efr -->|"Yes, but the PAIN will not be estimated."| node_iec_cso_dpr
  node_iec_cso_dpr -->|"Reporting clock starts, using default PAIN-5 timeframes for reporting."| node_iec_cso_iir
  node_iec_cso_efi -->|"Reporting clock starts, using estimated PAIN timeframes for reporting."| node_iec_cso_iir
  node_iec_cso_iir -->|"Ongoing persistent reporting until incident is resolved."| node_iec_cso_oir
  node_iec_cso_oir -->|"Incident is resolved."| node_iec_cso_fir
  node_iec_cso_fir --> node_incident_communication_procedures_are_complete
  click node_iec_cso_efr href "#evaluate-fedramp-reportability" "Jump to IEC-CSO-EFR"
  click node_iec_cso_dpr href "#default-pain-rating" "Jump to IEC-CSO-DPR"
  click node_iec_cso_iir href "#initial-incident-report" "Jump to IEC-CSO-IIR"
  click node_iec_cso_oir href "#ongoing-incident-reports" "Jump to IEC-CSO-OIR"
  click node_iec_cso_fir href "#final-incident-report" "Jump to IEC-CSO-FIR"
  click node_iec_cso_efi href "#estimate-federal-impact" "Jump to IEC-CSO-EFI"

FedRAMP Responsibilities

These rules apply to FedRAMP.

Ongoing Review

IEC-FRP-ORV

Changelog:

  • 2026-06-30: Initial reset for the Consolidated Rules for 2026 Public Preview.

FedRAMP MUST periodically review Incident Communications Procedures implementation with providers based on lack of reporting or other information.

Corrective Actions

  • FedRAMP will request a Corrective Action Plan when a provider is unaware of the rules or has failed to implement proper procedures.
  • FedRAMP will grant a 3-month grace period to implement proper procedures pending remediation and possible revocation of FedRAMP Certification.

Terms: Incident

General Provider Responsibilities

These rules apply to providers with FedRAMP Certifications of any type.

Evaluate FedRAMP Reportability

IEC-CSO-EFR

Changelog:

  • 2026-06-30: Initial reset for the Consolidated Rules for 2026 Public Preview.

Providers MUST promptly evaluate incidents to determine whether they affect, or are likely to affect, the confidentiality or integrity of federal customer data; such incidents are FedRAMP Reportable Incidents and must be reported following the FedRAMP Incident Communications Procedures.


Terms: FedRAMP Reportable Incident, Federal Customer Data, Incident, Likely, Promptly

Default PAIN Rating

IEC-CSO-DPR

Changelog:

  • 2026-06-30: Initial reset for the Consolidated Rules for 2026 Public Preview.

Providers MUST treat FedRAMP Reportable Incidents as if they have a Potential Agency Impact N-rating (PAIN) of 5 UNLESS they promptly estimate the PAIN rating following the rule in IEC-CSO-EFI (Estimate Federal Impact).


Terms: FedRAMP Reportable Incident, Incident, Potential Agency Impact, Promptly

Initial Incident Report

IEC-CSO-IIR

Changelog:

  • 2026-06-30: Initial reset for the Consolidated Rules for 2026 Public Preview.

This FRR includes a notification requirement!

  • Notify FedRAMP by email using fedramp_security@fedramp.gov.
  • Notify Agency Customers by update using incident contact procedures documented in contract agreement.
  • Notify All Necessary Parties by update using trust center.

Providers with Class A Certifications SHOULD responsibly notify all affected parties after identifying FedRAMP Reportable Incidents by providing an Initial Incident Report with as much of the following information as is available at the time of reporting and/or the current relevant status for each item:

  1. Contact information for the federal incident response coordinator
  2. Provider's internally assigned tracking identifier
  3. Description of the incident
  4. Timeline of the incident, including start time, time and source of detection, time of completed FedRAMP Reportable Incident evaluation, and other major incident milestones determined by the provider
  5. Historically and currently estimated Potential Agency Impact N-rating (PAIN) of the incident, including an explanation of the evaluation following the requirements in IEC-CSO-EFI (Estimate Federal Impact) (if applicable)
  6. Functional impact to federal agency customers (include impact to confidentiality and/or integrity and the impacted federal customer data types)
  7. Estimated recovery plan, milestones, and timelines
  8. List of likely affected customer agencies

Potential Agency Impact N-rating (PAIN) Timeframes:

PAIN Rating   Initial Incident Report
PAIN-5        6 hours
PAIN-4        6 hours
PAIN-3        6 hours
PAIN-2        1 business day
PAIN-1        1 business day

Providers with Class B Certifications MUST responsibly notify all affected parties after identifying FedRAMP Reportable Incidents by providing an Initial Incident Report with as much of the following information as is available at the time of reporting and/or the current relevant status for each item:

  1. Contact information for the federal incident response coordinator
  2. Provider's internally assigned tracking identifier
  3. Description of the incident
  4. Timeline of the incident, including start time, time and source of detection, time of completed FedRAMP Reportable Incident evaluation, and other major incident milestones determined by the provider
  5. Historically and currently estimated Potential Agency Impact N-rating (PAIN) of the incident, including an explanation of the evaluation following the requirements in IEC-CSO-EFI (Estimate Federal Impact) (if applicable)
  6. Functional impact to federal agency customers (include impact to confidentiality and/or integrity and the impacted federal customer data types)
  7. Estimated recovery plan, milestones, and timelines
  8. List of likely affected customer agencies

Potential Agency Impact N-rating (PAIN) Timeframes:

PAIN Rating   Initial Incident Report
PAIN-5        6 hours
PAIN-4        6 hours
PAIN-3        6 hours
PAIN-2        1 business day
PAIN-1        1 business day

Providers with Class C Certifications MUST responsibly notify all affected parties after identifying FedRAMP Reportable Incidents by providing an Initial Incident Report with as much of the following information as is available at the time of reporting and/or the current relevant status for each item:

  1. Contact information for the federal incident response coordinator
  2. Provider's internally assigned tracking identifier
  3. Description of the incident
  4. Timeline of the incident, including start time, time and source of detection, time of completed FedRAMP Reportable Incident evaluation, and other major incident milestones determined by the provider
  5. Historically and currently estimated Potential Agency Impact N-rating (PAIN) of the incident, including an explanation of the evaluation following the requirements in IEC-CSO-EFI (Estimate Federal Impact) (if applicable)
  6. Functional impact to federal agency customers (include impact to confidentiality and/or integrity and the impacted federal customer data types)
  7. Estimated recovery plan, milestones, and timelines
  8. List of likely affected customer agencies

Potential Agency Impact N-rating (PAIN) Timeframes:

PAIN Rating   Initial Incident Report
PAIN-5        1 hour
PAIN-4        1 hour
PAIN-3        1 hour
PAIN-2        24 hours
PAIN-1        1 business day

Providers with Class D Certifications MUST responsibly notify all affected parties after identifying FedRAMP Reportable Incidents by providing an Initial Incident Report with as much of the following information as is available at the time of reporting and/or the current relevant status for each item:

  1. Contact information for the federal incident response coordinator
  2. Provider's internally assigned tracking identifier
  3. Description of the incident
  4. Timeline of the incident, including start time, time and source of detection, time of completed FedRAMP Reportable Incident evaluation, and other major incident milestones determined by the provider
  5. Historically and currently estimated Potential Agency Impact N-rating (PAIN) of the incident, including an explanation of the evaluation following the requirements in IEC-CSO-EFI (Estimate Federal Impact) (if applicable)
  6. Functional impact to federal agency customers (include impact to confidentiality and/or integrity and the impacted federal customer data types)
  7. Estimated recovery plan, milestones, and timelines
  8. List of likely affected customer agencies

Potential Agency Impact N-rating (PAIN) Timeframes:

PAIN Rating   Initial Incident Report
PAIN-5        0.25 hours
PAIN-4        0.25 hours
PAIN-3        0.25 hours
PAIN-2        1 hour
PAIN-1        1 hour

Terms: All Affected Parties, FedRAMP Reportable Incident, Incident, Initial Incident Report (IIR), Responsibly

Ongoing Incident Reports

IEC-CSO-OIR

Changelog:

  • 2026-06-30: Initial reset for the Consolidated Rules for 2026 Public Preview.

This FRR includes a notification requirement!

  • Notify FedRAMP by email using fedramp_security@fedramp.gov.
  • Notify Agency Customers by update using incident contact procedures documented in contract agreement.
  • Notify All Necessary Parties by update using trust center.

Providers with Class A Certifications SHOULD responsibly notify all affected parties of ongoing activity as new information becomes available during incident response for FedRAMP Reportable Incidents, including updates (or lack of updates) to all previously reported information and as much of the following additional information as is available and/or the current relevant status for each item:

  1. Observed incident activity
  2. Indicators of compromise
  3. Related Common Vulnerabilities and Exposures (CVE) identifier, if applicable
  4. Root cause
  5. Response and recovery activities

Potential Agency Impact N-rating (PAIN) Timeframes:

PAIN Rating   Ongoing Incident Report
PAIN-5        1 business day
PAIN-4        1 business day
PAIN-3        1 business day
PAIN-2        1 business day
PAIN-1        1 business day

Providers with Class B Certifications MUST responsibly notify all affected parties of ongoing activity as new information becomes available during incident response for FedRAMP Reportable Incidents, including updates (or lack of updates) to all previously reported information and as much of the following additional information as is available and/or the current relevant status for each item:

  1. Observed incident activity
  2. Indicators of compromise
  3. Related Common Vulnerabilities and Exposures (CVE) identifier, if applicable
  4. Root cause
  5. Response and recovery activities

Potential Agency Impact N-rating (PAIN) Timeframes:

PAIN Rating   Ongoing Incident Report
PAIN-5        1 business day
PAIN-4        1 business day
PAIN-3        1 business day
PAIN-2        1 business day
PAIN-1        1 business day

Providers with Class C Certifications MUST responsibly notify all affected parties of ongoing activity as new information becomes available during incident response for FedRAMP Reportable Incidents, including updates (or lack of updates) to all previously reported information and as much of the following additional information as is available and/or the current relevant status for each item:

  1. Observed incident activity
  2. Indicators of compromise
  3. Related Common Vulnerabilities and Exposures (CVE) identifier, if applicable
  4. Root cause
  5. Response and recovery activities

Potential Agency Impact N-rating (PAIN) Timeframes:

PAIN Rating   Ongoing Incident Report
PAIN-5        6 hours
PAIN-4        6 hours
PAIN-3        6 hours
PAIN-2        24 hours
PAIN-1        1 business day

Providers with Class D Certifications MUST responsibly notify all affected parties of ongoing activity as new information becomes available during incident response for FedRAMP Reportable Incidents, including updates (or lack of updates) to all previously reported information and as much of the following additional information as is available and/or the current relevant status for each item:

  1. Observed incident activity
  2. Indicators of compromise
  3. Related Common Vulnerabilities and Exposures (CVE) identifier, if applicable
  4. Root cause
  5. Response and recovery activities

Potential Agency Impact N-rating (PAIN) Timeframes:

PAIN Rating   Ongoing Incident Report
PAIN-5        3 hours
PAIN-4        3 hours
PAIN-3        3 hours
PAIN-2        6 hours
PAIN-1        24 hours

Terms: All Affected Parties, FedRAMP Reportable Incident, Incident, Responsibly, Vulnerability Response

Final Incident Report

IEC-CSO-FIR

Changelog:

  • 2026-06-30: Initial reset for the Consolidated Rules for 2026 Public Preview.

This FRR includes a notification requirement!

  • Notify FedRAMP by email using fedramp_security@fedramp.gov.
  • Notify Agency Customers by update using incident contact procedures documented in contract agreement.
  • Notify All Necessary Parties by update using trust center.

Providers with Class A Certifications MUST responsibly notify all affected parties by providing a Final Incident Report once the incident has been resolved and recovery is complete, including final updates to all previously reported information.


Potential Agency Impact N-rating (PAIN) Timeframes:

PAIN Rating   Final Incident Report
PAIN-5        3 business days
PAIN-4        3 business days
PAIN-3        3 business days
PAIN-2        3 business days
PAIN-1        3 business days

Providers with Class B Certifications MUST responsibly notify all affected parties by providing a Final Incident Report once the incident has been resolved and recovery is complete, including final updates to all previously reported information.


Potential Agency Impact N-rating (PAIN) Timeframes:

PAIN Rating   Final Incident Report
PAIN-5        3 business days
PAIN-4        3 business days
PAIN-3        3 business days
PAIN-2        3 business days
PAIN-1        3 business days

Providers with Class C Certifications MUST responsibly notify all affected parties by providing a Final Incident Report once the incident has been resolved and recovery is complete, including final updates to all previously reported information.


Potential Agency Impact N-rating (PAIN) Timeframes:

PAIN Rating   Final Incident Report
PAIN-5        6 hours
PAIN-4        6 hours
PAIN-3        6 hours
PAIN-2        1 business day
PAIN-1        1 business day

Providers with Class D Certifications MUST responsibly notify all affected parties by providing a Final Incident Report once the incident has been resolved and recovery is complete, including final updates to all previously reported information.


Potential Agency Impact N-rating (PAIN) Timeframes:

PAIN Rating   Final Incident Report
PAIN-5        3 hours
PAIN-4        3 hours
PAIN-3        3 hours
PAIN-2        6 hours
PAIN-1        24 hours

Terms: All Affected Parties, Final Incident Report (FIR), Incident, Responsibly

Estimate Federal Impact

IEC-CSO-EFI

Changelog:

  • 2026-06-30: Initial reset for the Consolidated Rules for 2026 Public Preview.

Providers SHOULD promptly estimate the likely adverse impact of an incident on agency customers to assign a Potential Agency Impact N-rating; this step is called Incident Rating.

  • N1 for a likely minimal customer effect on 1 or more agencies.
  • N2 for a likely narrow customer effect on 1 or more agencies.
  • N3 for a likely disruptive customer effect on 1 agency.
  • N4 for a likely debilitating customer effect on 1 agency or a likely disruptive customer effect on more than 1 agency.
  • N5 for a likely debilitating customer effect on more than 1 agency.

Note: All incidents must be assigned a default PAIN-5 as required by IEC-CSO-DPR (Default PAIN Rating) if this step is not completed.
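As an added example (not FedRAMP's own tooling and not code from this page), the following Python encodes the Incident Rating scale above together with the Default PAIN Rating fallback from IEC-CSO-DPR and the Class A, B, C and D timeframe tables from the Initial, Ongoing and Final Incident Report rules, and computes a report deadline from the time the reporting clock starts. The `Effect` enum, the function names, the sample incident and the business-day rule (Monday to Friday, no federal holidays) are assumptions for illustration; the page does not define them.

```python
# Added example: PAIN Incident Rating (IEC-CSO-EFI), the default PAIN-5
# fallback (IEC-CSO-DPR) and the Class A-D report timeframes from this page.
# Not FedRAMP tooling; the names, the business-day rule and the sample
# incident below are assumptions for illustration.
from datetime import datetime, timedelta
from enum import Enum
from typing import Optional, Union


class Effect(Enum):
    """Likely customer effect levels named in IEC-CSO-EFI."""
    MINIMAL = "minimal"
    NARROW = "narrow"
    DISRUPTIVE = "disruptive"
    DEBILITATING = "debilitating"


def incident_rating(effect: Effect, agencies: int) -> int:
    """Map the likely customer effect and the number of affected agencies
    to a Potential Agency Impact N-rating (1..5) per IEC-CSO-EFI."""
    if agencies < 1:
        raise ValueError("a reportable incident affects at least one agency")
    if effect is Effect.MINIMAL:
        return 1
    if effect is Effect.NARROW:
        return 2
    if effect is Effect.DISRUPTIVE:
        return 3 if agencies == 1 else 4
    return 4 if agencies == 1 else 5  # Effect.DEBILITATING


def H(n):
    """n hours."""
    return ("hours", n)


def BD(n):
    """n business days."""
    return ("business_days", n)


# Timeframe tables per report type and certification class. Each list gives
# the timeframe for PAIN-5, PAIN-4, PAIN-3, PAIN-2, PAIN-1 in that order.
TIMEFRAMES = {
    "initial": {
        "A": [H(6), H(6), H(6), BD(1), BD(1)],
        "B": [H(6), H(6), H(6), BD(1), BD(1)],
        "C": [H(1), H(1), H(1), H(24), BD(1)],
        "D": [H(0.25), H(0.25), H(0.25), H(1), H(1)],
    },
    "ongoing": {
        "A": [BD(1)] * 5,
        "B": [BD(1)] * 5,
        "C": [H(6), H(6), H(6), H(24), BD(1)],
        "D": [H(3), H(3), H(3), H(6), H(24)],
    },
    "final": {
        "A": [BD(3)] * 5,
        "B": [BD(3)] * 5,
        "C": [H(6), H(6), H(6), BD(1), BD(1)],
        "D": [H(3), H(3), H(3), H(6), H(24)],
    },
}


def _add_business_days(start: datetime, days: int) -> datetime:
    """Assumption: a business day is Monday to Friday; holidays are not modelled."""
    current, remaining = start, days
    while remaining > 0:
        current += timedelta(days=1)
        if current.weekday() < 5:
            remaining -= 1
    return current


def report_deadline(report: str, cert_class: str,
                    clock_start: Union[datetime, str],
                    pain: Optional[int] = None) -> datetime:
    """Deadline for `report` ("initial", "ongoing" or "final") for a provider
    with the given certification class. `clock_start` is when the reporting
    clock starts (datetime or ISO 8601 string). `pain=None` means the rating
    was not estimated, so the IEC-CSO-DPR default of PAIN-5 applies."""
    if isinstance(clock_start, str):
        clock_start = datetime.fromisoformat(clock_start)
    if pain is None:
        pain = 5
    if pain not in range(1, 6):
        raise ValueError(f"PAIN rating must be 1..5, got {pain}")
    unit, amount = TIMEFRAMES[report][cert_class][5 - pain]  # PAIN-5 is index 0
    if unit == "hours":
        return clock_start + timedelta(hours=amount)
    return _add_business_days(clock_start, amount)


if __name__ == "__main__":
    # Constructed sample: a Class C provider rates a disruptive effect on two
    # agencies (PAIN-4); the reporting clock starts Friday 2026-07-10 16:30.
    pain = incident_rating(Effect.DISRUPTIVE, 2)
    start = "2026-07-10T16:30:00"
    for report in ("initial", "ongoing", "final"):
        print(f"{report:8s} PAIN-{pain} Class C due "
              f"{report_deadline(report, 'C', start, pain).isoformat()}")
```

Because the ongoing and final tables are keyed the same way, the same function gives every deadline in the workflow; a provider automating reports (IEC-CSO-AIR) would replace the printed schedule with whatever drives its email, contract-channel and trust-center updates.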


Terms: Debilitating Customer Effect, Disruptive Customer Effect, Incident, Likely, Minimal Customer Effect, Narrow Customer Effect, Potential Agency Impact, Promptly

Automated Incident Reporting

IEC-CSO-AIR

Changelog:

  • 2026-06-30: Initial reset for the Consolidated Rules for 2026 Public Preview.

Providers SHOULD use automation to minimize human intervention in the process of reporting FedRAMP Reportable Incidents to all affected parties.


Modern cloud services should not be reporting incidents by hand-crafting emails!


Terms: All Affected Parties, FedRAMP Reportable Incident, Incident
