The Federal Risk and Authorization Management Program (FedRAMP), a cybersecurity assessment and authorization program for cloud service providers (CSPs) used by federal agencies, has proposed a significant overhaul of its incident reporting requirements through a new Request for Comment, RFC-0031, "Updated Incident Communications Procedures." FedRAMP describes its proposal as a shift toward a clearer, more modern rules-based reporting framework. In FedRAMP's view, CSPs have often underreported incidents because the preexisting rules are too broad, unclear, and inconsistently followed.

By the end of June 2026, the FedRAMP Board plans to include the final version of the incident reporting rules in the FedRAMP Consolidated Rules for 2026, which will apply to both Rev5 and 20x type FedRAMP Certifications.

Key Changes and Takeaways

Narrowed Incident Definition

FedRAMP currently requires CSPs to report all incidents, which include any suspected or confirmed event that results in the actual or potential loss of confidentiality, integrity, or availability of the cloud service, including the impact to federal customer data that it stores, processes, or transmits. Under the new proposal, CSPs would be required to report incidents "if they affect confidentiality or integrity of federal customer data or are likely to affect confidentiality or integrity of federal customer data." The new definition removes the concept of a "potential" loss, which has been difficult for CSPs to operationalize.

Availability Incident Portal

Availability incident reporting (i.e., a security event that disrupts a customer's ability to access systems, data, or services in a timely and reliable way) would move to a "publicly accessible status service" indicating current and historical availability of the cloud service offering. Historical availability must go back at least 30 days. The requirement varies based on the authorization level of the cloud service (i.e., the "Certification Class"). It is mandatory for Class C (equivalent to FedRAMP Moderate) and Class D (equivalent to FedRAMP High) providers and recommended for Class A (equivalent to Pilot) and Class B (equivalent to FedRAMP Low) providers. CSPs are also encouraged—but not required—to allow customers to subscribe to availability notifications.

Reporting Timeframe and Severity Rating

Under the new proposal, the uniform one-hour incident reporting deadline would be removed in favor of a tiered approach based on the Certification Class of the service and a newly introduced severity rating that ranges from N1 (the incident is expected to have a negligible adverse effect) to N5 (the incident is expected to have a catastrophic adverse effect). At the most extreme end of the ratings range, CSPs would need to report a federal reportable incident within 15 minutes (an N5 event in a Class D system). At a minimum, all federal reportable incidents would need an initial incident report within one business day (i.e., an N1 event in a Class A system).

Ongoing and Final Incident Reports

The proposal also introduces requirements to provide ongoing reports and a final report after recovery. FedRAMP currently has no such requirements; CSPs are only required to make an initial incident report. Depending on the severity rating and Certification Class, the ongoing report cadence ranges from every three hours to every business day, and final reports are due between three hours and three business days after recovery. Ongoing reports are expected to layer in additional information as it becomes available, including attack vector, indicators of compromise, related CVEs, root cause, and response and recovery activities.

Parallel CISA Notification

The proposal also requires CSPs to notify the Cybersecurity and Infrastructure Security Agency (CISA) for any incident affecting confidentiality or integrity of federal customer data, following CISA's Federal Incident Notification Guidelines.

Enforcement

FedRAMP will periodically review CSP incident communication procedures, prompted by a lack of reporting or by other information. Providers found to be unaware of the rules or to have deficient procedures will be issued a Corrective Action Plan and granted a three-month grace period to implement proper procedures, with possible revocation of FedRAMP Certification if the deficiencies are not remediated. This ongoing review provision is set to take effect January 1, 2027.

Practical Considerations for FedRAMP-Authorized Organizations

CSPs should review FedRAMP's proposal against their current incident response plan to identify gaps and weaknesses and potentially run a tabletop exercise against the new proposal, paying particular attention to whether existing workflows can meet the compressed timelines for high-severity incidents.

FedRAMP has specifically requested input on how to align these requirements with existing reporting and informational fields CSPs already create during typical commercial incident response. CSPs, especially Class D (FedRAMP High) providers facing the most aggressive notification timelines, should consider submitting comments before the May 12, 2026, deadline to shape the final rule. Comments may be submitted via the FedRAMP GitHub discussion or by email (pete@fedramp.gov).

+++

Michael Borgia is a partner in the Washington, D.C. office, and Andrew Lewis is counsel in the San Francisco office of DWT. For questions or more insights, please reach out to the authors or another member of our technology + privacy & security team and sign up for our alerts.