{ "$schema": "https://json-schema.org/draft/2020-12/schema", "$id": "FedRAMP.schema.json", "info": { "name": "Incident Communications Procedures", "short_name": "ICP", "current_release": "25.11A", "types": ["FRR"], "releases": [ { "id": "25.11A", "published_date": "2025-11-08", "description": "Initial release of simplified 20x version of this existing FedRAMP policy.", "public_comment": false, "effective": { "20x": { "timeline": { "pilot": { "start_date": "2025-11-01", "designator": "20x" } }, "comments": ["This policy applies to all FedRAMP 20x authorizations."] }, "Rev5": { "comments": ["This version does not apply to Rev5; the full Rev5 requirements related to this policy are documented in FedRAMP's Incident Communications Procedures."] } } } ], "front_matter": { "purpose": "This set of requirements and recommendations converts the existing FedRAMP Incident Communications Procedures (https://www.fedramp.gov/resources/documents/CSP_Incident_Communications_Procedures.pdf) to the simpler FedRAMP 20x standard style and clarifies the expectations for FedRAMP 20x.\n\nThe only notable change from the default Rev5 Incident Communications Procedures for 20x is the addition of a recommendation that incident information be made available in both human-readable and machine-readable formats." 
} }, "FRR": { "ICP": { "base": { "id": "FRR-ICP", "application": "These requirements apply ALWAYS to ALL FedRAMP Authorized cloud services based on the current Effective Date(s) and Overall Applicability of this standard.", "requirements": [ { "id": "FRR-ICP-01", "statement": "Providers MUST responsibly report _incidents_ to FedRAMP within 1 hour of identification by sending an email to fedramp_security@fedramp.gov or fedramp_security@gsa.gov.", "impact": { "low": true, "moderate": true, "high": true }, "affects": ["Providers"], "primary_key_word": "MUST", "referenced_fr": ["FRD-ALL-40"] }, { "id": "FRR-ICP-02", "statement": "Providers MUST responsibly report _incidents_ to all _agency_ customers within 1 hour of identification using the _incident_ communications points of contact provided by each _agency_ customer.", "impact": { "low": true, "moderate": true, "high": true }, "affects": ["Providers"], "primary_key_word": "MUST", "referenced_fr": ["FRD-ALL-40", "FRD-ALL-19"] }, { "id": "FRR-ICP-03", "statement": "Providers MUST responsibly report _incidents_ to CISA within 1 hour of identification if the incident is confirmed or suspected to be the result of an attack vector listed at https://www.cisa.gov/federal-incident-notification-guidelines#attack-vectors-taxonomy, following the CISA Federal Incident Notification Guidelines at https://www.cisa.gov/federal-incident-notification-guidelines, by using the CISA Incident Reporting System at https://myservices.cisa.gov/irf.",
"impact": { "low": true, "moderate": true, "high": true }, "affects": ["Providers"], "primary_key_word": "MUST", "referenced_fr": ["FRD-ALL-40"] }, { "id": "FRR-ICP-04", "statement": "Providers MUST update _all necessary parties_, including at least FedRAMP, CISA (if applicable), and all _agency_ customers, at least once per calendar day until the _incident_ is resolved and recovery is complete.", "impact": { "low": true, "moderate": true, "high": true }, "affects": ["Providers"], "primary_key_word": "MUST", "referenced_fr": ["FRD-ALL-18", "FRD-ALL-19", "FRD-ALL-40"] }, { "id": "FRR-ICP-05", "statement": "Providers MUST make _incident_ report information available in their secure FedRAMP repository (such as USDA Connect) or _trust center_.", "impact": { "low": true, "moderate": true, "high": true }, "affects": ["Providers"], "primary_key_word": "MUST", "referenced_fr": ["FRD-ALL-40", "FRD-ALL-16"] }, { "id": "FRR-ICP-06", "statement": "Providers MUST NOT irresponsibly disclose specific sensitive information about _incidents_ that would _likely_ increase the impact of the _incident_, but MUST disclose sufficient information for informed risk-based decision-making to _all necessary parties_.", "impact": { "low": true, "moderate": true, "high": true }, "affects": ["Providers"], "primary_key_word": "MUST", "referenced_fr": ["FRD-ALL-40", "FRD-ALL-04", "FRD-ALL-18"] }, { "id": "FRR-ICP-07", "statement": "Providers MUST provide a final report once the _incident_ is resolved and recovery is complete that describes at least:", "impact": { "low": true, "moderate": true, "high": true }, "affects": ["Providers"], "primary_key_word": "MUST", "referenced_fr": ["FRD-ALL-40"], "following_information": ["What occurred", "Root cause", "Response", "Lessons learned", "Changes needed"] }, { "id": "FRR-ICP-08", "statement": "Providers SHOULD use automated mechanisms for reporting incidents and providing updates to all necessary parties (including CISA).", "impact": { "low": true, 
"moderate": true, "high": true }, "affects": ["Providers"], "primary_key_word": "SHOULD", "referenced_fr": ["FRD-ALL-18"] }, { "id": "FRR-ICP-09", "statement": "Providers SHOULD make _incident_ report information available in consistent human-readable and _machine-readable_ formats.", "impact": { "low": true, "moderate": true, "high": true }, "affects": ["Providers"], "primary_key_word": "SHOULD", "referenced_fr": ["FRD-ALL-40", "FRD-ALL-17"] } ] } } } }