FR
AFCassurancestable

Addressing FedRAMP Communication

The Addressing FedRAMP Communication rules (formerly FedRAMP Security Inbox) ensure FedRAMP can reliably contact the security and compliance staff responsible for every FedRAMP-authorized cloud service offering. These rules also set expectations for urgent communications, response time testing, and routing important messages separately from general support or customer service channels.

Effective dates

Obtain by
2026-01-05
Maintain by
2026-01-05
Grace period
2026-07-01
FedRAMP ResponsibilitiesGeneral Provider Responsibilities

FedRAMP ResponsibilitiesFRP

8 rules

These rules apply to FedRAMP when communicating with cloud service providers.

Types20xRev5
PathsProgramAgency
ClassesBCD
AffectsFedRAMP
AFC-FRP-CDS

Criticality Designators

MUST

FedRAMP MUST convey the criticality of the message in the subject line, IF the message requires an elevated reaction, using one of the following designators:

  • Emergency: There is a potential incident or crisis such that FedRAMP requires an extremely urgent reaction; emergency messages will contain aggressive timeframes for reaction and failure to meet these timeframes will result in corrective action.
  • Emergency Test: FedRAMP requires an extremely urgent reaction to confirm the functionality and effectiveness of the FedRAMP Security Inbox; emergency test messages will contain aggressive timeframes for reaction and failure to meet these timeframes will result in corrective action.
  • Important: There is an important issue that FedRAMP requires the cloud service provider to address; important messages will contain reasonable timeframes for reaction and failure to meet these timeframes may result in corrective action.
Messages sent by FedRAMP without one of these designators are considered general communications and do not require an elevated reaction; these may be resolved in the normal course of business by the cloud service provider.
TermsFedRAMP Security InboxIncidentProvider
AFC-FRP-COR

Explain Corrective Actions

MUST

FedRAMP MUST clearly specify the corrective actions that will result from failure to complete the required actions in the body of messages that require an elevated reaction; such actions may vary from negative ratings in the FedRAMP Marketplace to suspension of FedRAMP Certification depending on the severity of the event.

AFC-FRP-ERT

Elevated Reaction Timeframes

MUST

FedRAMP MUST clearly specify the expected timeframe for completing required actions in the body of messages that require an elevated reaction; timeframes for actions will vary depending on the situation but the default timeframes to provide an estimated resolution time for Emergency and Emergency Test designated messages will be as follows:

  • Class D: within 12 hours
  • Class C: by 3:00 p.m. Eastern Time on the 2nd business day
  • Class B: by 3:00 p.m. Eastern Time on the 3rd business day
  • Class A: by 3:00 p.m. Eastern Time on the 5th business day
FedRAMP Class D Certified cloud service providers are expected to address Emergency messages (including tests) from FedRAMP with a reaction time appropriate to operating a service where failure to react rapidly might have a severe or debilitating customer effect on the U.S. Government; some Emergency messages may require faster reaction and all such messages should be addressed as quickly as possible.
TermsDebilitating Customer EffectFedRAMP CertifiedProvider
AFC-FRP-PNT

Public Notice of Emergency Tests

MUSTEvery 10 bizdays

FedRAMP MUST post a public notice at least 10 business days in advance of sending an Emergency Test message; such notices MUST include explanation of the likely expected actions and timeframes for the Emergency Test message.

  • Public notice may include blog posts, social media posts, announcements during Community Updates, or e-blasts.
  • As this process matures, additional confirmed options may become available.

References

FedRAMP Public Notices
TermsLikely
AFC-FRP-RPM

Reaction Metrics

MAY

FedRAMP MAY track and publicly share the time required by cloud service providers to take the actions specified in messages that require an elevated reaction.

TermsProvider
AFC-FRP-RQA

Required Actions

MUST

FedRAMP MUST clearly specify the required actions in the body of messages that require an elevated reaction.

AFC-FRP-UFS

Use FedRAMP_Security Email in Emergencies

MUST

FedRAMP MUST send Emergency and Emergency Test designated messages from fedramp_security@gsa.gov OR fedramp_security@fedramp.gov.

AFC-FRP-VRE

Verified Emails

MUST

FedRAMP MUST send messages to cloud service providers using an official @fedramp.gov or @gsa.gov email address with properly configured Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication Reporting and Conformance (DMARC) email authentication.

Anyone at GSA can send email from @fedramp.gov or @gsa.gov - FedRAMP team members will typically have "FedRAMP" or "F20B" in their name but this is not universal or enforceable. The nature of government enterprise IT services makes it difficult for FedRAMP to isolate FedRAMP-specific team members with enforceable identifiers.
TermsProvider

General Provider ResponsibilitiesCSO

8 rules

These rules apply to providers with any type of FedRAMP Certification.

Types20xRev5
PathsProgramAgency
ClassesBCD
AffectsProviders
AFC-CSO-CRA

Complete Required Actions

MUST

Providers MUST complete the required actions in Emergency or Emergency Test designated messages sent by FedRAMP within the timeframe included in the message.

Timeframes may vary by FedRAMP Certification class.
TermsCertification ClassProvider
AFC-CSO-EMR

Emergency Message Routing

MUST

Providers MUST route Emergency designated messages sent by FedRAMP to a senior security official for their awareness.

Senior security officials are determined by the provider.

Required Artifacts

  • Configuration settings for FSI mailbox
  • Automated validation to check FSI mailbox configuration
TermsProvider
AFC-CSO-IMA

Important Message Actions

SHOULD

Providers SHOULD complete the required actions in Important designated messages sent by FedRAMP within the timeframe specified in the message.

Timeframes may vary by FedRAMP Certification class.
TermsCertification ClassProvider
AFC-CSO-INB

Maintain a FedRAMP Security Inbox

MUST

Providers MUST establish and maintain an email address to receive messages from FedRAMP; this inbox is a FedRAMP Security Inbox (FSI).

Be careful using a personal email tied to an individual for this inbox due to the significant risk to future communications after a change in personnel!
  • Unless otherwise notified, FedRAMP will use the listed Security Email on the Marketplace for these notifications.
  • If a provider establishes a new inbox in reaction to this guidance that is different from the Security Email then they must follow the AFC-CSO-NOC (Notification of Changes) rules to notify FedRAMP.

Required Artifacts

  • Email address to receive messages from FedRAMP
RelatedAFC-CSO-NOC
TermsFedRAMP Security InboxProvider
AFC-CSO-RCV

Receive Email Without Disruption

MUST

Providers MUST receive and react to email messages from FedRAMP without disruption and without requiring additional actions from FedRAMP.

This requirement is intended to prevent cloud service providers from requiring FedRAMP to complete a CAPTCHA, log into a customer portal, or otherwise take service-specific actions that might prevent the security team from receiving the message.
TermsProvider
AFC-CSO-TFG

Trust @fedramp.gov and @gsa.gov

MUST

Providers MUST treat any email originating from an @fedramp.gov or @gsa.gov email address as if it was sent from FedRAMP by default; if such a message is confirmed to originate from someone other than FedRAMP then the FedRAMP Security Inbox rules no longer apply.

Required Artifacts

  • Configuration settings for FSI mailbox
  • Automated validation to check FSI mailbox configuration
TermsFedRAMP Security InboxProvider