FR IEC
assurance, stable

Incident Evaluation and Communication

The Incident Evaluation and Communication rules explain how providers must communicate incident information to FedRAMP and government customers when they are affected by an incident or likely to be affected by an incident.

FedRAMP Responsibilities (FRP)

1 rule

These rules apply to FedRAMP.

Types: 20x, Rev5
Paths: Program, Agency
Classes: B, C, D
Affects: FedRAMP

IEC-FRP-ORV

Ongoing Review

MUST

FedRAMP MUST periodically review a provider's implementation of the FedRAMP Incident Evaluation and Response rules when a lack of reporting or other information suggests that the rules are not being followed.

Corrective Actions

  • FedRAMP will request a Corrective Action Plan when a provider is unaware of the rules or has failed to implement proper procedures.
  • FedRAMP will grant a 3-month grace period to implement proper procedures; failure to remediate within that period may result in revocation of the provider's FedRAMP Certification.

General Provider Responsibilities (CSO)

7 rules

These rules apply to providers with FedRAMP Certifications of any type.

Types: 20x, Rev5
Paths: Program, Agency
Classes: B, C, D
Affects: Providers

IEC-CSO-EFI

Estimate Federal Impact

SHOULD

Providers SHOULD promptly estimate the likely adverse impact of an incident on agency customers and assign a Potential Agency Impact N-rating (PAIN rating); this step is called Incident Rating.

  • N1: a likely minimal customer effect on 1 or more agencies.
  • N2: a likely narrow customer effect on 1 or more agencies.
  • N3: a likely disruptive customer effect on 1 agency.
  • N4: a likely debilitating customer effect on 1 agency, or a likely disruptive customer effect on more than 1 agency.
  • N5: a likely debilitating customer effect on more than 1 agency.

If this step is not completed, the incident MUST be assigned the default rating of PAIN-5, as required by IEC-CSO-DPR (Default PAIN Rating).

Required Artifacts

  • An incident log showing an example of one or more incidents being evaluated including the reason for the determination. The log can be from real incidents, simulated incidents, or a combination of sources.
IEC-CSO-EFR

Evaluate FedRAMP Reportability

MUST

Providers MUST promptly evaluate incidents to determine whether they affect, or are likely to affect, the confidentiality or integrity of federal customer data. Such incidents are FedRAMP Reportable Incidents and must be reported following the FedRAMP Incident Evaluation and Response rules.

Required Artifacts

  • An incident log showing an example of one or more incidents being evaluated including the reason for the determination. The log can be from real incidents, simulated incidents, or a combination of sources.
IEC-CSO-FIR

Final Incident Report

Class | Requirement

A | MUST
Providers with Class A Certifications MUST responsibly notify all affected parties by providing a Final Incident Report once the incident has been resolved and recovery is complete, including final updates to all previously reported information.

B | MUST
Providers with Class B Certifications MUST responsibly notify all affected parties by providing a Final Incident Report once the incident has been resolved and recovery is complete, including final updates to all previously reported information.

C | MUST
Providers with Class C Certifications MUST responsibly notify all affected parties by providing a Final Incident Report once the incident has been resolved and recovery is complete, including final updates to all previously reported information.

D | MUST
Providers with Class D Certifications MUST responsibly notify all affected parties by providing a Final Incident Report once the incident has been resolved and recovery is complete, including final updates to all previously reported information.

IEC-CSO-IIR

Initial Incident Report

Class | Requirement

A | SHOULD
Providers with Class A Certifications SHOULD responsibly notify all affected parties after identifying FedRAMP Reportable Incidents by providing an Initial Incident Report with as much of the following information as is available at the time of reporting, and/or the current relevant status for each item:

B | MUST
Providers with Class B Certifications MUST responsibly notify all affected parties after identifying FedRAMP Reportable Incidents by providing an Initial Incident Report with as much of the following information as is available at the time of reporting, and/or the current relevant status for each item:

C | MUST
Providers with Class C Certifications MUST responsibly notify all affected parties after identifying FedRAMP Reportable Incidents by providing an Initial Incident Report with as much of the following information as is available at the time of reporting, and/or the current relevant status for each item:

D | MUST
Providers with Class D Certifications MUST responsibly notify all affected parties after identifying FedRAMP Reportable Incidents by providing an Initial Incident Report with as much of the following information as is available at the time of reporting, and/or the current relevant status for each item:

IEC-CSO-OIR

Ongoing Incident Reports

Class | Requirement

A | SHOULD
Providers with Class A Certifications SHOULD responsibly notify all affected parties of ongoing activity as new information becomes available during incident response for FedRAMP Reportable Incidents, including updates (or lack of updates) to all previously reported information and as much of the following additional information as is available, and/or the current relevant status for each item:

B | MUST
Providers with Class B Certifications MUST responsibly notify all affected parties of ongoing activity as new information becomes available during incident response for FedRAMP Reportable Incidents, including updates (or lack of updates) to all previously reported information and as much of the following additional information as is available, and/or the current relevant status for each item:

C | MUST
Providers with Class C Certifications MUST responsibly notify all affected parties of ongoing activity as new information becomes available during incident response for FedRAMP Reportable Incidents, including updates (or lack of updates) to all previously reported information and as much of the following additional information as is available, and/or the current relevant status for each item:

D | MUST
Providers with Class D Certifications MUST responsibly notify all affected parties of ongoing activity as new information becomes available during incident response for FedRAMP Reportable Incidents, including updates (or lack of updates) to all previously reported information and as much of the following additional information as is available, and/or the current relevant status for each item: