FedRAMP Proposes Overhaul of Incident Reporting for Cloud Service Providers
Severity: Low (Score: 27.9)
Sources: Dwt, www.fedramp.gov, www.cisa.gov, github.com
Summary
FedRAMP has introduced RFC-0031, proposing significant changes to incident reporting requirements for cloud service providers (CSPs) used by federal agencies. The current procedures have been criticized for being broad and inconsistently followed, leading to underreporting of incidents. The new rules aim to clarify reporting obligations, focusing on incidents affecting the confidentiality or integrity of federal customer data.

A tiered reporting approach will replace the existing one-hour deadline, with varying timelines based on incident severity. CSPs will now need to provide ongoing reports and final reports post-recovery, a requirement previously absent. The proposal also requires CSPs to notify CISA of incidents affecting federal customer data. Feedback from the public will be incorporated into the final rules, expected by the end of June 2026.

Key Points:
• FedRAMP's RFC-0031 proposes a clear, modern framework for incident reporting.
• CSPs will face tiered reporting deadlines based on incident severity, enhancing accountability.
• New requirements include ongoing updates and final reports post-incident recovery.
Key Entities
- United States (country)
- cisa.dhs.gov (domain)
- fedramp.gov (domain)
- mail.cisa.dhs.gov (domain)