
Leveling Up: What To Know About the New FedRAMP Incident Response Procedures

April 17, 2026

On April 8, 2026, the Federal Risk and Authorization Management Program (“FedRAMP”) released Request for Comment (“RFC”) 0031, Updated Incident Communications Procedures (“RFC-0031”). The document aims to clarify and standardize incident reporting expectations so that they are more consistent and practical. Comments may be submitted through May 12, 2026. This RFC is part of FedRAMP’s broader modernization effort as it transitions to FedRAMP 20x, as discussed in our prior blog post.

New Definition for Incident & Estimated Impact Ratings

The new proposed incident response procedures focus incident reporting on ‘likely’ or ‘confirmed’ incidents that threaten the confidentiality or integrity of federal customer data. In new FedRAMP terms, an incident will be defined as “an occurrence that—(A) actually or imminently jeopardizes, without lawful authority, the integrity, confidentiality, or availability of information or an information system; or (B) constitutes a violation or imminent threat of violation of law, security policies, security procedures, or acceptable use policies.” 44 U.S.C. § 3552(b)(2).

Cloud Service Providers (“CSPs”) will assign an estimated potential adverse impact rating to each incident, based on expected impact to government customers as follows:

  • N1 - Negligible Adverse Effect: Incident is expected to have a small negative impact on one or more agency users of the cloud service offering.
  • N2 - Limited Adverse Effect: Incident is expected to have a minor negative impact on one or more agency users of the cloud service offering.
  • N3 - Serious Adverse Effect: Incident is expected to have a significant negative impact on one agency user of the cloud service offering.
  • N4 - Catastrophic Adverse Effect or Serious Adverse Effect: Incident is expected to have either a severe negative impact on one agency user of the cloud service offering or a significant negative impact on multiple agency users of the cloud service offering.
  • N5 - Catastrophic Adverse Effect: Incident is expected to have a severe negative impact on multiple agency users of the cloud service offering.

Initial Incident Notification

Once a federal reportable incident has been identified, FedRAMP proposes default notification requirements for all affected parties unless otherwise agreed to in writing:

  • Notify FedRAMP at fedramp_security@gsa.gov or fedramp_security@fedramp.gov
  • Follow each agency customer’s instructions and contact arrangements through the agency’s security point of contact.
  • Upload notification information to the cloud service offering’s secure portal or FedRAMP-compatible Trust Center.

If an incident affects the confidentiality or integrity of federal customer data, RFC-0031 also states CSPs must follow the Cybersecurity and Infrastructure Security Agency’s (“CISA”) Incident Notification Instructions to provide notice to CISA.

Incident Reporting Timeframes

The RFC proposes updating incident reporting timeframes to align with the sensitivity of the cloud service offering.

Importantly, as part of the FedRAMP 20x initiative, FedRAMP updated its naming conventions as follows (FedRAMP authorization labels have also transitioned from FedRAMP “Authorization” to FedRAMP “Certification”):

Legacy FedRAMP Path    FedRAMP CR26 Path
N/A                    Class A (Pilot Baseline)
Low                    Class B (LI-SaaS and Low)
Moderate               Class C (Moderate)
High                   Class D (High)

Proposed incident reporting timeframes are based on the Class Certification levels above and the estimated impact rating of the incident (specific timeframes depend on the assigned impact):

  • Class A (Pilot) and B (Low): Reporting timeline ranges from 6 hours to one business day.
  • Class C (Moderate): Reporting timeline ranges from 1 hour to one business day.
  • Class D (High): Reporting timeline ranges from 15 minutes to one hour.

FedRAMP also contemplates ongoing reporting (as often as every 3 hours) as incidents are investigated.

Next Steps

RFC-0031 is open for comment from FedRAMP stakeholders until May 12, 2026, and comments can be posted via the FedRAMP RFC-0031 GitHub thread or emailed directly to pete@fedramp.gov.

FedRAMP plans to incorporate the outcome of the RFC (and others) into FedRAMP’s Consolidated Rule Set (“CR26”) set to be released in June 2026. This will be a major milestone compiling new FedRAMP rules in one place. Enforcement of CR26 is expected to begin December 31, 2026.

Sheppard’s Governmental Cybersecurity and Data Protection team is continuing to track developments in the FedRAMP 20x and CR26 process and will continue to provide updates as they become available.

Disclaimer: This alert is provided for information purposes only and does not constitute legal advice and is not intended to form an attorney client relationship. Please contact your Sheppard attorney contact for additional information.
